On a flat network, private VLANs, again implemented at the physical switch/router, can be used to group a system into one of three category types, each with its own traffic control properties: promiscuous port, community port, and isolated port.
A promiscuous-port PVLAN designation, typically used for the gateway of a given subnet, has unfettered access to other interfaces on the PVLAN. A community-port PVLAN designation allows communication with other members of the community and promiscuous ports on the PVLAN, making this a good choice for a group of servers that need to talk on a given segment, such as a group of Web servers and a database server. The isolated-port PVLAN applies the tightest controls, limiting the device to talking only with promiscuous ports on the PVLAN.
In general, PVLANs provide broad segmentation of L2 traffic rather than granular control. Still, they are useful to support defense in depth and break up subnet broadcast domains, plus, they work in tandem with VACLs if more specific access profiles are needed.
Layer 2 firewalling provides similar functionality as VACLs, but you can wrap it up in a nice user interface. Advanced firewalls, like those from Palo Alto Networks, support the ability to actually switch between two or more interfaces on the same VLAN and inspect traffic traversing this path. The upside to this approach is that it leverages the abilities of an enterprise-class firewall and provides a clean way of integrating controls into a consistent firewall policy. The downside? It's expensive to implement due to port-density requirements and the cost of each physical interface.
True Layer 2 firewalling (not transparent mode firewalling), while fairly uncommon, can make sense implemented as a filter between communicating devices on the same subnet that reside on different physical switches.
Keep in mind that the addition of any Layer 2 control introduces another level of filtering and, potentially, breakage. If a host becomes inaccessible, you'll have to look at all the usual suspects--firewall, host adapter, application processes, network--in addition to determining if Layer 2 filtering might be causing a problem.
|Administrators can use three types of private VLANs to segment Layer 2 traffic|
|Promiscuous port||Device can communicate with other interface types on the PVLAN|
|Community port||Device can communicate with promiscuous ports and other community members on the PVLAN|
|Isolated port||Device can only communicate with promiscuous ports on the PVLAN|
Hey, we said it could make the network faster. We didn't say it would make your life easier.
Consider the operational impact particularly when you apply controls such as VACLs and PVLANs. Insist on excellent management and audit capabilities to streamline configuration tasks and ease troubleshooting. Typically, this means using a management tool or element manager that can monitor filtering rules; provide centralized, actionable audit logs; and help enforce consistency throughout your implementation. These concepts of manageability and consistency are essential as we move away from physical appliances and transition into our next topic: virtual L2 controls.