Switch Private VLANs in multi-switch environment

Hi, I have a question about private VLANs in bigger switch environments.

We want to employ private VLANs to secure our PC environment. Rather than having lots of VLANs and subnets (making office moves difficult without changing desktop users' IP addresses), we felt the use of Private VLANs was a good way to isolate all desktop PCs from each other whilst allowing internet / printer access. The desktop isolation is to slow or halt the spread of viruses etc. from one PC to another in the event that we had an infected machine.

We have looked at your knowledge base article on Private VLANs on GS2210 switches and for XGS switches that work differently.

Below is a topology of our network; we have a USG Firewall, two "Data cab" switches on each of our two floors in our building, and each data cab switch links to about 10 "Desk" switches - one switch under each desk connected to about 8 PCs each.

All switches talk on a management VLAN (e.g. 1); desk PC data goes on (e.g.) VLAN100.

Private VLAN on the GS2210-8 is easy: we isolate ports 1-8, and port 10 (upstream to the data cab switch) is promiscuous, so data between PCs on the desk switch is isolated whilst internet traffic can flow up to the firewall.

However, the XGS4600 has private, community and promiscuous and operates a different way. What we want to achieve is:

  1. Data from any desk switch on either floor to flow up to the firewall
  2. Data from any desk switch to not flow to another desk switch, either on the same (XGS4600) data cab switch or the other one.

To do this, each data cab switch must be able to see each other's isolated ports? I can see how you could stop traffic flow with only one data cab switch, but not stop a flow between floors?

Hope that makes sense and look forward to any thoughts.


All Replies

  • Zyxel_Derrick (Zyxel Official Agent, Posts: 51, mod)

    Hi @Dudley_Winchester


    Based on your topology, we think configuring port isolation on all ports except the uplink port can achieve your goal.

    For how to configure port isolation, you can refer to our handbook chapter 5.12.

    You can download it in the link below:

    https://www.zyxel.com/support/download_landing/product/xgs4600_series_14.shtml?c=gb&l=en&pid=20170103133252&tab=Handbook&pname=XGS4600%20Series

    Also, we will merge the GS2210's private VLAN feature into the XGS2210 and XGS4600 in a future release (perhaps firmware 4.70).

    Thanks


    Best regards,

    Zyxel_Derrick

  • Hi Derek,

    That almost works! However, the manual shows that port isolation blocks all VLANs, whereas private VLANs can be set in a VLAN-specific way. We would only want to isolate data traffic (VLAN100), not management traffic (VLAN1) - sorry I didn't make that more clear.

    I think the answer lies in the way Private VLAN is set up; but the bit I don't quite follow is - if a PC connected through the 2nd floor network can communicate with the internet, it must flow up through the 1st floor switch, so I guess it can also flow to a PC connected on the 1st floor... unless the two data cab switches can pass private VLAN information between themselves? If so, how is that achieved? The Cisco switch FAQs suggest such a setup can be done (but don't show how).

    I suspect few people use private VLANs, but in a world where more viruses and ransomware are running wild I am surprised switch manufacturers are not promoting this feature heavily and showing how it's done in a multi-switch environment!
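The multi-switch case asked about in the two posts above is exactly what the standard private VLAN model (RFC 5517, the model the Cisco FAQs assume) handles through the trunk tag: a frame from an isolated port is carried across every 802.1Q trunk still tagged with the isolated secondary VLAN, so a downstream switch knows it came from an isolated host and refuses to deliver it to its own isolated ports, while the management VLAN is a normal VLAN and forwards as usual. The following Python model, added here as an illustration and not Zyxel's configuration or code, walks a frame through two data cab switches and two desk switches with those rules. VLAN 101 as the isolated secondary VLAN, the port and switch names, and the topology are constructed assumptions; the page does not confirm that the XGS4600 uses identical trunk semantics.

```python
"""Private-VLAN (RFC 5517 style) forwarding across several switches.

Constructed model: two data-cab switches, one desk switch under each,
a firewall uplink on cab1. Port names, secondary VLAN 101 and the
topology are assumptions for illustration, not Zyxel configuration.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

MGMT = 1         # ordinary (non-private) management VLAN, as on the page
PRIMARY = 100    # primary private VLAN for desk PCs (page: VLAN100)
ISOLATED = 101   # assumed secondary isolated VLAN associated with 100


@dataclass
class Port:
    role: str                                   # isolated | promiscuous | trunk | access
    vlans: Set[int] = field(default_factory=set)  # trunk: tags carried; access: its VLAN
    link: Optional[Tuple[str, str]] = None      # (switch, port) at the far end of a link


Net = Dict[str, Dict[str, Port]]


def ingress_vlan(port: Port, tag: Optional[int]) -> int:
    """VLAN a frame is classified into when it enters `port`."""
    if port.role == "isolated":
        return ISOLATED          # host sits in the isolated secondary VLAN
    if port.role == "promiscuous":
        return PRIMARY
    if port.role == "access":
        return next(iter(port.vlans))
    assert tag is not None and tag in port.vlans, "trunk received a tag it does not carry"
    return tag                   # trunk: the secondary tag survives the wire


def egress_allowed(port: Port, vlan: int) -> bool:
    """Whether a frame classified in `vlan` may leave through `port`."""
    if port.role in ("trunk", "access"):
        return vlan in port.vlans            # normal 802.1Q rule, tag preserved on trunks
    if port.role == "promiscuous":
        return vlan in (PRIMARY, ISOLATED)   # sees the primary and every secondary VLAN
    if port.role == "isolated":
        return vlan == PRIMARY               # only traffic that came via a promiscuous port
    raise ValueError(port.role)


def reachable(net: Net, switch: str, port: str) -> Set[Tuple[str, str]]:
    """End-station ports that a frame sent from (switch, port) is delivered to."""
    todo = deque([(switch, port, ingress_vlan(net[switch][port], None))])
    seen: Set[Tuple[str, int]] = set()
    out: Set[Tuple[str, str]] = set()
    while todo:
        sw, inport, vlan = todo.popleft()
        if (sw, vlan) in seen:               # tree topology: one visit per switch/VLAN
            continue
        seen.add((sw, vlan))
        for name, p in net[sw].items():
            if name == inport or not egress_allowed(p, vlan):
                continue
            if p.link is None:
                out.add((sw, name))          # delivered to an end station
            else:
                far_sw, far_port = p.link
                todo.append((far_sw, far_port, ingress_vlan(net[far_sw][far_port], vlan)))
    return out


def trunk(far: Tuple[str, str]) -> Port:
    """Inter-switch trunk carrying management, primary and isolated VLANs."""
    return Port("trunk", {MGMT, PRIMARY, ISOLATED}, far)


def build_net() -> Net:
    """Assumed topology: USG on cab1, cab1-cab2 trunk, one desk switch per cab."""
    return {
        "cab1": {
            "fw": Port("promiscuous"),            # uplink to the firewall
            "cpu": Port("access", {MGMT}),        # the switch's own management interface
            "t-cab2": trunk(("cab2", "t-cab1")),
            "t-desk1": trunk(("desk1", "t-cab1")),
        },
        "cab2": {
            "cpu": Port("access", {MGMT}),
            "t-cab1": trunk(("cab1", "t-cab2")),
            "t-desk2": trunk(("desk2", "t-cab2")),
        },
        "desk1": {
            "cpu": Port("access", {MGMT}),
            "t-cab1": trunk(("cab1", "t-desk1")),
            "pc1": Port("isolated"),
            "pc2": Port("isolated"),
        },
        "desk2": {
            "cpu": Port("access", {MGMT}),
            "t-cab2": trunk(("cab2", "t-desk2")),
            "pc3": Port("isolated"),
        },
    }


if __name__ == "__main__":
    net = build_net()
    print("pc1 on floor 1 reaches:", sorted(reachable(net, "desk1", "pc1")))
    print("firewall reaches:", sorted(reachable(net, "cab1", "fw")))
    print("desk2 mgmt reaches:", sorted(reachable(net, "desk2", "cpu")))
```

Running it shows a frame from pc1 crossing desk1, cab1 and cab2 still tagged 101 and being delivered only to the firewall port, never to pc2 on the same desk switch or pc3 on the other floor; a frame from the promiscuous firewall port reaches every PC; and the switches' VLAN 1 management interfaces reach each other untouched, which is the VLAN-specific behaviour that plain port isolation (a per-port, all-VLAN block) does not give. The practical check on real hardware is the same: every trunk between the desk switches and the data cab switches, and between the two data cab switches, has to carry the isolated secondary VLAN as well as the primary, and the only promiscuous port in the whole tree is the firewall uplink.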

  • Zyxel_Derrick (Zyxel Official Agent, Posts: 51, mod)

    Hi @Dudley_Winchester


    I have sent you a PM.

    Please check your inbox.

    Thanks


    Best regards,

    Zyxel_Derrick
