Friday, July 3, 2015

Securing VLANs with Private VLANs, RACLs, and VACLs

I only knew and read about Private VLAN (PVLAN) in CCNP SWITCH and hadn't implemented it in the real world until it was decided not too long ago to use this feature for one of our clients. PVLAN is an elegant design: hosts share one IP subnet (so you save on subnet assignments) while still being isolated from each other at Layer 2.

ALS1#show vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 7
VTP Operating Mode              : Client
VTP Domain Name                 : SWPOD
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x0A 0x4B 0x30 0x9A 0xFC 0x3F 0x22 0x8E
Configuration last modified by 172.16.1.3 at 3-1-93 00:35:06


DLS1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
100  Staff                            active
200  Student                          active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup


DLS1#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/7       on               802.1q         trunking      1
Fa0/8       on               802.1q         trunking      1
Fa0/9       on               802.1q         trunking      1
Fa0/10      on               802.1q         trunking      1
Fa0/11      on               802.1q         trunking      1
Fa0/12      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/7       1-4094
Fa0/8       1-4094
Fa0/9       1-4094
Fa0/10      1-4094
Fa0/11      1-4094
Fa0/12      1-4094

Port        Vlans allowed and active in management domain
Fa0/7       1,100,200
Fa0/8       1,100,200
Fa0/9       1,100,200
Fa0/10      1,100,200
Fa0/11      1,100,200
Fa0/12      1,100,200

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/7       1,100,200
Fa0/8       1,100,200
Fa0/9       1,100,200
Fa0/10      1,100,200
Fa0/11      1,100,200
Fa0/12      1,100,200


DLS2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Vl1         1   100  P Standby  172.16.1.3      local           172.16.1.1
Vl100       1   100  P Standby  172.16.100.3    local           172.16.100.1
Vl200       1   150  P Active   local           172.16.200.3    172.16.200.1


DLS1(config)#vlan 150
DLS1(config-vlan)#name Server-farm
DLS1(config-vlan)#exit
DLS1(config)#interface vlan 150
DLS1(config-if)#
*Mar  1 00:13:05.618: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan150, changed state to down
DLS1(config-if)#ip address 172.16.150.3 255.255.255.0
*Mar  1 00:13:32.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan150, changed state to up
DLS1(config-if)#standby 1 ip 172.16.150.1
DLS1(config-if)#standby 1 priority 100
DLS1(config-if)#standby 1 preempt
DLS1(config-if)#
*Mar  1 00:14:19.026: %HSRP-5-STATECHANGE: Vlan150 Grp 1 state Speak -> Standby
*Mar  1 00:14:19.530: %HSRP-5-STATECHANGE: Vlan150 Grp 1 state Standby -> Active


DLS2(config)#interface vlan 150
DLS2(config-if)#
*Mar  1 00:15:33.786: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan150, changed state to up
DLS2(config-if)#ip address 172.16.150.4 255.255.255.0
DLS2(config-if)#standby 1 ip 172.16.150.1
DLS2(config-if)#standby 1 priority 150
DLS2(config-if)#standby 1 preempt
DLS2(config-if)#
*Mar  1 00:16:18.908: %HSRP-5-STATECHANGE: Vlan150 Grp 1 state Listen -> Active
DLS2(config-if)#end
DLS2#
*Mar  1 00:16:39.343: %SYS-5-CONFIG_I: Configured from console by console
DLS2#show standby ?
  BVI              Bridge-Group Virtual Interface
  FastEthernet     FastEthernet IEEE 802.3
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Port-channel     Ethernet Channel of interfaces
  Vlan             Catalyst Vlans
  all              Include groups in disabled state
  brief            Brief output
  capability       HSRP capability
  delay            Group initialisation delay
  internal         Internal HSRP information
  redirect         HSRP ICMP redirect information
  |                Output modifiers
  <cr>

DLS2#show standby vlan ?
  <1-4094>  Vlan interface number

DLS2#show standby vlan 150 ?
  <0-255>  group number
  all      Include groups in disabled state
  brief    Brief output
  |        Output modifiers
  <cr>

DLS2#show standby vlan 150 brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Vl150       1   150  P Active   local           172.16.150.3    172.16.150.1


DLS1#show vtp status
VTP Version                     : running VTP2
Configuration Revision          : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : SWPOD
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x8D 0x7E 0xE7 0x9C 0x10 0xB8 0x90 0x47
Configuration last modified by 172.16.1.3 at 3-1-93 00:13:01
Local updater ID is 172.16.1.3 on interface Vl1 (lowest numbered VLAN interface found)


DLS2#show vtp status
VTP Version                     : running VTP2
Configuration Revision          : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : SWPOD
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x8D 0x7E 0xE7 0x9C 0x10 0xB8 0x90 0x47
Configuration last modified by 172.16.1.3 at 3-1-93 00:13:01
Local updater ID is 172.16.1.4 on interface Vl1 (lowest numbered VLAN interface found)


DLS1(config)#vlan 150
DLS2(config-vlan)#?
VLAN configuration commands:
  are           Maximum number of All Route Explorer hops for this VLAN (or
                zero if none specified)
  backupcrf     Backup CRF mode of the VLAN
  bridge        Bridging characteristics of the VLAN
  exit          Apply changes, bump revision number, and exit mode
  media         Media type of the VLAN
  mtu           VLAN Maximum Transmission Unit
  name          Ascii name of the VLAN
  no            Negate a command or set its defaults
  parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  private-vlan  Configure a private VLAN
  remote-span   Configure as Remote SPAN VLAN
  ring          Ring number of FDDI or Token Ring type VLANs
  said          IEEE 802.10 SAID
  shutdown      Shutdown VLAN switching
  state         Operational state of the VLAN
  ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or
                zero if none specified)
  stp           Spanning tree characteristics of the VLAN
  tb-vlan1      ID number of the first translational VLAN for this VLAN (or
                zero if none)
  tb-vlan2      ID number of the second translational VLAN for this VLAN (or
                zero if none)

DLS1(config-vlan)#private-vlan ?
  association  Configure association between private VLANs
  community    Configure the VLAN as a community private VLAN
  isolated     Configure the VLAN as an isolated private VLAN
  primary      Configure the VLAN as a primary private VLAN

DLS1(config-vlan)#private-vlan primary
%Private VLANs can only be configured when VTP is in transparent mode.


DLS1(config)#vtp mode transparent      // NEED TO BE SET TO DEFINE PVLAN
Setting device to VTP TRANSPARENT mode.

DLS2(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.


DLS1(config)#vlan 151
DLS1(config-vlan)#?
VLAN configuration commands:
  are           Maximum number of All Route Explorer hops for this VLAN (or
                zero if none specified)
  backupcrf     Backup CRF mode of the VLAN
  bridge        Bridging characteristics of the VLAN
  exit          Apply changes, bump revision number, and exit mode
  media         Media type of the VLAN
  mtu           VLAN Maximum Transmission Unit
  name          Ascii name of the VLAN
  no            Negate a command or set its defaults
  parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  private-vlan  Configure a private VLAN
  remote-span   Configure as Remote SPAN VLAN
  ring          Ring number of FDDI or Token Ring type VLANs
  said          IEEE 802.10 SAID
  shutdown      Shutdown VLAN switching
  state         Operational state of the VLAN
  ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or
                zero if none specified)
  stp           Spanning tree characteristics of the VLAN
  tb-vlan1      ID number of the first translational VLAN for this VLAN (or
                zero if none)
  tb-vlan2      ID number of the second translational VLAN for this VLAN (or
                zero if none)

DLS1(config-vlan)#private-vlan ?
  association  Configure association between private VLANs
  community    Configure the VLAN as a community private VLAN
  isolated     Configure the VLAN as an isolated private VLAN
  primary      Configure the VLAN as a primary private VLAN

DLS1(config-vlan)#private-vlan isolated    // DEFINE SECONDARY VLANS
DLS1(config-vlan)#exit
DLS1(config)#vlan 152
DLS1(config-vlan)#private-vlan community
DLS1(config-vlan)#exit
DLS1(config)#vlan 150
DLS1(config-vlan)#private-vlan primary
DLS1(config-vlan)#private-vlan association ?
  WORD    VLAN IDs of the private VLANs to be configured
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list

DLS1(config-vlan)#private-vlan association 151,152     // CONFIGURE PRIMARY VLAN LAST AND ASSOCIATED SECONDARY VLANS


DLS2(config)#vlan 151
DLS2(config-vlan)#private-vlan isolated
DLS2(config-vlan)#exit
DLS2(config)#vlan 152
DLS2(config-vlan)#private-vlan community
DLS2(config-vlan)#exit
DLS2(config)#vlan 150
DLS2(config-vlan)#private-vlan primary
DLS2(config-vlan)#private-vlan association 151,152


DLS1(config)#interface vlan 150
DLS1(config-if)#private-vlan ?
  mapping  Set the private VLAN SVI interface mapping

DLS1(config-if)#private-vlan mapping ?
  WORD    Secondary VLAN IDs of the private VLAN SVI interface mapping
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list

DLS1(config-if)#private-vlan mapping 151-152    // PERMITS PVLAN TRAFFIC TO BE SWITCHED THROUGH LAYER 3
DLS1(config-if)#
*Mar  1 00:25:38.403: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 151
*Mar  1 00:25:38.411: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 152


DLS2(config)#interface vlan 150
DLS2(config-if)#private-vlan mapping 151-152
DLS2(config-if)#
*Mar  1 00:27:00.561: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 151
*Mar  1 00:27:00.561: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 152


DLS1#show vlan ?
  access-map    Vlan access-map
  brief         VTP all VLAN status in brief
  dot1q         Display dot1q parameters
  filter        VLAN filter information
  id            VTP VLAN status by VLAN id
  ifindex       SNMP ifIndex
  internal      VLAN internal usage
  mtu           VLAN MTU information
  name          VTP VLAN status by VLAN name
  private-vlan  Private VLAN information
  remote-span   Remote SPAN VLANs
  summary       VLAN summary information
  |             Output modifiers
  <cr>

DLS1#show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
150     151       isolated
150     152       community


DLS2(config)#interface fastethernet0/6
DLS2(config-if)#switchport ?
  access         Set access mode characteristics of the interface
  backup         Set backup for the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  host           Set port host
  mode           Set trunking mode of the interface
  nonegotiate    Device will not engage in negotiation protocol on this
                 interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  private-vlan   Set the private VLAN configuration
  protected      Configure an interface to be a protected port
  trunk          Set trunking characteristics of the interface
  voice          Voice appliance attributes
  <cr>

DLS2(config-if)#switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  set trunking mode to TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan  Set private-vlan mode
  trunk         Set trunking mode to TRUNK unconditionally

DLS2(config-if)#switchport mode private-vlan ?
  host         Set the mode to private-vlan host
  promiscuous  Set the mode to private-vlan promiscuous

DLS2(config-if)#switchport mode private-vlan host   // SETS THE PVLAN MODE ON THE INTERFACE
DLS2(config-if)#switchport private-vlan ?
  association       Set the private VLAN association
  host-association  Set the private VLAN host association
  mapping           Set the private VLAN promiscuous mapping

DLS2(config-if)#switchport private-vlan host-association ?
  <1006-4094>  Primary extended range VLAN ID of the private VLAN host port
               association
  <2-1001>     Primary normal range VLAN ID of the private VLAN port
               association

DLS2(config-if)#switchport private-vlan host-association 150 ?
  <1006-4094>  Secondary extended range VLAN ID of the private VLAN host port
               association
  <2-1001>     Secondary normal range VLAN ID of the private VLAN host port
               association

DLS2(config-if)#switchport private-vlan host-association 150 151    // ASSIGNS APPROPRIATE PRIMARY AND SECONDARY VLANS ON THE INTERFACE
DLS2(config-if)#exit
DLS2(config)#interface range fastethernet0/18-20
DLS2(config-if-range)#switchport mode private-vlan host
DLS2(config-if-range)#switchport private-vlan host-association 150 152

DLS2#show vlan private-vlan      // VERIFY PORTS ARE CONFIGURED FOR PVLAN AND ASSOCIATED VLANS

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
150     151       isolated          Fa0/6
150     152       community         Fa0/18, Fa0/19, Fa0/20
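
The `show vlan private-vlan` output above is everything needed to predict the ping tests that follow. The script below is an added example (not code from the original post): it parses that output into a table and answers "can port X reach port Y inside primary VLAN 150" using the standard PVLAN rules (promiscuous ports reach every member of the primary VLAN, community ports reach their own community plus promiscuous ports, isolated ports reach promiscuous ports only). The Vlan150 SVI with `private-vlan mapping 151-152` is modelled as a promiscuous member named `Vl150`; that name, the `Pvlan` class and the function names are this example's own conventions, and the sample input is the page's output pasted in as a string.

```python
"""Private-VLAN reachability model for the DLS1/DLS2 lab above.

Added example, not code from the original post.  It parses the page's
`show vlan private-vlan` output and applies the PVLAN forwarding rules.
The Vlan150 SVI (`private-vlan mapping 151-152`) is represented as a
promiscuous port named "Vl150" (this example's convention).
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the `show vlan private-vlan` output shown on the page.
SHOW_VLAN_PRIVATE_VLAN = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
150     151       isolated          Fa0/6
150     152       community         Fa0/18, Fa0/19, Fa0/20
"""


@dataclass
class Pvlan:
    primary: int
    secondary_type: dict = field(default_factory=dict)  # secondary id -> "isolated"|"community"
    host_ports: dict = field(default_factory=dict)      # host port -> secondary id
    promiscuous: set = field(default_factory=set)       # promiscuous ports / mapped SVIs


def parse_show_vlan_private_vlan(text: str) -> dict:
    """Return {primary_vlan_id: Pvlan} from `show vlan private-vlan` output."""
    row = re.compile(r"^(\d+)\s+(\d+)\s+(isolated|community)\s*(.*)$")
    table = {}
    for line in text.splitlines():
        m = row.match(line.strip())
        if not m:
            continue  # column header / separator line
        primary, secondary, kind, ports = int(m[1]), int(m[2]), m[3], m[4]
        pv = table.setdefault(primary, Pvlan(primary))
        pv.secondary_type[secondary] = kind
        for port in (p.strip() for p in ports.split(",") if p.strip()):
            pv.host_ports[port] = secondary
    return table


def can_reach(pv: Pvlan, src: str, dst: str) -> bool:
    """Layer-2 reachability between two ports of one primary VLAN."""
    if src == dst:
        return True
    if src in pv.promiscuous or dst in pv.promiscuous:
        # A promiscuous port reaches any other member of the primary VLAN.
        other = dst if src in pv.promiscuous else src
        return other in pv.promiscuous or other in pv.host_ports
    s_sec, d_sec = pv.host_ports.get(src), pv.host_ports.get(dst)
    if s_sec is None or d_sec is None:
        return False  # at least one side is not in this private VLAN
    if s_sec != d_sec:
        return False  # isolated <-> community, or two different communities
    return pv.secondary_type[s_sec] == "community"  # isolated peers never talk


def reachability_matrix(pv: Pvlan) -> dict:
    """{(src, dst): allowed} for every ordered pair of distinct member ports."""
    members = sorted(pv.host_ports) + sorted(pv.promiscuous)
    return {(a, b): can_reach(pv, a, b) for a in members for b in members if a != b}


def build_lab() -> Pvlan:
    """The page's PVLAN 150 with the mapped SVI added as the promiscuous side."""
    pv = parse_show_vlan_private_vlan(SHOW_VLAN_PRIVATE_VLAN)[150]
    pv.promiscuous.add("Vl150")  # interface vlan 150 + private-vlan mapping 151-152
    return pv


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability_matrix(build_lab()).items()):
        print(f"{a:6} -> {b:6}  {'allowed' if ok else 'blocked'}")
```

Running it prints the full matrix: `Fa0/6` (isolated) reaches only `Vl150`, the three community ports reach each other and `Vl150`, and nothing reaches a port that is not a PVLAN member. Feeding it the output of a switch whose ports were left in plain access mode (no `host-association`) shows them as unreachable, which is a quick way to spot a server that was cabled into the PVLAN but never assigned to a secondary VLAN.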


SERVER IN ISOLATED PVLAN 151


C:\Users\Server-151>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
   IPv4 Address. . . . . . . . . . . : 172.16.150.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.150.1


C:\Users\Server-151>ping 172.16.150.1    // CAN PING VLAN 150 DEFAULT GATEWAY

Pinging 172.16.150.1 with 32 bytes of data:
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255

Ping statistics for 172.16.150.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms


C:\Users\John Lloyd>ping 172.16.150.18    // CAN'T PING HOST IN COMMUNITY PVLAN 152

Pinging 172.16.150.18 with 32 bytes of data:
Reply from 172.16.150.6: Destination host unreachable.
Reply from 172.16.150.6: Destination host unreachable.
Reply from 172.16.150.6: Destination host unreachable.
Reply from 172.16.150.6: Destination host unreachable.

Ping statistics for 172.16.150.18:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


HOST-A IN COMMUNITY PVLAN 152

H:\Server-152-A>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::9416:ccf3:aa3:6460%11
   IPv4 Address. . . . . . . . . . . : 172.16.150.18
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.150.1


H:\Server-152-A>ping 172.16.150.1     // CAN PING VLAN 150 DEFAULT GATEWAY

Pinging 172.16.150.1 with 32 bytes of data:
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=3ms TTL=255

Ping statistics for 172.16.150.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 3ms, Average = 1ms


H:\Server-152-A>ping 172.16.150.6    // CAN'T PING HOST IN ISOLATED PVLAN 151

Pinging 172.16.150.6 with 32 bytes of data:
Reply from 172.16.150.18: Destination host unreachable.
Reply from 172.16.150.18: Destination host unreachable.
Reply from 172.16.150.18: Destination host unreachable.
Reply from 172.16.150.18: Destination host unreachable.

Ping statistics for 172.16.150.6:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


H:\Server-152-A>ping 172.16.150.19    // CAN PING HOST B IN COMMUNITY PVLAN 152

Pinging 172.16.150.19 with 32 bytes of data:
Reply from 172.16.150.19: bytes=32 time<1ms TTL=128
Reply from 172.16.150.19: bytes=32 time=1ms TTL=128
Reply from 172.16.150.19: bytes=32 time=1ms TTL=128
Reply from 172.16.150.19: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.150.19:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms


HOST B IN PVLAN 152

C:\Users\Server-152-B>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
   IPv4 Address. . . . . . . . . . . : 172.16.150.19
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.150.1


C:\Users\Server-152-B>ping 172.16.150.1    // CAN PING VLAN 150 DEFAULT GATEWAY

Pinging 172.16.150.1 with 32 bytes of data:
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=3ms TTL=255
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255
Reply from 172.16.150.1: bytes=32 time=1ms TTL=255

Ping statistics for 172.16.150.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 3ms, Average = 1ms


C:\Users\Server-152-B>ping 172.16.150.18    // CAN PING HOST A ON COMMUNITY PVLAN 152

Pinging 172.16.150.18 with 32 bytes of data:
Reply from 172.16.150.18: bytes=32 time=2ms TTL=128
Reply from 172.16.150.18: bytes=32 time=1ms TTL=128
Reply from 172.16.150.18: bytes=32 time=1ms TTL=128
Reply from 172.16.150.18: bytes=32 time=1ms TTL=128

Ping statistics for 172.16.150.18:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms


DLS1(config)#access-list 100 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
DLS1(config)#access-list 100 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
DLS1(config)#access-list 100 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
DLS1(config)#access-list 100 permit ip any any
DLS1(config)#interface vlan 100
DLS1(config-if)#ip access-group 100 in
DLS1(config-if)#interface vlan 200
DLS1(config-if)#ip access-group 100 in


DLS2(config)#access-list 100 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
DLS2(config)#access-list 100 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
DLS2(config)#access-list 100 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
DLS2(config)#access-list 100 permit ip any any
DLS2(config)#interface vlan 100
DLS2(config-if)#ip access-group 100 in
DLS2(config-if)#interface vlan 200
DLS2(config-if)#ip access-group 100 in


DLS1#show access-list
Extended IP access list 100
    10 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
    20 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
    30 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
    40 permit ip any any (162 matches)

DLS1#show ip interface vlan 100
Vlan100 is up, line protocol is up
  Internet address is 172.16.100.3/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.2
  Outgoing access list is not set  
  Inbound  access list is 100  
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: Access List
  Output features: Check hwidb
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled


ALS1(config)#interface fastethernet0/6
ALS1(config-if)#switchport mode access
ALS1(config-if)#switchport access vlan 100
ALS1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/6 but will only
 have effect when the interface is in a non-trunking mode.


ALS2(config)#interface fastethernet0/6
ALS2(config-if)#switchport mode access
ALS2(config-if)#switchport access vlan 200
ALS2(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/6 but will only
 have effect when the interface is in a non-trunking mode.


HOST A ON VLAN 100


C:\Users\John Lloyd>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
   IPv4 Address. . . . . . . . . . . : 172.16.100.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.100.1


C:\Users\John Lloyd>ping 172.16.200.8    // PING TO HOST B ON VLAN 200 ALLOWED

Pinging 172.16.200.8 with 32 bytes of data:
Reply from 172.16.200.8: bytes=32 time=1ms TTL=127
Reply from 172.16.200.8: bytes=32 time=1ms TTL=127
Reply from 172.16.200.8: bytes=32 time<1ms TTL=127
Reply from 172.16.200.8: bytes=32 time<1ms TTL=127

Ping statistics for 172.16.200.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms


HOST B ON VLAN 200

H:\>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::9416:ccf3:aa3:6460%11
   IPv4 Address. . . . . . . . . . . : 172.16.200.8
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.200.1


H:\>ping 172.16.100.5    // PING TO HOST A ON VLAN 100 DENIED

Pinging 172.16.100.5 with 32 bytes of data:
Reply from 172.16.200.4: Destination net unreachable.
Reply from 172.16.200.4: Destination net unreachable.
Reply from 172.16.200.4: Destination net unreachable.
Reply from 172.16.200.4: Destination net unreachable.

Ping statistics for 172.16.100.5:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


DLS1(config)#ip access-list extended TEMP-HOST
DLS1(config-ext-nacl)#permit ip host 172.16.100.150 172.16.100.0 0.0.0.255    // DEFINE ACL TO MATCH TRAFFIC FROM THE HOST TO THE VLAN 100 SUBNET
DLS1(config-ext-nacl)#exit
DLS1(config)#vlan ?
  WORD        ISL VLAN IDs 1-4094
  access-map  Create vlan access-map or enter vlan access-map command mode
  dot1q       dot1q parameters
  filter      Apply a VLAN Map
  internal    internal VLAN

DLS1(config)#vlan access-map ?
  WORD  Vlan access map tag

DLS1(config)#vlan access-map BLOCK-TEMP ?
  <0-65535>  Sequence to insert to/delete from existing vlan access-map entry
  <cr>

DLS1(config)#vlan access-map BLOCK-TEMP 10    // VACL; DEFAULT SEQUENCE STARTS AND INCREMENTS IN 10
DLS1(config-access-map)#?
Vlan access-map configuration commands:
  action   Take the action
  default  Set a command to its defaults
  exit     Exit from vlan access-map configuration mode
  match    Match values.
  no       Negate a command or set its defaults

DLS1(config-access-map)#match ?
  ip   IP based match
  mac  MAC based match

DLS1(config-access-map)#match ip ?
  address  Match IP address to access control.

DLS1(config-access-map)#match ip address ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

DLS1(config-access-map)#match ip address TEMP-HOST
DLS1(config-access-map)#action ?
  drop     Drop packets
  forward  Forward packets

DLS1(config-access-map)#action drop
DLS1(config-access-map)#vlan access-map BLOCK-TEMP 20    // ALLOWS ALL OTHER TRAFFIC; IF NOT ADDED, AN IMPLICIT DENY CATCHES AND DENIES ALL TRAFFIC
DLS1(config-access-map)#action forward
DLS1(config-access-map)#exit
DLS1(config)#vlan filter ?
  WORD  VLAN map name

DLS1(config)#vlan filter BLOCK-TEMP ?
  vlan-list  VLANs to apply filter to

DLS1(config)#vlan filter BLOCK-TEMP vlan-list ?
  <1-4094>  VLAN id
  all       Add this filter to all VLANs

DLS1(config)#vlan filter BLOCK-TEMP vlan-list 100    // DEFINE THE VLAN TO APPLY VACL

DLS1#show vlan access-map BLOCK-TEMP
Vlan access-map "BLOCK-TEMP"  10
  Match clauses:
    ip  address: TEMP-HOST
  Action:
    drop
Vlan access-map "BLOCK-TEMP"  20
  Match clauses:
  Action:
    forward
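
The RACL on the Vlan100/Vlan200 SVIs and the BLOCK-TEMP VACL above both produce results that are easy to misread from the ping output alone: with the RACL, Host A can ping Host B but not the reverse, and with the VACL, Host B cannot ping Host A even though TEMP-HOST only matches Host A's own packets. The script below is an added example (not code from the original post) that serves both sections: it parses the ACL lines in the syntax the page uses, matches constructed packets against them with Cisco wildcard masks, and replays both ping tests. `Packet`, `parse_acl`, `acl_decision`, `vacl_decision` and the two `*_ping` helpers are this example's own names; the ACL and access-map contents are copied from the page.

```python
"""Evaluator for the page's RACL (access-list 100) and VACL (BLOCK-TEMP).

Added example, not code from the original post.  `established` is modelled
as what it really is on IOS: a test of the TCP ACK/RST bits, not a
connection table.  Packets below are constructed for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                 # "ip", "icmp", "tcp", "udp"
    src: str
    dst: str
    icmp_type: str = ""        # "echo" or "echo-reply" for ICMP
    tcp_ack_rst: bool = False  # ACK or RST bit set, which is all `established` tests


def _wild_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)


_ADDR = r"(?:host (\S+)|(any)|(\S+) (\S+))"
_ACE = re.compile(rf"^(permit|deny) (\S+) {_ADDR} {_ADDR}(?: (established|echo-reply|echo))?$")


def _addr_spec(groups):
    host, any_kw, net, wild = groups
    if host:
        return host, "0.0.0.0"
    if any_kw:
        return "0.0.0.0", "255.255.255.255"
    return net, wild


def parse_acl(lines):
    """Parse extended ACL entries; `access-list N` prefixes and sequence numbers are optional."""
    aces = []
    for line in lines:
        body = re.sub(r"^(?:access-list \d+ )?(?:\d+ )?", "", line.strip())
        m = _ACE.match(body)
        if not m:
            raise ValueError(f"unparsed ACE: {line!r}")
        g = m.groups()  # action, proto, 4 src fields, 4 dst fields, qualifier
        aces.append((g[0], g[1], _addr_spec(g[2:6]), _addr_spec(g[6:10]), g[10]))
    return aces


def ace_matches(ace, pkt: Packet) -> bool:
    action, proto, (sn, sw), (dn, dw), qual = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if not (_wild_match(pkt.src, sn, sw) and _wild_match(pkt.dst, dn, dw)):
        return False
    if qual == "established":  # stateless: any TCP segment with ACK/RST set matches
        return pkt.proto == "tcp" and pkt.tcp_ack_rst
    if qual in ("echo", "echo-reply"):
        return pkt.proto == "icmp" and pkt.icmp_type == qual
    return True


def acl_decision(aces, pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    return next((ace[0] for ace in aces if ace_matches(ace, pkt)), "deny")


def vacl_decision(access_map, acls, pkt: Packet) -> str:
    """access_map: [(acl_name or None, "drop"|"forward")] in sequence order.
    An entry matches when its ACL *permits* the packet (or has no match clause);
    a packet matched by no entry hits the VACL's implicit drop."""
    for acl_name, action in access_map:
        if acl_name is None or acl_decision(acls[acl_name], pkt) == "permit":
            return action
    return "drop"


# The page's configuration, copied from the DLS1 session.
ACL_100 = parse_acl([
    "access-list 100 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established",
    "access-list 100 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply",
    "access-list 100 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255",
    "access-list 100 permit ip any any",
])
ACLS = {"TEMP-HOST": parse_acl(["permit ip host 172.16.100.150 172.16.100.0 0.0.0.255"])}
BLOCK_TEMP = [("TEMP-HOST", "drop"), (None, "forward")]  # sequence 10, sequence 20


def racl_ping(src: str, dst: str) -> str:
    """The echo request is checked inbound on the source SVI and the echo-reply
    inbound on the destination SVI; both carry the same ACL 100."""
    req = acl_decision(ACL_100, Packet("icmp", src, dst, icmp_type="echo"))
    rep = acl_decision(ACL_100, Packet("icmp", dst, src, icmp_type="echo-reply"))
    return "reply" if req == rep == "permit" else "blocked"


def vacl_ping(src: str, dst: str) -> str:
    """Inside VLAN 100 both directions pass through the same access map."""
    req = vacl_decision(BLOCK_TEMP, ACLS, Packet("icmp", src, dst, icmp_type="echo"))
    rep = vacl_decision(BLOCK_TEMP, ACLS, Packet("icmp", dst, src, icmp_type="echo-reply"))
    return "reply" if req == rep == "forward" else "blocked"


if __name__ == "__main__":
    print("RACL Host A -> Host B:", racl_ping("172.16.100.5", "172.16.200.8"))
    print("RACL Host B -> Host A:", racl_ping("172.16.200.8", "172.16.100.5"))
    print("VACL Host B -> Host A:", vacl_ping("172.16.100.20", "172.16.100.150"))
```

Two things the replay makes visible. First, the VACL has no direction: Host B's echo request to Host A is forwarded, but Host A's echo-reply (source 172.16.100.150) is exactly what TEMP-HOST permits, so the access map drops it and Host B sees a timeout, which is the result shown further down the page. Second, `established` in ACL 100 only checks TCP flag bits; a segment from the 172.16.200.0/24 side with ACK set is permitted whether or not any connection exists, so this RACL is a filter on direction of connection setup, not a stateful firewall. Dropping sequence 20 from the access map turns the implicit drop into a block of all VLAN 100 traffic, as the comment on the page warns.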

DLS1(config)#interface range fastethernet0/1-2
DLS1(config-if-range)#switchport mode access
DLS1(config-if-range)#switchport access vlan 100
DLS1(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast will be configured in 2 interfaces due to the range command
 but will only have effect when the interfaces are in a non-trunking mode.


HOST A IN VLAN 100


C:\Users\HOST-A>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
   IPv4 Address. . . . . . . . . . . : 172.16.100.150
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.100.1


C:\Users\HOST-A>ping 172.16.100.1    // CAN'T PING VLAN 100 DEFAULT GATEWAY

Pinging 172.16.100.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.100.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


C:\Users\HOST-A>ping 172.16.100.20    // CAN'T PING HOST B

Pinging 172.16.100.20 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.100.20:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


HOST B IN VLAN 100

H:\>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::9416:ccf3:aa3:6460%11
   IPv4 Address. . . . . . . . . . . : 172.16.100.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.100.1

Tunnel adapter isatap.{308C6312-E0CC-42FE-ACA0-E00A2450F476}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :


H:\>ping 172.16.100.1     // CAN PING VLAN 100 DEFAULT GATEWAY

Pinging 172.16.100.1 with 32 bytes of data:
Reply from 172.16.100.1: bytes=32 time=1ms TTL=255
Reply from 172.16.100.1: bytes=32 time=1ms TTL=255
Reply from 172.16.100.1: bytes=32 time=1ms TTL=255
Reply from 172.16.100.1: bytes=32 time=2ms TTL=255

Ping statistics for 172.16.100.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms


H:\>ping 172.16.100.150    // CAN'T PING HOST A

Pinging 172.16.100.150 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.100.150:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
