Independent Submission S. HomChaudhuri
Request for Comments: 5517 M. Foschiano
Category: Informational Cisco Systems
ISSN: 2070-1721 February 2010
Independent Submission S. HomChaudhuri
Request for Comments: 5517 M. Foschiano
Category: Informational Cisco Systems
ISSN: 2070-1721 February 2010
Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment
Cisco Systems的专用VLAN:多客户端环境中的可扩展安全性
Abstract
摘要
This document describes a mechanism to achieve device isolation through the application of special Layer 2 forwarding constraints. Such a mechanism allows end devices to share the same IP subnet while being Layer 2 isolated, which in turn allows network designers to employ larger subnets and so reduce the address management overhead.
本文档描述了通过应用特殊的第2层转发约束实现设备隔离的机制。这种机制允许终端设备在第2层隔离的同时共享同一IP子网,从而允许网络设计者使用更大的子网,从而减少地址管理开销。
Some of the numerous deployment scenarios of the aforementioned mechanism (which range from data center designs to Ethernet-to-the-home-basement networks) are mentioned in the following text to exemplify the mechanism's possible usages; however, this document is not intended to cover all such deployment scenarios nor delve into their details.
下文中提到了上述机制的一些部署场景(从数据中心设计到以太网到家庭底层网络),以举例说明该机制的可能用途;但是,本文档不打算涵盖所有此类部署场景,也不打算深入研究它们的细节。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
这是对RFC系列的贡献,独立于任何其他RFC流。RFC编辑器已选择自行发布此文档,并且未声明其对实现或部署的价值。RFC编辑批准发布的文件不适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5517.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc5517.
Copyright Notice
版权公告
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2010 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。
Table of Contents
目录
1. Introduction ....................................................2
1.1. Security Concerns with Sharing a VLAN ......................3
1.2. The Traditional Solution and Its Related Problems ..........3
2. Private VLANs Architecture ......................................4
2.1. VLAN Pairings and Their Port-Related Characteristics .......7
3. Extending Private VLANs across Switches .........................9
4. A More Flexible IP Addressing Scheme ............................9
5. Routing Considerations .........................................10
6. Security Considerations ........................................10
7. Acknowledgements ...............................................11
8. References .....................................................11
8.1. Normative References ......................................11
8.2. Informative References ....................................11
1. Introduction ....................................................2
1.1. Security Concerns with Sharing a VLAN ......................3
1.2. The Traditional Solution and Its Related Problems ..........3
2. Private VLANs Architecture ......................................4
2.1. VLAN Pairings and Their Port-Related Characteristics .......7
3. Extending Private VLANs across Switches .........................9
4. A More Flexible IP Addressing Scheme ............................9
5. Routing Considerations .........................................10
6. Security Considerations ........................................10
7. Acknowledgements ...............................................11
8. References .....................................................11
8.1. Normative References ......................................11
8.2. Informative References ....................................11
In an Ethernet switch, a VLAN is a broadcast domain in which hosts can establish direct communication with one another at Layer 2. If untrusted devices are introduced into a VLAN, security issues may arise because trusted and untrusted devices end up sharing the same broadcast domain.
在以太网交换机中,VLAN是一个广播域,在该域中,主机可以在第2层彼此建立直接通信。如果将不受信任的设备引入VLAN,则可能会出现安全问题,因为受信任和不受信任的设备最终共享同一广播域。
The traditional solution to this kind of problem is to assign a separate VLAN to each user concerned about Layer 2 security issues. However, the IEEE 802.1Q standard [802.1Q] specifies that the VLAN ID field in an Ethernet frame is 12 bits wide. That allows for a theoretical maximum of 4094 VLANs in an Ethernet network (VLAN numbers 0 and 4095 are reserved). If the network administrator assigns one VLAN per user, then that equates to a maximum of 4094 users that can be supported. The private VLANs technology described in this memo addresses this scalability problem by offering more granular and more flexible Layer 2 segregation, as explained in the following sections.
这种问题的传统解决方案是为每个关心第2层安全问题的用户分配一个单独的VLAN。然而,IEEE 802.1Q标准[802.1Q]规定以太网帧中的VLAN ID字段为12位宽。这允许以太网中理论上最大4094个VLAN(保留VLAN编号0和4095)。如果网络管理员为每个用户分配一个VLAN,则相当于最多可支持4094个用户。本备忘录中描述的专用VLAN技术通过提供更细粒度和更灵活的第2层隔离解决了这一可伸缩性问题,如下部分所述。
Companies who have Internet presence can either host their servers in their own premises or, alternatively, they can locate their servers at the Internet Service Provider's premises. A typical ISP would have a server farm that offers web-hosting functionality for a number of customers. Co-locating the servers in a server farm offers ease of management but, at the same time, may raise security concerns.
拥有互联网存在的公司可以在自己的场所中托管其服务器,也可以在互联网服务提供商的场所中定位其服务器。典型的ISP会有一个服务器场,为许多客户提供web托管功能。将服务器放在服务器场中可以简化管理,但同时可能会引起安全问题。
Let us assume that the ISP puts all the servers in one big VLAN. Servers residing in the same VLAN can listen to Layer 2 broadcasts from other servers. Once a server learns the Media Access Control (MAC) address associated to the IP address of another computer in the same VLAN, it can establish direct Layer 2 communication with that device without having to go through a Layer 3 gateway/firewall. If, for example, an attacker gets access to one of the servers, he or she can use that compromised host to launch an attack on other servers in the server farm. To protect themselves from malicious attacks, ISP customers want their machines to be isolated from other machines in the same server farm.
让我们假设ISP将所有服务器放在一个大VLAN中。驻留在同一VLAN中的服务器可以侦听来自其他服务器的第2层广播。一旦服务器了解到与同一VLAN中另一台计算机的IP地址相关联的媒体访问控制(MAC)地址,它就可以与该设备建立直接的第2层通信,而无需通过第3层网关/防火墙。例如,如果攻击者访问其中一台服务器,他或她可以使用该受损主机对服务器场中的其他服务器发起攻击。为了保护自己免受恶意攻击,ISP客户希望他们的机器与同一服务器场中的其他机器隔离。
The security concerns become even more apparent in metropolitan area networks. Metropolitan Service Providers may want to provide Layer 2 Ethernet access to homes, rental communities, businesses, etc. In this scenario, the subscriber next door could very well be a malicious network user.
在城域网中,安全问题变得更加明显。大都市服务提供商可能希望为家庭、租赁社区、企业等提供第2层以太网接入。在这种情况下,隔壁的订户很可能是恶意网络用户。
It is therefore very important to offer Layer 2 traffic isolation among customers. Customer A would not want his Layer 2 frames being broadcast to customer B, who happens to be in the same VLAN. Also, customer A would not want customer B to bypass a router or a firewall and establish direct Layer 2 communication with him/her.
因此,在客户之间提供第2层流量隔离非常重要。客户A不希望将其第2层帧广播给客户B,因为客户B恰好位于同一个VLAN中。此外,客户A不希望客户B绕过路由器或防火墙,与他/她建立直接的第2层通信。
The traditional solution would be to assign a separate VLAN to each customer. That way, each user would be assured of Layer 2 isolation from devices belonging to other users.
传统的解决方案是为每个客户分配一个单独的VLAN。这样,每个用户都可以确保第2层与属于其他用户的设备隔离。
However, with the VLAN-per-customer model, if an ISP wanted to offer web-hosting services to, say, 4000 customers, it would consume 4000 VLANs. Theoretically, the maximum number of VLANs that an 802.1Q-compliant networking device can support is 4094. In reality, many devices support a much smaller number of active VLANs. Even if all devices supported all 4094 VLANs, there would still be a scalability problem when the 4095th customer signed up.
然而,对于每个客户的VLAN模型,如果ISP想为(比如)4000个客户提供web托管服务,它将消耗4000个VLAN。理论上,符合802.1Q标准的网络设备可以支持的最大VLAN数量是4094。实际上,许多设备支持的活动VLAN数量要少得多。即使所有设备都支持所有4094个VLAN,当第4095个客户注册时,仍然会存在可伸缩性问题。
A second problem with assigning a separate VLAN per customer is management of IP addresses. Since each VLAN requires a separate subnet, there can be potential wastage of IP addresses in each subnet. This issue has been described by RFC 3069 [RFC3069] and will not be discussed in detail in this document.
为每个客户分配单独VLAN的第二个问题是IP地址的管理。由于每个VLAN都需要一个单独的子网,因此每个子网中可能存在IP地址的潜在浪费。RFC 3069[RFC3069]已对该问题进行了描述,本文件将不再详细讨论。
The private VLANs architecture is similar to but more elaborate than the aggregated VLAN model proposed in RFC 3069. The concepts of 'super VLAN' and 'sub VLAN' used in that RFC are functionally similar to the concepts of 'primary VLAN' and 'secondary VLAN' used in this document.
专用VLAN体系结构与RFC 3069中提出的聚合VLAN模型相似,但更为复杂。该RFC中使用的“超级VLAN”和“子VLAN”的概念在功能上与本文档中使用的“主VLAN”和“辅助VLAN”的概念类似。
On the other hand, the private VLANs technology differs from the mechanism described in [RFC4562] because instead of using a MAC-address-based 'forced forwarding' scheme it uses a VLAN-based one.
另一方面,专用VLAN技术与[RFC4562]中描述的机制不同,因为它使用基于VLAN的方案,而不是使用基于MAC地址的“强制转发”方案。
A regular VLAN is a single broadcast domain. The private VLANs technology partitions a larger VLAN broadcast domain into smaller sub-domains. So far, two kinds of special sub-domains specific to the private VLANs technology have been defined: an 'isolated' sub-domain and a 'community' sub-domain. Each sub-domain is defined by assigning a proper designation to a group of switch ports.
常规VLAN是单个广播域。专用VLAN技术将较大的VLAN广播域划分为较小的子域。到目前为止,已经定义了专用VLAN技术特有的两种特殊子域:“隔离”子域和“社区”子域。通过为一组交换机端口分配适当的名称来定义每个子域。
Within a private VLAN domain, three separate port designations exist. Each port designation has its own unique set of rules, which regulate a connected endpoint's ability to communicate with other connected endpoints within the same private VLAN domain. The three port designations are promiscuous, isolated, and community.
在专用VLAN域中,存在三个单独的端口指定。每个端口指定都有自己独特的一组规则,这些规则控制连接的端点与同一专用VLAN域内其他连接的端点通信的能力。这三个港口的名称是混乱的、孤立的和社区的。
An endpoint connected to a promiscuous port has the ability to communicate with any endpoint within the private VLAN. Multiple promiscuous ports may be defined within a single private VLAN domain. In most networks, Layer 3 default gateways or network management stations are commonly connected to promiscuous ports.
连接到混杂端口的端点能够与专用VLAN内的任何端点通信。可以在单个专用VLAN域中定义多个混杂端口。在大多数网络中,第3层默认网关或网络管理站通常连接到混杂端口。
Isolated ports are typically used for those endpoints that only require access to a limited number of outgoing interfaces on a private-VLAN-enabled device. An endpoint connected to an isolated port will only possess the ability to communicate with those endpoints connected to promiscuous ports. Endpoints connected to adjacent isolated ports cannot communicate with one another. For example, within a web-hosting environment, isolated ports can be used to connect hosts that require access only to default gateways.
隔离端口通常用于那些只需要访问启用VLAN的专用设备上数量有限的传出接口的端点。连接到隔离端口的端点只能与连接到混杂端口的端点通信。连接到相邻隔离端口的端点无法相互通信。例如,在web托管环境中,可以使用隔离端口连接只需要访问默认网关的主机。
A community port is a port that is part of a private VLAN community, which is a grouping of ports connected to devices belonging to the
社区端口是专用VLAN社区的一部分,是连接到属于该社区的设备的端口分组
same entity (for example, a group of hosts of the same ISP customer or a pool of servers in a data center). Within a community, endpoints can communicate with one another and can also communicate with any configured promiscuous port. Endpoints belonging to one community cannot instead communicate with endpoints belonging to a different community or with endpoints connected to isolated ports.
同一实体(例如,同一ISP客户的一组主机或数据中心中的一组服务器)。在社区中,端点可以彼此通信,也可以与任何配置的混杂端口通信。属于一个社区的终结点不能与属于不同社区的终结点通信,也不能与连接到隔离端口的终结点通信。
The aforementioned three port designations directly correspond to three different VLAN types (primary, isolated, and community) with well-defined, port-related characteristics, which are described in detail in Section 2.1 below.
上述三个端口名称直接对应于三种不同的VLAN类型(主要、隔离和社区),具有定义良好的端口相关特性,详见下文第2.1节。
Figure 1 below illustrates the private VLAN model from a switch port classification perspective.
下面的图1从交换机端口分类的角度说明了专用VLAN模型。
-----------
| R |
-----------
|
|
|
----------------------------------------
| p1 |
| |
=====| t1 |
| switch |
| |
| |
|i1 i2 c1 c2 |
----------------------------------------
| | | |
| | | |
| | | |
A B C D
-----------
| R |
-----------
|
|
|
----------------------------------------
| p1 |
| |
=====| t1 |
| switch |
| |
| |
|i1 i2 c1 c2 |
----------------------------------------
| | | |
| | | |
| | | |
A B C D
A, B - Isolated devices C, D - Community devices R - Router (or other L4-L7 device) i1, i2 - Isolated switch ports c1, c2 - Community switch ports p1 - Promiscuous switch port t1 - Inter-switch link port (a VLAN-aware port)
A、 B-隔离设备C、D-社区设备R-路由器(或其他L4-L7设备)i1、i2-隔离交换机端口c1、c2-社区交换机端口p1-混杂交换机端口t1-交换机间链路端口(VLAN感知端口)
Figure 1. Private VLAN classification of switch ports
图1。交换机端口的专用VLAN分类
With reference to Figure 1, each of the port types is described below.
参考图1,下面描述了每种端口类型。
Isolated ports: An isolated port, e.g., i1 or i2, cannot talk to any other port in the private VLAN domain except for promiscuous ports (e.g., p1). If a customer device needs to have access only to a gateway router, then it should be attached to an isolated port.
隔离端口:隔离端口(如i1或i2)不能与专用VLAN域中的任何其他端口通信,混杂端口(如p1)除外。如果客户设备只需要访问网关路由器,则应将其连接到隔离端口。
Community ports: A community port, e.g., c1 or c2, is part of a group of ports. The ports within a community can have Layer 2 communications with one another and can also talk to any promiscuous port. If an ISP customer has, say, 2 devices that he/she wants to be isolated from other customers' devices but to be able to communicate among themselves, then community ports should be used.
社区端口:社区端口(例如c1或c2)是一组端口的一部分。社区内的端口可以彼此进行第2层通信,也可以与任何混乱的端口进行通信。例如,如果一个ISP客户有两台设备,他/她希望与其他客户的设备隔离,但能够在它们之间进行通信,那么应该使用社区端口。
Promiscuous ports: As the name suggests, a promiscuous port (p1) can talk to all other types of ports. A promiscuous port can talk to isolated ports as well as community ports and vice versa. Layer 3 gateways, DHCP servers, and other 'trusted' devices that need to communicate with the customer endpoints are typically connected via promiscuous ports.
混杂端口:顾名思义,混杂端口(p1)可以与所有其他类型的端口通信。混杂端口可以与孤立端口以及社区端口通信,反之亦然。第3层网关、DHCP服务器和其他需要与客户端点通信的“受信任”设备通常通过混杂端口连接。
Please note that isolated, community, and promiscuous ports can either be access ports or hybrid/trunk ports (according to the terminology presented in Annex D of the IEEE 802.1Q specification, up to its 2004 revision).
请注意,隔离、社区和混杂端口可以是接入端口,也可以是混合/中继端口(根据IEEE 802.1Q规范附录D中的术语,直到其2004年修订版)。
The table below summarizes the communication privileges between the different private VLAN port types.
下表总结了不同专用VLAN端口类型之间的通信权限。
---------------------------------------------------------------
| | isolat-| promis-| commu-| commu-| interswitch |
| | ted | cuous | nity1 | nity2 | link port |
---------------------------------------------------------------
| isolated | deny | permit | deny | deny | permit |
---------------------------------------------------------------
| promiscuous | permit | permit | permit| permit| permit |
---------------------------------------------------------------
| community1 | deny | permit | permit| deny | permit |
---------------------------------------------------------------
| community2 | deny | permit | deny | permit| permit |
---------------------------------------------------------------
| interswitch | | | | | |
| link port | deny(*)| permit | permit| permit| permit |
---------------------------------------------------------------
---------------------------------------------------------------
| | isolat-| promis-| commu-| commu-| interswitch |
| | ted | cuous | nity1 | nity2 | link port |
---------------------------------------------------------------
| isolated | deny | permit | deny | deny | permit |
---------------------------------------------------------------
| promiscuous | permit | permit | permit| permit| permit |
---------------------------------------------------------------
| community1 | deny | permit | permit| deny | permit |
---------------------------------------------------------------
| community2 | deny | permit | deny | permit| permit |
---------------------------------------------------------------
| interswitch | | | | | |
| link port | deny(*)| permit | permit| permit| permit |
---------------------------------------------------------------
Table 1
表1
(*) Please note that this asymmetric behavior is for traffic traversing inter-switch link ports over an isolated VLAN only.
(*)请注意,这种不对称行为仅适用于通过隔离VLAN的交换机间链路端口的流量。
Traffic from an inter-switch link port to an isolated port will be denied if it is in the isolated VLAN. Traffic from an inter-switch link port to an isolated port will be permitted if it is in the primary VLAN (see below for the different VLAN characteristics).
从交换机间链路端口到隔离端口的流量如果在隔离VLAN中,将被拒绝。如果在主VLAN中,则允许从交换机间链路端口到隔离端口的通信量(请参阅下文了解不同的VLAN特征)。
N.B.: An inter-switch link port is simply a regular port that connects two switches (and that happens to carry two or more VLANs).
注意:交换机间链路端口只是连接两个交换机的常规端口(碰巧承载两个或多个VLAN)。
In practice, the Layer 2 communication constraints described in the table above can be enforced by creating sub-domains within the same VLAN domain. However, a sub-domain within a VLAN domain cannot be easily implemented with only one VLAN ID. Instead, a mechanism of pairing VLAN IDs can be used to achieve this notion. Specifically, sub-domains can be represented by pairs of VLAN numbers:
实际上,可以通过在同一VLAN域内创建子域来实施上表中描述的第2层通信约束。然而,VLAN域中的子域不能仅用一个VLAN ID轻松实现。相反,可以使用VLAN ID配对机制来实现这一概念。具体而言,子域可以由成对的VLAN编号表示:
<Vp,Vs> Vp is the primary VLAN ID ------
Vs is the secondary VLAN ID | Vp |
------
where Vs can be: / \
- Vi (an isolated VLAN) / \
- Vc (a community VLAN) / \
------ ------
| Vi | | Vc |
------ ------
<Vp,Vi> <Vp,Vc>
<Vp,Vs> Vp is the primary VLAN ID ------
Vs is the secondary VLAN ID | Vp |
------
where Vs can be: / \
- Vi (an isolated VLAN) / \
- Vc (a community VLAN) / \
------ ------
| Vi | | Vc |
------ ------
<Vp,Vi> <Vp,Vc>
Figure 2. A private VLAN domain can be implemented with one or more VLAN ID pairs.
图2。专用VLAN域可以使用一个或多个VLAN ID对实现。
A private VLAN domain is built with at least one pair of VLAN IDs: one (and only one) primary VLAN ID (Vp) plus one or more secondary VLAN IDs (Vs). Secondary VLANs can be of two types: isolated VLANs (Vi) or community VLANs (Vc).
专用VLAN域至少由一对VLAN ID构建:一个(且仅一个)主VLAN ID(Vp)加上一个或多个辅助VLAN ID(Vs)。辅助VLAN可以有两种类型:隔离VLAN(Vi)或社区VLAN(Vc)。
A primary VLAN is the unique and common VLAN identifier of the whole private VLAN domain and of all its VLAN ID pairs.
主VLAN是整个专用VLAN域及其所有VLAN ID对的唯一和通用VLAN标识符。
An isolated VLAN is a secondary VLAN whose distinctive characteristic is that all hosts connected to its ports are isolated at Layer 2. Therefore, its primary quality is that it allows a design based on private VLANs to use a total of only two VLAN identifiers (i.e., a single private VLAN pairing) to provide port isolation and serve any number of end users (vs. a traditional design in which one separate plain VLAN ID would be assigned to each port).
隔离VLAN是一个辅助VLAN,其显著特征是连接到其端口的所有主机都在第2层隔离。因此,其主要质量是,它允许基于专用VLAN的设计仅使用两个VLAN标识符(即,单个专用VLAN配对)来提供端口隔离并服务于任意数量的最终用户(与传统设计相比,传统设计中每个端口分配一个单独的普通VLAN ID)。
A community VLAN is a secondary VLAN that is associated to a group of ports that connect to a certain "community" of end devices with mutual trust relationships.
社区VLAN是与一组端口关联的辅助VLAN,这些端口连接到具有相互信任关系的特定“社区”终端设备。
While only one isolated VLAN is allowed in a private VLAN domain, there can be multiple distinct community VLANs.
虽然在专用VLAN域中只允许一个独立VLAN,但可以有多个不同的社区VLAN。
Please note that this VLAN pairing scheme simply requires that all traffic transported within primary and secondary VLANs be tagged according to the IEEE 802.1Q standard (see for example [802.1Q], Section B.1.3), with at most a single standard VLAN tag. No special double-tagging is necessary due to the 1:1 correspondence between a secondary VLAN and its associated primary VLAN.
请注意,此VLAN配对方案仅要求根据IEEE 802.1Q标准(例如参见[802.1Q],第B.1.3节)标记主VLAN和辅助VLAN内传输的所有流量,最多使用一个标准VLAN标记。由于辅助VLAN与其关联的主VLAN之间存在1:1的对应关系,因此不需要特殊的双重标记。
(Also note that this document makes use of the "traditional" VLAN terminology, whereas the IEEE 802.1ag standard [802.1ag] amends key sections of IEEE 802.1Q-2005 to make the distinction between "VLANs" and "VLAN IDs" so that every "VLAN" can be assigned one or more VLAN IDs, similarly to the pairing scheme described in this document.)
(还请注意,本文件使用了“传统”VLAN术语,而IEEE 802.1ag标准[802.1ag]修订了IEEE 802.1Q-2005的关键章节,以区分“VLAN”和“VLAN ID”,从而可以为每个“VLAN”分配一个或多个VLAN ID,类似于本文件中描述的配对方案。)
The ports in a private VLAN domain derive their special characteristics (as described in Section 2) from the VLAN pairing(s) they are configured with. In particular, a promiscuous port is a port that can communicate with all other private VLAN port types via the primary VLAN and any associated secondary VLANs, whereas isolated or community ports can communicate over their respective secondary VLANs only.
专用VLAN域中的端口从其配置的VLAN对中获得其特殊特性(如第2节所述)。特别是,混杂端口是可以通过主VLAN和任何关联的辅助VLAN与所有其他专用VLAN端口类型进行通信的端口,而隔离端口或社区端口只能通过各自的辅助VLAN进行通信。
For example, with reference to Figure 1, a router R connected to the promiscuous port can have Layer 2 communication with a device A connected to an isolated port and also with a device C connected to a community port. Devices C and D can also have Layer 2 communication between themselves since they are part of the same community VLAN. However, devices A and B cannot communicate at Layer 2 due to the special port segregation property of the isolated VLAN. Also, devices A and C cannot communicate at Layer 2 since they belong to different secondary VLANs.
例如,参考图1,连接到混杂端口的路由器R可以与连接到隔离端口的设备a以及连接到社区端口的设备C进行第2层通信。设备C和D之间也可以有第2层通信,因为它们是同一个社区VLAN的一部分。但是,由于隔离VLAN的特殊端口隔离特性,设备A和B无法在第2层通信。此外,设备A和C不能在第2层通信,因为它们属于不同的辅助VLAN。
The impact of these enforced forwarding restrictions is two-fold. Firstly, service providers can assign multiple customers to the same isolated VLAN, thereby conserving VLAN IDs. Secondly, end users can be assured that their Layer 2 traffic cannot be sniffed by other end users sharing the same isolated VLAN or connected to a different secondary VLAN.
这些强制转发限制的影响是双重的。首先,服务提供商可以将多个客户分配给同一个隔离的VLAN,从而保护VLAN ID。其次,可以确保终端用户的第2层流量不会被共享同一隔离VLAN或连接到不同辅助VLAN的其他终端用户嗅探。
Some switch vendors have attempted to provide a port isolation feature within a VLAN by implementing special logic at the port level. However, when implemented at the port level, the isolation behavior is restricted to a single switch.
一些交换机供应商试图通过在端口级别实现特殊逻辑,在VLAN内提供端口隔离功能。但是,在端口级别实现时,隔离行为仅限于单个交换机。
When a VLAN spans multiple switches, there is no standard mechanism to propagate port-level isolation information to other switches and, consequently, the isolation behavior fails in other switches.
当VLAN跨越多个交换机时,没有标准机制将端口级隔离信息传播到其他交换机,因此,隔离行为在其他交换机中失败。
In this document, the proposal is to implement the port isolation information implicitly at the VLAN level. A particular VLAN ID can be configured to be the isolated VLAN. All switches in the network would give special "isolated VLAN" treatment to frames tagged with this particular VLAN ID. Thereby, the isolated VLAN behavior can be maintained consistently across all switches in a Layer 2 network.
在本文档中,建议在VLAN级别隐式实现端口隔离信息。可以将特定VLAN ID配置为隔离VLAN。网络中的所有交换机将对标记有此特定VLAN ID的帧进行特殊的“隔离VLAN”处理。因此,隔离VLAN行为可以在第2层网络中的所有交换机上保持一致。
In general, isolated, community, and primary VLANs can all span multiple switches, just like regular VLANs. Inter-switch link ports need not be aware of the special VLAN type and will carry frames tagged with these VLANs just like they do any other frames.
通常,隔离、社区和主VLAN都可以跨多个交换机,就像普通VLAN一样。交换机间链路端口不需要知道特殊的VLAN类型,并且将携带带有这些VLAN标记的帧,就像它们携带任何其他帧一样。
One of the objectives of the private VLANs architecture is to ensure that traffic from an isolated port in one switch does not reach another isolated or community port in a different switch even after traversing an inter-switch link. By implicitly embedding the isolation information at the VLAN level and by transporting it along with the packet, it is possible to maintain a consistent behavior throughout the network. Therefore, the mechanism discussed in Section 2, which will restrict Layer 2 communication between two isolated ports in the same switch, will also restrict Layer 2 communication between two isolated ports in two different switches.
专用VLAN体系结构的目标之一是确保即使在通过交换机间链路之后,来自一个交换机中的隔离端口的流量也不会到达另一个交换机中的隔离端口或社区端口。通过在VLAN级别隐式嵌入隔离信息并将其与数据包一起传输,可以在整个网络中保持一致的行为。因此,第2节中讨论的机制将限制同一交换机中两个隔离端口之间的第2层通信,也将限制两个不同交换机中两个隔离端口之间的第2层通信。
The common practice of deploying multiple VLANs in a network for security reasons and of allocating a subnet to each VLAN has led to a certain number of inefficiencies in network designs, such as the suboptimal utilization of the IP addressing space (as exemplified in the introduction of RFC 3069 [RFC3069]). Moreover, each subnet requires addresses to be set aside for internetworking purposes (a subnetwork address, a directed broadcast address, default gateway address(es), etc.). So a high number of used VLANs traditionally translates into a significant number of special addresses to be consumed.
出于安全原因在网络中部署多个VLAN以及为每个VLAN分配子网的常见做法导致了网络设计中一定数量的低效率,例如IP寻址空间的利用率不理想(如RFC 3069[RFC3069]的介绍所示)。此外,每个子网都需要留出用于互联目的的地址(子网地址、定向广播地址、默认网关地址等)。因此,大量使用的VLAN传统上会转化为大量要使用的特殊地址。
On the other hand, in a private VLAN domain, all members can share a common address space that is part of a single subnet associated to the primary VLAN. An end device can be assigned an IP address statically or by using a DHCP server connected to a promiscuous port. Since IP addresses are no longer allocated on a smaller subnet basis but are assigned from a larger address pool shared by all members in the private VLAN domain, address allocation becomes much more efficient: fewer addresses are consumed for internetworking purposes, while most of the address space is allotted to end devices, leaving ample flexibility in the way available addresses are (re-)assigned.
另一方面,在专用VLAN域中,所有成员都可以共享一个公共地址空间,该地址空间是与主VLAN关联的单个子网的一部分。可以静态地或通过使用连接到混杂端口的DHCP服务器为终端设备分配IP地址。由于IP地址不再在较小的子网上分配,而是从私有VLAN域中所有成员共享的较大地址池中分配,因此地址分配变得更加高效:用于网络互连的地址更少,而大部分地址空间分配给终端设备,在(重新)分配可用地址的方式上留有足够的灵活性。
The entire private VLANs architecture confines secondary VLANs within the 2nd layer of the OSI model. With reference to Figure 2, the secondary VLANs are internal to a private VLAN domain. Layer 3 entities are not directly aware of their existence: to them it appears as if all the end devices are part of the primary VLAN.
整个专用VLAN体系结构将辅助VLAN限制在OSI模型的第二层内。参考图2,辅助VLAN位于专用VLAN域的内部。第3层实体并不直接意识到它们的存在:对它们来说,似乎所有终端设备都是主VLAN的一部分。
With reference to Figure 1, the isolation behavior between devices A and B is at the Layer 2 level only. Devices A and B can still communicate at the Layer 3 level via the router R. Since A and B are part of the same subnet, the router assumes that they should be able to talk directly to each other. That however is prevented by the isolated VLAN's specific behavior. So, in order to enable A and B to communicate via the router, a proxy-ARP-like functionality needs to be supported on the router interface.
参考图1,设备A和B之间的隔离行为仅在第2层。设备A和B仍然可以通过路由器R在第3层进行通信。由于A和B是同一子网的一部分,路由器认为它们应该能够直接相互通信。但是,隔离VLAN的特定行为阻止了这一点。因此,为了使A和B能够通过路由器进行通信,需要在路由器接口上支持类似ARP的代理功能。
With regard to the specific version of the IP protocol in use, all routing considerations apply to both IPv4 and IPv6 for the case of unicast traffic. On the other hand, due to their complexity, considerations about multicast bridging and routing within a private VLAN domain transcend the scope of this introductory document, and are therefore omitted.
关于所使用的IP协议的特定版本,对于单播流量,所有路由考虑均适用于IPv4和IPv6。另一方面,由于其复杂性,关于专用VLAN域内的多播桥接和路由的考虑超出了本介绍性文档的范围,因此省略。
In a heterogeneous Layer 2 network that is built with switches from multiple vendors, the private VLAN feature should be supported and configured on all the switches. If a switch S in that network does not support this feature, then there may be undesired forwarding of packets, including permanent flooding of Layer 2 unicast frames. That is because switch S is not aware of the association between primary and secondary VLANs and consequently cannot apply the segregation rules and constraints characteristic of the private VLANs architecture (an example of one such constraint is explained in [802.1Q], Section B.1.3). This impact is limited to traffic within
在使用多个供应商的交换机构建的异构第2层网络中,所有交换机上都应支持和配置专用VLAN功能。如果该网络中的交换机不支持此功能,则可能存在不希望的分组转发,包括第2层单播帧的永久泛洪。这是因为交换机S不知道主VLAN和辅助VLAN之间的关联,因此无法应用专用VLAN体系结构的隔离规则和约束特性(在[802.1Q]第B.1.3节中解释了一个此类约束的示例)。这种影响仅限于内部交通
the private VLAN domain and will not affect the regular Layer 2 forwarding behavior on other VLANs.
专用VLAN域,不会影响其他VLAN上的常规第2层转发行为。
If the private VLAN feature is properly deployed, it can be used at Layer 2 to segregate individual users or groups of users from each other: this segregation allows a network designer to more effectively constrain Layer 2 forwarding so as to, for instance, block or contain unwanted inter-device communication like port scans or Address Resolution Protocol (ARP) poisoning attacks.
如果正确部署了专用VLAN功能,则可在第2层使用该功能将单个用户或用户组彼此隔离:这种隔离允许网络设计者更有效地约束第2层转发,例如,阻止或包含不必要的设备间通信,如端口扫描或地址解析协议(ARP)中毒攻击。
Many people have contributed to the private VLANs architecture. We would particularly like to thank, in alphabetical order, Senthil Arunachalam, Jason Chen, Tom Edsall, Michael Fine, Herman Hou, Kannan Kothandaraman, Milind Kulkarni, Heng-Hsin Liao, Tom Nosella, Prasanna Parthasarathy, Ramesh Santhanakrishnan, Mukundan Sudarsan, Charley Wen, and Zhong Xu for their significant contributions.
许多人对私有VLAN体系结构做出了贡献。我们特别要按照字母顺序感谢Senthil Arunachalam、Jason Chen、Tom Edsall、Michael Fine、Herman Hou、Kannan Kothandaraman、Milind Kulkarni、Heng Xin Liao、Tom Nosella、Prasanna Parthasarathy、Ramesh Santhanakrishnan、Mukundan Sudarsan、Charley Wen和钟旭,感谢他们做出的重大贡献。
[802.1Q] Institute of Electrical and Electronics Engineers, "Virtual Bridged Local Area Networks", IEEE Standard 802.1Q, 2005 Edition, May 2006.
[802.1Q]电气和电子工程师协会,“虚拟桥接局域网”,IEEE标准802.1Q,2005年版,2006年5月。
[802.1ag] Institute of Electrical and Electronics Engineers, "Connectivity Fault Management", IEEE Standard 802.1ag, 2007 Edition, December 2007.
[802.1ag]电气和电子工程师协会,“连接故障管理”,IEEE标准802.1ag,2007年版,2007年12月。
[RFC3069] McPherson, D. and B. Dykes, "VLAN Aggregation for Efficient IP Address Allocation", RFC 3069, February 2001.
[RFC3069]McPherson,D.和B.Dykes,“有效IP地址分配的VLAN聚合”,RFC 3069,2001年2月。
[RFC4562] Melsen, T. and S. Blake, "MAC-Forced Forwarding: A Method for Subscriber Separation on an Ethernet Access Network", RFC 4562, June 2006.
[RFC4562]Melsen,T.和S.Blake,“MAC强制转发:以太网接入网络上用户分离的方法”,RFC 45622,2006年6月。
Authors' Addresses
作者地址
Marco Foschiano Cisco Systems, Inc. Via Torri Bianche 7 Vimercate, MI, 20059, Italy EMail: foschia@cisco.com; mfoschiano@gmail.com
Marco Foschiano Cisco Systems,Inc.通过Torri Bianche 7 Vimercate,MI,20059,意大利电子邮件:foschia@cisco.com; mfoschiano@gmail.com
Sanjib HomChaudhuri EMail: sanjibhc@gmail.com
Sanjib HomChaudhuri电子邮件:sanjibhc@gmail.com