Friday, July 16, 2021

Private VLANs and non-private VLANs over same trunk ports?

We recently set up a DMZ vlan for any device that is not controlled directly by our company and only needs direct internet access. This was simple enough to do and it's working fine.

We would like to set up an additional layer of security between these devices by using private vlans to separate devices from different vendors. Basically, each vendor's devices would live in their own private community vlan, associated with the single primary DMZ vlan, all with access to the internet but without being able to communicate with another vendor's devices.

I'm testing this in a lab setting right now and the issue I'm having is that I can get private vlan hosts on a switch to access the internet, and I can get non-private vlan hosts to access the internet, but not both at the same time.

Here's a simple diagram: https://i.ibb.co/YDskJXR/2021-07-16-14-52-43-Untitled-Diagram-drawio-diagrams-net.png

When the router-facing port is in trunk mode, host B can reach the internet. When the router-facing port is configured as a promiscuous port, host A can. But only one of the hosts can ever reach the internet at once.

Obviously this will cause problems in production: unless I can figure this out, enabling the DMZ hosts in their private vlans to reach the internet will cut off access for all other non-DMZ devices.

What am I missing here?
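Added example, not the asker's configuration: a Cisco IOS-style layout of the setup described above (primary DMZ VLAN, one community VLAN per vendor, host ports, and the router-facing port). VLAN numbers and interface names are assumed, and the router-facing port assumes the switch platform supports promiscuous private-VLAN trunk ports, which not every Catalyst model does.

```cisco
! Assumed VLAN numbers (not from the post): 10 = ordinary non-DMZ VLAN,
! 100 = primary DMZ VLAN, 101/102 = community VLANs for vendor A / vendor B.
vtp mode transparent
!
vlan 101
 private-vlan community
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Vendor A device: host port in community 101. It can reach the
! promiscuous port and other vendor-A devices, but not vendor B.
interface GigabitEthernet1/0/10
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Vendor B device: host port in community 102.
interface GigabitEthernet1/0/11
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Non-DMZ host on an ordinary access port.
interface GigabitEthernet1/0/20
 switchport mode access
 switchport access vlan 10
!
! Router-facing port. A plain "switchport mode trunk" carries VLAN 10 but
! sends private-VLAN hosts' frames tagged with their secondary VLAN (101/102),
! which a router subinterface for VLAN 100 does not accept; a plain
! promiscuous port merges 101/102 into 100 but carries only VLAN 100.
! A promiscuous PVLAN trunk (where supported) does both: ordinary VLANs
! pass as tagged trunk VLANs, and the secondary VLANs are remapped to the
! primary so the router only ever sees VLAN 100 for the DMZ.
interface GigabitEthernet1/0/1
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan trunk allowed vlan 10,100
 switchport private-vlan mapping trunk 100 101,102
!
! Verification: confirm the secondary-to-primary mappings and the port
! roles, since the vendor separation rests on them being correct.
show vlan private-vlan
show interfaces GigabitEthernet1/0/1 switchport
```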
