I only knew about Private VLAN (PVLAN) from reading CCNP SWITCH and had never implemented it in the real world, not until it was decided not too long ago to use the feature for one of our clients. PVLAN is an elegant design: every host keeps an address in the single subnet of the primary VLAN, so you save on IP subnet assignments, while the switch decides at Layer 2 which hosts may exchange frames with which.
ALS1#show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : SWPOD
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x0A 0x4B 0x30 0x9A 0xFC 0x3F 0x22 0x8E
Configuration last modified by 172.16.1.3 at 3-1-93 00:35:06
DLS1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
100 Staff active
200 Student active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
DLS1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/7 on 802.1q trunking 1
Fa0/8 on 802.1q trunking 1
Fa0/9 on 802.1q trunking 1
Fa0/10 on 802.1q trunking 1
Fa0/11 on 802.1q trunking 1
Fa0/12 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/7 1-4094
Fa0/8 1-4094
Fa0/9 1-4094
Fa0/10 1-4094
Fa0/11 1-4094
Fa0/12 1-4094
Port Vlans allowed and active in management domain
Fa0/7 1,100,200
Fa0/8 1,100,200
Fa0/9 1,100,200
Fa0/10 1,100,200
Fa0/11 1,100,200
Fa0/12 1,100,200
Port Vlans in spanning tree forwarding state and not pruned
Fa0/7 1,100,200
Fa0/8 1,100,200
Fa0/9 1,100,200
Fa0/10 1,100,200
Fa0/11 1,100,200
Fa0/12 1,100,200
DLS2#show standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Vl1 1 100 P Standby 172.16.1.3 local 172.16.1.1
Vl100 1 100 P Standby 172.16.100.3 local 172.16.100.1
Vl200 1 150 P Active local 172.16.200.3 172.16.200.1
DLS1(config)#vlan 150
DLS1(config-vlan)#name Server-farm
DLS1(config-vlan)#exit
DLS1(config)#interface vlan 150
DLS1(config-if)#
*Mar 1 00:13:05.618: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan150, changed state to down
DLS1(config-if)#ip address 172.16.150.3 255.255.255.0
*Mar 1 00:13:32.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan150, changed state to up
DLS1(config-if)#standby 1 ip 172.16.150.1
DLS1(config-if)#standby 1 priority 100
DLS1(config-if)#standby 1 preempt
DLS1(config-if)#
*Mar 1 00:14:19.026: %HSRP-5-STATECHANGE: Vlan150 Grp 1 state Speak -> Standby
*Mar 1 00:14:19.530: %HSRP-5-STATECHANGE: Vlan150 Grp 1 state Standby -> Active
DLS2(config)#interface vlan 150
DLS2(config-if)#
*Mar 1 00:15:33.786: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan150, changed state to up
DLS2(config-if)#ip address 172.16.150.4 255.255.255.0
DLS2(config-if)#standby 1 ip 172.16.150.1
DLS2(config-if)#standby 1 priority 150
DLS2(config-if)#standby 1 preempt
DLS2(config-if)#
*Mar 1 00:16:18.908: %HSRP-5-STATECHANGE: Vlan150 Grp 1 state Listen -> Active
DLS2(config-if)#end
DLS2#
*Mar 1 00:16:39.343: %SYS-5-CONFIG_I: Configured from console by console
DLS2#show standby ?
BVI Bridge-Group Virtual Interface
FastEthernet FastEthernet IEEE 802.3
GigabitEthernet GigabitEthernet IEEE 802.3z
Port-channel Ethernet Channel of interfaces
Vlan Catalyst Vlans
all Include groups in disabled state
brief Brief output
capability HSRP capability
delay Group initialisation delay
internal Internal HSRP information
redirect HSRP ICMP redirect information
| Output modifiers
<cr>
DLS2#show standby vlan ?
<1-4094> Vlan interface number
DLS2#show standby vlan 150 ?
<0-255> group number
all Include groups in disabled state
brief Brief output
| Output modifiers
<cr>
DLS2#show standby vlan 150 brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Vl150 1 150 P Active local 172.16.150.3 172.16.150.1
DLS1#show vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : SWPOD
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x8D 0x7E 0xE7 0x9C 0x10 0xB8 0x90 0x47
Configuration last modified by 172.16.1.3 at 3-1-93 00:13:01
Local updater ID is 172.16.1.3 on interface Vl1 (lowest numbered VLAN interface found)
DLS2#show vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : SWPOD
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x8D 0x7E 0xE7 0x9C 0x10 0xB8 0x90 0x47
Configuration last modified by 172.16.1.3 at 3-1-93 00:13:01
Local updater ID is 172.16.1.4 on interface Vl1 (lowest numbered VLAN interface found)
DLS1(config)#vlan 150
DLS1(config-vlan)#?
VLAN configuration commands:
are Maximum number of All Route Explorer hops for this VLAN (or
zero if none specified)
backupcrf Backup CRF mode of the VLAN
bridge Bridging characteristics of the VLAN
exit Apply changes, bump revision number, and exit mode
media Media type of the VLAN
mtu VLAN Maximum Transmission Unit
name Ascii name of the VLAN
no Negate a command or set its defaults
parent ID number of the Parent VLAN of FDDI or Token Ring type VLANs
private-vlan Configure a private VLAN
remote-span Configure as Remote SPAN VLAN
ring Ring number of FDDI or Token Ring type VLANs
said IEEE 802.10 SAID
shutdown Shutdown VLAN switching
state Operational state of the VLAN
ste Maximum number of Spanning Tree Explorer hops for this VLAN (or
zero if none specified)
stp Spanning tree characteristics of the VLAN
tb-vlan1 ID number of the first translational VLAN for this VLAN (or
zero if none)
tb-vlan2 ID number of the second translational VLAN for this VLAN (or
zero if none)
DLS1(config-vlan)#private-vlan ?
association Configure association between private VLANs
community Configure the VLAN as a community private VLAN
isolated Configure the VLAN as an isolated private VLAN
primary Configure the VLAN as a primary private VLAN
DLS1(config-vlan)#private-vlan primary
%Private VLANs can only be configured when VTP is in transparent mode.
DLS1(config)#vtp mode transparent // MUST BE SET BEFORE PVLANS CAN BE DEFINED WHEN RUNNING VTP V1/V2 (VTP V3 CAN CARRY THEM); THE PVLAN DEFINITIONS NO LONGER PROPAGATE, SO THEY ARE REPEATED BY HAND ON DLS2
Setting device to VTP TRANSPARENT mode.
DLS2(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
DLS1(config)#vlan 151
DLS1(config-vlan)#?
VLAN configuration commands:
are Maximum number of All Route Explorer hops for this VLAN (or
zero if none specified)
backupcrf Backup CRF mode of the VLAN
bridge Bridging characteristics of the VLAN
exit Apply changes, bump revision number, and exit mode
media Media type of the VLAN
mtu VLAN Maximum Transmission Unit
name Ascii name of the VLAN
no Negate a command or set its defaults
parent ID number of the Parent VLAN of FDDI or Token Ring type VLANs
private-vlan Configure a private VLAN
remote-span Configure as Remote SPAN VLAN
ring Ring number of FDDI or Token Ring type VLANs
said IEEE 802.10 SAID
shutdown Shutdown VLAN switching
state Operational state of the VLAN
ste Maximum number of Spanning Tree Explorer hops for this VLAN (or
zero if none specified)
stp Spanning tree characteristics of the VLAN
tb-vlan1 ID number of the first translational VLAN for this VLAN (or
zero if none)
tb-vlan2 ID number of the second translational VLAN for this VLAN (or
zero if none)
DLS1(config-vlan)#private-vlan ?
association Configure association between private VLANs
community Configure the VLAN as a community private VLAN
isolated Configure the VLAN as an isolated private VLAN
primary Configure the VLAN as a primary private VLAN
DLS1(config-vlan)#private-vlan isolated // DEFINE THE SECONDARY VLANS FIRST; ISOLATED HOSTS TALK ONLY TO PROMISCUOUS PORTS, NOT TO EACH OTHER
DLS1(config-vlan)#exit
DLS1(config)#vlan 152
DLS1(config-vlan)#private-vlan community // COMMUNITY HOSTS TALK TO EACH OTHER AND TO PROMISCUOUS PORTS
DLS1(config-vlan)#exit
DLS1(config)#vlan 150
DLS1(config-vlan)#private-vlan primary
DLS1(config-vlan)#private-vlan association ?
WORD VLAN IDs of the private VLANs to be configured
add Add a VLAN to private VLAN list
remove Remove a VLAN from private VLAN list
DLS1(config-vlan)#private-vlan association 151,152 // CONFIGURE THE PRIMARY VLAN LAST AND ASSOCIATE THE SECONDARY VLANS, WHICH MUST ALREADY EXIST
DLS2(config)#vlan 151
DLS2(config-vlan)#private-vlan isolated
DLS2(config-vlan)#exit
DLS2(config)#vlan 152
DLS2(config-vlan)#private-vlan community
DLS2(config-vlan)#exit
DLS2(config)#vlan 150
DLS2(config-vlan)#private-vlan primary
DLS2(config-vlan)#private-vlan association 151,152
DLS1(config)#interface vlan 150
DLS1(config-if)#private-vlan ?
mapping Set the private VLAN SVI interface mapping
DLS1(config-if)#private-vlan mapping ?
WORD Secondary VLAN IDs of the private VLAN SVI interface mapping
add Add a VLAN to private VLAN list
remove Remove a VLAN from private VLAN list
DLS1(config-if)#private-vlan mapping 151-152 // MAPS THE SECONDARY VLANS TO THE PRIMARY SVI SO HOSTS IN 151/152 ARE ROUTED THROUGH THE VLAN 150 GATEWAY; THE SVI BEHAVES LIKE A PROMISCUOUS PORT
DLS1(config-if)#
*Mar 1 00:25:38.403: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 151
*Mar 1 00:25:38.411: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 152
DLS2(config)#interface vlan 150
DLS2(config-if)#private-vlan mapping 151-152
DLS2(config-if)#
*Mar 1 00:27:00.561: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 151
*Mar 1 00:27:00.561: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 152
DLS1#show vlan ?
access-map Vlan access-map
brief VTP all VLAN status in brief
dot1q Display dot1q parameters
filter VLAN filter information
id VTP VLAN status by VLAN id
ifindex SNMP ifIndex
internal VLAN internal usage
mtu VLAN MTU information
name VTP VLAN status by VLAN name
private-vlan Private VLAN information
remote-span Remote SPAN VLANs
summary VLAN summary information
| Output modifiers
<cr>
DLS1#show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
150 151 isolated
150 152 community
DLS2(config)#interface fastethernet0/6
DLS2(config-if)#switchport ?
access Set access mode characteristics of the interface
backup Set backup for the interface
block Disable forwarding of unknown uni/multi cast addresses
host Set port host
mode Set trunking mode of the interface
nonegotiate Device will not engage in negotiation protocol on this
interface
port-security Security related command
priority Set appliance 802.1p priority
private-vlan Set the private VLAN configuration
protected Configure an interface to be a protected port
trunk Set trunking characteristics of the interface
voice Voice appliance attributes
<cr>
DLS2(config-if)#switchport mode ?
access Set trunking mode to ACCESS unconditionally
dot1q-tunnel set trunking mode to TUNNEL unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
private-vlan Set private-vlan mode
trunk Set trunking mode to TRUNK unconditionally
DLS2(config-if)#switchport mode private-vlan ?
host Set the mode to private-vlan host
promiscuous Set the mode to private-vlan promiscuous
DLS2(config-if)#switchport mode private-vlan host // SETS THE PVLAN MODE ON THE INTERFACE
DLS2(config-if)#switchport private-vlan ?
association Set the private VLAN association
host-association Set the private VLAN host association
mapping Set the private VLAN promiscuous mapping
DLS2(config-if)#switchport private-vlan host-association ?
<1006-4094> Primary extended range VLAN ID of the private VLAN host port
association
<2-1001> Primary normal range VLAN ID of the private VLAN port
association
DLS2(config-if)#switchport private-vlan host-association 150 ?
<1006-4094> Secondary extended range VLAN ID of the private VLAN host port
association
<2-1001> Secondary normal range VLAN ID of the private VLAN host port
association
DLS2(config-if)#switchport private-vlan host-association 150 151 // ASSIGNS APPROPRIATE PRIMARY AND SECONDARY VLANS ON THE INTERFACE
DLS2(config-if)#exit
DLS2(config)#interface range fastethernet0/18-20
DLS2(config-if-range)#switchport mode private-vlan host
DLS2(config-if-range)#switchport private-vlan host-association 150 152
DLS2#show vlan private-vlan // VERIFY PORTS ARE CONFIGURED FOR PVLAN AND ASSOCIATED VLANS
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
150 151 isolated Fa0/6
150 152 community Fa0/18, Fa0/19, Fa0/20
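To make the isolation rules explicit before the ping tests, here is an added Python model (not code from the lab or from Cisco) that derives the expected reachability matrix from the PVLAN definitions above and checks a set of observed results against it. The port table, the treatment of the Vlan150 SVI as a promiscuous port, and the observed results (constructed from the ping captures that follow, not a live measurement) are this example's assumptions:

```python
"""PVLAN reachability model (added example; not the lab's or Cisco's code).

Derives the expected Layer 2 reachability between ports of primary VLAN 150
from the secondary VLAN types and compares it with observed results.
"""

# From 'show vlan private-vlan': secondary VLAN -> type (primary 150 assumed).
SECONDARY = {151: "isolated", 152: "community"}

# Port -> secondary VLAN, or None for a promiscuous port. The Vlan150 SVI with
# 'private-vlan mapping 151-152' is treated as promiscuous (assumption).
PORTS = {
    "Fa0/6": 151,      # Server-151, 172.16.150.6
    "Fa0/18": 152,     # Server-152-A, 172.16.150.18
    "Fa0/19": 152,     # Server-152-B, 172.16.150.19
    "Fa0/20": 152,
    "Vlan150": None,   # gateway 172.16.150.1
}


def can_talk(a, b):
    """True if frames may be switched between ports a and b.
    Promiscuous ports reach everything; two host ports reach each other only
    when both sit in the same community VLAN; isolated hosts reach no other
    host port, not even another isolated one."""
    sa, sb = PORTS[a], PORTS[b]
    if sa is None or sb is None:
        return True
    return sa == sb and SECONDARY[sa] == "community"


def expected_matrix():
    """{(src, dst): allowed} for every ordered pair of distinct ports."""
    return {(a, b): can_talk(a, b) for a in PORTS for b in PORTS if a != b}


def check_observed(observed):
    """Return the (src, dst) pairs whose observed reachability disagrees with
    the model; an empty list means the PVLAN behaves as designed."""
    exp = expected_matrix()
    return sorted(p for p, ok in observed.items() if exp[p] != ok)


# Constructed from the ping captures below, not a live measurement.
OBSERVED = {
    ("Fa0/6", "Vlan150"): True,     # isolated host reaches the gateway
    ("Fa0/6", "Fa0/18"): False,     # isolated host cannot reach community host
    ("Fa0/18", "Vlan150"): True,
    ("Fa0/18", "Fa0/6"): False,
    ("Fa0/18", "Fa0/19"): True,     # community hosts reach each other
    ("Fa0/19", "Fa0/18"): True,
}

if __name__ == "__main__":
    for (a, b), ok in sorted(expected_matrix().items()):
        print(f"{a:8} -> {b:8} {'allowed' if ok else 'BLOCKED'}")
    print("mismatches:", check_observed(OBSERVED))
```

Running it prints the full allowed/blocked matrix; a non-empty mismatch list is the quick way to spot a port that landed in the wrong secondary VLAN. The model also covers the case the lab does not exercise: two isolated hosts never reach each other, only the promiscuous side.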
SERVER IN ISOLATED PVLAN 151
C:\Users\Server-151>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 172.16.150.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.150.1
C:\Users\Server-151>ping 172.16.150.1 // CAN PING VLAN 150 DEFAULT GATEWAY
Pinging 172.16.150.1 with 32 bytes of data:
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Ping statistics for 172.16.150.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
C:\Users\John Lloyd>ping 172.16.150.18 // CAN'T PING HOST IN COMMUNITY PVLAN 152; "DESTINATION HOST UNREACHABLE" FROM ITS OWN ADDRESS MEANS ARP FOR .18 WAS NEVER ANSWERED, AND WINDOWS COUNTS THOSE ERROR REPLIES AS RECEIVED (HENCE 0% LOSS)
Pinging 172.16.150.18 with 32 bytes of data:
Reply from 172.16.150.6: Destination host unreachable.
Reply from 172.16.150.6: Destination host unreachable.
Reply from 172.16.150.6: Destination host unreachable.
Reply from 172.16.150.6: Destination host unreachable.
Ping statistics for 172.16.150.18:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
HOST-A IN COMMUNITY PVLAN 152
H:\Server-152-A>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::9416:ccf3:aa3:6460%11
IPv4 Address. . . . . . . . . . . : 172.16.150.18
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.150.1
H:\Server-152-A>ping 172.16.150.1 // CAN PING VLAN 150 DEFAULT GATEWAY
Pinging 172.16.150.1 with 32 bytes of data:
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=3ms TTL=255
Ping statistics for 172.16.150.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 1ms
H:\Server-152-A>ping 172.16.150.6 // CAN'T PING HOST IN ISOLATED PVLAN 151 (NO ARP REPLY, SO THE HOST REPORTS UNREACHABLE FROM ITS OWN ADDRESS)
Pinging 172.16.150.6 with 32 bytes of data:
Reply from 172.16.150.18: Destination host unreachable.
Reply from 172.16.150.18: Destination host unreachable.
Reply from 172.16.150.18: Destination host unreachable.
Reply from 172.16.150.18: Destination host unreachable.
Ping statistics for 172.16.150.6:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
H:\Server-152-A>ping 172.16.150.19 // CAN PING HOST B IN COMMUNITY PVLAN 152
Pinging 172.16.150.19 with 32 bytes of data:
Reply from 172.16.150.19: bytes=32 time<1ms TTL=128
Reply from 172.16.150.19: bytes=32 time=1ms TTL=128
Reply from 172.16.150.19: bytes=32 time=1ms TTL=128
Reply from 172.16.150.19: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.150.19:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
HOST B IN PVLAN 152
C:\Users\Server-152-B>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 172.16.150.19
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.150.1
C:\Users\Server-152-B>ping 172.16.150.1 // CAN PING VLAN 150 DEFAULT GATEWAY
Pinging 172.16.150.1 with 32 bytes of data:
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=3ms TTL=255
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Ping statistics for 172.16.150.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 1ms
C:\Users\Server-152-B>ping 172.16.150.18 // CAN PING HOST A ON COMMUNITY PVLAN 152
Pinging 172.16.150.18 with 32 bytes of data:
Reply from 172.16.150.18: bytes=32 time=2ms TTL=128
Reply from 172.16.150.18: bytes=32 time=1ms TTL=128
Reply from 172.16.150.18: bytes=32 time=1ms TTL=128
Reply from 172.16.150.18: bytes=32 time=1ms TTL=128
Ping statistics for 172.16.150.18:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms
DLS1(config)#access-list 100 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established // STUDENT->STAFF TCP ONLY IF ACK OR RST IS SET; THIS IS A FLAG CHECK, NOT CONNECTION TRACKING, SO A FORGED ACK-ONLY SEGMENT ALSO PASSES
DLS1(config)#access-list 100 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply // LETS STAFF PINGS BE ANSWERED (UNSOLICITED ECHO-REPLIES PASS TOO)
DLS1(config)#access-list 100 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 // EVERYTHING ELSE FROM STUDENT TO STAFF IS DROPPED
DLS1(config)#access-list 100 permit ip any any // ALL OTHER TRAFFIC, INCLUDING STAFF->STUDENT, IS ALLOWED
DLS1(config)#interface vlan 100
DLS1(config-if)#ip access-group 100 in // NO ENTRY MATCHES PACKETS SOURCED FROM 172.16.100.0/24, SO INBOUND ON VLAN 100 THIS ACL PERMITS EVERYTHING
DLS1(config-if)#interface vlan 200
DLS1(config-if)#ip access-group 100 in // INBOUND ON VLAN 200 IS WHERE THE FILTER TAKES EFFECT
DLS2(config)#access-list 100 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
DLS2(config)#access-list 100 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
DLS2(config)#access-list 100 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
DLS2(config)#access-list 100 permit ip any any
DLS2(config)#interface vlan 100
DLS2(config-if)#ip access-group 100 in
DLS2(config-if)#interface vlan 200
DLS2(config-if)#ip access-group 100 in
DLS1#show access-list
Extended IP access list 100
10 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
20 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
30 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
40 permit ip any any (162 matches)
DLS1#show ip interface vlan 100
Vlan100 is up, line protocol is up
Internet address is 172.16.100.3/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.2
Outgoing access list is not set
Inbound access list is 100
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Access List
Output features: Check hwidb
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
ALS1(config)#interface fastethernet0/6
ALS1(config-if)#switchport mode access
ALS1(config-if)#switchport access vlan 100
ALS1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/6 but will only
have effect when the interface is in a non-trunking mode.
ALS2(config)#interface fastethernet0/6
ALS2(config-if)#switchport mode access
ALS2(config-if)#switchport access vlan 200
ALS2(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/6 but will only
have effect when the interface is in a non-trunking mode.
HOST A ON VLAN 100
C:\Users\John Lloyd>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 172.16.100.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.100.1
C:\Users\John Lloyd>ping 172.16.200.8 // PING TO HOST B ON VLAN 200 ALLOWED: THE REQUEST FROM STAFF FALLS THROUGH TO LINE 40 AND THE ECHO-REPLY FROM STUDENT MATCHES LINE 20
Pinging 172.16.200.8 with 32 bytes of data:
Reply from 172.16.200.8: bytes=32 time=1ms TTL=127
Reply from 172.16.200.8: bytes=32 time=1ms TTL=127
Reply from 172.16.200.8: bytes=32 time<1ms TTL=127
Reply from 172.16.200.8: bytes=32 time<1ms TTL=127
Ping statistics for 172.16.200.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
HOST B ON VLAN 200
H:\>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::9416:ccf3:aa3:6460%11
IPv4 Address. . . . . . . . . . . : 172.16.200.8
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.200.1
H:\>ping 172.16.100.5 // PING TO HOST A ON VLAN 100 DENIED: THE ECHO REQUEST FROM STUDENT HITS LINE 30 ON THE ACTIVE VLAN 200 GATEWAY (DLS2), WHICH ANSWERS WITH ICMP UNREACHABLE
Pinging 172.16.100.5 with 32 bytes of data:
Reply from 172.16.200.4: Destination net unreachable.
Reply from 172.16.200.4: Destination net unreachable.
Reply from 172.16.200.4: Destination net unreachable.
Reply from 172.16.200.4: Destination net unreachable.
Ping statistics for 172.16.100.5:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
DLS1(config)#ip access-list extended TEMP-HOST
DLS1(config-ext-nacl)#permit ip host 172.16.100.150 172.16.100.0 0.0.0.255 // ACL THAT IDENTIFIES TRAFFIC SOURCED FROM THE HOST TO THE VLAN 100 SUBNET; IN A VLAN MAP "PERMIT" ONLY MEANS "MATCH", THE MAP'S ACTION DECIDES WHAT HAPPENS
DLS1(config-ext-nacl)#exit
DLS1(config)#vlan ?
WORD ISL VLAN IDs 1-4094
access-map Create vlan access-map or enter vlan access-map command mode
dot1q dot1q parameters
filter Apply a VLAN Map
internal internal VLAN
DLS1(config)#vlan access-map ?
WORD Vlan access map tag
DLS1(config)#vlan access-map BLOCK-TEMP ?
<0-65535> Sequence to insert to/delete from existing vlan access-map entry
<cr>
DLS1(config)#vlan access-map BLOCK-TEMP 10 // VACL; SEQUENCE NUMBERS DEFAULT TO 10 AND INCREMENT BY 10
DLS1(config-access-map)#?
Vlan access-map configuration commands:
action Take the action
default Set a command to its defaults
exit Exit from vlan access-map configuration mode
match Match values.
no Negate a command or set its defaults
DLS1(config-access-map)#match ?
ip IP based match
mac MAC based match
DLS1(config-access-map)#match ip ?
address Match IP address to access control.
DLS1(config-access-map)#match ip address ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name
DLS1(config-access-map)#match ip address TEMP-HOST
DLS1(config-access-map)#action ?
drop Drop packets
forward Forward packets
DLS1(config-access-map)#action drop
DLS1(config-access-map)#vlan access-map BLOCK-TEMP 20 // ALLOWS ALL OTHER TRAFFIC; WITHOUT IT, IP PACKETS THAT MATCH NO CLAUSE ARE DROPPED BY THE IMPLICIT DENY
DLS1(config-access-map)#action forward
DLS1(config-access-map)#exit
DLS1(config)#vlan filter ?
WORD VLAN map name
DLS1(config)#vlan filter BLOCK-TEMP ?
vlan-list VLANs to apply filter to
DLS1(config)#vlan filter BLOCK-TEMP vlan-list ?
<1-4094> VLAN id
all Add this filter to all VLANs
DLS1(config)#vlan filter BLOCK-TEMP vlan-list 100 // APPLY THE MAP TO VLAN 100; IT FILTERS BRIDGED AND ROUTED TRAFFIC IN THAT VLAN, BUT ONLY ON THIS SWITCH (DLS2 HAS NO MAP)
DLS1#show vlan access-map BLOCK-TEMP
Vlan access-map "BLOCK-TEMP" 10
Match clauses:
ip address: TEMP-HOST
Action:
drop
Vlan access-map "BLOCK-TEMP" 20
Match clauses:
Action:
forward
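Both filters on this page can be replayed offline. The following Python block is an added example, not code from the lab or from Cisco; it models access-list 100 as applied inbound on Vlan200 and the BLOCK-TEMP VLAN map on VLAN 100, against constructed packets that use the lab's addresses. It reproduces the ping results and also shows two things the captures cannot: a forged ACK-only TCP segment from the student subnet satisfies the established keyword (it checks flags, not connection state), and why host B's ping to host A times out even though B's request itself is forwarded. Packet, ace_matches, acl_decision and vacl_decision are names chosen for this example.

```python
"""Model of the two filters configured above (added example, not the lab's code).

1. access-list 100 inbound on Vlan200: the student -> staff policy.
2. vlan access-map BLOCK-TEMP on VLAN 100: TEMP-HOST match -> drop.

Packet, ace_matches, acl_decision and vacl_decision are this example's own
names; the sample packets are constructed from the addresses used in the lab.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    proto: str                  # 'tcp', 'icmp', 'udp' or 'arp' (non-IP)
    src: str = ""
    dst: str = ""
    flags: frozenset = field(default_factory=frozenset)   # TCP flags set
    icmp_type: str = ""         # 'echo' or 'echo-reply'


def in_net(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net)


def ace_matches(ace, pkt):
    """One entry: (action, proto, src, dst, option). IP ACLs never see ARP."""
    _, proto, src, dst, opt = ace
    if pkt.proto == "arp" or (proto != "ip" and proto != pkt.proto):
        return False
    if not (in_net(pkt.src, src) and in_net(pkt.dst, dst)):
        return False
    if opt == "established":    # only looks for ACK or RST; no session state
        return bool(pkt.flags & {"ACK", "RST"})
    if opt == "echo-reply":
        return pkt.icmp_type == "echo-reply"
    return True


def acl_decision(acl, pkt):
    """Interface ACL: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"


STAFF, STUDENT = "172.16.100.0/24", "172.16.200.0/24"
ACL_100 = [
    ("permit", "tcp", STUDENT, STAFF, "established"),
    ("permit", "icmp", STUDENT, STAFF, "echo-reply"),
    ("deny", "ip", STUDENT, STAFF, None),
    ("permit", "ip", "any", "any", None),
]

# VLAN map: (match ACL or None, action). A 'permit' in the match ACL means
# "this packet matches the clause"; a sequence with no clause matches all.
TEMP_HOST = [("permit", "ip", "172.16.100.150/32", STAFF, None)]
BLOCK_TEMP = [(TEMP_HOST, "drop"), (None, "forward")]


def vacl_decision(vacl, pkt):
    """IP packets matching no sequence are dropped when the map has IP match
    clauses; non-IP frames such as ARP are forwarded in that case."""
    for match_acl, action in vacl:
        if match_acl is None or acl_decision(match_acl, pkt) == "permit":
            return action
    has_ip_clause = any(m is not None for m, _ in vacl)
    return "drop" if has_ip_clause and pkt.proto != "arp" else "forward"


def student_to_staff_results():
    """Decisions for packets entering Vlan200 from host B toward host A."""
    b, a = "172.16.200.8", "172.16.100.5"
    return {
        "syn": acl_decision(ACL_100, Packet("tcp", b, a, frozenset({"SYN"}))),
        # a forged ACK-only segment satisfies 'established' with no connection
        "crafted_ack": acl_decision(ACL_100, Packet("tcp", b, a, frozenset({"ACK"}))),
        "echo": acl_decision(ACL_100, Packet("icmp", b, a, icmp_type="echo")),
        # an unsolicited echo-reply is let through as well
        "echo_reply": acl_decision(ACL_100, Packet("icmp", b, a, icmp_type="echo-reply")),
        "staff_syn": acl_decision(ACL_100, Packet("tcp", a, b, frozenset({"SYN"}))),
    }


def vacl_results():
    """VLAN 100 traffic seen by DLS1 with BLOCK-TEMP applied."""
    host_a, host_b, gw = "172.16.100.150", "172.16.100.20", "172.16.100.1"
    return {
        "b_to_a_request": vacl_decision(BLOCK_TEMP, Packet("icmp", host_b, host_a, icmp_type="echo")),
        "a_to_b_reply": vacl_decision(BLOCK_TEMP, Packet("icmp", host_a, host_b, icmp_type="echo-reply")),
        "a_to_gateway": vacl_decision(BLOCK_TEMP, Packet("icmp", host_a, gw, icmp_type="echo")),
        "arp": vacl_decision(BLOCK_TEMP, Packet("arp")),   # ARP resolves, IP is then dropped
    }


if __name__ == "__main__":
    print(student_to_staff_results())
    print(vacl_results())
```

The crafted_ack and echo_reply results are the practical caveat for the interface ACL: anything that needs real one-way enforcement should use a stateful filter (reflexive ACL, zone-based firewall or an external firewall) rather than the established keyword. The vacl_results show that a VLAN map drops the reply leg on its own, which is why host B sees timeouts rather than unreachable errors.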
DLS1(config)#interface range fastethernet0/1-2
DLS1(config-if-range)#switchport mode access
DLS1(config-if-range)#switchport access vlan 100
DLS1(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast will be configured in 2 interfaces due to the range command
but will only have effect when the interfaces are in a non-trunking mode.
HOST A IN VLAN 100
C:\Users\HOST-A>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 172.16.100.150
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.100.1
C:\Users\HOST-A>ping 172.16.100.1 // CAN'T PING VLAN 100 DEFAULT GATEWAY: ARP IS NOT IP AND STILL RESOLVES, BUT EVERY IP PACKET SOURCED FROM .150 MATCHES TEMP-HOST AND IS DROPPED (HENCE TIMEOUTS, NOT "UNREACHABLE")
Pinging 172.16.100.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.100.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\HOST-A>ping 172.16.100.20 // CAN'T PING HOST B
Pinging 172.16.100.20 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.100.20:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
HOST B IN VLAN 100
H:\>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::9416:ccf3:aa3:6460%11
IPv4 Address. . . . . . . . . . . : 172.16.100.20
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.100.1
Tunnel adapter isatap.{308C6312-E0CC-42FE-ACA0-E00A2450F476}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
H:\>ping 172.16.100.1 // CAN PING VLAN 100 DEFAULT GATEWAY
Pinging 172.16.100.1 with 32 bytes of data:
Reply from 172.16.100.1: bytes=32 time=1ms TTL=255
Reply from 172.16.100.1: bytes=32 time=1ms TTL=255
Reply from 172.16.100.1: bytes=32 time=1ms TTL=255
Reply from 172.16.100.1: bytes=32 time=2ms TTL=255
Ping statistics for 172.16.100.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms
H:\>ping 172.16.100.150 // CAN'T PING HOST A: THE REQUEST FROM .20 IS FORWARDED, BUT A'S REPLY IS SOURCED FROM .150 AND IS DROPPED
Pinging 172.16.100.150 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.100.150:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),