- How to secure Protocol-VLAN: what to do with PVID?
06-07-2014 11:47 PM
A common use for Protocol-VLAN is when you want IPv4/ARP to go into one VLAN and IPv6 into another.
Such as:
#
vlan 100
description R1
protocol-vlan 0 mode ethernetii etype 0806
protocol-vlan 4 ipv4
#
vlan 101
description 01_CUSTOMER
protocol-vlan 6 ipv6
#
...
#
vlan 148
description 48_CUSTOMER
protocol-vlan 6 ipv6
#
#
interface GigabitEthernet1/0/1
description 01_CUSTOMER
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 101 untagged
port hybrid protocol-vlan vlan 100 0
port hybrid protocol-vlan vlan 100 4
port hybrid protocol-vlan vlan 101 6
port-isolate enable
#
However the above means that PVID is still set to VLAN 1 according to "display interface GigabitEthernet 1/0/1":
PVID: 1
Mdi type: auto
Port link-type: hybrid
Tagged VLAN ID : none
Untagged VLAN ID : 100-101
As I understand it, the use of Protocol-VLAN goes something like this (according to <URL removed in order to be able to post this message>; I'm having a hard time locating a reference from HP/H3C on how this actually works):
"
* If the packet matches the protocol template, and the In port of the packet is allocated to the VLAN of the corresponding VLAN ID, the packet is allocated to VLAN ID corresponding to the port configuration protocol template.
* If the packets have no matched protocol template, the packets are divided to the default VLAN ID of the port.
"
My interpretation of this (if this is correct) is that sure IPv4/ARP goes into VLAN 100 and IPv6 goes into VLAN 101. But if some other ethertype shows up that goes into VLAN 1... which sounds bad because this would mean that for example two IPX clients connected to two physical interfaces of this switch would be able to bypass the security model.
So how to secure a Protocol-VLAN configuration as above so that if the ethertype doesn't match IPv4/ARP/IPv6 then the packet arriving from the client should be dropped?
06-11-2014 10:39 AM
Looks like assigning a PVID to an unconfigured vlan is possible which seems to be the best option in this case.
That is adding this to gi 1/0/1 on SW1:
port hybrid pvid vlan 3101
and so on.
The PVID will match the ACL number and hey presto, easy to audit :-)
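Added example, not from the thread: a small Python model of the two classification rules quoted in the question, used to audit where a non-matching ethertype (IPX here) ends up under the original PVID 1 versus the accepted fix of an unconfigured PVID. Port names, the extra factory-default port and the forwarding assumption (a frame is only forwarded if its VLAN exists on the switch and the egress port carries it; port isolation is ignored) are assumptions of this model, not Comware documentation.

```python
# Added example, not from the thread: toy model of the two quoted
# classification rules, used to audit where non-matching ethertypes end up.
from dataclasses import dataclass

ETYPE_ARP, ETYPE_IPV4, ETYPE_IPV6, ETYPE_IPX = 0x0806, 0x0800, 0x86DD, 0x8137

@dataclass
class HybridPort:
    name: str
    pvid: int                 # "port hybrid pvid vlan N" (1 if never set)
    untagged: frozenset       # "port hybrid vlan ... untagged"
    protocol_vlan: dict       # ethertype -> VLAN, from "port hybrid protocol-vlan"

def classify(port, ethertype):
    """Quoted rule 1: template match and port is in that VLAN -> that VLAN.
    Quoted rule 2: no match -> the port's PVID."""
    vlan = port.protocol_vlan.get(ethertype)
    if vlan is not None and vlan in port.untagged:
        return vlan
    return port.pvid

def reachable_ports(ports, configured_vlans, src, ethertype):
    """Model assumption: a frame is forwarded only if the VLAN it was placed
    in exists on the switch and the egress port carries it untagged."""
    vlan = classify(src, ethertype)
    if vlan not in configured_vlans:
        return []                       # unconfigured VLAN: frame is dropped
    return [p.name for p in ports if p is not src and vlan in p.untagged]

def customer_port(name, ipv6_vlan, pvid=1):
    # Mirrors the thread's port config: ARP/IPv4 -> VLAN 100, IPv6 -> per-customer VLAN
    return HybridPort(name, pvid, frozenset({100, ipv6_vlan}),
                      {ETYPE_ARP: 100, ETYPE_IPV4: 100, ETYPE_IPV6: ipv6_vlan})

# Constructed sample: two customer ports as in the thread plus one port
# left at factory defaults, which still carries VLAN 1 untagged (assumption).
VLANS = {1, 100, 101, 102}
DEFAULT_PORT = HybridPort("GigabitEthernet1/0/48", 1, frozenset({1}), {})

def audit(pvid):
    p1 = customer_port("GigabitEthernet1/0/1", 101, pvid)
    p2 = customer_port("GigabitEthernet1/0/2", 102, pvid)
    ports = [p1, p2, DEFAULT_PORT]
    return {"ipv6_vlan": classify(p1, ETYPE_IPV6),
            "ipx_reaches": reachable_ports(ports, VLANS, p1, ETYPE_IPX)}

if __name__ == "__main__":
    print("PVID 1   :", audit(1))     # IPX falls into VLAN 1 and reaches the default port
    print("PVID 3101:", audit(3101))  # unconfigured PVID: IPX is dropped
```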