Virtual local area network (VLAN) technology has been around for some time. It provides for flexible, distributed Layer 2 network segmentation and resource isolation. An additional capability often overlooked by network engineers allows for further segmentation of a VLAN: the secondary or private VLAN (PVLAN). Using PVLANs, organizations can achieve more granular network segmentation and control without configuring additional VLANs, routers, or firewalls.
How PVLANs work
According to Cisco, “…PVLANs are a tool that allows segregating traffic at Layer 2 (L2) turning a broadcast segment into a non-broadcast multi-access-like segment” (“Securing Networks with Private VLANs and VLAN Access Control Lists”, Cisco, 2005). Let’s use Figure 1 to step through how this works.
Figure 1 (Cisco, 2005)
Primary VLANs, shown in blue, are what most of us think of when we discuss VLAN technology. All packets with the same VLAN tag travel over this path. In this example, the primary is subdivided into two secondary VLANs, depicted in red and yellow. The switch ports to which Host 1 and Host 2 connect are configured as isolated PVLANs. In other words traffic can flow from either host to the switch and on through to the primary VLAN, but the two hosts cannot communicate with each other. Once host traffic reaches the switch, it flows out the port to which the primary VLAN is connected. This port is known as a promiscuous port since traffic from all secondary VLANs can pass through it.
When configured in this way, the risk associated with malware or other types of attacks launched from Host 1 reaching Host 2 is mitigated.
Figure 2 depicts another use for secondary VLANs. In this example, the two servers in the DMZ are connected to isolated PVLANs—a common use for this technology. Since the two servers can’t communicate with each other, the work factor associated with spreading an attack to both servers in the DMZ once a foothold is gained on one of the servers is significantly increased.
Figure 2 (Cisco, 2005)
Finally, Figure 3 depicts two additional concepts: community and guest/visitor PVLANs. In the previous two examples, we focused on isolated PVLANs—PVLANs consisting of a single device. In this example, we have two workstations attached to switch ports configured as a community secondary VLAN. Community PVLANs typically consist of multiple end-user devices within a business critical workgroup or team. For example, the people responsible for processing payroll might be assigned to a community PVLAN. This helps to isolate them from attack situations that might exist in other areas of the VLAN or network.
Figure 3 (Larger Image)
Figure 3 also demonstrates how visitor PVLANs might be configured in conference rooms connected to standard floor or building VLAN segments. In this case, the visitor laptop can only access the Internet through the switch’s promiscuous port. Any packets attempting to travel from the laptop to the community PVLAN or the isolated server PVLANs will be dropped by the switch.
The final word
PVLAN segmentation is a great way to add an additional layer of security through VLAN segmentation, but segmentation by itself is not enough. VLAN access control lists (VACL) must be implemented to ensure resource isolation.
There are many possible uses for PVLANs, including reducing the cost of segmentation via additional firewalls and routers. Like any technology, a secondary VLAN is not the answer to every segmentation challenge, but it is a good addition to any network engineer’s tool kit.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.