Chapter 20: Securing with VLANs

1-58720-077-5.book Page 471 Tuesday, August 19, 2003 3:16 PM

“Do I Know This Already?” Quiz

6. The vlan 100 command has just been entered. What is the next command needed to configure VLAN 100 as a secondary isolated VLAN?
   a. private-vlan isolated
   b. private-vlan isolated 100
   c. pvlan secondary isolated
   d. No further configuration is necessary.

7. What type of port configuration should you use for private VLAN interfaces on a router?
   a. Host
   b. Gateway
   c. Promiscuous
   d. Transparent

8. Promiscuous ports must be ________ to primary and secondary VLANs, and host ports must be ________.
   a. mapped, associated
   b. mapped, mapped
   c. associated, mapped
   d. associated, associated

9. Which of the following allows a port to be mirrored to another port on the same switch?
   a. VSPAN
   b. RSPAN
   c. SPAN
   d. CSPAN

10. What must be used to connect switches used for RSPAN?
   a. An 802.1Q trunk
   b. Access-mode switch ports (single VLAN)
   c. A private VLAN over a trunk
   d. An RSPAN VLAN over a trunk

11. What is the most important difference between an RSPAN VLAN and a regular VLAN?
   a. The RSPAN VLAN disables MAC address learning.
   b. The RSPAN VLAN uses static MAC address definitions.
   c. The RSPAN VLAN has the RSPAN source and destination MAC addresses defined in the CAM table.
   d. The RSPAN VLAN cannot be carried over a trunk link.

12. To configure an RSPAN session’s source switch, what is used for the session destination?
   a. The switch port leading to the destination switch
   b. The RSPAN VLAN
   c. The final destination switch port
   d. The next-hop router

The answers to the “Do I Know This Already?” quiz are found in Appendix A, “Answers to Chapter ‘Do I Know This Already?’ Quizzes and Q&A Sections.” The suggested choices for your next step are as follows:

■ 10 or less overall score—Read the entire chapter. This includes the “Foundation Topics,” “Foundation Summary,” and “Q&A” sections.
■ 11 or 12 overall score—If you want more review on these topics, skip to the “Foundation Summary” section and then go to the “Q&A” section at the end of the chapter. Otherwise, move to Chapter 21, “Scenarios for Final Preparation.”

Foundation Topics

VLAN Access Lists

Access lists can manage or control traffic as it passes through a switch. When normal access lists are configured on a Catalyst switch, they filter traffic through the use of the Ternary Content Addressable Memory (TCAM). Recall from Chapter 3, “Switch Operation,” that access lists (also known as router access lists or RACLs) are merged or compiled into the TCAM. Each ACL is applied to an interface according to the direction of traffic—inbound or outbound. Packets can then be filtered in hardware with no switching performance penalty.

However, only packets that pass between VLANs can be filtered this way. Packets that stay in the same VLAN never cross a VLAN or interface boundary and do not necessarily have a direction in relation to an interface. These packets might also be non-IP, non-IPX, or completely bridged; therefore, they never pass through the multilayer switching mechanism.

VLAN access lists (VACLs) are filters that directly affect how packets are handled within a VLAN. VACLs differ from RACLs or traditional access control lists: although they too are merged into the TCAM, they can permit, deny, or redirect packets as they are matched. VACLs are also configured in a route map fashion, with a series of matching conditions and actions to take.

VACL Configuration

VACLs are configured as a VLAN access map, in much the same format as a route map. A VLAN access map consists of one or more statements, each having a common map name.
First, you define the VACL with the following global configuration command:

    Switch(config)# vlan access-map map-name [sequence-number]

Access map statements are evaluated in sequence, according to the sequence-number. Each statement can contain one or more matching conditions, followed by an action.

Next, define the matching conditions that identify the traffic to be filtered. Matching is performed by access lists (IP, IPX, or MAC address ACLs), which you must configure independently. Configure a matching condition with the following access map configuration command:

    Switch(config-access-map)# match {ip address {acl-number | acl-name}} | {ipx address {acl-number | acl-name}} | {mac address acl-name}

You can repeat this command to define several matching conditions; the first match encountered triggers an action to take. Define the action with the following access map configuration command:

    Switch(config-access-map)# action {drop | forward [capture] | redirect interface type mod/num}

A VACL can either drop a matching packet, forward it, or redirect it to another interface. The TCAM performs the entire VACL match and action as packets are switched or bridged within a VLAN, or routed into or out of a VLAN.
Finally, you must apply the VACL to one or more VLANs using the following global configuration command:

    Switch(config)# vlan filter map-name vlan-list vlan-list

Notice that the VACL is applied globally to one or more VLANs listed and not to a VLAN interface (SVI). Recall that VLANs can be present in a switch as explicit interfaces or as inherent Layer 2 entities. The VLAN interface is the point where packets enter or leave a VLAN, so it does not make sense to apply a VACL there. Instead, the VACL needs to function within the VLAN itself, where there is no inbound or outbound direction.

For example, suppose you find a need to filter traffic within VLAN 99 so that host 192.168.99.17 is not allowed to contact any other host on its local subnet. An access list local-17 is created to identify traffic from this host to anything else on its local subnet. Then, a VLAN access map is defined: if the IP address is permitted by the local-17 access list, the packet is dropped; otherwise, it is forwarded. Example 20-1 shows the commands necessary for this example.

Example 20-1 Filtering Traffic Within the Local Subnet

    Switch(config)# ip access-list extended local-17
    Switch(config-ext-nacl)# permit ip host 192.168.99.17 192.168.99.0 0.0.0.255
    Switch(config-ext-nacl)# exit
    Switch(config)# vlan access-map block-17 10
    Switch(config-access-map)# match ip address local-17
    Switch(config-access-map)# action drop
    Switch(config-access-map)# vlan access-map block-17 20
    Switch(config-access-map)# action forward
    Switch(config-access-map)# exit
    Switch(config)# vlan filter block-17 vlan-list 99

Two details of this example matter in practice. The second access map entry (sequence 20) has no match clause and therefore matches every packet the first entry did not; a packet that matches no entry at all is dropped, so without sequence 20 all other traffic in VLAN 99 would be lost. Also, local-17 matches only packets sourced from 192.168.99.17; packets sent to that host by its neighbors are still forwarded, and the host is cut off only because its own replies are dropped. Add a second permit line with the source and destination swapped if both directions must be blocked.

Private VLANs

Normally, traffic is allowed to move unrestricted within a VLAN. Packets sent from one host to another are normally heard only by the destination host, thanks to the nature of Layer 2 switching. However, if one host broadcasts a packet, all hosts on the VLAN must listen. You can use a VACL to filter packets between a source and destination in a VLAN if both connect to the local switch. Sometimes, it would be nice to have the ability to segment traffic within a single VLAN, without having to use multiple VLANs and a router.
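The access map semantics just described (sequence order, first match wins, an entry with no match clause matching everything, and an implicit drop when nothing matches) are easy to get wrong when writing a VACL by hand. The following model is an added example written for this page, not Cisco code and not something the switch exposes: it evaluates Example 20-1 in software against a few constructed packets, once with the map as written and once with sequence 20 left out. The names PermitIp, vacl_action and evaluate_examples, the packet list and the 10.1.1.1 off-subnet destination are all assumptions of the example.

```python
"""Model of how a Catalyst VLAN access map is evaluated.

Added illustration for Example 20-1; this is not Cisco code, and the switch
itself performs all of this in the TCAM. The model keeps the semantics that
matter: entries are tried in sequence-number order, the first entry whose
ACL permits the packet decides the action, an entry with no match clause
matches everything, and a packet that matches no entry is dropped.
"""
from ipaddress import IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


class PermitIp:
    """One 'permit ip <src> <src-wc> <dst> <dst-wc>' line of an extended ACL.

    'host A' is written as A with wildcard 0.0.0.0. Protocol and port
    matching are ignored because Example 20-1 matches plain 'ip'.
    """

    def __init__(self, src: str, src_wc: str, dst: str, dst_wc: str):
        self.src, self.src_wc, self.dst, self.dst_wc = src, src_wc, dst, dst_wc

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def acl_permits(acl, src: str, dst: str) -> bool:
    """A named ACL is a list of permit lines with an implicit deny at the end."""
    return any(line.matches(src, dst) for line in acl)


def vacl_action(access_map, acls, src: str, dst: str) -> str:
    """access_map: list of (sequence, acl_name or None, action).

    Returns the action ('drop', 'forward', 'redirect') taken for one packet.
    """
    for _seq, acl_name, action in sorted(access_map, key=lambda e: e[0]):
        if acl_name is None or acl_permits(acls[acl_name], src, dst):
            return action
    return "drop"  # no entry matched: VACLs drop by default


# Example 20-1 expressed as data.
ACLS = {"local-17": [PermitIp("192.168.99.17", "0.0.0.0", "192.168.99.0", "0.0.0.255")]}
BLOCK_17 = [(10, "local-17", "drop"), (20, None, "forward")]
# The same map with sequence 20 left out, to show why that entry is needed.
BLOCK_17_WITHOUT_SEQ_20 = [(10, "local-17", "drop")]


def evaluate_examples():
    """Constructed packets (src, dst) inside VLAN 99 and each map's verdict."""
    packets = {
        "17 to neighbour":        ("192.168.99.17", "192.168.99.5"),
        "neighbour to 17":        ("192.168.99.5", "192.168.99.17"),
        "neighbour to neighbour": ("192.168.99.5", "192.168.99.6"),
        "17 to off-subnet host":  ("192.168.99.17", "10.1.1.1"),  # via the gateway
    }
    return {name: (vacl_action(BLOCK_17, ACLS, s, d),
                   vacl_action(BLOCK_17_WITHOUT_SEQ_20, ACLS, s, d))
            for name, (s, d) in packets.items()}


if __name__ == "__main__":
    for name, (with_20, without_20) in evaluate_examples().items():
        print(f"{name:24s} block-17: {with_20:8s} without seq 20: {without_20}")
```

Running it shows that the map as written drops only frames sourced from 192.168.99.17 toward its own /24, forwards the reverse direction and the host's traffic toward the gateway, and that dropping sequence 20 turns the map into a deny-all for VLAN 99.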
For example, in a single-VLAN server farm, all servers should be able to communicate with the router or gateway, but the servers should not have to listen to each other’s broadcast traffic. Taking this a step further, suppose each server belongs to a separate organization. Now each server should be isolated from the others but still be able to reach the gateway to find clients not on the local network.

Another application is a service provider network. Here, the provider might want to use a single VLAN to connect to several customer networks. Each customer needs to be able to contact the provider’s gateway on the VLAN. Clearly, the customer sites do not need to interact with each other.

Private VLANs (PVLANs) solve this problem on Catalyst switches. In a nutshell, a normal, or primary, VLAN can be logically associated with special unidirectional, or secondary, VLANs. Hosts associated with a secondary VLAN can communicate with ports on the primary VLAN (a router, for example), but not with another secondary VLAN. A secondary VLAN is configured as one of the following types:

■ Isolated—Any switch ports associated with an isolated VLAN can reach the primary VLAN but not any other secondary VLAN. In addition, hosts associated with the same isolated VLAN cannot reach each other. They are, in effect, isolated from everything except the primary VLAN.

■ Community—Any switch ports associated with a common community VLAN can communicate with each other and with the primary VLAN but not with any other secondary VLAN. This provides the basis for server farms and workgroups within an organization, while giving isolation between organizations.

All secondary VLANs must be associated with one primary VLAN to set up the unidirectional relationship. Private VLANs are configured using special cases of regular VLANs. However, VLAN Trunking Protocol (VTP) does not pass any information about the private VLAN configuration. Each of the private VLANs must be configured locally on each switch that interconnects them.

You must configure each switch port that uses a private VLAN with a VLAN association. You must also define the port with one of the following modes:

■ Promiscuous—The switch port connects to a router, firewall, or other common gateway device. This port can communicate with anything else connected to the primary or any secondary VLAN. In other words, the port is in promiscuous mode, where the rules of private VLANs are ignored.

■ Host—The switch port connects to a regular host that resides on an isolated or community VLAN. The port communicates only with a promiscuous port or ports on the same community VLAN.

Keep in mind that private VLANs enforce this separation only at Layer 2. A host on an isolated port can still address a frame to the promiscuous router's MAC address while setting the IP destination to a neighbor in the same subnet; the router sees a packet for a directly connected network and routes it straight back into the VLAN. If that path must also be closed, apply an inbound access list on the router's promiscuous interface that denies traffic sourced from and destined to the local subnet.

Figure 20-1 shows the basic private VLAN operation. Some host PCs connect to a secondary community VLAN. The two community VLANs associate with a primary VLAN, where the router connects. The router connects to a promiscuous port on the primary VLAN. A single host PC connects to a secondary isolated VLAN, so it can communicate only with the router’s promiscuous port.

[Figure 20-1 Private VLAN Functionality Within a Switch: host ports 1/1 through 1/5 on secondary VLAN 10 (community), secondary VLAN 20 (community), and secondary VLAN 30 (isolated); promiscuous port 2/1 on the primary VLAN]

Private VLAN Configuration

Defining a private VLAN involves several configuration steps, described in the sections that follow.
Configure the Private VLANs

To configure a private VLAN, begin by defining any secondary VLANs that are needed for isolation using the following configuration commands:

    Switch(config)# vlan vlan-id
    Switch(config-vlan)# private-vlan {isolated | community}

The secondary VLAN can be an isolated VLAN (no connectivity between isolated ports) or a community VLAN (connectivity between member ports).

Now, define the primary VLAN that will provide the underlying private VLAN connectivity using the following configuration commands:

    Switch(config)# vlan vlan-id
    Switch(config-vlan)# private-vlan primary
    Switch(config-vlan)# private-vlan association {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}

Be sure to associate the primary VLAN with all of its component secondary VLANs using the association keyword. If the primary VLAN has already been configured, you can add (add) or remove (remove) secondary VLAN associations individually.

These VLAN configuration commands set up only the mechanisms for unidirectional connectivity from the secondary VLANs to the primary VLAN. You must also associate the individual switch ports with their respective private VLANs.
Associate Ports with Private VLANs

First, define the function of the port that will participate on a private VLAN using the following configuration command:

    Switch(config-if)# switchport mode private-vlan {host | promiscuous}

If the host connected to this port is a router, firewall, or common gateway for the VLAN, use the promiscuous keyword. This allows the host to reach all other promiscuous, isolated, or community ports associated with the primary VLAN. Otherwise, any isolated or community port must receive the host keyword.

For a nonpromiscuous port (using the switchport mode private-vlan host command), you must associate the switch port with the appropriate primary and secondary VLANs. Remember, only the private VLANs themselves have been configured until now. The switch port must know how to interact with the various VLANs using the following interface configuration command:

    Switch(config-if)# switchport private-vlan host-association primary-vlan-id secondary-vlan-id

For a promiscuous port (using the switchport mode private-vlan promiscuous command), you must map the port to primary and secondary VLANs. Notice that promiscuous mode ports, or ports that can communicate with any other private VLAN device, are mapped, while other secondary VLAN ports are associated. One (promiscuous mode port) exhibits bidirectional behavior, while the other (secondary VLAN ports) exhibits unidirectional or logical behavior. Use the following interface configuration command to map promiscuous mode ports to primary and secondary VLANs:

    Switch(config-if)# switchport private-vlan mapping {primary-vlan-id} {secondary-vlan-list} | {add secondary-vlan-list} | {remove secondary-vlan-list}

As an example, assume the switch in Figure 20-1 is configured as in Example 20-2. Host PCs on ports FastEthernet 1/1 and 1/2 are in community VLAN 10, hosts on ports FastEthernet 1/4 and 1/5 are in community VLAN 20, and the host on port FastEthernet 1/3 is in isolated VLAN 30. The router on port FastEthernet 2/1 is in promiscuous mode on primary VLAN 100. Each VLAN is assigned a role, and the primary VLAN is associated with its secondary VLANs. Then, each interface is associated with a primary and secondary VLAN (if a host is attached) or mapped to the primary and secondary VLANs (if a promiscuous host is attached).

NOTE Configuring a static access VLAN on a switch port when the port is associated with private VLANs is not necessary. Instead, the port takes on membership in the primary and secondary VLANs simultaneously. This does not mean that the port has a fully functional assignment to multiple VLANs. Instead, it takes on only the unidirectional behavior between the secondary and primary VLANs.
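The reachability rules spelled out above (isolated, community, promiscuous, and the requirement that a promiscuous port be mapped to a secondary VLAN before it can reach it) can be checked before touching a switch. The following is an added example written for this page, not Cisco code: it encodes those Layer 2 rules as a function and applies them to the Figure 20-1 topology on primary VLAN 100. Port fa1/6, a second isolated port in VLAN 30, is an assumption added to show that two isolated hosts cannot reach each other; the names PvlanPort, can_forward and reachability_matrix are the example's own.

```python
"""Private VLAN forwarding rules for ports on one switch.

Added illustration of the isolated/community/promiscuous rules described in
the text; it is not Cisco code and models Layer 2 behaviour only (the router
on the promiscuous port can still route between hosts at Layer 3). The ports
are those of Figure 20-1 and Example 20-2 on primary VLAN 100, plus an
assumed second isolated port fa1/6.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary: int
    mode: str                          # "host" or "promiscuous"
    secondary: Optional[int] = None    # host ports: the associated secondary VLAN
    mapping: frozenset = frozenset()   # promiscuous ports: mapped secondary VLANs


def can_forward(a: PvlanPort, b: PvlanPort, secondary_type: Dict[int, str]) -> bool:
    """True if a frame entering port a can be delivered to port b at Layer 2."""
    if a.name == b.name or a.primary != b.primary:
        return False
    # Promiscuous ports talk to each other and to every host port in the
    # secondary VLANs they are mapped to. A host in a secondary VLAN that the
    # promiscuous port is not mapped to cannot reach it.
    if a.mode == "promiscuous" and b.mode == "promiscuous":
        return True
    if a.mode == "promiscuous":
        return b.secondary in a.mapping
    if b.mode == "promiscuous":
        return a.secondary in b.mapping
    # Two host ports: only members of the same community VLAN can talk;
    # isolated ports cannot reach each other even within the same VLAN.
    if a.secondary != b.secondary:
        return False
    return secondary_type[a.secondary] == "community"


SECONDARY_TYPE = {10: "community", 20: "community", 30: "isolated"}

PORTS = {p.name: p for p in [
    PvlanPort("fa1/1", 100, "host", secondary=10),
    PvlanPort("fa1/2", 100, "host", secondary=10),
    PvlanPort("fa1/3", 100, "host", secondary=30),
    PvlanPort("fa1/4", 100, "host", secondary=20),
    PvlanPort("fa1/5", 100, "host", secondary=20),
    PvlanPort("fa1/6", 100, "host", secondary=30),   # assumed extra isolated port
    PvlanPort("fa2/1", 100, "promiscuous", mapping=frozenset({10, 20, 30})),
]}


def reachable_from(src: str, ports=PORTS, types=SECONDARY_TYPE):
    """Sorted names of the ports a frame from `src` can reach."""
    return sorted(n for n, p in ports.items() if can_forward(ports[src], p, types))


def reachability_matrix(ports=PORTS, types=SECONDARY_TYPE):
    """Reachable ports for every port, keyed by port name."""
    return {name: reachable_from(name, ports, types) for name in sorted(ports)}


if __name__ == "__main__":
    for name, reach in reachability_matrix().items():
        print(f"{name}: {', '.join(reach) or '(nothing)'}")
```

The matrix it prints is the one a packet capture on each port would confirm: community members see their own community plus the router, each isolated port sees only the router, and the router sees everything it is mapped to.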
Example 20-2 Configuring Ports with Private VLANs

    Switch(config)# vlan 10
    Switch(config-vlan)# private-vlan community
    Switch(config)# vlan 20
    Switch(config-vlan)# private-vlan community
    Switch(config)# vlan 30
    Switch(config-vlan)# private-vlan isolated
    Switch(config)# vlan 100
    Switch(config-vlan)# private-vlan primary
    Switch(config-vlan)# private-vlan association 10,20,30
    Switch(config-vlan)# exit
    Switch(config)# interface range fastethernet 1/1 - 1/2
    Switch(config-if)# switchport mode private-vlan host
    Switch(config-if)# switchport private-vlan host-association 100 10
    Switch(config)# interface range fastethernet 1/4 - 1/5
    Switch(config-if)# switchport mode private-vlan host
    Switch(config-if)# switchport private-vlan host-association 100 20
    Switch(config)# interface fastethernet 1/3
    Switch(config-if)# switchport mode private-vlan host
    Switch(config-if)# switchport private-vlan host-association 100 30
    Switch(config)# interface fastethernet 2/1
    Switch(config-if)# switchport mode private-vlan promiscuous
    Switch(config-if)# switchport private-vlan mapping 100 10,20,30

Associate Secondary VLANs to a Primary VLAN SVI

On switched virtual interfaces (SVIs), or VLAN interfaces configured with Layer 3 addresses, you must configure some additional private VLAN mapping. Consider the SVI for the primary VLAN, VLAN 200, that has an IP address and participates in routing traffic. Secondary VLANs 40 (an isolated VLAN) and 50 (a community VLAN) are associated at Layer 2 with primary VLAN 200 using the configuration in Example 20-3. Primary VLAN 200 can forward traffic at Layer 3, but the secondary VLAN associations with it are only good at Layer 2.

Example 20-3 Associating Secondary VLANs to a Primary VLAN

    vlan 40
     private-vlan isolated
    vlan 50
     private-vlan community
    vlan 200
     private-vlan primary
     private-vlan association 40,50
    interface vlan 200
     ip address 192.168.199.1 255.255.255.0

To allow Layer 3 traffic switching coming from the secondary VLANs as well, you must add a private VLAN mapping to the primary VLAN (SVI) interface, using the following interface configuration command:

    Switch(config-if)# private-vlan mapping {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}

The primary VLAN SVI function is extended to the secondary VLANs, instead of requiring SVIs for each of them. If some mapping has already been configured for the primary VLAN SVI, you can add (add) or remove (remove) secondary VLAN mappings individually.

For the example, you would map the private VLAN with the following command:

    interface vlan 200
     private-vlan mapping 40,50

Switch Port Monitoring

Suppose a problem exists on your switched network and you want to use a network analyzer to gather data. Of interest is a conversation between two hosts connected to the switch, one on interface FastEthernet 1/1 and the other on FastEthernet 4/7. Both ports are assigned to VLAN 100. If you connect your analyzer to another port on VLAN 100, what will your packet capture show?

Recall that, by definition, switches learn where MAC addresses are located and forward packets directly to those ports. The only time a packet is flooded to ports other than the specific destination is when the destination MAC address has not already been located or when the packet is destined for a broadcast or multicast address. Therefore, your packet capture shows only the broadcast and multicast packets that were flooded to the analyzer’s port. None of the interesting conversation will be overheard.

Catalyst switches can use the Switched Port Analyzer (SPAN) feature to mirror traffic from one source switch port or VLAN to a destination port. This allows a monitoring device, such as a network analyzer, to be attached to the destination port for capturing traffic. When packets arrive on the source port or VLAN, they are specially marked so that they can be copied to the SPAN destination port as well as the true destination port. In this way, the packet capture receives an exact copy of the packets that are being forwarded from the source.

SPAN is available in several different forms:

■ Local SPAN—Both the SPAN source and destination are located on the local switch. The source is one or more switch ports.

■ VLAN-based SPAN (VSPAN)—A variation of local SPAN where the source is a VLAN rather than a physical port.
■ Remote SPAN (RSPAN)—The SPAN source and destination are located on different switches. Mirrored traffic is copied over a special-purpose VLAN across trunks between switches from the source to the destination.

The sections that follow describe each of these SPAN forms in more detail.

[...]

In Example 20-5, RSPAN is configured on all three switches shown in Figure 20-3. The source is connected to Catalyst A port FastEthernet 1/1. The destination is a network analyzer connected to port FastEthernet 4/48 on Catalyst C. Catalyst B simply passes the RSPAN session traffic over VLAN 999, transported by trunk links.

Example 20-5 Configuring RSPAN on the Catalyst Switches in Figure 20-3

    Catalyst A
    vlan 999
     remote-span
    monitor session 1 source interface fastethernet 1/1 both
    monitor session 1 destination remote vlan 999

    Catalyst B
    vlan 999
     remote-span

    Catalyst C
    vlan 999
     remote-span
    monitor session 1 source remote vlan 999
    monitor session 1 destination interface fastethernet 4/48

[...]

Foundation Summary (excerpt)

■ ... implemented as primary and secondary VLANs.
■ Primary VLANs allow hosts to communicate with any other type of private (secondary) VLAN.
■ Secondary VLANs allow hosts to communicate with ports on a primary VLAN but not with other secondary VLANs.
■ Secondary VLANs are categorized as follows:
  — Isolated VLAN—Hosts can communicate only with the primary VLAN, not any other isolated port or secondary VLAN.
  — Community ...

Private VLAN commands (continued):
  Associate host ports with private VLANs
    switchport private-vlan host-association primary-vlan-id secondary-vlan-id
  Associate promiscuous ports with private VLANs
    switchport private-vlan mapping {primary-vlan-id} {secondary-vlan-list} | {add secondary-vlan-list} | {remove secondary-vlan-list}
  Associate secondary VLANs with a primary VLAN Layer 3 SVI
    private-vlan mapping {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}

■ Switch port monitoring ...

[...]

PART V: Scenarios for Final Preparation

Chapter 21 Scenarios for Final Preparation

The chapter in this part of the book emphasizes an overall understanding of switching concepts, configuration commands, and network operation. Although the CCNP BCMSN exam might not contain scenarios of this type, you can better prepare by thinking about the “bigger picture” of a network and how you can apply each switching topic.

[...]

CHAPTER 21 Scenarios for Final Preparation

This chapter ...

[...]

... network? Consider both devices and links. Will PC-4 receive the broadcasts?

Scenario 2: VLANs, Trunking, and VTP

This scenario is designed to stir your thinking about VLAN and trunking connectivity. You also need to examine switch configurations and apply them to a network diagram. See the diagram shown in Figure ...

[...]

... functionality: HSRP and GLBP.

1. A network consists of two VLANs: 101 and 102. Suppose the PCs in VLAN 101 (192.168.101.0/24) use address 192.168.101.1 as their default gateway. The PCs in VLAN 102 (192.168.102.0/24) use 192.168.102.1. What commands are necessary to configure HSRP on a Catalyst switch ... router. (You can use IP addresses 192.168.101.2 and 192.168.102.2, if needed.)

2. GLBP is to be used in the network shown in Figure 21-5. Answer the following questions about this network.

[Figure 21-5 Network Diagram for Scenario 5: Catalyst A, Catalyst B, and Catalyst C on VLAN 10 at 192.168.10.10, 192.168.10.11, and 192.168.10.12, filling the AVG, AVF, and standby AVG/AVF roles; GLBP gateway 192.168.10.1]

   a. What command ...

[...]

... be rejected. What command can accomplish this?

3. Configure a VLAN access control list that can perform packet filtering within a VLAN. Users in the 192.168.191.0 255.255.255.0 network should be allowed to use only HTTP (www) traffic to the web server 192.168.191.199/24, on VLAN 180. How can you configure the VACL to accomplish this?

4. Assume that a server is connected to interface GigabitEthernet 3/3 on a Catalyst ...