Securing VLANs with Private VLANs, RACLs, and VACLs

DLS1(config)# int vlan 1
DLS1(config-if)# standby ?
  <0-255>         group number
  authentication  Authentication
  delay           HSRP initialisation delay
  ip              Enable HSRP and set the virtual IP address
  name            Redundancy name string
  preempt         Overthrow lower priority Active routers
  priority        Priority level
  redirect        Configure sending of ICMP Redirect messages with an HSRP virtual IP address as the gateway IP address
  timers          Hello and hold timers
  track           Priority tracking
  version         HSRP version
DLS1(config-if)# standby
*Mar 1 00:25:49.644: %HSRP-5-STATECHANGE: Vlan1 Grp 1 state Speak -> Standby
*Mar 1 00:25:50.139: %HSRP-5-STATECHANGE: Vlan1 Grp 1 state Standby -> Active

DLS1(config-if)# standby 1 ?
  authentication  Authentication
  ip              Enable HSRP and set the virtual IP address
  name            Redundancy name string
  preempt         Overthrow lower priority Active routers
  priority        Priority level
  timers          Hello and hold timers
  track           Priority tracking

DLS1(config-if)# standby 1 ip ?
  A.B.C.D  Virtual IP address

ALS2(config)#interface fa0/10
ALS2(config-if)# switchport port-security

The switchport port-security command by default allows one MAC address on the port:

ALS2#sh port-security int f 0/10
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

DLS1(config)#ip dhcp ?
  conflict                   DHCP address conflict parameters
  database                   Configure DHCP database agents
  excluded-address           Prevent DHCP from assigning certain addresses
  limited-broadcast-address  Use all 1's broadcast address
  ping                       Specify ping parameters used by DHCP
  pool                       Configure DHCP address pools
  relay                      DHCP relay agent parameters
  route                      Specify the type of routes for clients on unnumbered interfaces
  smart-relay                Enable Smart Relay feature
  snooping                   DHCP Snooping
DLS1(config)#ip dhcp relay ?
  information  Relay agent information option
  override     Override DHCP packet fields
DLS1(config)#ip dhcp relay information ?
  check      Validate relay information in BOOTREPLY
  option     Insert relay information in BOOTREQUEST
  policy     Define reforwarding policy
  trust-all  Received DHCP packets may contain relay info option with zero giaddr
DLS1(config)#ip dhcp relay information trust-all

ALS1(config-if)# ip dhcp snooping ?
  limit  DHCP Snooping limit
  trust  DHCP Snooping trust config
  vlan   DHCP Snooping vlan
ALS1(config-if)# ip dhcp snooping limit ?
  rate  DHCP Snooping limit
ALS1(config-if)# ip dhcp snooping limit rate ?
  <1-2048>  DHCP snooping rate limit
ALS1(config-if)# ip dhcp snooping limit rate 20

ALS1(config)#ip dhcp snooping vlan ?
  WORD  DHCP Snooping vlan first number or vlan range, example: 1,3-5,7,9-11
ALS1(config)#ip dhcp snooping vlan 100, 200
% Command rejected. Bad vlan range. Supported vlan range is 1 to 4094.
ALS1(config)#ip dhcp snooping vlan 100,200
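
The port-security and DHCP snooping commands explored above, consolidated into one access-layer configuration as an added example (not the page's own transcript). Assumed: Gi0/1 is ALS1's uplink toward DLS1, Fa0/10 sits in VLAN 200, and 172.16.1.10 is a constructed DHCP server address.

```ios
! --- ALS1 (access layer) ---
ip dhcp snooping
! The VLAN list is written without spaces; "100, 200" is rejected, as shown above
ip dhcp snooping vlan 100,200
!
! Uplink toward DLS1 (assumed Gi0/1): the only port allowed to deliver DHCP offers
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
! Host port from the page: untrusted by default, so offers/acks from a rogue
! server on it are dropped; the rate limit caps client DHCP packets per second
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 200
 switchport port-security
 ! the default maximum is already 1; sticky keeps the first learned MAC in the config
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! restrict: drop offending frames and raise the violation counter instead of err-disabling
 switchport port-security violation restrict
 ip dhcp snooping limit rate 20
!
! --- DLS1 (distribution, relays DHCP for the VLANs) ---
! Accept option-82 relay information with giaddr 0 inserted by the access switches
ip dhcp relay information trust-all
interface Vlan200
 ! constructed DHCP server address
 ip helper-address 172.16.1.10
```

Verify with show ip dhcp snooping, show ip dhcp snooping binding and show port-security interface fa0/10; the violation counter in the last one is the field to watch.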

ALS1(config)#aaa new-model
ALS1(config)# aaa authentication dot1x default local
ALS1(config)#dot
ALS1(config)#dot1x ?
  credentials          Configure 802.1X credentials profiles
  critical             Set 802.1x Critical Authentication parameters
  guest-vlan           Configure Guest Vlan and 802.1x Supplicant behavior
  system-auth-control  Enable or Disable SysAuthControl
ALS1(config)#dot1x sy
ALS1(config)#dot1x system-auth-control ?
ALS1(config)#dot1x system-auth-control

ALS2(config)#username janedoe password 0 cisco
ALS2(config)# username johndoe password 0 cisco
ALS2(config)# username joesmith password 0 cisco
ALS2(config)# aaa new-model
ALS2(config)# aaa authentication dot1x default local
ALS2(config)# dot1x system-auth-control
ALS2(config)# interface fastethernet 0/9
ALS2(config-if)#dot1x port-control auto
                      ^
% Invalid input detected at '^' marker.

ALS2(config)#do sh dot1x
Sysauthcontrol                 Enabled
Dot1x Protocol Version               2
Critical Recovery Delay            100
Critical EAPOL                Disabled
ALS2(config)#

DLS1(config)#spa v 1 pri 8192
DLS1(config)#do sh sp v 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     0018.ba98.6880
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec



On another switch the priority was 12289; then we applied the spanning-tree vlan 1,100 root primary command:

DLS2(config)#do sh spa v 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     0019.2fa7.b280
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

So the switch dynamically lowered its priority to 4096 in order to become the primary root (the output shows 4097 because the extended system ID adds the VLAN number, 1, to the configured priority, just as 8192 was displayed as 8193 above).




ALS1(config)#spanning-tree portfast bpduguard default
ALS1(config)#do show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     3         0        0          7         10
VLAN0100                     1         0        0          7          8
VLAN0200                     1         0        0          5          6
---------------------- -------- --------- -------- ---------- ----------
3 vlans                      5         0        0         19         24

ALS1(config-if-range)#udld port ?
  aggressive  Enable UDLD protocol in aggressive mode on this inte
ALS1(config-if-range)#udld port aggressive
ALS1(config-if-range)#exit
ALS1(config)#udld enable
ALS1(config)#udld ?
  aggressive  Enable UDLD protocol in aggressive mode on fiber ports except where locally configured
  enable      Enable UDLD protocol on fiber ports except where locally configured
  message     Set UDLD message parameters
ALS1(config)#udld agg
ALS1(config)#udld aggressive ?

switch1#write erase
Erasing the nvram filesystem will remove all files! Continue? [confirm]
[OK]
Erase of nvram: complete
switch1#delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
switch1#reload

Because of its higher priority (150), this switch is in the Active state for VLAN 200 only; for that row the word local appears in the Active column:

DLS2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Vl1         1    100  P Standby 172.16.1.3      local           172.16.1.1
Vl100       1    100  P Standby 172.16.100.3    local           172.16.100.1
Vl200       1    150  P Active  local           172.16.200.3    172.16.200.1
DLS2#

Configure private VLANs

First, the VLAN has to be created. When creating new VLANs, it is necessary to exit config-vlan mode before the new VLAN shows up in the database:

DLS1(config-vlan)#name server-farm
DLS1(config-vlan)#exi
DLS1(config)#do sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- ---------
1    default                          active    Fa0/1, Fa
                                                Fa0/5, Fa
                                                Fa0/9, Fa
                                                Fa0/13, F
                                                Fa0/21, F
                                                Gi0/1, Gi
100  stuff                            active
150  server-farm                      active
200  students                         active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

State Active vs. state Init: if the VLAN was not created at all, the HSRP group on its SVI stays in the "Init" state (interface down):

Vlan100 - Group 1
  State is Active
    2 state changes, last state change 00:54:25
  Virtual IP address is 172.16.100.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.807 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.100.4, priority 100 (expires in 7.584 sec)
  Priority 150 (configured 150)
  IP redundancy name is "hsrp-Vl100-1" (default)
Vlan150 - Group 1
  State is Init (interface down)
    3 state changes, last state change 00:12:24
  Virtual IP address is 172.16.150.1
  Active virtual MAC address is unknown
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
  Preemption enabled
  Active router is unknown
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Vl150-1" (default)

Promiscuous - can communicate with every port in the private VLAN, whichever secondary VLAN it belongs to

Community - can communicate with the other ports in the same community and with promiscuous ports

Isolated - can communicate only with promiscuous ports


VLAN 151 will be isolated:

DLS1(config-vlan)#vlan 151
DLS1(config-vlan)#private-vlan ?
  association  Configure association between private VLANs
  community    Configure the VLAN as a community private VLAN
  isolated     Configure the VLAN as an isolated private VLAN
  primary      Configure the VLAN as a primary private VLAN
DLS1(config-vlan)#private-vlan isolated

To define PVLANs, the switch's VTP mode must be set to transparent, otherwise the command is rejected:

DLS1(config-vlan)#private-vlan isolated
%Private VLANs can only be configured when VTP is in tran

Creating a community VLAN works the same way:

DLS1(config)#vlan 152
DLS1(config-vlan)#private-vlan comm
DLS1(config-vlan)#

Creating the primary VLAN and associating the two secondary VLANs just created, 151 and 152, with primary 150 (the list takes commas, not spaces):

DLS1(config-vlan)#private-vlan primary
DLS1(config-vlan)#pr ass ?
  WORD    VLAN IDs of the private VLANs to be configured
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list
DLS1(config-vlan)#pr association 151 152
                                     ^
% Invalid input detected at '^' marker.
DLS1(config-vlan)#pr association 151,152
DLS1(config-vlan)#

The private-vlan mapping interface configuration command, entered on the primary VLAN's SVI, permits PVLAN traffic from the secondary VLANs to be switched through Layer 3:

DLS1(config-if)#private-vlan mapping ?
  WORD    Secondary VLAN IDs of the private VLAN SVI interface mapping
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list
DLS1(config-if)#private-vlan mapping
*Mar 1 02:11:38.142: %HSRP-5-STATECHANGE: Vlan150 Grp 1 state Speak -> Standby
% Incomplete command.
DLS1(config-if)#private-vlan mapping 151 ?
DLS1(config-if)#private-vlan mapping 151
DLS1(config-if)#
*Mar 1 02:11:57.377: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 151
DLS1(config-if)#private-vlan mapping 151 , 152
                                         ^
% Invalid input detected at '^' marker.
DLS1(config-if)#private-vlan mapping 151-152

Checking:

DLS1(config-if)#do show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
150     151       isolated
150     152       community
DLS1(config-if)#

Applying to interfaces:

DLS1(config-if)#int f 0/1
DLS1(config-if)#switchport mode private-vlan ?
  host         Set the mode to private-vlan host
  promiscuous  Set the mode to private-vlan promiscuous
DLS1(config-if)#switchport mode private-vlan host ?
DLS1(config-if)#switchport mode private-vlan host
DLS1(config-if)#switchport private-vlan host-association
DLS1(config-if)#switchport private-vlan host-association ?
  <1006-4094>  Primary extended range VLAN ID of the private VLAN host port association
  <2-1001>     Primary normal range VLAN ID of the private VLAN port association
DLS1(config-if)#switchport private-vlan host-association 150 151
DLS1(config-if)#

Checking again, Fa0/1 now appears under the isolated VLAN:

DLS1(config-if)#do show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
150     151       isolated          Fa0/1
150     152       community
DLS1(config-if)#
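
The whole private VLAN build-out above, consolidated into one configuration as an added example (not the page's own transcript); it also adds the promiscuous port and a community host, which the page does not show. Assumed: Fa0/2 is the promiscuous port toward the gateway, Fa0/3 is a community host, and the SVI address 172.16.150.2 is constructed (the page only shows the HSRP virtual address 172.16.150.1).

```ios
! PVLANs are only accepted while VTP is transparent (see the rejected command above)
vtp mode transparent
!
! Secondary VLANs first, then the primary that associates them
vlan 151
 private-vlan isolated
vlan 152
 private-vlan community
vlan 150
 name server-farm
 private-vlan primary
 private-vlan association 151,152
!
! Layer 3: the primary VLAN's SVI routes for both secondary VLANs
interface Vlan150
 ! constructed address; 172.16.150.1 is the HSRP virtual IP on the page
 ip address 172.16.150.2 255.255.255.0
 private-vlan mapping 151-152
!
! Isolated host (the page's Fa0/1): reaches promiscuous ports only,
! never another host in 151 or 152
interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 150 151
!
! Community host (assumed Fa0/3): reaches other 152 hosts and promiscuous ports
interface FastEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 150 152
!
! Promiscuous port (assumed Fa0/2): reaches every host in 151 and 152
interface FastEthernet0/2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 150 151,152
```

Check the result with show vlan private-vlan and show interfaces fastethernet0/1 switchport, which reports the operational private-vlan mode and association of the port.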

Configuring RACLs (router access control lists): create the ACL and then apply it to the VLAN's SVI, as in:

DLS1(config-if)#interface vlan 100
DLS1(config-if)#ip access-group 100 in
DLS1(config-if)#

Configuring VLAN ACLs (VACLs). We bind together an access list named MyAccessList and a VLAN access map named MyMap:

DLS1(config)#vlan access-map ?
  WORD  Vlan access map tag
DLS1(config)#vlan access-map MyMap ?
  <0-65535>  Sequence to insert to/delete from existing vlan access-map entry
DLS1(config)#vlan access-map MyMap
DLS1(config-access-map)#match ?
  ip   IP based match
  mac  MAC based match
DLS1(config-access-map)#match ip ?
  address  Match IP address to access control.
DLS1(config-access-map)#match ip add
DLS1(config-access-map)#match ip address ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

Specifying the action:

DLS1(config-access-map)#match ip address MyAccessList
DLS1(config-access-map)#action ?
  drop     Drop packets
  forward  Forward packets
DLS1(config-access-map)#action drop

An entry can also be given any other sequence number explicitly:

DLS1(config-access-map)#vlan access-map MyMap 22
DLS1(config-access-map)#action dr
DLS1(config-access-map)#do show vlan access-map
Vlan access-map "MyMap"  10
  Match clauses:
    ip  address: MyAccessList
  Action:
    drop
Vlan access-map "MyMap"  22
  Match clauses:
  Action:
    drop
DLS1(config-access-map)#

We also need to add an entry to the access map that forwards all other traffic, since a VACL drops whatever no entry forwards. Entered without a sequence number, this second statement is placed at the next sequence number, in increments of 10:

DLS1(config)#vlan access-map MyMap
DLS1(config-access-map)#action forward
DLS1(config-access-map)#exit
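
The RACL and VACL sections above, as one added example (not the page's configuration) that shows what each one actually sees: the RACL on the VLAN 100 SVI only inspects packets routed out of VLAN 100, while MyMap, once bound with vlan filter, also inspects frames bridged between two hosts inside VLAN 100. Assumed: the ACL entries (telnet from VLAN 100 toward the server-farm subnet) are constructed, and the forward entry gets sequence 20.

```ios
! --- RACL: applied inbound on the SVI, so it only sees packets that VLAN 100
! hosts send to other subnets through the router; two hosts inside VLAN 100
! talking to each other never hit it ---
access-list 100 deny   tcp 172.16.100.0 0.0.0.255 172.16.150.0 0.0.0.255 eq 23
access-list 100 permit ip any any
interface Vlan100
 ip access-group 100 in
!
! --- VACL: applied to the VLAN itself, so bridged and routed frames are checked ---
! In a VACL the ACL only selects traffic: "permit" means "this clause matches",
! and the access-map action decides what happens to the matched frame.
ip access-list extended MyAccessList
 permit tcp 172.16.100.0 0.0.0.255 172.16.150.0 0.0.0.255 eq 23
!
vlan access-map MyMap 10
 match ip address MyAccessList
 action drop
! Without a forward entry every frame in the VLAN that matches nothing is dropped
vlan access-map MyMap 20
 action forward
!
! The map does nothing until it is bound to a VLAN list
vlan filter MyMap vlan-list 100
```

show vlan filter lists which VLANs each map is bound to, and show vlan access-map shows the entries in evaluation order.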
