This may not be the depth you are looking for, but this may shed a little bit of light. I don't have the book you are reading so I can't see the whole thing in context. Is he talking about ACLs or VACLs (VLAN ACLs)?
He specifically says ACLs in this section. I thought about how VACLs could be used as well. When I read through PVLAN attacks, I see the need for care on any device connected to a promiscuous port that has routing capabilities. This is due to the fact that a packet could be forged with the MAC address of a router connected to the promiscuous port and the IP of another host in a community or isolated VLAN. The packet would reach the layer 3 device and be rerouted or reflected back to the destination IP address, thus negating the effect of the PVLAN (at least in one direction). I'm not sure if this is what he means by ACLs in this context or not.
What is really confusing me is the limit of one promiscuous port. I don't see this limitation anywhere on the DocCD, at least based on my interpretation. I also see examples that seem to have multiple promiscuous ports. So, maybe this was an old limitation or something? Or maybe I'm misinterpreting something.
I do think a VACL would make sense on the primary VLAN. The primary VLAN carries traffic away from promiscuous ports toward isolated and community ports. So a VACL could be there that allowed the source IP of the device to the subnet, denied everything else that is both sourced and destined to the connected subnet, then permit all else. That could be what he is explaining there. That is mentioned in the following document.
However, this document also mentions multiple promiscuous ports if you scroll down to "Testing Pass-Thru DMZ".
I don't even recall there initially being a limitation of one promiscuous port for PVLANs. I know I've certainly used more than one before!
I don't see why you couldn't use a VACL with a Private VLAN, but the logic would be much more confusing about where the packets are flowing and where to apply it (primary vs. sub). But as with any port, an ACL on the port is designed to limit traffic that enters or leaves that particular port.
You have confirmed my understanding. I think it is that one thing in the book that was throwing me. I think you would apply a VACL on the primary VLAN for traffic sourced from the promiscuous ports and a VACL on the respective secondary VLAN for traffic sourced by host (isolated or community) ports. But you are right, it certainly adds to the confusion.
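An added IOS configuration example, not taken from the thread, the book, or the Cisco document linked above, that puts the two points together: a primary VLAN with an isolated and a community secondary, two promiscuous ports, and a VACL on the primary VLAN built the way the earlier post describes (permit the promiscuous devices' own source addresses into the subnet, drop anything else that is both sourced from and destined to the connected subnet, forward everything else). The VLAN numbers, interface names and the 10.1.1.0/24 addressing are assumptions.

```cisco
! Added example: PVLAN with two promiscuous ports plus a VACL on the
! primary VLAN. VLAN IDs, interface names and 10.1.1.0/24 are assumed.
vtp mode transparent
!
vlan 100
 name PVLAN-PRIMARY
 private-vlan primary
 private-vlan association 101,102
vlan 101
 name PVLAN-ISOLATED
 private-vlan isolated
vlan 102
 name PVLAN-COMMUNITY
 private-vlan community
!
! Two promiscuous ports, e.g. an active and a backup router.
interface GigabitEthernet0/1
 description Router A (10.1.1.1)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
interface GigabitEthernet0/2
 description Router B (10.1.1.2)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Host ports: one isolated, one community.
interface GigabitEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! VACL on the primary VLAN. A host can forge a frame with the router's
! MAC address and another local host's IP; the router would route it
! straight back into the subnet through the promiscuous port.
! Seq 10 admits only the routers as sources of intra-subnet traffic,
! seq 20 drops every other packet that is both from and to the subnet,
! seq 30 (no match clause) forwards everything else.
ip access-list extended PVLAN-ROUTERS-TO-SUBNET
 permit ip host 10.1.1.1 10.1.1.0 0.0.0.255
 permit ip host 10.1.1.2 10.1.1.0 0.0.0.255
ip access-list extended PVLAN-INTRA-SUBNET
 permit ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
vlan access-map PVLAN-PROTECT 10
 match ip address PVLAN-ROUTERS-TO-SUBNET
 action forward
vlan access-map PVLAN-PROTECT 20
 match ip address PVLAN-INTRA-SUBNET
 action drop
vlan access-map PVLAN-PROTECT 30
 action forward
!
vlan filter PVLAN-PROTECT vlan-list 100
```

Check the result with `show vlan private-vlan`, `show vlan access-map` and `show vlan filter`. Sequence order matters: the router permits must come before the intra-subnet drop, and if the two routers share a virtual address (HSRP or VRRP) that address needs its own `permit` in PVLAN-ROUTERS-TO-SUBNET or the active router's replies to hosts will be dropped. Whether a VACL on the primary VLAN is also applied to the secondaries, or has to be applied to each secondary separately for host-sourced traffic, depends on the platform, so confirm it against the PVLAN section of the switch's own configuration guide.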
Finally, how many promiscuous ports can be working in a PVLAN? Only one, or more?
I’ve been looking for the description, but I cannot find it so far.
I've referred to the same book, p. 86. There are two descriptions, as follows. I think this is a contradiction.
- Only one promiscuous port is allowed per single PVLAN... (p. 86, line 11)
- As a primary VLAN: Carries traffic from a promiscuous port to isolated, community, and other promiscuous ports in the same primary VLAN. (p. 86, line 26)
Link for p. 86