Private VLANs (PVLANs) prevent layer 2 connectivity between hosts on a switch that sit in the same VLAN/subnet; this provides isolation without having to re-address (re-IP) the hosts into separate subnets. This is useful in scenarios where it is not desirable for the hosts to be able to communicate with each other, e.g. DMZ or ISP environments (web hosting). In an enterprise environment with multiple services in a DMZ, a server may have no need to communicate with another server in that DMZ; a PVLAN can be configured to isolate the servers from one another whilst still permitting traffic to the upstream router/firewall.
Primary Private VLAN
Consists of one or more secondary Private VLANs (at most one isolated VLAN, any number of community VLANs)
Carries traffic from promiscuous ports to isolated, community and other promiscuous ports in the same Primary Private VLAN
Secondary Private VLAN
Is a child VLAN of the Primary and can be mapped to only one Primary Private VLAN
Uses the same IP subnet as the Primary Private VLAN
The hosts are assigned to the Secondary Private VLAN, which is one of two types: isolated (hosts can reach promiscuous ports only, never each other) or community (hosts can reach each other and promiscuous ports, but not other communities or isolated ports)
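The following is an added configuration example (it is not from the original post) that builds the DMZ scenario described above on a Catalyst switch: a primary VLAN 200 with an isolated VLAN 201 and a community VLAN 202, one promiscuous uplink to the firewall, one isolated web server and two community app servers. All VLAN IDs, interface numbers, the 192.168.10.0/24 subnet and the router interface name are assumptions.

```cisco
! Added example, not the original post's configuration. VLAN IDs, interfaces and subnet are assumed.
! Catalyst 3560/3750 style switches need VTP transparent mode before private-vlan commands are accepted
vtp mode transparent
!
vlan 201
 private-vlan isolated
!
vlan 202
 private-vlan community
!
vlan 200
 private-vlan primary
 private-vlan association 201,202
!
! Promiscuous port: uplink to the DMZ firewall, reachable from every secondary VLAN
interface GigabitEthernet0/1
 description Uplink to DMZ firewall (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! Isolated host port: the web server may only talk to the firewall
interface GigabitEthernet0/2
 description DMZ web server (isolated VLAN 201)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Community host ports: the two app servers may talk to each other and to the firewall
interface range GigabitEthernet0/3 - 4
 description DMZ app servers (community VLAN 202)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! On the upstream router/firewall (assumed subnet 192.168.10.0/24): a host can still reach an
! isolated neighbour by addressing the frame to the router's MAC, because the router will route
! (hairpin) it back into the same subnet. Deny same-subnet traffic inbound on that interface.
ip access-list extended PVLAN-NO-HAIRPIN
 deny ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
interface GigabitEthernet0/0
 ip access-group PVLAN-NO-HAIRPIN in
```

Verify with `show vlan private-vlan` (primary/secondary type and the ports in each) and `show interfaces GigabitEthernet0/2 switchport` (operational mode should read private-vlan host with the 200/201 association). If the switch itself holds the layer 3 interface for the subnet, it also needs `private-vlan mapping 201,202` under `interface Vlan200`, and the same anti-hairpin ACL then belongs on that SVI.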
Continue reading CCNP SWITCH: Private VLANs (PVLAN)
An attacker could connect a rogue DHCP server to the network and reply to client DHCP requests with an incorrect default gateway and DNS servers, leading to a man-in-the-middle attack that enables the attacker to capture sensitive information such as usernames and passwords. DHCP snooping can prevent this by trusting only the switch port(s) a legitimate DHCP server (or the uplink toward it) is connected to, with all other switch ports treated as untrusted. An untrusted port is blocked from sending any DHCP server messages (OFFER, ACK, NAK) and can only send client messages, i.e. request an IP address.
DHCP snooping builds a binding table containing the client MAC address, IP address, lease time, binding type, VLAN number and port ID, recorded as clients obtain a DHCP address on an untrusted port. All ports are untrusted unless specifically configured as trusted. The same binding table is what Dynamic ARP Inspection (DAI) uses to decide whether an ARP reply seen on an untrusted port is genuine.
Enable DHCP snooping globally and then on the VLAN(s) to be protected (the global command alone does nothing until at least one VLAN is specified)
Switch (config)# ip dhcp snooping
Switch (config)# ip dhcp snooping vlan 10
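The two commands above only switch the feature on. The following is an added example (not from the original post) of the rest of a DHCP snooping and DAI deployment on an access switch: trusting the uplink, rate-limiting the untrusted access ports, persisting the binding table and turning on DAI for the same VLAN. Interface numbers, the rate values and the flash file name are assumptions.

```cisco
! Added example, not the original post's configuration. Interfaces, rates and file name are assumed.
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist the bindings; after a reload DAI would otherwise drop ARP from every existing
! client until it renews its lease
ip dhcp snooping database flash:dhcp-snooping.db
! The switch inserts option 82 by default; an upstream relay or server may discard such
! requests from a non-relay. Disable the insertion (or configure the relay to trust it).
no ip dhcp snooping information option
!
! Only the uplink toward the legitimate DHCP server is trusted, for DHCP and for ARP
interface GigabitEthernet0/1
 description Uplink to distribution / DHCP server (trusted)
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports stay untrusted. Rate limits stop one host flooding DISCOVERs (scope
! exhaustion) or ARP (CPU exhaustion); exceeding them err-disables the port.
interface range FastEthernet0/1 - 48
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! Dynamic ARP Inspection: ARP on untrusted ports must match a snooping binding
ip arp inspection vlan 10
! Also check that the Ethernet and ARP-body addresses agree and that the IP is sane
ip arp inspection validate src-mac dst-mac ip
!
! Auto-recover ports err-disabled by the rate limiters after 5 minutes
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

Check the result with `show ip dhcp snooping` (trusted ports and per-port rate limits), `show ip dhcp snooping binding` (the table described above) and `show ip arp inspection vlan 10` / `show ip arp inspection statistics vlan 10` (forwarded versus dropped ARP counts). Hosts with static IP addresses on untrusted ports have no binding and will have their ARP dropped by DAI; cover them with an `arp access-list` applied via `ip arp inspection filter`, or move them to a trusted port only if that port is physically controlled.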
Continue reading CCNP SWITCH: DHCP Snooping and Dynamic ARP Inspection
Enable Portfast per interface
Switch (config)# interface range fastethernet 0/1 - 48
Switch (config-if-range)# spanning-tree portfast
Enable Portfast globally on all access ports (NOTE – this will not enable Portfast on trunk links until you configure “spanning-tree portfast trunk” on the interface; only do that on trunks to end hosts such as hypervisors, never on a trunk to another switch)
Switch (config)# spanning-tree portfast default
Switch# show spanning-tree interface fastethernet 0/4 portfast
Switch# show spanning-tree summary
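Portfast on its own only skips the listening/learning delay; it does nothing to stop a rogue switch plugged into an access port from sending superior BPDUs and becoming root. The following added example (not from the original post) pairs Portfast with BPDU guard globally and per interface, adds a Portfast trunk for a hypervisor host, and puts root guard on a downlink to another switch. Interface names and the recovery interval are assumptions.

```cisco
! Added example, not the original post's configuration. Interface names are assumed.
! Global: Portfast on every access port, and err-disable any Portfast port that receives a BPDU.
! The bpduguard default only applies to ports that are operationally in Portfast.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Per-interface equivalents for a single access port
interface FastEthernet0/4
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! A trunk to an end host (hypervisor) is not covered by "portfast default"; enable it
! explicitly and still guard it, since no switch should ever sit behind this port
interface GigabitEthernet0/2
 description ESXi host trunk (no switches behind it)
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
! Root guard on the port facing a downstream switch: a superior BPDU puts the port into
! root-inconsistent (blocking) instead of letting that switch take over as root
interface GigabitEthernet0/24
 description Downlink to access switch
 spanning-tree guard root
!
! Let BPDU-guard err-disabled ports recover by themselves; the rogue device is still
! blocked every time it speaks, but a mis-cabled port does not need a manual shut/no shut
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

`show spanning-tree summary` reports whether Portfast and BPDU guard defaults are active, `show spanning-tree interface FastEthernet0/4 portfast` confirms the per-port state, `show spanning-tree interface GigabitEthernet0/24 detail` shows root guard, and `show errdisable recovery` lists which causes auto-recover and the timer. A port that went err-disabled shows as such in `show interfaces status`.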
Continue reading CCNP SWITCH: Portfast, BPDUGuard, RootGuard
VLAN ACLs (VACLs) provide traffic filtering for all packets in a VLAN, both those bridged between hosts in the same VLAN and those routed into or out of the VLAN, whereas a router ACL (RACL) applied to an SVI or routed interface only sees routed packets and cannot filter traffic switched within the VLAN. VACLs are also known as VLAN access-maps; they are similar to route maps and follow route-map conventions in which sequences are checked in order and the first match wins. When traffic matches a sequence the switch takes the configured action (forward, redirect or drop). IP traffic that matches no sequence is dropped (the map has an implicit deny for the packet type it matches on), so a final catch-all sequence with action forward is normally required.
In the scenario below all computers in VLAN 10 are blocked from communicating with each other on TCP 3389 (Remote Desktop) and TCP 80 (HTTP); all other traffic between computers in the same VLAN is permitted.
Define an extended IP access list whose ‘permit’ entries identify the traffic to be acted on (source, destination and port(s)); in a VACL the ACL only selects traffic, the forward/drop decision is made by the access-map action
3560-1(config)# ip access-list extended ACL-VLAN-10
3560-1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 3389
3560-1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 80
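The ACL above only selects the traffic. The following is an added example (not from the original post) that completes the scenario: the access-map drops what the ACL matches, a catch-all sequence forwards everything else, and the map is applied to VLAN 10. Names other than ACL-VLAN-10 and the subnet from the post are assumptions.

```cisco
! Added example completing the post's scenario on 3560-1; the access-map name is assumed.
ip access-list extended ACL-VLAN-10
 permit tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 3389
 permit tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 80
!
! Sequence 10: anything the ACL "permits" (selects) is dropped
vlan access-map VACL-VLAN-10 10
 match ip address ACL-VLAN-10
 action drop
!
! Sequence 20: catch-all forward. Without it every other IP packet in VLAN 10,
! including DHCP and traffic to the default gateway, hits the implicit deny.
vlan access-map VACL-VLAN-10 20
 action forward
!
! Apply to the VLAN; this also filters traffic routed into or out of VLAN 10
vlan filter VACL-VLAN-10 vlan-list 10
```

Verify with `show vlan access-map VACL-VLAN-10` and `show vlan filter`. Two points worth checking before relying on it: the ACL restricts both source and destination to 192.168.10.0/24, so HTTP and RDP to servers outside the VLAN are unaffected, and only the client-to-server direction (destination port 80/3389) is matched, which is enough because the TCP handshake never completes. ARP is not touched by this map because it contains no MAC ACL match clause, so non-IP packet types are still forwarded.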
Continue reading CCNP SWITCH: VLAN Access Control Lists (VACL)