    PVLAN (private VLAN) in the switch - are you using it?

    IT Discussion
    vlan switch pvlan
1337

      Are you guys using pvlan features in your switches?

      If I understand correctly it will isolate vlan ports from each other.
      So for instance:

      • your desktops can talk to the servers, but not each other,
      • servers in a dmz can talk to the firewall but not each other

      etc.

JaredBusch @1337

        @pete-s said in PVLAN (private VLAN) in the switch - are you using it?:

        Are you guys using pvlan features in your switches?

        If I understand correctly it will isolate vlan ports from each other.
        So for instance:

        • your desktops can talk to the servers, but not each other,
        • servers in a dmz can talk to the firewall but not each other

        etc.

        That would require me to use a VLAN in the first place...

        Seriously though, I use VLAN for Guest WiFi and that is about it. Since my WiFi hardware is UniFi, it already does this, so no.

1337 @JaredBusch

          @jaredbusch said in PVLAN (private VLAN) in the switch - are you using it?:

          That would require me to use a VLAN in the first place...

          Seriously though, I use VLAN for Guest WiFi and that is about it. Since my WiFi hardware is UniFi, it already does this, so no.

          You could put all computers in the same vlan... Are you not worried about the security implication of letting every device have access to everything on the LAN? Zero-day exploits?

Dashrender @1337

            @pete-s said in PVLAN (private VLAN) in the switch - are you using it?:

            You could put all computers in the same vlan... Are you not worried about the security implication of letting every device have access to everything on the LAN? Zero-day exploits?

            So it infects the server, then the server infects the PCs.. what's the diff?

1337 @Dashrender

              @dashrender said in PVLAN (private VLAN) in the switch - are you using it?:

              So it infects the server, then the server infects the PCs.. what's the diff?

              Maybe nothing, maybe something. The server might not be running the same OS, it is likely not running the same services as desktops. Either way the intruder/malicious software has to gain access over the server as well before getting access to the other PCs. One more layer of security to overcome. More difficult for things to spread.

Dashrender @1337

                @pete-s said in PVLAN (private VLAN) in the switch - are you using it?:

                Maybe nothing, maybe something. The server might not be running the same OS, it is likely not running the same services as desktops. Either way the intruder/malicious software has to gain access over the server as well before getting access to the other PCs. One more layer of security to overcome. More difficult for things to spread.

                But PVLAN is also one more thing for you to manage. It's 2 AM something broke and you forget about PVLAN, stand up a new box for whatever and can't figure out why you can't talk to it. etc.

                Sure it can be good, but the risk has to be worth it.

1337 @Dashrender

                  @dashrender said in PVLAN (private VLAN) in the switch - are you using it?:

                  But PVLAN is also one more thing for you to manage. It's 2 AM something broke and you forget about PVLAN, stand up a new box for whatever and can't figure out why you can't talk to it. etc.

                  Sure it can be good, but the risk has to be worth it.

                  Yup, agreed. That is why I was wondering if anyone is using it and what their experience is.

                  I haven't used it myself yet but I'm contemplating it.

travisdh1 @1337

                    @pete-s said in PVLAN (private VLAN) in the switch - are you using it?:

                    Yup, agreed. That is why I was wondering if anyone is using it and what their experience is.

                    I haven't used it myself yet but I'm contemplating it.

                    This is one of those "If you have to ask the question, the answer is no" times.

JaredBusch @travisdh1

                      @travisdh1 said in PVLAN (private VLAN) in the switch - are you using it?:

                      This is one of those "If you have to ask the question, the answer is no" times.

                      No it isn’t.

But PVLAN also means you are in the world of LAN-less design of not trusting the LAN. So everything should be firewalled. Thus, less risk of issues anyway.

scottalanmiller @1337

                        @pete-s said in PVLAN (private VLAN) in the switch - are you using it?:

                        You could put all computers in the same vlan... Are you not worried about the security implication of letting every device have access to everything on the LAN? Zero-day exploits?

                        Worried, yes, but that's why we lock them down as if the LAN is risky. We fear the LAN just like we fear the public space.

scottalanmiller

                          PVLAN, or Port Isolation as I think most of us know it, is one of the better uses of VLAN tech. The idea is for extreme environments (not really SMB generally) when normal security measures are not enough, that you make an individual VLAN for every single device on the network so that you control via central firewall a second layer of access for every single port that there is.

                          There are certainly legit cases for this. And I've worked for one of those places. But it's super rare. It is a lot of work, requires gear that supports it, and adds a lot of complication that you have to consider. It also adds a good deal of security.

                          In the SMB, most places have over the top security already and zero day threats rarely threaten OS level firewalls. So PVLAN, while legit, rarely has appreciable value to an SMB. But when you need that "second firewall per device", then yes, it's definitely the way to go.

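To make the two scenarios from the opening post and scottalanmiller's "second firewall per device" concrete, here is an added Python model (not code from anyone in the thread) of the three private-VLAN port roles and the layer-2 reachability they produce; the device names and the "cluster" community are constructed for illustration, and the `blocked_from` helper is a hypothetical aid for Dashrender's "new box at 2 AM" situation.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, List, Optional, Sequence

class Role(Enum):
    PROMISCUOUS = auto()  # uplink to the servers or firewall; sees every port
    ISOLATED = auto()     # desktop or DMZ server; sees promiscuous ports only
    COMMUNITY = auto()    # sees promiscuous ports and its own community

@dataclass(frozen=True)
class Port:
    name: str
    role: Role
    community: Optional[str] = None  # only meaningful for COMMUNITY ports


def can_forward(src: Port, dst: Port) -> bool:
    """Layer-2 forwarding between two ports of the same primary VLAN."""
    if src.role is Role.PROMISCUOUS or dst.role is Role.PROMISCUOUS:
        return True
    if src.role is Role.COMMUNITY and dst.role is Role.COMMUNITY:
        return src.community == dst.community
    return False  # isolated to isolated, or isolated to community


def reachability(ports: Sequence[Port]) -> Dict[str, List[str]]:
    """Map each port to the other ports it can reach at layer 2."""
    return {
        p.name: sorted(q.name for q in ports if q is not p and can_forward(p, q))
        for p in ports
    }


def blocked_from(new_port: Port, ports: Sequence[Port]) -> List[str]:
    """The '2 AM new box' check (hypothetical helper): which existing ports
    can a host on new_port not reach, before anyone blames the box itself?"""
    return sorted(q.name for q in ports if not can_forward(new_port, q))


# Constructed topology for the two scenarios in the opening post.
OFFICE = [
    Port("server", Role.PROMISCUOUS),
    Port("desktop1", Role.ISOLATED),
    Port("desktop2", Role.ISOLATED),
]
DMZ = [
    Port("firewall", Role.PROMISCUOUS),
    Port("web1", Role.ISOLATED),
    Port("web2", Role.ISOLATED),
    Port("db1", Role.COMMUNITY, "cluster"),  # a DB pair that must replicate
    Port("db2", Role.COMMUNITY, "cluster"),
]

if __name__ == "__main__":
    for vlan in (OFFICE, DMZ):
        for name, peers in reachability(vlan).items():
            print(f"{name:>9} -> {', '.join(peers)}")
    print("new isolated DMZ box is blocked from:",
          blocked_from(Port("newbox", Role.ISOLATED), DMZ))
```

Anything an isolated host needs beyond its promiscuous uplink has to be routed and filtered at that uplink, which is exactly the central-firewall layer described above.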
1337 @scottalanmiller

                            @scottalanmiller said in PVLAN (private VLAN) in the switch - are you using it?:

                            PVLAN, or Port Isolation as I think most of us know it, is one of the better uses of VLAN tech. The idea is for extreme environments (not really SMB generally) when normal security measures are not enough, that you make an individual VLAN for every single device on the network so that you control via central firewall a second layer of access for every single port that there is.

                            There are certainly legit cases for this. And I've worked for one of those places. But it's super rare. It is a lot of work, requires gear that supports it, and adds a lot of complication that you have to consider. It also adds a good deal of security.

                            In the SMB, most places have over the top security already and zero day threats rarely threaten OS level firewalls. So PVLAN, while legit, rarely has appreciable value to an SMB. But when you need that "second firewall per device", then yes, it's definitely the way to go.

                            Makes sense, but I'm thinking it doesn't have to be that much more work if you can apply automation to switch management as well.

I think you can do port isolation on the virtual switches in VM hosts in the same way as the physical ones. I understand that at least VMware has had it for a long time, so I assume others have it now as well.
