Educause Security Discussion mailing list archives

Re: Private Vlans


From: Russ Leathe <Russ.Leathe () GORDON EDU>
Date: Fri, 29 Jul 2011 14:58:01 +0000

We set up a PVLAN for our VM server farm, assigned static IPs, and tagged the ports only in the DC. ACLs take care of the rest.



I hope this is helpful,



Russ

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Dennis Bohn [bohn () ADELPHI EDU]
Sent: Thursday, July 28, 2011 1:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Private Vlans

We are in a position to make a few changes on our network, and are kicking around the idea of private vlans on our server segments. Our thoughts so far are:

Advantages:
Prevent a compromised machine from nmapping the segment.
Make it harder (but not impossible) for the compromised machine to communicate with other machines on the segment.
The idea of servers being isolated, and only able to communicate with the gateway is attractive.

Disadvantages:
Time/energy to configure
Time/energy to maintain: no matter how much the server admin swears that server A will never ever ever need to communicate with Server B, .... that day will come! It seems like the permutations of necessary server-to-server communication could be prohibitive.

Has anyone tried this and are there any lessons learned that you would like to share?

TIA,
Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn () adelphi edu
5168773327
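Added example (not from either poster): the design both messages describe, as a Cisco Catalyst IOS configuration. Servers sit in an isolated secondary VLAN so they can only reach the promiscuous gateway at layer 2, and the ACL on the gateway SVI is where the "server A must talk to server B" permutations live, one line per permitted flow. Interface numbers, VLAN IDs and 10.10.100.0/24 addressing are constructed; it assumes the gateway is an SVI on the same switch.

```cisco
! Assumed platform: Catalyst IOS. With VTP v1/v2 the switch must be in
! transparent mode before private VLANs can be created.
vtp mode transparent
!
! Primary VLAN 100 carries the gateway; isolated VLAN 101 carries the servers.
! Isolated ports can talk only to promiscuous ports, never to each other.
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! Server ports (hypothetical numbering): host ports bound to the 100/101 pair.
interface range GigabitEthernet1/0/1 - 20
 description VM server farm (isolated host ports)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Gateway SVI. The mapping makes the SVI the promiscuous endpoint for VLAN 101.
! Local proxy ARP makes the gateway answer ARP on behalf of neighbours, so the
! few permitted server-to-server flows hairpin through the router and hit
! the inbound ACL; everything else between servers is dropped there.
interface Vlan100
 description server segment gateway (constructed addressing)
 ip address 10.10.100.1 255.255.255.0
 private-vlan mapping 101
 ip local-proxy-arp
 ip access-group SERVER-SEG in
!
! Intra-segment traffic is default-deny: each required flow is one line.
ip access-list extended SERVER-SEG
 remark srv-a (10.10.100.11) -> srv-b (10.10.100.12), database port only
 permit tcp host 10.10.100.11 host 10.10.100.12 eq 3306
 remark no other server-to-server traffic, so a compromised host cannot scan the segment
 deny ip 10.10.100.0 0.0.0.255 10.10.100.0 0.0.0.255
 remark traffic leaving the segment is allowed here (filter it elsewhere as needed)
 permit ip 10.10.100.0 0.0.0.255 any
```

Adding the "that day will come" flow later is a single `permit` line in SERVER-SEG rather than a re-cabling or VLAN change, which is what keeps the maintenance cost bounded.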
