Switch Private VLANs in multi-switch environment
Hi, I have a question about private VLANs in bigger switch environments.
We want to employ private VLANs to secure our PC environment. Rather than having lots of VLANs and subnets (making office moves difficult without changing desktop users' IP addresses), we felt the use of Private VLANs was a good way to isolate all desktop PCs from each other whilst allowing internet / printer access. The desktop isolation is to slow or halt the spread of viruses etc. from one PC to another in the event that we had an infected machine.
We have looked at your knowledge base article on Private VLANs on GS2210 switches, and for XGS switches, which work differently.
Below is a topology of our network; we have a USG Firewall, two "Data cab" switches on each of our two floors in our building, and each data cab switch links to about 10 "Desk" switches - one switch under each desk connected to about 8 PCs each.
All switches talk on a management VLAN (e.g. 1); desk PC data goes on (e.g.) VLAN 100.
Private VLAN on the GS2210-8 is easy: we isolate ports 1-8 and make port 10 (upstream to the data cab switch) promiscuous, so data between PCs on the desk switch is isolated whilst internet traffic can flow up to the firewall.
However, the XGS4600 has private, community and promiscuous and operates a different way. What we want to achieve is:
- Data from any desk switch on either floor to flow up to the firewall
- Data from any desk switch to not flow to another desk switch, either on the same (XGS4600) data cab switch or the other one.
To do this, each data cab switch must be able to see each other's isolated ports? I can see how you could stop traffic flow with only one data cab switch, but not stop a flow between floors?
Hope that makes sense and look forward to any thoughts.
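As an added illustration of the multi-switch question (not part of the original post, and not Zyxel's implementation), the following is a generic model of private-VLAN forwarding rules between isolated, community and promiscuous ports, extended to two data cab switches. It assumes two ways of joining the switches: a link that carries the secondary VLAN tag (named "pvlan_trunk" here), so the far switch still knows a frame came from an isolated port, or a link configured as a plain promiscuous port, which collapses the isolation between floors.

```python
# Generic private-VLAN forwarding model (constructed example, not vendor code).
# Usual PVLAN semantics: isolated ports only reach promiscuous ports; community
# ports reach their own community and promiscuous ports; promiscuous reaches all.
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    role: str            # "isolated" | "community" | "promiscuous"
    community: str = ""  # used only when role == "community"

def same_switch_allows(src: Port, dst: Port) -> bool:
    """PVLAN egress rule for two ports whose roles are both known."""
    if src == dst:
        return False
    if "promiscuous" in (src.role, dst.role):
        return True                        # promiscuous talks to everything
    if "isolated" in (src.role, dst.role):
        return False                       # isolated only reaches promiscuous
    return src.community == dst.community  # community <-> same community

def reachable(src: Port, dst: Port, interlink: str) -> bool:
    """End-to-end decision, possibly across two data cab switches.
    interlink (assumed names) describes the link between the switches:
      "pvlan_trunk" - secondary VLAN tag is carried, so the source role survives;
      "promiscuous" - the far switch sees the frame as coming from a promiscuous
                      port, so every port on the far switch receives it."""
    if src.switch == dst.switch or interlink == "pvlan_trunk":
        return same_switch_allows(src, dst)
    if interlink == "promiscuous":
        return True
    raise ValueError(f"unknown interlink type {interlink!r}")

def isolation_violations(ports, interlink):
    """Audit helper: pairs of isolated ports that can still reach each other."""
    iso = [p for p in ports if p.role == "isolated"]
    return [(a.name, b.name) for a in iso for b in iso
            if a != b and reachable(a, b, interlink)]

# Constructed topology: firewall uplink on cab1, desk switch uplinks isolated.
FW = Port("cab1", "fw", "promiscuous")
DESK1 = Port("cab1", "desk1", "isolated")
DESK2 = Port("cab1", "desk2", "isolated")
DESK3 = Port("cab2", "desk3", "isolated")
TOPOLOGY = [FW, DESK1, DESK2, DESK3]

if __name__ == "__main__":
    for mode in ("pvlan_trunk", "promiscuous"):
        print(mode, "violations:", isolation_violations(TOPOLOGY, mode))
```

With the tagged inter-switch link the audit reports no isolated-to-isolated paths; with a promiscuous inter-switch link every desk on one floor can reach every desk on the other, which is the cross-floor flow the post asks about.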