The PVLAN concept was introduced in FWSM from the 3.x code version onward. To integrate PVLANs with the FWSM, the switch code must be above version 12.2.18SXFx, where x denotes the release number. Only the primary VLAN of the PVLAN needs to be configured on the FWSM; no other special VLAN configuration is needed for PVLANs at the FWSM. PVLANs achieve Layer 2 segregation, which can be used in smaller DMZ designs where servers in the DMZ within a single subnet need isolation from one another. This helps to avoid major attacks within the DMZ security domain. Other virtualization techniques, such as Layer 3 VPN with MPLS labels or Multi-VRF, can also be used for Layer 3 segregation; both of these require a Layer 3 device.
In routed mode, the FWSM can act as the gateway between hosts on the PVLAN and the outside world. It protects the entire PVLAN from attacks initiated from the outside, and it stops malicious traffic originating from hosts on the internal PVLAN.
The PVLAN concept facilitates pseudo security zones in a transparent firewall. The term pseudo is used because these zones do not communicate with each other, but only with the inside interface, which is in promiscuous mode. Each VLAN defined in the PVLAN represents a pseudo security zone.
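As an added example (not from the original text), the following Catalyst 6500 IOS and FWSM 3.x routed-mode configuration shows the split described above: the isolated and community secondary VLANs exist only on the switch, and only the primary VLAN is mapped into the FWSM as the DMZ interface. The VLAN numbers, module slot, access port, and IP addressing are assumed values.

```cisco
! ---- Catalyst 6500 supervisor (Native IOS) ----
! Primary VLAN 100 with one isolated (101) and one community (102) secondary VLAN.
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Hand ONLY the primary VLAN to the FWSM in slot 3 (assumed slot).
! The secondary VLANs are never given to the module, so Layer 2
! isolation between DMZ servers is enforced by the switch.
firewall vlan-group 10 100
firewall module 3 vlan-group 10
!
! Example DMZ server port in the isolated VLAN (assumed port).
interface GigabitEthernet1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Verification: show vlan private-vlan
!
! ---- FWSM 3.x, routed mode ----
! The FWSM sees the primary VLAN as a normal routed interface and
! acts as the default gateway for every host in the PVLAN.
interface Vlan100
 nameif dmz
 security-level 50
 ip address 10.1.100.1 255.255.255.0
```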