Thursday 20 July 2023

What is VLAN Access List? How to configure VACL?

 

VLAN Access List

VLAN ACL Is very useful when we want to filter traffic within the VLAN. When we configure VACL on the switch, all the packets entering the VLAN are checked against the VLAN access list. In VACL you cannot define the direction like router ACL. A VACL can either drop a matching packet, forward it, or redirect it to another interface. Notice that the VACL is applied globally to one or more VLANs listed and not to a VLAN interface switch virtual interface (SVI).

How to proceed

  • 1.      Configure ACL standard or extended as per your requirement for VACL.
  • 2.      Configure a VLAN access map for matching the IP hosts
  • 3.      Configure the action forward or drop
  • 4.      Apply the VACL map to the VLAN.
  • 5.      Verify the VACL map information.

 https://youtube.com/@internetworkss

 Topology: -



  • configure IP addresses on PCs as per the topology
  • configure the default gateway as per the topology
  • configure inter-VLAN- routing SVI
  • configure IP address 10.1.1.1 on VLAN 10
  • configure IP address 20.1.1.1 on VLAN 20
  • at this point make sure all four PCs can ping each other 
  • configure ACL 10 
  • configure VACL make sure PC1 cannot communicate with any VLAN 20 PC

Saturday 15 July 2023

What is Private VLAN? How to configure Private VLAN? #PVLAN

 By default, our traffic is allowed to move unrestricted within a VLAN. One host sends packets to another host and it's heard only by the destination host this is the beauty of layer 2 switching. However, if one host sends the broadcast packet, all the remaining hosts on that VLAN listen to that broadcast and reply as per the broadcast. We can solve this if the host is connected to a local switch with VACL or configured with more VLAN but it would be nice to have the capability to segment traffic within a single VLAN, without having to use multiple VLANs. The solution is Private VLAN.

Let’s understand private VLAN with an example.





 All the devices are on a single subnet and in a single VLAN 100. All the devices can communicate but we don’t want all devices to communicate. As per the requirement, we need server 1, and server 2 should be able to share and communicate with each other and gateway but not communicate with server 3. Server 3 can only communicate with the gateway and be Isolated. This can be done with Private VLANs.

The private VLAN always has one primary VLAN. Within the primary VLAN, you will find the promiscuous port. In my picture above you can see that there’s a router connected to a promiscuous port. All other ports are able to communicate with the promiscuous port. Within the primary VLAN, you will encounter one or more secondary VLANs, there are two types:




Community VLAN: In this VLAN all the ports can communicate with each other and also the promiscuous port but not with other communities.

Isolated VLAN: In this VLAN all the ports are isolated means cannot communicate with each other or any community VLAN but they can communicate with the promiscuous port. 


 let's see the configuration: -

Topology:





 

  • configure the topology as per the diagram 
  • assign the IP addresses 192.168.1.0/24 subnet for all the ports
  • configure fa0/0 default gateway 192.168.1.1 on the router
  • configure primary VLAN 100
  • configure gig 0/0 promiscuous port
  • configure Community VLAN 101 assign port r gig 0/1
  • configure Community VLAN 102 assigns port  gig 0/2
  • configure Isolated VLAN 103 assigns port gig 0/3
  • verify with show commands


Switch-1-(config)#vtp mode transparent
Device mode already VTP Transparent for VLANS.
Switch-1-(config)#VLAN 100
Switch-1-(config-vlan)#private-vlan primary
Switch-1-(config-vlan)#exit

Switch-1-(config)#VLAN 101
Switch-1-(config-vlan)#name first_community
Switch-1-(config-vlan)#private-vlan community
Switch-1-(config-vlan)#exit

Switch-1-(config)#VLAN 102
Switch-1-(config-vlan)#name second_community
Switch-1-(config-vlan)#private-vlan community
Switch-1-(config-vlan)#exit

Switch-1-(config)#VLAN 103
Switch-1-(config-vlan)#name isolate_community
Switch-1-(config-vlan)#private-vlan isolated
Switch-1-(config-vlan)#exit

Switch-1-(config)#vlan 100
Switch-1-(config-vlan)#private-vlan association 101,102,103
Switch-1-(config-vlan)#exit


Switch-1-(config)#interface gigabitEthernet 0/1
Switch-1-(config-if)#description this is a first-community-port
Switch-1-(config-if)#switchport private-vlan host-association 100 101
Switch-1-(config-if)#switchport mode private-vlan host
Switch-1-(config-if)#exit


Switch-1-(config)#interface gigabitEthernet 0/2
Switch-1-(config-if)#description this is a second-community-port
Switch-1-(config-if)#switchport private-vlan host-association 100 102
Switch-1-(config-if)#switchport mode private-vlan host
Switch-1-(config-if)#exit


Switch-1-(config)#interface gigabitEthernet 0/3
Switch-1-(config-if)#description this is a isolate-community-port
Switch-1-(config-if)#switchport private-vlan host-association 100 103
Switch-1-(config-if)#switchport mode private-vlan host
Switch-1-(config-if)#exit

switch-1-(config)#interface gigabitEthernet 0/0
switch-1-(config-if)#description this is a prom-port
switch-1-(config-if)#switchport private-vlan mapping 100 101,102,103
switch-1-(config-if)#switchport mode private-vlan promiscuous
switch-1-(config-if)#exit


switch-1-#show interfaces gigabitEthernet 0/0 switch
Name: Gi0/0
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 100 (VLAN100) 101 (first_community) 102 (second_community) 103 (isolate_community)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Appliance trust: none



switch-1-#show interfaces gigabitEthernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (VLAN100) 101 (first_community)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Appliance trust: none


switch-1-#show interfaces gigabitEthernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (VLAN100) 102 (second_community)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Appliance trust: none



switch-1-#show interfaces gigabitEthernet 0/3 switchport
Name: Gi0/3
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (VLAN100) 103 (isolate_community)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Appliance trust: none





switch-1-#show vlan private-vlan type

Vlan Type
---- -----------------
100  normal
101  normal
102  normal
103  normal



switch-1-#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0, Gi1/1, Gi1/2, Gi1/3
                                                Gi2/0, Gi2/1, Gi2/2, Gi2/3
                                                Gi3/0, Gi3/1, Gi3/2, Gi3/3
100  VLAN100                          active
101  first_community                  active
102  second_community                 active
103  isolate_community                active



Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       non-operational   Gi0/0, Gi0/1
100     102       non-operational   Gi0/0, Gi0/2
100     103       non-operational   Gi0/0, Gi0/3


(In the type field you see non-operational, this is because I do not have an upgraded switch. you will see community, isolated, and pro port in the upgraded switch)


What is Cisco IOS Zone Based Firewall on router? How to configure ZBF on Cisco Routers?

 Zone Based Firewall ZBF (Zone Based Firewall) is the stateful firewall that is available on Cisco IOS routers, introduced in 2006. ZBF supp...