
    CCNP BCMSN Notes – Securing with VLANs

    By Raiy Wong | November 9, 2009

VLAN Access Lists (VACLs)

VACLs filter traffic within a VLAN (including traffic bridged between hosts in the same VLAN) and do not require a routed interface.

A VACL can match traffic against a MAC, IP, or IPX access list.

VACL configuration: [configuration image not reproduced]

To apply a VACL to a VLAN: [configuration image not reproduced]

    Private VLANs

    Private VLANs (PVLANs) can be implemented to prevent hosts within a VLAN from communicating directly.

    Primary (regular) VLANs are associated with secondary (private) VLANs.

A secondary VLAN can be one of two types:

• Isolated – Hosts associated with the VLAN can only reach the primary VLAN.

• Community – Hosts can communicate with the primary VLAN and other hosts within the secondary VLAN, but not with other secondary VLANs.

    PVLAN information is not communicated by VTP.

PVLAN ports are configured to operate in one of two modes:

• Promiscuous – Port attaches to a router, firewall, etc.; can communicate with all hosts in the associated secondary VLANs.

• Host – Can only communicate with a promiscuous port, or with ports within the same community PVLAN.

    Private VLAN Configuration

Defining a secondary PVLAN: [configuration image not reproduced]

Defining a primary PVLAN: [configuration image not reproduced]

Designating a host port: [configuration image not reproduced]

Designating a promiscuous port: [configuration image not reproduced]

    Host ports are associated with one primary and one secondary VLAN, whereas promiscuous ports are mapped to one primary and multiple secondary VLANs.

Secondary VLANs can be mapped to an SVI like a promiscuous port, but without the need to specify the primary VLAN: [configuration image not reproduced]

    Securing VLAN Trunks

Explicitly configure all access ports (and disable DTP negotiation on them) to protect against trunk spoofing: [configuration image not reproduced]

VLAN hopping by double tagging can be mitigated by ensuring that the native VLAN of a trunk is not used as an access VLAN for any host.
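Because the configuration screenshots are no longer on the page, the following Catalyst IOS configuration is added here as a worked example covering the three sections above (VACL, private VLANs, and access-port hardening); it is not the original post's own configuration. All VLAN numbers, interface names, the access-list name, and the subnet are constructed for the example.

```cisco
! Constructed values: VLAN 200 is a regular VLAN used for the VACL and the
! hardened access port; VLAN 100 is primary, 101 isolated, 102 community.
! Platform assumption: VTP v1/v2, which must be transparent before PVLANs exist.
vtp mode transparent
!
! VACL: drop Telnet between hosts inside VLAN 200, forward everything else
ip access-list extended BLOCK-TELNET
 permit tcp any any eq 23
vlan access-map VLAN200-FILTER 10
 match ip address BLOCK-TELNET
 action drop
vlan access-map VLAN200-FILTER 20
 action forward
vlan filter VLAN200-FILTER vlan-list 200
!
! Private VLANs: define the secondaries, then associate them to the primary
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Isolated host port: can reach only promiscuous ports
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host port: reaches promiscuous ports and other VLAN 102 members
interface GigabitEthernet1/0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port toward the router/firewall: one primary, many secondaries
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! SVI mapping names only the secondaries; the primary is the SVI itself
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
 private-vlan mapping 101,102
!
! Regular access port with DTP disabled, so it cannot be negotiated into a trunk
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
```

Verify the result with `show vlan private-vlan` and `show vlan access-map`; a host port that shows no host-association is the usual sign that the secondary VLAN was never associated with the primary.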
