CCIE R&S Advanced Technologies Class v4.5 - Protected Ports, Private VLANs

Transcript

1	Introduction	0h 43m
2	Using the Cisco Documentation	0h 52m
3	Ethernet Overview, Layer 2 Switchports, Trunking, ISL, 802.1q, DTP	0h 47m
4	VTP, VTP Authentication, VTP Pruning	1h 02m
5	VTP Prune Eligible List, VTP Transparent, VTP Troubleshooting, Trunk Allowed List, Extended VLANs	0h 48m
6	VLAN and VTP Review	0h 19m
7	SVIs, Native Routed Interfaces, Router-on-a-Stick	0h 46m
8	Layer 2 EtherChannel, EtherChannel Load Balancing, Layer 3 EtherChannel	0h 57m
9	802.1q Tunneling, Layer 2 Protocol Tunneling, EtherChannel over 802.1q Tunneling	1h 03m
10	STP Root Bridge Election, STP Root Port Election, STP Designated Port Election, STP Priority, STP Cost, STP Port-Priority	1h 46m
11	STP Review	0h 12m
12	STP Timers, STP PortFast	0h 34m
13	STP UplinkFast	0h 11m
14	STP BackboneFast	0h 12m
15	STP BPDU Filter	0h 13m
16	STP BPDU Guard	0h 11m
17	STP Root Guard	0h 11m
18	STP Loop Guard, Unidirectional Link Detection (UDLD)	0h 11m
19	Multiple Spanning-Tree Protocol (MST)	0h 40m
20	Rapid Spanning-Tree Protocol (RSTP), Rapid-PVST	0h 18m
21	MST with Multiple Regions	0h 33m
22	Flex Links	0h 16m
23	Frame Relay	0h 39m
24	Frame Relay Configuration Part 1	0h 34m
25	Frame Relay Configuration Part 2	0h 41m
26	Frame Relay Switching	0h 27m
27	Back-to-Back Frame Relay	0h 08m
28	Frame-Relay End-to-End Keepalives	0h 18m
29	PPP, PPP PAP Authentication, PPP CHAP Authentication	0h 59m
30	PPPoFR, PPPoE	0h 40m
31	Transparent Bridging, IRB	0h 32m
32	Fallback Bridging	0h 14m
33	IP Routing Overview, Switching Paths, Static Routing	0h 42m
34	Static Routing Examples	0h 25m
35	IP Default-Gateway, IP Default-Network	0h 14m
36	On-Demand Routing (ODR)	0h 07m
37	Floating Static Routes	0h 10m
38	Backup Interface	0h 29m
39	Enhanced Object Tracking, IP SLA, Reliable Static Routing	0h 21m
40	Policy Routing	0h 43m
41	GRE Tunneling, GRE Recursive Routing Errors	0h 27m
42	Reliable Backup Interface with GRE	0h 25m
43	RIP Overview, RIP Versions, RIP Auto-Summary	0h 48m
44	RIP Split-Horizon, RIP Timers	0h 22m
45	RIP Broadcast Updates, IP Directed Broadcast, IP Broadcast-Address, Smurf Attacks, Fraggle Attacks	0h 16m
46	RIP Unicast Updates	0h 03m
47	RIP Offset-List	0h 18m
48	RIP Authentication	0h 11m
49	RIP Summarization	0h 10m
50	Prefix-Lists, RIP Distribute-List Filtering, RIP Administrative Distance Filtering	0h 48m
51	RIP Default Routing, RIP Conditional Default Routing	0h 18m
52	RIP Triggered, RIP Validate Update Source,	0h 12m
53	EIGRP Overview	0h 29m
54	EIGRP Auto-Summary	0h 07m
55	EIGRP Split-Horizon	0h 11m
56	EIGRP Update Types, EIGRP Neighbor, EIGRP Passive-Interface	0h 24m
57	EIGRP Hello-Interval, EIGRP Hold-Time	0h 05m
58	EIGRP Authentication	0h 11m
59	EIGRP Time Based Authentication	0h 25m
60	EIGRP Path Selection, EIGRP Metric Weights, EIGRP Traffic Engineering	0h 47m
61	EIGRP Unequal Cost Load Balancing, EIGRP Variance	0h 19m
62	EIGRP QUERY, EIGRP Summarization, EIGRP Leak-Map	0h 28m
63	EIGRP Stub Router Advertisement	0h 22m
64	EIGRP Default Routing	0h 13m
65	EIGRP Route Filtering	0h 11m
66	EIGRP Router-ID	0h 07m
67	Miscellaneous EIGRP Features	0h 02m
68	OSPF Overview	0h 27m
69	Establishing OSPF Adjacencies, Understanding the OSPF Database	0h 43m
70	OSPF Network Type Broadcast, OSPF DR/BDR Election, OSPF over NBMA, OSPF Network Type Non-Broadcast and Point-to-Multipoint	0h 56m
71	OSPF Network Type Point-to-Point, OSPF Network Type Mismatch	0h 13m
72	OSPF Network Type Point-to-Multipoint Non-Broadcast, OSPF Per Neighbor Cost	0h 17m
73	OSPF Network Type Loopback	0h 02m
74	OSPF Path Selection	0h 27m
75	OSPF Convergence Timers	0h 09m
76	OSPF Authentication	0h 12m
77	OSPF Summarization	0h 32m
78	OSPF Stub Areas, OSPF Totally Stubby Areas, OSPF NSSAs, OSPF Totally NSSAs	0h 40m
79	Controlling OSPF NSSA Redistribution	0h 02m
80	OSPF Type 7 to 5 Translator Election, OSPF LSA Type 3 Filter, OSPF Forwarding Address Suppression	0h 24m
81	Route Redistribution Overview	0h 36m
82	Route Redistribution Configuration & Verification, Connected Redistribution	0h 22m
83	OSPF External Path Selection, TCL PING Scripting	0h 33m
84	Routing Loops Overview, EIGRP Route Loop Prevention	0h 55m
85	Metric Based Routing Loops, Route Tagging	0h 46m
86	Administrative Distance Based Routing Loops, Debug IP Routing, IP Route Profile	0h 58m
87	BGP Overview, BGP Peering Types	0h 51m
88	Establishing BGP Peerings, EBGP Multihop, BGP Neighbor Disable Connected Check, BGP TTL Security	0h 49m
89	BGP 4-Byte ASNs	0h 20m
90	BGP Local AS, BGP Peer Groups	0h 30m
91	BGP Next-Hop Self, BGP Next-Hop Processing	0h 30m
92	BGP Route Reflectors	0h 37m
93	Large Scale BGP Route Reflectors with Clusters	0h 34m
94	BGP Confederation	0h 37m
95	BGP NLRI Advertisements, BGP Network Statement, BGP Redistribution	0h 43m
96	BGP Aggregation, BGP Aggregation & Summary-Only, BGP Aggregation & Unsuppress-Map	0h 46m
97	BGP Origin, BGP Aggregation & AS-Set, BGP Aggregation & Advertise-Map	0h 22m
98	BGP Conditional Route Injection	0h 21m
99	BGP Bestpath Selection, BGP Multipath, BGP Weight	0h 53m
100	BGP Local Preference, BGP Local Preference and Communities, BGP AS-Path Prepending,	0h 30m
101	BGP MED, BGP MED Missing As Worst, BGP Deterministic MED	0h 17m
102	BGP Communites, BGP Regular Expressions	0h 43m
103	BGP Filtering, BGP Convergence Timers, BGP Default Routing, Miscellaneous BGP Features	0h 24m
104	MPLS Overview, MPLS Label Distribution Protocol (LDP)	1h 05m
105	MPLS Tunnels, MPLS Penultimate Hop Popping (PHP)	0h 40m
106	MPLS Layer 3 VPNs Overview, VRF Lite	0h 36m
107	MPLS Layer 3 VPNs and VPNv4 BGP	1h 08m
108	MPLS Layer 3 VPN Verification & Troubleshooting	0h 49m
109	MPLS Layer 3 VPN OSPF PE-CE Routing Overview	0h 06m
110	MPLS Layer 3 VPN OSPF PE-CE Routing Path Selection & Sham-Links	2h 01m
111	MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prevention & Down-Bit, OSPF Capability VRF-Lite	0h 40m
112	IPv6 Overview, IPv6 ICMPv6 ND, IPv6 over NBMA	0h 44m
113	IPv6 Routing Overview, IPv6 Static Routing	0h 28m
114	IPv6 RIPng	0h 20m
115	IPv6 EIGRPv6	0h 09m
116	IPv6 OSPFv3	0h 31m
117	MP-BGP for IPv6	0h 26m
118	IPv6 Tunneling	1h 13m
119	Multicast Overview, IGMP	0h 34m
120	PIM Overview	0h 18m
121	PIM Dense Mode	1h 03m
122	PIM Sparse Mode	0h 30m
123	PIM Sparse Mode Configuration	0h 36m
124	PIM Sparse Mode RPF & RP Troubleshooting	0h 27m
125	Auto-RP, Multicast over GRE Tunnels	0h 53m
126	Bootstrap Router (BSR), Bidirectional PIM, Source Specific Multicast (SSM)	0h 40m
127	MSDP, Anycast RP	0h 27m
128	IPv6 Multicast Routing	0h 24m
129	QoS Overview, IntServ QoS, DiffServ QoS, IP Precedence, DSCP, MQC, HQF	0h 41m
130	MQC Classification	0h 44m
131	FIFO, FQ, WFQ, CBWFQ, HQF	0h 50m
132	LLQ	0h 23m
133	WRED	0h 31m
134	Traffic Shaping, Traffic Policing	0h 40m
135	Frame Relay Traffic Shaping (FRTS)	0h 33m
136	RSVP	0h 07m
137	Catalyst 3560 QoS	1h 00m
138	IOS Security Overview, Access Lists (ACLs)	0h 58m
139	Time Based ACLs, Dynamic ACLs	0h 33m
140	Reflexive ACLs	0h 21m
141	TCP Intercept, Content Based Access Control (CBAC)	0h 34m
142	Zone Based Policy Firewall (ZBPF)	1h 09m
143	AAA, Local Authentication, Local Authorization, Role Based CLI Access	0h 43m
144	Port Security, Static CAM Entries, Storm Control, 802.1X Authentication, PACLs, RACLs, VLAN Access Maps (VACLs)	0h 48m
145	DHCP Snooping, Dynamic ARP Inspection (DAI), IP Source Guard	0h 12m
146	Protected Ports, Private VLANs	0h 25m
147	IP Services Overview, HSRP	1h 10m
148	VRRP, GLBP	0h 28m
149	NAT	0h 42m
150	DHCP, DNS	0h 30m
151	NetFlow	0h 09m
152	WCCP, Miscellaneous IP Services	0h 06m
153	System Management Overview, NTP, NTP Authentication	0h 24m
154	SNMP, RMON	0h 38m
155	Syslog, Telnet, SSH, Banners	0h 21m
156	EEM Scripting, Miscellaneous System Management	0h 26m
Total Duration		81h 42m

Slides - Diagrams

Slides - Introduction

Slides - Ethernet Switching

Slides - Advanced Ethernet Switching

Slides - Frame Relay

Slides - PPP

Slides - Transport Bridging

Slides - Redistribution

Slides - IOS Security

Slides - Layer 2 Security

Slides - IP Services

Slides - System Management

0:00:13	Our last topics here for Layer 2 security
0:00:17	are the port protection and the VLAN or the
0:00:20	private VLAN feature.
0:00:23	Now port protection is used to filter traffic between devices
0:00:27	that are in the same VLAN
0:00:31	where typically this is used on the links that connect to
0:00:34	your servers so that they are allowed to talk to the
0:00:37	router on the segment, but not directly between each other.
0:00:42	So the idea behind this is that if one of the servers becomes
0:00:44	compromised, it would not be able to do a denial of service
0:00:47	attack against another server that is on the same LAN.
0:00:53	Now the configuration of port protection is very straightforward.
0:00:56	We just say switchport protected which means that devices in that
0:01:00	same VLAN that are both protected ports, they would not be able to
0:01:04	talk to each other.
0:01:07	The problem with this though is that it is only limited to one
0:01:09	switch, so if the servers are located on different switches
0:01:13	and they're being connected with a Layer 2 trunk link
0:01:17	then port protection is not going to work.
0:01:21	Now also there's a potential security hole with this
0:01:24	where the unknown packets, unknown unicast and multicast
0:01:27	packets still are allowed to flood between the interfaces
0:01:31	because that's how the switch normally does its
0:01:33	Mac address learning.
0:01:35	So typically when you say switchport protected
0:01:38	you would also say switchport block multicast and switchport
0:01:41	block unicast which is essentially disabling Mac address learning
0:01:45	for unknown unicast and multicast frames.
0:01:51	But in the documentation, this is also going to be
0:01:56	located under the port based traffic control.
0:01:58	So the same document where the storm control and the port
0:02:03	security is. This is configuring protected ports and then configuring
0:02:07	port blocking.
0:02:10	But if we look at their configuration example here
0:02:14	for configuring protected ports
0:02:17	again, it's only one command here.
0:02:19	You just say switchport protected.
0:02:24	So any links that are protected on the same switch that are
0:02:24	in the same VLAN, they will not be able to directly communicate with each other.
0:02:34	Now the private VLAN feature is going to take the same type of logic
0:02:38	but it is then going to extend it to multiple switches.
0:02:43	So private VLANs are still used for Layer 2 isolation
0:02:47	for ports that are in the same VLAN, but it's going to
0:02:50	allow us to span it between multiple switches.
0:02:55	Now one of the advantages of this is for shared hosting environments
0:03:00	where we have different web servers for example that are
0:03:03	on the same LAN, typically to segment these,
0:03:07	we would have to put them in separate Layer 3 segments
0:03:11	which means that we're going to have to define different subnets
0:03:14	for that segment.
0:03:17	Now potentially the issue is that if the servers are allocated
0:03:21	public addresses, then when you do the subnetting even if you
0:03:26	define it as /30 or /29
0:03:28	some of those addresses are going to be lost
0:03:30	for the network number and for the broadcast number.
0:03:35	So private VLANs would allow the servers to be in the same subnet
0:03:39	and in the same VLAN, but not have Layer 2 connectivity to each other.
0:03:46	So this would also be applicable for any type of shared office
0:03:50	environment or like a hotel network where the hotel
0:03:54	rooms are on the same physical segment and on the same Layer 2
0:03:58	LAN, but you wouldn't want one hotel room to talk to another
0:04:02	one over the wired ports, so you could put them in a private
0:04:06	VLAN where the end hosts are in the same subnet, but
0:04:10	they cannot directly communicate with each other.
0:04:14	Now to do this, we're going to take our main VLAN
0:04:17	and we're going to split down into sub VLANs
0:04:20	and these sub VLANs are going to come into two different
0:04:24	forms. They're known as community and isolated.
0:04:31	Where the primary VLAN is typically the normal
0:04:35	access VLAN number that we would assign to the interface.
0:04:38	So this main VLAN, this is known as the primary one.
0:04:41	The secondary or the sub VLANs, these are community or isolated
0:04:46	which is then going to control what are the particular ports
0:04:50	that can talk to each other.
0:04:53	So inside the community and isolated VLANs, there's three different
0:04:56	types of ports that we can have.
0:04:59	We can have promiscuous ports that are going to allow communication
0:05:04	to anyone and host ports which are assigned to
0:05:09	either isolated or the community VLANs.
0:05:14	An isolated port means that it can only talk to the promiscuous port
0:05:19	where a community port would be allowed to talk
0:05:22	to ports that are inside the same community
0:05:26	and to the promiscuous port, but then no one else.
0:05:31	So to visualize this, let's look at a case where we have multiple
0:05:35	Layer 2 switches, we have switch 1 that is connecting to
0:05:39	switch 2
0:05:42	and we have a number of different devices on each of the switches.
0:05:46	So on switch 1 we have routers 1, 3 and 5
0:05:53	where on switch 2 we have routers 2, 4 and 6
0:06:03	On Router 1, we could say that this is the promiscuous port.
0:06:10	So essentially Router 1 would then be able to
0:06:12	communicate with all of the other interfaces, so routers
0:06:16	2 through 6, it's going to be able to talk to everyone.
0:06:22	We'll say that there is a community
0:06:25	that is made up of Router 3
0:06:29	and Router 2
0:06:31	so these are in community 1
0:06:36	We then have a second community that is going to be
0:06:38	made up of routers 4 and 5
0:06:41	This is community 2
0:06:46	and then lastly, Router 6
0:06:48	is going to be in the isolated VLAN.
0:06:52	So this is an isolated port.
0:06:56	Now the end result of this would be that Router 1
0:06:59	is going to be able to talk to everyone.
0:07:02	So it could send packets to routers 2 through 6
0:07:05	Router 2 and Router 3 are going to talk to each other
0:07:08	because they're inside the same community.
0:07:11	Router 4 and Router 5 would be able to talk to each other
0:07:13	because they're in the same community, then Router 6 would
0:07:17	be able to talk to no one except Router 1
0:07:22	So in order to do this, the first thing that you would
0:07:24	do is put all of the ports into the same primary VLAN
0:07:28	and make sure that we have connectivity between them.
0:07:32	So let's actually try this out here. We're going to have to
0:07:35	change around our topology.
0:07:37	And I'll say that on switch 1
0:07:40	we'll just have interfaces that are including 1 through 6
0:07:46	I'll just set these back to the default.
0:07:51	So on switch 1 and switch 2
0:07:54	all of those links that connect to the routers, those are going
0:07:56	back to the default, so it means they're essentially all now in just VLAN 1
0:08:02	Next I'll do on the routers is reset their Ethernet interfaces
0:08:10	and put them into the same subnet, so Router 1 is going to be the address
0:08:14	10.0.0.1/24
0:08:19	Router 2
0:08:22	will be 10.0.0.2
0:08:31	Likewise three is going to be 10.0.0.3
0:08:44	Four is 10.0.0.4
0:08:50	and Router 5 and Router 6
0:09:10	Now once they convert spanning tree, we should be able to
0:09:14	see that all of these routers are going to have connectivity to each other.
0:09:17	So if we send packets to the broadcast address
0:09:20	from Router 6, we should get responses in from
0:09:23	routers 1 through 5
0:09:27	which we do.
0:09:29	If we were to send them unicast packets, we should be able to send
0:09:32	packets to 1, 2, 3, 4, 5
0:09:37	and then here we're locally on Router 6
0:09:41	So pretty simple configuration. All six of the devices are in the same
0:09:44	VLAN, they're in the same subnet, so normally they're all going to have
0:09:48	connectivity to each other.
0:09:50	The next thing we're going to do is define the primary VLAN
0:09:56	and define the sub VLANs.
0:09:59	Now in order to do this, to give them the attribute that
0:10:02	is specific to either the community or isolated
0:10:07	the switches are going to have to be in VTP transparent mode.
0:10:11	So on switch 1 and switch 2, we need to say the VTP
0:10:15	mode is transparent.
0:10:24	Now this would then imply if the switches do not support
0:10:27	VTP version 3, then they're not going to be able to
0:10:31	dynamically advertise the private VLAN information
0:10:34	through VTP, so essentially we just need to make sure
0:10:38	that whatever the VLAN database is that switch 1
0:10:40	has, it's the same as switch 2
0:10:45	So now we'll define what is our primary VLAN.
0:10:49	I'll say that this is VLAN 10
0:10:55	VLAN 10 is going to be a private VLAN
0:10:57	but this is the primary VLAN
0:11:01	so this is the main VLAN that the other sub VLANs
0:11:04	are going to be part of.
0:11:07	I then need to define the other sub VLANs
0:11:11	which is going to be VLAN 20
0:11:15	I'll say that this a community. VLAN 30 will be a community.
0:11:21	And then VLAN 40 will be the isolated VLAN.
0:11:29	Now under VLAN 10, since we can have multiple primary
0:11:34	VLANs that are associated with different communities or
0:11:37	different isolated VLANs
0:11:39	we need to tell the switch what are the particular sub VLANs that are
0:11:42	associated with this, so we say the private VLAN association
0:11:46	in this case is VLANs 20, 30 and 40
0:11:55	so this identical configuration needs to be applied on switch 1
0:12:00	as well.
0:12:07	So we'll say vlan 10
0:12:09	that's the primary VLAN
0:12:15	which is really consisting of VLANs 20, 30 and 40
0:12:26	There's a question here, "With VTP version 3, are we still limited to transparent mode?"
0:12:32	As far as I know, you are not.
0:12:36	Right now there's very limited code versions that actually support it.
0:12:40	But one of the ideas is that you should be able to advertise
0:12:43	this private VLAN information, so then of course if you're
0:12:46	in transparent mode, you're not going to be able to advertise
0:12:48	the information, so you should be able to send this as a
0:12:52	normal VLAN attribute whether you are a VTP server or you're a VTP client.
0:12:58	But currently, the lower level platforms don't support it.
0:13:01	If you look up the documentation for VTP version 3, then that would be
0:13:06	more appropriate for that.
0:13:09	Ok, so now we know what are the VLAN definitions.
0:13:13	Next thing is that we would need to define on the interface
0:13:16	are the ports going to be promiscuous or are they the host ports that are
0:13:20	in either the community or the isolated VLAN.
0:13:25	So I want the link to be from the Router 1
0:13:27	to be promiscuous, I want this to be able to talk
0:13:30	to everyone.
0:13:32	So I'll say that on Router 1 or on the connection to Router 1
0:13:37	that this is the switch port mode instead of access
0:13:44	this is a private VLAN port.
0:13:47	Specifically this is a promiscuous port.
0:13:51	This means that this is going to be made up of VLAN 10
0:13:54	which is the primary VLAN
0:13:56	but also includes the sub VLANs of 20, 30 and 40
0:14:01	so this is what the switchport private vlan
0:14:03	mapping command is going to be for.
0:14:06	switchport private vlan mapping
0:14:09	the primary VLAN is 10
0:14:12	The secondary VLANs are 20, 30 and 40
0:14:21	Now the link to Router 2 and Router 3 these are going to be
0:14:25	in the first community, so specifically in our case this is
0:14:28	going to be VLAN 20
0:14:32	The links to Router 4 and Router 5 these are going to be in VLAN 30
0:14:37	then Router 6 the isolated this is going to be in 40
0:14:42	So next on the link to Router 3 we'll say that the switch port
0:14:46	mode is private VLAN, but we are in end host because
0:14:51	we are either in a community or in isolated.
0:14:55	So there's no specific command that goes on
0:14:57	the Layer 2 switch port that tells it whether it's community
0:15:00	or isolated. It's simply based on the switch port private VLAN
0:15:08	the host association.
0:15:10	We specify what is the primary VLAN and then what is the sub VLAN
0:15:14	which in this case is 20
0:15:17	So this configuration that is going onto Router 3
0:15:22	this is going to be the identical one that we would apply
0:15:24	to Router 2's port.
0:15:30	Then likewise, the links between router 4 and 5
0:15:35	the configuration is the same. The only difference
0:15:38	is that the sub VLAN number is changing.
0:15:42	So this is going to go on the link to Router 4
0:15:47	and the link to Router 5
0:15:51	Router 6 is going to be in that isolated VLAN
0:15:55	so it's host association is 40
0:15:59	So at the Layer 2 port, there's no differences between the configuration.
0:16:03	The only thing that we're basically changing is just what the VLAN number is.
0:16:07	The only port that has the special config is the one
0:16:10	that is the promiscuous port.
0:16:13	So essentially this belongs to all of the VLANS.
0:16:20	Now the end result of this should be that Router 1
0:16:24	is able to reach any of these hosts.
0:16:39	So we can reach three
0:16:50	We cannot reach four.
0:16:54	We can reach five
0:17:05	and we can't reach six, so probably what I should have checked before
0:17:09	is what are the router's configs on this particular segment.
0:17:13	So let's make sure that there's no filtering or anything here
0:17:17	on the links directly.
0:17:26	So most of this is pretty basic config. This should be fine.
0:17:32	And it's possible that the switches are still just converging
0:17:37	the spanning tree for those VLANs.
0:17:44	So let's try this one more time. On Router 1
0:17:47	let's ping the all host broadcast.
0:17:51	So I'm able to get responses in from three and five
0:17:57	where three is -- three and five are on the same switch.
0:18:04	So this may be that there's a problem in the trunk link
0:18:09	between them.
0:18:14	So on switch 1, let's look at the show spanning tree
0:18:23	let's just say show spanning tree.
0:18:28	And most likely what the problem's going to be is
0:18:30	that we are probably transiting over switches that don't actually
0:18:34	have these VLANs.
0:18:38	So what I would need to do is basically make sure
0:18:41	that switch 1 and switch 2 are forwarding directly to each other.
0:18:45	And one of the ways I could do this is basically just to shut
0:18:47	down the other links, so on switch 1 I'll say interface
0:18:50	range Fast Ethernet 14 to 21
0:18:54	I will shut those down.
0:19:00	So now essentially the only possible interface that's between
0:19:03	them is port numbered 13 here.
0:19:11	So I could tell this just by looking at Router 1
0:19:14	that it had connectivity to the hosts that were in the
0:19:17	same Layer 2 switch, so then that would lead me to
0:19:22	look at what's going on with the Layer 2 trunk link between
0:19:26	the switches.
0:19:32	Now the reason that this was not a problem before
0:19:35	was because all of the hosts were in VLAN 1
0:19:37	and VLAN 1 was forwarding over the other routers
0:19:42	or the other Layer 2 switches.
0:19:45	But once I changed them into VLANs 10, 20, 30, 40
0:19:48	I didn't define these on switch 3 and switch 4
0:19:52	so the traffic would have been lost when it was trunking
0:19:54	over those devices, so now let's see on Router 1 we should
0:19:57	be able to get responses in from all of them which we can.
0:20:05	If we do the same ping from everyone, so on the access server
0:20:10	I'll just send ping 255.255.255.255
0:20:14	Again, what we should see is that Router 1 has connectivity
0:20:17	to everyone. Router 3 should have connectivity to one and
0:20:23	two which it does.
0:20:28	Router 2 likewise should have connectivity to one
0:20:31	and three.
0:20:36	Five should have connectivity to one and four.
0:20:41	Four should have connectivity to one and five and then
0:20:43	Router 6 should be able to talk to no one except Router 1
0:20:49	So the key point being here that even though they're in
0:20:51	the same Layer 3 network, they're technically in separate
0:20:55	Layer 2 networks.
0:20:59	Where effectively on Router 1's port we have overlapping VLANs
0:21:02	we're essentially assigning VLANs 20, 30 and 40
0:21:09	so the traffic from 20 is going between routers
0:21:14	two and three.
0:21:15	Traffic for 30 is going between four and five and then 40 is isolated.
0:21:20	Now with the isolated VLAN we can use this over and over
0:21:24	to other ports which means that two ports that are
0:21:28	in VLAN 40 they will not have communication to each other.
0:21:33	So if we were to go to switch 2,
0:21:36	and look at the show run interface Fast Ethernet 6
0:21:39	if I were to take this same config and apply this onto
0:21:44	two's interface and four's interface
0:21:49	so now all three of those hosts, routers 2, 4 and 6
0:21:53	they're all in VLAN 20
0:21:56	but if we look at who they can reach, now it's going to
0:21:59	change so that it's only going to be Router 1
0:22:05	And this will be after the spanning tree is going to reconverge.
0:22:21	So we can see Router 2 can reach one.
0:22:27	Router 3 can still reach one and -- actually just one now.
0:22:33	Router 4 should be able to reach just one
0:22:38	as is Router 6
0:22:39	so for the isolated VLAN, technically you only need
0:22:42	one of them. You only need to create additional VLANs
0:22:46	if you want them to be in community with each other
0:22:50	which means that they would have connectivity to
0:22:52	other ports that are in the same VLAN.
0:22:57	Now documentation wise, this is going to be under the
0:23:00	switching configuration guide and then under a separate section
0:23:03	here for configuring private VLANs.
0:23:08	So you should fairly be able to look at their
0:23:11	example and then kind of change it around with the
0:23:14	numbers that you would need for the particular question
0:23:17	if you were tested on this. Now there's a question here
0:23:20	"What's the difference between the association and the host
0:23:24	association?"
0:23:26	This would be if we are applying this to a Layer 3
0:23:33	interface, so if we look for the association command
0:23:45	Private VLAN association. Associate the secondary VLAN's with the primary
0:23:49	VLAN, so this is under the VLAN configuration. Then the host
0:23:53	association is the one that actually goes onto the port.
0:24:01	So one of the commands is under the VLAN itself, so in the VLAN
0:24:04	database and the other one is at the port level.
0:24:08	Now you can also do this on a Layer 3 switch virtual
0:24:11	interface where the syntax is a little bit different. You say
0:24:15	that the private VLAN mapping
0:24:18	and add the secondary VLANs
0:24:21	because the interface VLAN it's already going to know
0:24:24	what its primary VLAN number is because it's based
0:24:28	on whatever just the VLAN number is on the interface.
0:24:32	Then we would specify what are the secondary VLANs
0:24:36	with the private VLAN mapping.

Now Viewing

CCIE R&S Advanced Technologies Class v4.5
Title:	CCIE R&S Advanced Technologies Class v4.5
Duration:	81h 42m
The CCIE Routing & Switching Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Routing & Switching lab will be described in detail using an instructor led hands on demonstration. The class consists of over 80 hours of in depth explanations and examples.
Get instant access to our entire library!
	Sign Up
Download this Course
$299.00	Add to Cart

Protected Ports, Private VLANs

Create Bookmark