Private VLAN (PVLAN) for Host Isolation

Private VLANs provide isolation between ports within a single Layer-2 domain. Although the basic configuration is fairly simple, it can become complex quickly, and the feature has a number of caveats in how it works and how it can be used.

This article explains what Private VLANs are, gives a brief summary of how they work, and then provides an example configuration that combines macrosegmentation (i.e. firewalled flows for North-South traffic) with microsegmentation (i.e. controlled flows for East-West traffic).

A Private VLAN (PVLAN) allows you to segment traffic at Layer 2 within a VLAN. In a normal VLAN, all hosts can communicate directly with each other. Depending on what these hosts are, this can be a security issue, because there are scenarios where hosts should not be able to communicate with each other. For example, you may have hosts made by a particular manufacturer that contain IP (intellectual property) the manufacturer wants to protect, so it requires that they are used on a network separate from its competitors; or the hosts may run out-of-date operating systems or software, or have other security concerns, which make isolating them a necessity to reduce risk and to reduce the likelihood of East-West traffic being used by attackers for lateral movement or worm/virus propagation.

A simple way to explain how it works is that you have two VLANs required for a private VLAN.

Firstly you have the Publisher VLAN (also known as the Network VLAN); this is the VLAN used for communication outside of the Private VLAN. Then you have the Subscriber VLAN, the actual Private VLAN, where the devices you want isolated are connected. You never connect devices you want isolated to the Publisher VLAN, and the Publisher VLAN is essential if these devices are to reach other hosts on the network (where that is required); otherwise even the default gateway for the subnet (i.e. the Private VLAN) would be isolated, so the devices would not be able to reach much!

Basic Configuration

So let’s say we have two devices (hosts) on our network. We want them isolated from each other (East-West) and also from the rest of the network (North-South), but they still need to reach certain Internet sites and certain services on the internal network. What do we do?

On a network switch, we create two VLANs: one we’ll call isolated-pub and the other isolated-sub. The latter is the “Private VLAN” where our two devices will be connected; the former (the Publisher VLAN) is where, from the isolated devices’ point of view, the rest of the network lives.

To put it another way, the two devices we want isolated are connected to the isolated-sub VLAN, which stops them communicating with each other (isolation), and this isolated-sub VLAN is bound to the isolated-pub VLAN. Because the switch knows the MAC addresses of all the devices in both the isolated-pub and isolated-sub VLANs, it can decide which traffic flows are allowed and which are not.

The traffic from a host within the isolated-sub VLAN is translated into the isolated-pub VLAN IF it is going to a MAC address that is not within the isolated-sub VLAN. 

IF however the traffic is attempting to go from a host within the isolated-sub VLAN to a MAC address that is also in the isolated-sub VLAN it is dropped; this is the mechanism that allows the isolation to happen.

So, what is within the isolated-pub VLAN? Typically that would be the default gateway of the “Private VLAN” (i.e. of the subnet shared by isolated-pub and isolated-sub), so the MAC address of the default gateway (router) exists within the isolated-pub VLAN.

From the point of view of the rest of the network, if Host 1 within the isolated-sub VLAN wants to talk to the outside world (Internet) via the default gateway (router), its MAC address is translated to appear on the isolated-pub VLAN too. That means that, from the rest of the network’s point of view, Host 1’s MAC address is on the isolated-pub VLAN; the rest of the network knows nothing of the isolated-sub VLAN (Private VLAN) below, and it doesn’t need to. So these “North-South” flows just work as they normally would.

Limitations

There are some limitations however. Although it is possible to have multiple network switches involved in a Private VLAN, specific configuration is required; examples are discussed in this article: https://documentation.extremenetworks.com/exos_31.1/GUID-B5273B47-E949-450D-8071-86F6CB327282.shtml. This somewhat limits the practical scalability. For us this is the main issue we’ll face: effectively it means we need many different isolated-pub and isolated-sub VLAN pairs, for the reason detailed below.

Let’s say for example we have four hosts, two on switch 1 and two on switch 2, and we want all four hosts to be isolated from each other, not just from the others on their respective home switches, but obviously also allow all four to reach the default gateway and therefore the network and/or Internet (firewall rules permitting). We’ll see an issue appear that makes the scalability problem very apparent, because it partly breaks the isolation in a way that makes it useless for our use case!

A key thing to remember is that, although it doesn’t look like it, isolated-pub and isolated-sub behave as one VLAN from the rest of the network’s point of view; isolated-sub is simply the Private (subscriber) half, so the switch treats any MAC addresses learned in that Private VLAN slightly differently, i.e. it isolates them.

OK, so what’s the problem.

In the diagram below, we have host 1 attempting to communicate with host 3. Both are in isolated-sub, so they should be isolated from each other right? Wrong!

The issue here is that from Switch 2’s point of view the MAC address of host 1: DE:AD:BE:EF:CD:AA is within isolated-pub, i.e. the Publisher VLAN, so it just considers it to be outside of the isolated-sub (Subscriber) Private VLAN and therefore that traffic is allowed to flow.

If it didn’t consider this to be outside of the isolated-sub VLAN (Private VLAN), how would the switch know that the default gateway MAC address (router/firewall) was outside of the Private VLAN? This, in a nutshell, is the issue which causes our scalability problems.

The upstream switch just sees the MAC addresses of all four hosts (1, 2, 3 and 4) on the same VLAN. Network Switch 1 and Network Switch 2 each see only their locally connected hosts’ MAC addresses within the isolated-sub Private VLAN, not the MAC addresses of the hosts on the other switch.

What this means is that Host 1 and Host 2 are isolated, Host 3 and Host 4 are isolated, BUT, Host 1 can communicate with Host 3 and Host 4, and Host 2 can communicate with Host 3 and Host 4, and vice-versa. 

And this we do not want: we want all four hosts to be isolated from each other!

A possible way around this is to have a separate isolated-pub and isolated-sub VLAN pair for each switch, so that flows between the different VLAN pairs actually go via the firewall and can be restricted there, while the East-West flows within each Private VLAN are still blocked by the Private VLAN mechanism.

However, this will require a number of additional VLANs to be created and managed likely one per network area, which increases complexity and the management overhead somewhat.
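The forwarding rule described under Basic Configuration, the four-host/two-switch problem above and the per-switch-pair workaround can all be traced with a small model. The following is an added example, not the article’s own code and not Extreme’s EXOS implementation; it models only the rule the text states (subscriber-to-subscriber frames on the same switch are dropped, everything else is translated into the publisher VLAN, and the upstream switch is an ordinary bridge that knows nothing of the subscriber VLAN). Every MAC address except host 1’s, the switch names, and the tag 200 used for the second switch’s own publisher VLAN are constructed for the example.

```python
"""Model of the PVLAN forwarding rule the article describes (added example;
not the page's code and not EXOS itself). Per edge switch:
  - frame from a local subscriber host to a MAC learned in this switch's own
    subscriber VLAN: dropped (East-West isolation);
  - anything else: translated into the network (publisher) VLAN, sent upstream;
  - frame arriving on the uplink in the network VLAN for a local subscriber
    host: delivered (the return path from the gateway).
Only host 1's MAC is from the article; the others are constructed."""
from dataclasses import dataclass, field

ROUTER = "00:00:5e:00:01:01"   # constructed gateway MAC
HOST1 = "de:ad:be:ef:cd:aa"    # from the article
HOST2 = "de:ad:be:ef:cd:bb"    # constructed
HOST3 = "de:ad:be:ef:cd:cc"    # constructed
HOST4 = "de:ad:be:ef:cd:dd"    # constructed


@dataclass
class EdgeSwitch:
    name: str
    network_vlan: int        # tag carried on the translated uplink (isolated-pub)
    subscriber: set          # MACs learned in isolated-sub on this switch

    def from_subscriber(self, dst):
        """Frame entering on a subscriber port: None = drop, else egress VLAN."""
        if dst in self.subscriber:          # same private VLAN, same switch
            return None
        return self.network_vlan            # translated into the network VLAN

    def from_uplink(self, vlan, dst):
        """Frame arriving on the translated uplink port."""
        if vlan != self.network_vlan:       # uplink does not carry this VLAN
            return "ignored"
        return "delivered" if dst in self.subscriber else "flooded"


@dataclass
class Core:
    """Upstream switch: a normal bridge with a (vlan, mac) -> port table.
    It has no notion of the subscriber VLAN at all."""
    table: dict = field(default_factory=dict)

    def forward(self, vlan, dst):
        return self.table.get((vlan, dst), "flood")


def build(shared_pair):
    """shared_pair=True: both edges use pub 100 / sub 101 (the article's first
    scenario). False: switch2 gets its own pair (pub 200), the workaround."""
    s1 = EdgeSwitch("switch1", 100, {HOST1, HOST2})
    s2 = EdgeSwitch("switch2", 100 if shared_pair else 200, {HOST3, HOST4})
    core = Core()
    for sw in (s1, s2):
        core.table[(sw.network_vlan, ROUTER)] = "router"   # gateway leg per VLAN
        for mac in sw.subscriber:
            # the core learns every host MAC in the edge's *network* VLAN
            core.table[(sw.network_vlan, mac)] = sw.name
    return {s.name: s for s in (s1, s2)}, core


def reach(shared_pair, src, dst):
    """Trace a frame from subscriber host src to dst and return the outcome."""
    edges, core = build(shared_pair)
    origin = next(sw for sw in edges.values() if src in sw.subscriber)
    vlan = origin.from_subscriber(dst)
    if vlan is None:
        return f"dropped by {origin.name}"
    port = core.forward(vlan, dst)
    if port == "router":
        return f"delivered to router via VLAN {vlan}"
    targets = edges.values() if port == "flood" else [edges[port]]
    for sw in targets:
        if sw is not origin and sw.from_uplink(vlan, dst) == "delivered":
            return f"delivered by {sw.name} via VLAN {vlan}"
    return "unreachable at layer 2"


def report():
    """Outcomes for the article's four-host, two-switch scenario."""
    return {
        "shared  H1->H2": reach(True, HOST1, HOST2),
        "shared  H1->H3": reach(True, HOST1, HOST3),   # isolation broken
        "shared  H1->GW": reach(True, HOST1, ROUTER),
        "perpair H1->H3": reach(False, HOST1, HOST3),  # must go via the firewall
        "perpair H3->GW": reach(False, HOST3, ROUTER),
    }


if __name__ == "__main__":
    for flow, outcome in report().items():
        print(f"{flow}: {outcome}")
```

With a shared pair the model delivers Host 1’s frame to Host 3, because switch 2 sees it arrive in the publisher VLAN exactly as a frame from the gateway would. With one pair per switch the same frame is flooded only within VLAN 100, which switch 2’s uplink does not carry, so the only route from Host 1 to Host 3 is through the router, where the firewall policy applies.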

Simple Example Configuration

The edge switch configuration based on our example VLANs is given below. We are assuming NAC will assign the two test devices to the Subscriber VLAN (isoinst1-sub), hence there is no port-level configuration for those.

create vlan "isoinst1-pub" tag 100
create vlan "isoinst1-sub" tag 101
create private-vlan "isoinst1"
configure private-vlan isoinst1 add network "isoinst1-pub"
configure private-vlan isoinst1 add subscriber "isoinst1-sub"
configure "isoinst1-pub" add ports 32 private-vlan translated

In this example port 32 is the uplink port from the edge switch to the upstream distribution switch, which is configured with just the Publisher VLAN (isoinst1-pub).

You will also notice that, once the Private VLAN configuration is applied, the Subscriber VLAN (isoinst1-sub) appears on the uplink port too. This is normal: the uplink is a translated port, so subscriber traffic leaves it translated into the Publisher VLAN, and the Subscriber VLAN does not need to exist anywhere in the network beyond this edge switch for the Private VLAN to work.

Now that the edge switch has been configured to isolate East-West traffic (microsegmentation), we can move on to configuring the rest of the network switches and the firewall to isolate North-South traffic and provide the macrosegmentation that is also required.
