CCNP SWITCH: Private VLANs (PVLAN)

Private VLANs (PVLANs) prevent Layer 2 connectivity between hosts on a switch that sit in the same VLAN/subnet; this provides isolation without the need to re-address the hosts. It is useful in scenarios where host machines should not be able to communicate with each other, e.g. DMZ or ISP (web hosting) environments. In an enterprise DMZ hosting multiple services, one server may have no need to communicate with another server in the same DMZ; a PVLAN can be configured to isolate the servers from one another whilst still permitting traffic to the upstream router/firewall.

Primary VLAN

Can contain multiple secondary private VLANs
Carries traffic from promiscuous ports to isolated, community and other promiscuous ports in the same primary private VLAN

Secondary Private VLAN

Is a child VLAN of the primary and can be mapped to only one primary private VLAN
Uses the same IP subnet as the primary private VLAN
Hosts are assigned to the secondary private VLAN


CCNP SWITCH: DHCP Snooping and Dynamic ARP Inspection

DHCP Snooping

An attacker could connect a rogue DHCP server to the network that replies to client DHCP requests with an incorrect default gateway and DNS servers, leading to a man-in-the-middle attack in which the attacker can capture sensitive information such as usernames and passwords. DHCP snooping prevents this by trusting only the switch port(s) a legitimate DHCP server is connected to, with all other switch ports defined as untrusted. An untrusted port is blocked from sending any DHCP server responses and can only request an IP address.

DHCP snooping builds a binding table containing the client MAC address, IP address, lease time, binding type, VLAN number and port ID, recorded as clients request a DHCP address on an untrusted port. All ports are untrusted unless specifically configured as trusted.

Enable DHCP snooping globally and then enable it on the VLAN

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
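To make the trusted/untrusted rule and the binding table concrete, here is a small Python model of the behaviour described above; it is an added example, not Cisco code or part of the original post. The port names, client MAC and addresses are constructed, and the model deliberately omits the extra checks a real switch performs (option 82 handling, source-MAC consistency, rate limiting).

```python
from dataclasses import dataclass, field
# Server-originated DHCP message types; with snooping enabled these are discarded on untrusted ports.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

@dataclass
class DhcpMsg:
    vlan: int
    in_port: str        # ingress switch port (constructed names such as "Fa0/5")
    kind: str           # DISCOVER, REQUEST, OFFER, ACK or NAK
    client_mac: str
    yiaddr: str = ""    # address offered/assigned (OFFER/ACK only)
    lease: int = 0      # lease time in seconds (ACK only)

@dataclass
class SnoopingSwitch:
    snooping_vlans: set                           # VLANs with 'ip dhcp snooping vlan N'
    trusted_ports: set                            # ports configured with 'ip dhcp snooping trust'
    bindings: dict = field(default_factory=dict)  # binding table: client MAC -> entry
    pending: dict = field(default_factory=dict)   # client MAC -> (vlan, port) of its last request

    def handle(self, m: DhcpMsg) -> str:
        """Return 'forward' or 'drop' for one DHCP message and update the binding table."""
        if m.vlan not in self.snooping_vlans:
            return "forward"                      # snooping not enabled on this VLAN: pass through
        trusted = m.in_port in self.trusted_ports
        if m.kind in SERVER_MSGS:
            if not trusted:
                return "drop"                     # server reply on an untrusted port: rogue server
            if m.kind == "ACK" and m.client_mac in self.pending:
                vlan, port = self.pending.pop(m.client_mac)
                self.bindings[m.client_mac] = {"ip": m.yiaddr, "lease": m.lease,
                                               "type": "dhcp-snooping", "vlan": vlan, "port": port}
            return "forward"
        if not trusted:                           # an untrusted port may only request an address
            self.pending[m.client_mac] = (m.vlan, m.in_port)
        return "forward"

def demo():
    """Constructed traffic: client on Fa0/5, legitimate server behind trusted Gi0/1, rogue server on Fa0/7."""
    sw = SnoopingSwitch(snooping_vlans={10}, trusted_ports={"Gi0/1"})
    mac = "00:11:22:33:44:55"
    msgs = [
        DhcpMsg(10, "Fa0/5", "DISCOVER", mac),
        DhcpMsg(10, "Fa0/7", "OFFER", mac, yiaddr="10.0.10.200"),  # rogue reply, untrusted port
        DhcpMsg(10, "Gi0/1", "OFFER", mac, yiaddr="10.0.10.50"),   # legitimate reply, trusted port
        DhcpMsg(10, "Fa0/5", "REQUEST", mac),
        DhcpMsg(10, "Gi0/1", "ACK", mac, yiaddr="10.0.10.50", lease=86400),
    ]
    return [sw.handle(m) for m in msgs], sw.bindings
```

Only the reply from the untrusted port is dropped, and the binding table ends up with the client's MAC, assigned IP, lease, VLAN and port, which is exactly the data Dynamic ARP Inspection later validates ARP packets against.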


CCNP SWITCH: Portfast, BPDUGuard, RootGuard


Enable PortFast per interface

Switch(config)# interface range fastethernet 0/1-48
Switch(config-if-range)# spanning-tree portfast

Enable PortFast globally on all access ports (NOTE: this does not enable PortFast on trunk links; for those you must configure “spanning-tree portfast trunk” on the interface)

Switch(config)# spanning-tree portfast default

Troubleshooting commands (run from privileged EXEC mode)

Switch# show spanning-tree interface fastethernet 0/4 portfast
Switch# show spanning-tree summary


CCNP SWITCH: VLAN Access Control Lists (VACL)

VLAN ACLs (VACLs) filter all packets within the same VLAN as well as packets routed into or out of the VLAN, whereas a normal ACL can be applied to routed packets only. VACLs are also known as VLAN access maps; they are similar to route maps and use route-map conventions, in which sequences are checked in order. When traffic matches a sequence the switch takes the configured action (forward, redirect or drop).

In the scenario below all computers in VLAN 10 are blocked from communicating on TCP 3389 (Remote Desktop) and TCP 80 (HTTP); all other traffic to computers within the same VLAN is permitted.

VACL Configuration

Define an extended IP access list whose ‘permit’ entries identify the source, destination and port(s) to match. In a VACL a permit entry only selects the traffic; the access-map sequence action decides whether it is forwarded or dropped.

3560-1(config)# ip access-list extended ACL-VLAN-10
3560-1(config-ext-nacl)# permit tcp any any eq 3389
3560-1(config-ext-nacl)# permit tcp any any eq 80
3560-1(config-ext-nacl)# exit
