Rarely do hosts in a DMZ network need to communicate with each other. However, in order to properly secure hosts from each other, there needs to be some degree of isolation. Consider this: There are multiple http servers sitting behind a firewall in a DMZ network. If the firewall was penetrated and access was obtained to an ftp server in the same DMZ network, the potential would be there to hack any other machine in the DMZ from the compromised server. Because of this potential, a form of isolation has to be introduced to prevent this exposure.
This isolation can be accomplished through the use of private vlans. For this example, let's assume that no host needs to communicate with another host in the DMZ network. The only common communication needed by every host is access to the network gateway, which in this case is a firewall interface.
The solution is to implement private vlans. Two vlans are required: one serves as the primary vlan and the other as the isolated vlan. They are defined in the following manner:
switch#config t
switch(config)#vlan 100
switch(config-vlan)#name Isolated_SysBackup
switch(config-vlan)#private-vlan isolated
switch(config-vlan)#vlan 101
switch(config-vlan)#name Primary_for_isolated_SysBackup
switch(config-vlan)#private-vlan primary
switch(config-vlan)#private-vlan association 100
The two previous vlans are needed for this basic private vlan implementation. One vlan is the primary vlan (101); its purpose is to carry traffic from promiscuous ports to isolated, community, and other promiscuous ports. The other vlan (100) carries traffic from isolated ports to promiscuous ports. To simplify: vlan 101 carries traffic from the firewall interface to the DMZ host it is communicating with, and vlan 100 carries traffic from the DMZ host back to the firewall interface. Think of vlan 101 carrying traffic in one direction and vlan 100 carrying traffic in the other direction.
The firewall interface serving as the default gateway for all hosts in the dmz would be configured on the connected switchport with the following:
Switch#config t
Switch(config)#interface gig1/0/48
Switch(config-if)#description bna-fw-01 DMZ
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 101 100
All the hosts that reside in the DMZ would have their switchports configured with the following:
switch#config t
switch(config)#interface GigabitEthernet1/0/1
switch(config-if)#description bna-dns-01 Primary
switch(config-if)#switchport private-vlan host-association 101 100
switch(config-if)#switchport mode private-vlan host
This effectively prevents any host from talking to another host in the DMZ, while every host in the DMZ can still communicate with the common firewall interface.
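A private vlan only isolates hosts when all three pieces (the vlan definitions, the host ports and the promiscuous port) agree with each other, and that is easy to get wrong on a switch with dozens of DMZ ports. The following audit script is an added example written for this post, not part of the original post or of Cisco's tooling. It parses a constructed running-config excerpt modelled on the configuration above (the two extra interfaces and their descriptions are invented for the example) and reports which host ports are actually isolated and which ports break the scheme.

```python
import re

# Constructed running-config excerpt modelled on the post's configuration.
# GigabitEthernet1/0/2 and 1/0/3 are deliberately misconfigured for the demo.
SAMPLE_CONFIG = """
vlan 100
 name Isolated_SysBackup
 private-vlan isolated
vlan 101
 name Primary_for_isolated_SysBackup
 private-vlan primary
 private-vlan association 100
!
interface GigabitEthernet1/0/1
 description bna-dns-01 Primary
 switchport private-vlan host-association 101 100
 switchport mode private-vlan host
!
interface GigabitEthernet1/0/2
 description dmz-web-02 (host mode but no host-association)
 switchport mode private-vlan host
!
interface GigabitEthernet1/0/3
 description dmz-web-03 (plain access port placed in the primary vlan)
 switchport access vlan 101
 switchport mode access
!
interface GigabitEthernet1/0/48
 description bna-fw-01 DMZ
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 101 100
!
"""


def parse_stanzas(text):
    """Split IOS-style config into (header, [indented child lines]) stanzas."""
    stanzas = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            stanzas.append((line.strip(), []))
        elif stanzas:
            stanzas[-1][1].append(line.strip())
    return stanzas


def parse_config(text):
    """Return (vlans, interfaces) dictionaries with the private-vlan relevant fields."""
    vlans, interfaces = {}, {}
    for header, lines in parse_stanzas(text):
        if header.startswith("vlan "):
            v = {"type": None, "assoc": set()}
            for ln in lines:
                if ln in ("private-vlan isolated", "private-vlan community", "private-vlan primary"):
                    v["type"] = ln.split()[1]
                elif ln.startswith("private-vlan association"):
                    v["assoc"] = {int(x) for x in re.findall(r"\d+", ln.split("association", 1)[1])}
            vlans[int(header.split()[1])] = v
        elif header.startswith("interface "):
            i = {"mode": None, "host_assoc": None, "mapping": None, "access": None}
            for ln in lines:
                if ln.startswith("switchport mode "):
                    i["mode"] = ln.split()[-1]          # host, promiscuous, access, trunk...
                elif ln.startswith("switchport private-vlan host-association"):
                    i["host_assoc"] = tuple(int(x) for x in ln.split()[-2:])
                elif ln.startswith("switchport private-vlan mapping"):
                    nums = [int(x) for x in re.findall(r"\d+", ln.split("mapping", 1)[1])]
                    i["mapping"] = (nums[0], set(nums[1:]))
                elif ln.startswith("switchport access vlan"):
                    i["access"] = int(ln.split()[-1])
            interfaces[header.split(None, 1)[1]] = i
    return vlans, interfaces


def audit(text):
    """Return {'isolated': [ports correctly in an isolated vlan], 'findings': [problems]}."""
    vlans, interfaces = parse_config(text)
    primaries = {v for v, d in vlans.items() if d["type"] == "primary"}
    pvlan_ids = {v for v, d in vlans.items() if d["type"]}
    isolated, findings = [], []
    for name, i in interfaces.items():
        if i["mode"] == "host":
            if i["host_assoc"] is None:
                findings.append(f"{name}: private-vlan host mode but no host-association; not placed in the isolated vlan")
                continue
            p, s = i["host_assoc"]
            if p not in primaries:
                findings.append(f"{name}: vlan {p} is not defined as a private-vlan primary")
            elif s not in vlans[p]["assoc"]:
                findings.append(f"{name}: secondary vlan {s} is not associated with primary vlan {p}")
            elif vlans.get(s, {}).get("type") != "isolated":
                findings.append(f"{name}: vlan {s} is not an isolated vlan, so hosts in it can reach each other")
            else:
                isolated.append(name)
        elif i["mode"] == "promiscuous":
            if i["mapping"] is None:
                findings.append(f"{name}: promiscuous port without a private-vlan mapping; hosts cannot reach the gateway")
            elif i["mapping"][0] not in primaries or i["mapping"][1] - vlans[i["mapping"][0]]["assoc"]:
                findings.append(f"{name}: mapping does not match the primary vlan's association list")
        elif i["access"] in pvlan_ids:
            findings.append(f"{name}: plain access port in private vlan {i['access']}; host isolation only applies to private-vlan host ports")
    return {"isolated": sorted(isolated), "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("isolated host ports:", report["isolated"])
    for f in report["findings"]:
        print("FINDING:", f)
```

Feed it the output of `show running-config` from each DMZ switch; any port in the DMZ that is neither in the isolated list nor the promiscuous gateway port deserves a second look.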
Alternative solution:
Many of the older switches do not support a full private vlan implementation. However, there is still a way to implement the same functionality using the limited private vlan implementation. The solution is to use protected ports, which is also referred to as private vlan edge ports.
Protected ports do not forward any traffic to protected ports on the same switch. This means that all traffic passing between protected ports—unicast, broadcast, and multicast—must be forwarded through a Layer 3 device. Protected ports can forward any type of traffic to nonprotected ports, and they forward as usual to all ports on other switches.
Only one vlan is required for this implementation, and it would already exist (the DMZ hosts would already be members of it). Assuming vlan 100 is the vlan defined on the switch, the ports connected to each DMZ host are configured as:
switch#config t
switch(config)#interface GigabitEthernet1/0/1
switch(config-if)#switchport access vlan 100
switch(config-if)#switchport protected
The firewall interface is configured in the standard manner:
switch#config t
switch(config)#interface GigabitEthernet1/0/48
switch(config-if)#switchport access vlan 100
The drawback to using protected ports is that if multiple switches make up your dmz network, hosts on one switch can communicate with hosts on another switch, even if both ports have switchport protected configured. This happens because the uplink port connecting the two switches is not a protected port. With this limitation in mind, there are some creative ways to protect hosts across multiple switches, but it will almost always involve combining technologies, such as adding vlan access lists at the distribution layer.
If you only have a few switches that make up your dmz environment and you're stuck with protected ports only, consider using an aggregate switch. Each of your dmz switches would be uplinked to the aggregate switch, and the switchport protected command would be configured on the aggregate switch side of the uplinks. The firewall interface would then plug into the aggregate switch (with no port protection configured). In this scenario, the aggregate/distribution switch is what prevents a host on one switch from talking to a host on the other.
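The cross-switch gap and the aggregate-switch fix both follow from one forwarding rule: a switch never forwards a frame that arrived on a protected port out of another protected port of the same switch, and nothing else is blocked. The model below, an added example written for this post rather than code from the original, applies exactly that rule to three small constructed topologies (switch names, port numbers and host names are invented) so you can see which host pairs can still reach each other at Layer 2: a single switch, two switches joined by a plain uplink (the drawback described above), and two switches hanging off an aggregate switch whose uplink ports are protected. A single vlan is assumed throughout.

```python
from collections import deque

# Topology format (constructed for this example):
#   hosts:     host name -> (switch, port) it is attached to
#   protected: set of (switch, port) that carry "switchport protected"
#   links:     inter-switch links as ((switch, port), (switch, port))


def _neighbour(links, endpoint):
    """Return the far end of the link attached to endpoint, or None for host ports."""
    for a, b in links:
        if endpoint == a:
            return b
        if endpoint == b:
            return a
    return None


def can_reach(topo, src, dst):
    """True if a frame from host src can be forwarded to host dst.
    Rule modelled: within one switch, a frame that entered on a protected port
    is never sent out another protected port; any other forwarding is allowed."""
    hosts, protected, links = topo["hosts"], topo["protected"], topo["links"]
    ports_by_switch = {}
    for sw, port in list(hosts.values()) + [end for link in links for end in link]:
        ports_by_switch.setdefault(sw, set()).add(port)
    start, target = hosts[src], hosts[dst]
    seen, queue = {start}, deque([start])
    while queue:                      # state = (switch, ingress port)
        sw, p_in = queue.popleft()
        for p_out in ports_by_switch[sw]:
            if p_out == p_in:
                continue
            if (sw, p_in) in protected and (sw, p_out) in protected:
                continue              # protected -> protected on one switch: dropped
            if (sw, p_out) == target:
                return True
            nxt = _neighbour(links, (sw, p_out))
            if nxt is not None and nxt not in seen:
                seen.add(nxt)         # frame leaves over an uplink, enters next switch
                queue.append(nxt)
    return False


def pairs_that_can_talk(topo):
    """Sorted list of unordered host pairs with Layer 2 reachability."""
    names = sorted(topo["hosts"])
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if can_reach(topo, a, b)]


def single_switch():
    return {"hosts": {"web1": ("sw1", "Gi1/0/1"), "web2": ("sw1", "Gi1/0/2"), "fw": ("sw1", "Gi1/0/48")},
            "protected": {("sw1", "Gi1/0/1"), ("sw1", "Gi1/0/2")},
            "links": []}


def two_switches_plain_uplink():
    # Host ports are protected on both switches, but the uplink is not.
    return {"hosts": {"web1": ("sw1", "Gi1/0/1"), "web2": ("sw2", "Gi1/0/1"), "fw": ("sw1", "Gi1/0/48")},
            "protected": {("sw1", "Gi1/0/1"), ("sw2", "Gi1/0/1")},
            "links": [(("sw1", "Gi1/0/24"), ("sw2", "Gi1/0/24"))]}


def aggregate_switch():
    # Uplinks terminate on protected ports of the aggregate switch; the firewall
    # hangs off an unprotected aggregate port.
    return {"hosts": {"web1": ("sw1", "Gi1/0/1"), "web2": ("sw2", "Gi1/0/1"), "fw": ("agg", "Gi1/0/48")},
            "protected": {("sw1", "Gi1/0/1"), ("sw2", "Gi1/0/1"), ("agg", "Gi1/0/1"), ("agg", "Gi1/0/2")},
            "links": [(("sw1", "Gi1/0/24"), ("agg", "Gi1/0/1")), (("sw2", "Gi1/0/24"), ("agg", "Gi1/0/2"))]}


if __name__ == "__main__":
    for label, topo in [("single switch", single_switch()),
                        ("two switches, plain uplink", two_switches_plain_uplink()),
                        ("aggregate switch", aggregate_switch())]:
        print(f"{label}: {pairs_that_can_talk(topo)}")
```

The second topology is the one to watch for: both host ports are protected, yet `web1` and `web2` can still talk because the frame crosses the uplink on unprotected ports. Only in the aggregate design do host-to-host pairs disappear while every host keeps its path to `fw`.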