12.VACL-Protected Port-Private VLAN

Uploaded by anhtuan29

Minimizing Service Loss and Data Theft in a Campus Network

VLAN Access-List
Types of ACLs
Configuring VACLs

Switch(config)#vlan access-map map_name [seq#]

• Defines a VLAN access map

Switch(config-access-map)#match {ip address {1-199 | 1300-2699 | acl_name} | ipx address {800-999 | acl_name} | mac address acl_name}

• Configures the match clause in a VLAN access map sequence

Switch(config-access-map)#action {drop [log] | forward [capture] | redirect {type slot/port | port-channel channel_id}}

• Configures the action clause in a VLAN access map sequence

Switch(config)#vlan filter map_name vlan-list list

• Applies the VLAN access map to the specified VLANs


Configuring VACL
• Create an access list.
• Configure an access map.
• Create a VLAN filter.
• Example: Drop all traffic from network 10.1.9.0/24 on VLANs 10 and 20, and drop all traffic to the backup server 0000.1111.4444

Switch(config)#access-list 1 permit 10.1.9.0 0.0.0.255
Switch(config)#mac access-list extended BACKUP_SERVER
Switch(config-ext-macl)#permit any host 0000.1111.4444
Switch(config-ext-macl)#exit
Switch(config)#vlan access-map EXAMPLE 10
Switch(config-access-map)#match ip address 1
Switch(config-access-map)#action drop
Switch(config-access-map)#vlan access-map EXAMPLE 20
Switch(config-access-map)#match mac address BACKUP_SERVER
Switch(config-access-map)#action drop
Switch(config-access-map)#vlan access-map EXAMPLE 30
Switch(config-access-map)#action forward
Switch(config-access-map)#exit
Switch(config)#vlan filter EXAMPLE vlan-list 10,20
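The following Python model is an added example and is not code from the slides or from Cisco. It encodes the EXAMPLE access map above (sequence 10 drops IP traffic sourced from 10.1.9.0/24, sequence 20 drops frames addressed to 0000.1111.4444, sequence 30 forwards everything else) and evaluates it against constructed sample frames, so that two points of the slides become visible: a VLAN access map ends in an implicit drop, which is why sequence 30 exists, and the `vlan filter` only touches the VLANs it is applied to. The `mac_acls_see_ip` switch is an assumption of mine about platform behaviour: on Catalyst 3560-class switches a MAC ACL in a VLAN map is consulted only for non-IP frames, so the default here models that and lets you compare both behaviours.

```python
"""Model of how a Cisco VLAN access map (VACL) is evaluated.

Added illustration, not code from the original slides. It encodes the
EXAMPLE access map from the text and applies it to constructed frames.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Frame:
    """Constructed sample frame with only the fields the VACL inspects."""
    vlan: int
    dst_mac: str
    src_ip: Optional[str] = None  # None models a non-IP frame


@dataclass(frozen=True)
class Sequence:
    """One 'vlan access-map NAME seq' entry; no match clause means match all."""
    seq: int
    action: str                     # "drop" or "forward"
    ip_acl: Optional[str] = None    # "permit <network> <wildcard>" (standard ACL)
    mac_acl: Optional[str] = None   # "permit any host <mac>" (extended MAC ACL)


def ip_acl_permits(acl: str, src_ip: str) -> bool:
    """Standard ACL test: wildcard bits set to 1 are don't-care bits."""
    _, network, wildcard = acl.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src_ip)) & care) == (
        int(ipaddress.IPv4Address(network)) & care
    )


def mac_acl_permits(acl: str, dst_mac: str) -> bool:
    """Extended MAC ACL test for the 'permit any host <mac>' form."""
    _, _, _, mac = acl.split()
    return mac.lower() == dst_mac.lower()


def sequence_matches(entry: Sequence, frame: Frame, mac_acls_see_ip: bool) -> bool:
    """Does this access-map sequence match the frame?"""
    if entry.ip_acl is None and entry.mac_acl is None:
        return True  # no match clause: the sequence matches every frame
    if entry.ip_acl is not None and frame.src_ip is not None:
        if ip_acl_permits(entry.ip_acl, frame.src_ip):
            return True
    if entry.mac_acl is not None:
        # Assumption (platform-dependent): a MAC ACL inside a VLAN map is only
        # consulted for non-IP frames, so an IP frame to the backup server is
        # NOT caught by sequence 20 unless mac_acls_see_ip is set.
        if frame.src_ip is None or mac_acls_see_ip:
            if mac_acl_permits(entry.mac_acl, frame.dst_mac):
                return True
    return False


def evaluate(access_map: List[Sequence], filtered_vlans: Set[int],
             frame: Frame, mac_acls_see_ip: bool = False) -> str:
    """Return 'forward' or 'drop' for one frame, as the switch would decide."""
    if frame.vlan not in filtered_vlans:
        return "forward"  # 'vlan filter' was not applied to this VLAN
    for entry in sorted(access_map, key=lambda e: e.seq):
        if sequence_matches(entry, frame, mac_acls_see_ip):
            return entry.action
    return "drop"  # nothing matched: a VLAN map ends with an implicit drop


# The EXAMPLE map and filter from the text.
EXAMPLE = [
    Sequence(10, "drop", ip_acl="permit 10.1.9.0 0.0.0.255"),
    Sequence(20, "drop", mac_acl="permit any host 0000.1111.4444"),
    Sequence(30, "forward"),
]
EXAMPLE_VLANS = {10, 20}

# Constructed sample frames (MAC 0000.aaaa.bbbb is a made-up destination).
SAMPLES = [
    Frame(10, "0000.aaaa.bbbb", "10.1.9.7"),   # from the blocked network
    Frame(20, "0000.aaaa.bbbb", "10.1.8.7"),   # ordinary traffic
    Frame(30, "0000.aaaa.bbbb", "10.1.9.7"),   # VLAN 30 is not filtered
    Frame(10, "0000.1111.4444"),               # non-IP frame to backup server
    Frame(10, "0000.1111.4444", "10.1.8.7"),   # IP frame to backup server
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(f, "->", evaluate(EXAMPLE, EXAMPLE_VLANS, f))
    # Without sequence 30 everything that seq 10/20 do not match is dropped.
    print("no seq 30:", evaluate(EXAMPLE[:2], EXAMPLE_VLANS, SAMPLES[1]))
```

Running the block shows why the map needs the trailing `action forward` sequence: remove it and the ordinary frame in VLAN 20 is dropped by the implicit deny. It also shows that, under the modelled platform behaviour, an IP packet to the backup server passes sequence 20 untouched, so a MAC-based VACL alone is not a reliable way to protect an IP host; an IP ACL on the destination address is the safer match.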
Minimizing Service Loss and Data Theft in a Campus Network

Private VLAN
Access Switch: Protected Port

• Protected ports can communicate only with unprotected ports
• Protected ports are useful for access switches

Switch(config-if)# [no] switchport protected

• Configures a protected or unprotected port
Configuring PVLANs

Switch(config-vlan)#private-vlan {primary | isolated | community}

• Configures a VLAN as a PVLAN

Switch(config-vlan)#private-vlan association {secondary_vlan_list | add svl | remove svl}

• Associates secondary VLANs with the primary VLAN

Switch#show vlan private-vlan type

• Verifies PVLAN configuration

Configuring PVLAN Ports

Switch(config-if)#switchport mode private-vlan {host | promiscuous}

• Configures an interface as a PVLAN port

Switch(config-if)#switchport private-vlan host-association primary_vlan_ID secondary_vlan_ID

• Associates an isolated or community port with a PVLAN

Switch(config-if)#switchport private-vlan mapping primary_vlan_ID {secondary_vlan_list | add svl | remove svl}

• Maps a promiscuous PVLAN port to a PVLAN

Switch#show interfaces private-vlan mapping

• Verifies PVLAN port configuration
About PVLANs

• A primary VLAN is divided into secondary VLANs
• These secondary VLANs are isolated or community VLANs
• Hosts on isolated VLANs can communicate only with promiscuous ports
• Hosts on community VLANs can also communicate within the same community
• PVLANs are not supported on Catalyst 2960 Switches

PVLAN Port Types

• Isolated: Communicates only with promiscuous ports
• Promiscuous: Communicates with all other ports
• Community: Communicates with other members of the community and with all promiscuous ports
Isolated PVLAN Configuration

• Set VTP transparent
• Create secondary VLANs
• Create a primary VLAN
• Associate the secondary and primary VLANs
• Configure the port as host or promiscuous
• Configure the private VLAN association on ports
• Configure the VLAN mapping on an internal IP interface for the VLAN

Isolated PVLAN Configuration (1)

sw1(config)# vtp transparent
sw1(config)# vlan 201
sw1(config-vlan)# private-vlan isolated
sw1(config)# vlan 100
sw1(config-vlan)# private-vlan primary
sw1(config-vlan)# private-vlan association add 201

sw2(config)# vtp transparent
sw2(config)# vlan 201
sw2(config-vlan)# private-vlan isolated
sw2(config)# vlan 100
sw2(config-vlan)# private-vlan primary
sw2(config-vlan)# private-vlan association add 201

Configure the private VLANs and the VLAN association


Isolated PVLAN Configuration (2)

sw2(config)# interface range fastethernet 0/1-2
sw2(config-if-range)# switchport mode private-vlan host
sw2(config-if-range)# switchport private-vlan host-association 100 201

Configure the PVLAN host ports

Switch#show interfaces fastEthernet 0/1 switchport
Name: fa0/1
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: on
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host association: 201 (VLAN0201)
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Isolated PVLAN Configuration (3)

sw2(config)# interface fastethernet 0/12
sw2(config-if)# switchport mode private-vlan promiscuous
sw2(config-if)# switchport private-vlan mapping 100 201

Configure the PVLAN promiscuous port

Switch#show interfaces fastEthernet 0/12 switchport
Name: fa0/12
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: on
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host association: none ((Inactive))
Administrative private-vlan mapping: 100 (VLAN0100) 201 (VLAN0201)
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Isolated PVLAN Verification

sw2# show vlan private-vlan

Primary Secondary Type                   Ports
------- --------- ---------------------- -----------------------------
100     201       isolated               fa0/1,fa0/2

sw2# show vlan private-vlan type

Vlan Type
---- -----------------------
100  primary
201  isolated

Display the configured private VLANs, VLAN types, and mappings
Community PVLAN Configuration

• Set VTP transparent
• Create secondary VLANs
• Create a primary VLAN
• Associate secondary and primary VLANs
• Configure the port as host or promiscuous
• Configure the private VLAN association on the ports
• Configure a VLAN mapping on the internal IP interface for the VLAN

Community PVLAN Configuration (1)

sw1(config)# vtp transparent
sw1(config)# vlan 202
sw1(config-vlan)# private-vlan community
sw1(config)# vlan 100
sw1(config-vlan)# private-vlan primary
sw1(config-vlan)# private-vlan association add 202

sw2(config)# vtp transparent
sw2(config)# vlan 202
sw2(config-vlan)# private-vlan community
sw2(config)# vlan 100
sw2(config-vlan)# private-vlan primary
sw2(config-vlan)# private-vlan association add 202

Configure the private VLANs and the VLAN association

Community PVLAN Configuration (2)

sw2(config)# interface range fastethernet 0/1-2
sw2(config-if-range)# switchport mode private-vlan host
sw2(config-if-range)# switchport private-vlan host-association 100 202

Configure the PVLAN host ports

Switch#show interfaces fastEthernet 0/1 switchport
Name: fa0/1
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: on
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host association: 202 (VLAN0202)
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Community PVLAN Configuration (3)

sw2(config)# interface fastethernet 0/12
sw2(config-if)# switchport mode private-vlan promiscuous
sw2(config-if)# switchport private-vlan mapping 100 202

Configure the PVLAN promiscuous port

Switch#show interfaces fastEthernet 0/12 switchport
Name: fa0/12
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: on
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host association: none ((Inactive))
Administrative private-vlan mapping: 100 (VLAN0100) 202 (VLAN0202)
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Community PVLAN Verification

sw2# show vlan private-vlan

Primary Secondary Type                   Ports
------- --------- ---------------------- -----------------------------
100     202       community              fa0/1,fa0/2

sw2# show vlan private-vlan type

Vlan Type
---- -----------------------
100  primary
202  community

Display the configured private VLANs, VLAN types, and mappings
PVLAN Example

• DNS, web, and SMTP servers are in the DMZ and in the same subnet
• DNS servers can communicate with each other and with the router
• Web and SMTP servers can communicate only with the router

PVLAN Example (Cont.)

sw(config)# vtp transparent
sw(config)# vlan 201
sw(config-vlan)# private-vlan isolated
sw(config)# vlan 202
sw(config-vlan)# private-vlan community
sw(config)# vlan 100
sw(config-vlan)# private-vlan primary
sw(config-vlan)# private-vlan association 201,202

sw(config)# interface fastethernet 0/24
sw(config-if)# switchport mode private-vlan promiscuous
sw(config-if)# switchport private-vlan mapping 100 201,202

sw(config)# interface range fastethernet 0/1-2
sw(config-if-range)# switchport mode private-vlan host
sw(config-if-range)# switchport private-vlan host-association 100 202

sw(config)# interface range fastethernet 0/3-4
sw(config-if-range)# switchport mode private-vlan host
sw(config-if-range)# switchport private-vlan host-association 100 201
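The Python model below is an added example, not code from the slides or from Cisco. It serves both the "PVLAN Port Types" rules and the DMZ example above, and also the earlier "Protected Port" slide: it encodes who may exchange frames with whom (isolated ports only with promiscuous ports, community ports also with their own community, promiscuous ports with everyone, protected ports only with unprotected ports on the same switch) and checks that the DMZ configuration (DNS servers on fa0/1-2 in community VLAN 202, web and SMTP on fa0/3-4 in isolated VLAN 201, router on promiscuous port fa0/24, primary VLAN 100) produces exactly the reachability the slide asks for. Port names and VLAN numbers come from the slides; the host labels (dns1, dns2, web, smtp, router) and the Python representation are my own.

```python
"""Reachability model for private VLAN port types and protected ports.

Added illustration, not code from the original slides. It encodes the
forwarding rules stated in the text and checks them against the DMZ example.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# 'private-vlan isolated' / 'private-vlan community' for the secondary VLANs
SECONDARY_TYPES: Dict[int, str] = {201: "isolated", 202: "community"}


@dataclass(frozen=True)
class Port:
    """A switch port inside one primary PVLAN (host labels are constructed)."""
    name: str
    host: str
    promiscuous: bool = False        # 'switchport mode private-vlan promiscuous'
    secondary: Optional[int] = None  # host ports: 'host-association 100 <sec>'


def pvlan_can_forward(a: Port, b: Port, secondary_types: Dict[int, str]) -> bool:
    """Layer-2 reachability between two ports of the same primary VLAN."""
    if a.promiscuous or b.promiscuous:
        return True  # promiscuous ports communicate with every other port
    if (a.secondary is not None and a.secondary == b.secondary
            and secondary_types[a.secondary] == "community"):
        return True  # members of the same community reach each other
    return False  # isolated ports, and different secondary VLANs, stay apart


def protected_can_forward(a_protected: bool, b_protected: bool,
                          same_switch: bool = True) -> bool:
    """'switchport protected' blocks traffic only between two protected ports
    on the SAME switch; the restriction is not carried across a trunk."""
    return not (a_protected and b_protected and same_switch)


# Constructed port table matching the 'PVLAN Example (Cont.)' configuration.
DMZ_PORTS: List[Port] = [
    Port("fa0/24", "router", promiscuous=True),
    Port("fa0/1", "dns1", secondary=202),
    Port("fa0/2", "dns2", secondary=202),
    Port("fa0/3", "web", secondary=201),
    Port("fa0/4", "smtp", secondary=201),
]


def reachability(ports: List[Port],
                 secondary_types: Dict[int, str]) -> Dict[Tuple[str, str], bool]:
    """Pairwise reachability keyed by (host, host), one entry per pair."""
    return {
        (a.host, b.host): pvlan_can_forward(a, b, secondary_types)
        for a, b in combinations(ports, 2)
    }


def reachable_hosts(host: str, ports: List[Port],
                    secondary_types: Dict[int, str]) -> List[str]:
    """Hosts that 'host' can exchange frames with, in port order."""
    me = next(p for p in ports if p.host == host)
    return [p.host for p in ports
            if p is not me and pvlan_can_forward(me, p, secondary_types)]


if __name__ == "__main__":
    for (x, y), ok in reachability(DMZ_PORTS, SECONDARY_TYPES).items():
        print(f"{x:7} <-> {y:7}: {'allowed' if ok else 'blocked'}")
    print("two protected ports, same switch:",
          protected_can_forward(True, True))
    print("two protected ports, different switches:",
          protected_can_forward(True, True, same_switch=False))
```

The matrix confirms the design goal of the slide: each DNS server reaches the other DNS server and the router, while web and SMTP reach only the router and not each other, even though they share a subnet. The `protected_can_forward` function captures the reason the slides introduce PVLANs after protected ports: a protected port is a single-switch feature, whereas the isolated and community VLANs above are carried across the trunk between sw1 and sw2 in the earlier configuration slides.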
