Comware Based

How to secure Protocol-VLAN: what to do with PVID?

Trusted Contributor

A common use for Protocol-VLAN is when you want IPv4/ARP to go into one VLAN and IPv6 into another.

Such as:

vlan 100
 description R1
 protocol-vlan 0 mode ethernetii etype 0806
 protocol-vlan 4 ipv4
vlan 101
 description 01_CUSTOMER
 protocol-vlan 6 ipv6
vlan 148
 description 48_CUSTOMER
 protocol-vlan 6 ipv6

interface GigabitEthernet1/0/1
 description 01_CUSTOMER
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 100 101 untagged
 port hybrid protocol-vlan vlan 100 0
 port hybrid protocol-vlan vlan 100 4
 port hybrid protocol-vlan vlan 101 6
 port-isolate enable

However, the above means that the PVID is still set to VLAN 1 according to "display interface GigabitEthernet 1/0/1":

Mdi type: auto
Port link-type: hybrid
 Tagged   VLAN ID : none
 Untagged VLAN ID : 100-101

As I understand it, the use of Protocol-VLAN goes something like this (according to <URL removed in order to be able to post this message>; I'm having a hard time locating a reference from HP/H3C on how this actually works):

* If the packet matches the protocol template, and the In port of the packet is allocated to the VLAN of the corresponding VLAN ID, the packet is allocated to VLAN ID corresponding to the port configuration protocol template.

* If the packets have no matched protocol template, the packets are divided to the default VLAN ID of the port.

My interpretation of this (if this is correct) is that sure IPv4/ARP goes into VLAN 100 and IPv6 goes into VLAN 101. But if some other ethertype shows up that goes into VLAN 1... which sounds bad because this would mean that for example two IPX clients connected to two physical interfaces of this switch would be able to bypass the security model.

So how do you secure a Protocol-VLAN configuration like the above so that if the ethertype doesn't match IPv4/ARP/IPv6, the packet arriving from the client is dropped?

Trusted Contributor

Re: How to secure Protocol-VLAN: what to do with PVID?

Looks like assigning a PVID to an unconfigured VLAN is possible, which seems to be the best option in this case.

That is adding this to gi 1/0/1 on SW1:

port hybrid pvid vlan 3101

and so on.

The PVID will match the ACL number and hey presto, easy to audit :-)
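The classification rules quoted in the question and the PVID change proposed in the reply, as an added model that is not part of this thread and not HPE/H3C code: a small Python simulation of untagged-frame ingress on the two customer ports. It encodes only the two quoted rules (protocol template match wins, otherwise the frame goes to the PVID) plus one assumption that the reply relies on, namely that a frame classified into a VLAN that was never created has no forwarding domain and is effectively dropped. The port's permitted-VLAN list and port-isolate are deliberately not modelled, and the port names, VLAN numbers and the choice of IPX as the "other" ethertype are taken from or constructed around the question's config.

```python
"""Toy model of protocol-VLAN classification on a Comware hybrid port.

Constructed for this thread; it is not HPE/H3C code and does not reproduce
any real switch internals. It encodes only the two rules quoted in the
question (template match -> template VLAN, otherwise -> PVID) plus one
stated assumption: a frame classified into a VLAN that does not exist on
the switch has no forwarding domain and is treated as dropped. The port's
permitted-VLAN list and port-isolate are deliberately not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# EtherType values (IEEE registry); IPX stands in for "some other ethertype".
ETYPE_IPV4 = 0x0800
ETYPE_ARP = 0x0806
ETYPE_IPV6 = 0x86DD
ETYPE_IPX = 0x8137


@dataclass
class HybridPort:
    name: str
    pvid: int
    # ethertype -> VLAN, i.e. the "port hybrid protocol-vlan vlan X N" bindings
    protocol_vlans: dict[int, int] = field(default_factory=dict)


@dataclass
class Switch:
    configured_vlans: set[int]      # VLANs created with "vlan N"
    ports: dict[str, HybridPort]

    def classify(self, port_name: str, ethertype: int) -> Optional[int]:
        """VLAN an untagged ingress frame lands in, or None if it is dropped."""
        port = self.ports[port_name]
        # Rule 1: protocol template match wins. Rule 2: everything else -> PVID.
        vlan = port.protocol_vlans.get(ethertype, port.pvid)
        # Assumption: a VLAN that was never created cannot forward the frame.
        return vlan if vlan in self.configured_vlans else None


def build_switch(pvid: int) -> Switch:
    """Two customer ports laid out like the question's config, with the given PVID.

    pvid=1 is the original state the question complains about; pvid=3101
    (a VLAN that is never created) is the reply's fix.
    """
    ipv4_arp = {ETYPE_ARP: 100, ETYPE_IPV4: 100}
    return Switch(
        configured_vlans={1, 100, 101, 148},
        ports={
            "GE1/0/1": HybridPort("GE1/0/1", pvid, {**ipv4_arp, ETYPE_IPV6: 101}),
            "GE1/0/48": HybridPort("GE1/0/48", pvid, {**ipv4_arp, ETYPE_IPV6: 148}),
        },
    )


def shared_vlan(sw: Switch, port_a: str, port_b: str, ethertype: int) -> Optional[int]:
    """VLAN in which frames of this EtherType from both ports would meet, or None."""
    a, b = sw.classify(port_a, ethertype), sw.classify(port_b, ethertype)
    return a if a is not None and a == b else None


if __name__ == "__main__":
    for label, pvid in (("PVID 1 (original)", 1), ("PVID 3101 (fix)", 3101)):
        sw = build_switch(pvid)
        print(label)
        for proto, et in (("IPv4", ETYPE_IPV4), ("IPv6", ETYPE_IPV6), ("IPX", ETYPE_IPX)):
            print(f"  {proto:4} GE1/0/1->{sw.classify('GE1/0/1', et)} "
                  f"GE1/0/48->{sw.classify('GE1/0/48', et)} "
                  f"shared={shared_vlan(sw, 'GE1/0/1', 'GE1/0/48', et)}")
```

With the PVID left at 1, an IPX frame from either customer port is classified into VLAN 1 and the two ports share that VLAN; with the PVID pointed at the never-created VLAN 3101, the same frame has nowhere to go while IPv4/ARP and IPv6 still land in their template VLANs. Running the module prints both tables side by side, which is a quick way to sanity-check a planned PVID change before touching the switch.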