Cisco CCIE Security 350-701 Topic: L2-Security Advanced Part 3
December 16, 2022

10. Dynamic ARP Inspection – Configuration

In this video, we’ll verify the dynamic ARP inspection feature on Cisco switches. Dynamic ARP inspection is a feature on Cisco switches that prevents ARP spoofing attacks. Let us now attempt to validate this. Let me first give you some general ideas about the basic setup I’ll be using in this lab. I have router one and router two connected on ports one and two, and then I have port 0/5, which connects to my PC, and they are using the IP addresses given in the diagram here.

Now, I want to ensure that if any false ARP information comes in on this particular port, that is, ARP information carrying some address other than what we have bound here, any other MAC address, the switch blocks that traffic. I want each and every port to go through dynamic ARP inspection, and only if the inspection matches the database, that is, matches the source IP and the MAC, should that port permit the traffic. If it does not match the database, I want the switch to drop the traffic.

Now, the basic thing here is that I have already configured both these ports; in fact, even port number five is already configured as an access port and enabled with the PortFast feature. On the routers, we already have the IP addresses preconfigured. So if you verify the connectivity between these devices from the router, I should be able to ping the other router, and also .50 and .10, the last being the PC from where I’m accessing these devices via telnet.

Now, the next thing we are going to do is configure switch one to prevent ARP poisoning attacks on VLAN 10. For that, first we need to enable the DHCP snooping feature. Without DHCP snooping configured on the switch, ARP security will not be enforced. If you recall, we discussed in the dynamic ARP inspection section that the binding information can be built manually by using ARP access lists.

In this scenario, we are going to use ARP ACLs, though it could also use dynamic DHCP bindings, where the switch verifies the source IP and MAC address. Even though we are enabling DHCP snooping here, it is a prerequisite for the further configuration. So the first thing we do is enable DHCP snooping: ip dhcp snooping, and then we enable it for VLAN 10. Once we enable the DHCP snooping feature, we are still able to communicate with the devices. Now, as we don’t have real DHCP bindings, what we’re going to do is create a manual binding using an ARP ACL. I’m going to bind one IP address here: .1 is bound to the MAC address of the device on that port, and I do the same for .2 as well. Once we enable dynamic ARP inspection on this switch, which we have not enabled yet, each and every port has to be verified against this database.

So the first thing we do is create the binding database, and we create three entries here because I have three devices: .1, .2, and .10. Let us proceed to the switch. If you are not aware of the MAC addresses, you can simply generate some ping messages to all the devices and use the show ip arp command to verify the MAC addresses. Then I create an ARP access list. I enter arp access-list with a name, and inside it I use the permit keyword (a question mark shows the options); I’m going to say permit ip.

The IP is 192.168.1.1, and I have to use the ip host option because we are defining a single host here, followed by mac host and the MAC address, which is the sender’s MAC address. In my scenario, if I check the ARP table, the MAC address of .1 is this one, so I copy and paste it, and I also add the log keyword so that a log message is generated for verification; we can see that message with the show log command. In addition, I’m going to permit 192.168.1.2 if it comes from the MAC host of .2, which is this one, again with logging.

So I’m creating a database, and in that database I’m saying that an ARP request from .1 will be permitted only if it carries this MAC address, and an ARP request from .2 will be permitted only if it carries this other MAC address. If the ARP request is coming from .1 with a different MAC address than this, the switch is simply going to drop that traffic. We could do the same thing for the PC port as well, but I’m not going to configure a binding for that port. So we can either bind the MAC address here, or I can configure that particular port as a trusted port.

Whichever port is designated as trusted will not participate in dynamic ARP inspection validation. That is just an alternate option. On interface 0/5 I’m going to say ip arp inspection trust. There are two options to overcome this. As an example, when I use a telnet connection, I’m establishing a telnet connection from this PC to this switch. If I don’t add the entry for this PC’s IP address, .10, with its MAC address, I’ll get an error; in that case the switch simply drops the telnet connection. To keep the telnet connection working, I can either manually bind the IP address .10 with its MAC address, which is one option I have,

or I can simply bypass the inspection by using the command ip arp inspection trust. Now, there are some interfaces, like gateways, where you probably don’t want those gateway interfaces to go through inspection. In that case, we can set those specific interfaces as ip arp inspection trust.

After we’ve configured this, the next step is to enable ARP inspection on VLAN 10. In configuration mode, I enter ip arp inspection vlan 10, and then ip arp inspection filter, followed by the ARP ACL I’m working on, which is called “ARP VLAN 10”, filtered on VLAN 10. That means I’m enabling inspection for the VLAN, and whatever statements I defined as permit in that ACL will be validated, and those devices will be able to communicate. Once you enable this, let’s go to one of the devices here, .1, and I’m going to clear the ARP cache.

Let me just clear the ARP cache, and I’ll try to ping .2. I can still ping .2, and I can still ping .10. So you can see that even though .10 is not added to the binding list, because we have configured it as a trusted port it does not go through ARP inspection, whereas these two ports go through ARP inspection by default. Now, for further verification, what I can do is go and change the binding entries. For verification, I can use the command show ip arp inspection. Actually, show ip arp inspection must be run on the switch, so I should be on the switch: show ip arp inspection vlan 10. As you can see, it says that inspection is enabled for VLAN 10, it is active with the ACL match, and it is going to deny all the traffic except whatever is defined in the ARP VLAN 10 access list.

Now, for further verification, I’m simply going to change the MAC address on the entries. If you verify with show arp access-list, you can see the entry: it will allow the host .1 with this MAC address. So I’m going to change the entry. I enter arp access-list, it’s just arp access-list, and then the ACL name, ARP VLAN 10. Then I delete this entry and replace it with a different MAC address. So I’m saying that .1 is valid only with some other MAC address. Now, if you verify with show arp access-list, I can see that the traffic coming from .1 has to match this new MAC address. And if you want to check, the show log output shows the log information here. Let me just go to the router and generate the traffic. So on router one, I have a device with this IP address.

So I’m going to try to ping .2. Let me clear the ARP cache first. When I try to ping .2 now, I get an error message, and the reason is that the traffic is coming from .1, and if the traffic is coming from .1, it has to match the MAC address binding we have given here. Now, in my scenario, if you check show arp access-list, the binding for .1 has to come with the AAA MAC address, or whatever we’ve configured here.

And if it is not matching, it is not going to allow that communication. If I go back into the ARP access list by name, remove this entry, and then add the previous one, which was the valid entry, then if I verify with show arp access-list and generate traffic again, I should be able to communicate. And you can see I’m able to communicate. So this is a way we can verify dynamic ARP inspection: enable dynamic ARP inspection and manually change only the MAC entries in the ARP ACLs for verification.

11. Protected Ports- Private VLAN Edge

Protected ports are also referred to as private VLAN edge. It is a feature used by administrators to prevent users from communicating with each other within the same VLAN. Let’s say, as an example, there are three devices in my network; let’s say they all belong to VLAN 10 and are in the same VLAN and the same network. By default, all three devices within the same VLAN can communicate with each other. But I want to isolate the communication between these two devices: I don’t want them to talk to each other, but they should still be able to communicate with the server.

Another example is that you’ve got a mail server and a web server, and you don’t want these two servers to communicate with each other even though they are in the same VLAN, but both can still send and receive traffic from the internet. It can also be used in service provider scenarios where you connect multiple customers and want to isolate the traffic between the customers. So we simply configure all those ports as protected. A port enabled as a protected port will not be able to communicate with another protected port: if both are protected, no communication takes place. A protected port can still communicate with ports that are not protected, which means the normal ports can still communicate with protected ports. So whichever two ports you don’t want to communicate, simply configure them both as protected so they don’t talk to each other. This other one is a normal port, an unprotected port, as we call it. Configuration-wise, by default all ports are unprotected. So let’s say I don’t want ports 1 and 3 to talk to each other even though they are in the same subnet and the same VLAN. We simply go to each of those interfaces and enter switchport protected. Again, this feature only works within the same switch, so it doesn’t apply to two devices on different switches.

12. Private VLAN

Private VLANs provide port isolation within the same VLAN, similar to the switchport protected feature but more advanced. So let’s see what exactly a private VLAN is capable of doing. Assume I have all of the devices in my LAN connected, and you can see that different colours represent different groups, but they are all in the same subnet. My requirement is that they should not all talk to each other. These three devices (these two and this one) can communicate with each other, and I want these orange devices to talk to each other, whereas these three devices should not communicate with each other or with any other device. Typically, they are all configured in the same subnet and the same LAN, but still I want to isolate the traffic between these devices. At the same time, all of them should be able to reach the server, which is on port number 10.

Or maybe you can say this is connecting to a router, the default gateway from where you access the internet, or maybe to an ISP. So I want to isolate the traffic between these. Practically, I don’t want to go with separate VLANs, because maybe they all belong to the accounts department, but within the same department I want to isolate the traffic. This can be done with the protected port feature or with private VLANs; private VLANs are the more advanced option in general. So let’s see how this can be done. The first thing we need to do is ensure that they are all in the same VLAN, so we create VLAN 10. In our case, that VLAN is referred to as the primary VLAN. So in my scenario, all these devices, all the ports from port number one to port number ten, belong to VLAN 10.

So logically, they all belong to the same VLAN as well as the same subnet. Now we’ll create some secondary VLANs to create the isolation. Within that VLAN, we create secondary VLANs; you can use any number, like VLAN 100, VLAN 200, and VLAN 400. Each represents a separate subdivision, which we refer to as a secondary VLAN. How many secondary VLANs you need to create depends on how many groups and separations you want to make. As an example, this green group is one, and this is two; then three, four, and five. Of course, I don’t need a separate one for each of these, because I can use a feature called isolation, which I’ll talk about shortly. So here I mostly need three secondary VLANs, and I’ll explain how I get three. Once we separate them, we must associate each secondary VLAN with a port behaviour. There are various behaviours: isolated, community, and one more called promiscuous.

Let’s try to understand isolated first. Isolated means a port in the isolated VLAN is an isolated port, and one isolated port will not communicate with any other isolated port by default. Take an example: I have these four computers, and I don’t want them to communicate with each other, even though they are in the same VLAN and subnet. So we simply configure them as isolated. We create one isolated VLAN, and I’ll assign that VLAN as isolated, which means these four ports belong to isolated VLAN 500. They do not communicate with one another, acting more like separate ports, similar to the protected port feature in general. For the isolated VLAN, you need to create only one, because we don’t need multiple; there will be only one isolated VLAN that you create. So if you get back to my topology here, in my scenario, I want to make sure that port number seven does not communicate with port number eight. So we’ll configure this port as isolated, and this one, and this one, so these three ports are configured as isolated and they don’t talk to each other. That’s what we want. Next, we have another VLAN type called community.

Community is similar to grouping. Let’s get back to my scenario. I want to make sure that port number one and port number two can talk to each other, and of course port number six has the same colour, indicating that you want it to communicate with them as well. I cannot configure isolated, because if I configure isolated it will also deny the communication between these two hosts as well as this host. Isolated means that a single port will not communicate with any other port except promiscuous, which I’ll discuss next. So in my case, I need to configure these ports as community. We create a community VLAN 100 and associate the ports with that VLAN number; any number can be used. In my case, I’m going to say that these ports belong to community 100: ports 1, 2, and 6.

So ports 1, 2, and 6 are assigned to community 100, which means that ports assigned to the same community, such as community 100, can communicate with each other, but they cannot and will not communicate with any isolated port. Of course, isolated ports will not talk to these ports either. So they are logically separated. Likewise, I can create another community, community 200, and assign ports three, four, and five to community 200. So however many groups you have, that’s how many community VLANs you’ll need to set up. In my example, I’m creating just two; if you have more groups, you can create more.

So there will be only one isolated VLAN, and the number of community VLANs you create depends on the number of groups of devices you want to communicate. Finally, the last one: there is a server on port number 10, and I want all the users, or selected users on selected ports, to be able to communicate with it. So we configure this as a promiscuous port. A promiscuous port doesn’t belong to any one secondary VLAN; it is more like a trunk port that carries all the secondary VLAN traffic. We specify that any traffic coming from 100, which means ports one, two, and six, as well as from secondary VLANs 200 and 500, is permitted to send and receive data on this port. This ensures that the secondary VLANs, these three devices and these three devices as well as the remaining devices, can communicate with this port.

And if you don’t want community 100 to communicate with it, you can remove that secondary VLAN from the mapping. That is how the private VLAN operates. It is the more appropriate solution if you want to apply some security within the VLAN itself and don’t want the hosts to communicate with each other. This solution is also applicable in some Ethernet WAN connections, because most Ethernet WAN connections are made from a layer 2 switch. You could use different VLANs for different customers, but you can simply say this port is isolated, so customer A and customer B connecting here are isolated, these two ports are in community 100, and perhaps these three ports are in community 200, and all customers can access the internet through the promiscuous port. This can also be used in layer 2 WAN connections, most of which are Metro Ethernet WAN connections, where you can use a standard 3560 switch and configure private VLANs to isolate the traffic of the different WAN connections provided by the service provider.

13. Private VLAN – Configuration

In this video, we’ll talk about dynamic ARP inspection, which is going to prevent ARP spoofing attacks. What is an ARP spoofing attack? First, we’ll talk about ARP spoofing attacks and how they work, and then we’ll see a solution called DAI, Dynamic ARP Inspection. Let’s first try to understand ARP spoofing attacks. An ARP spoofing attack is generated based on ARP messages, that is, ARP request and reply messages. ARP spoofing allows a particular host to spoof the MAC address for any specific IP address. Take an example in this scenario: there is a target computer, the source, whose address is, let’s say, 192.168.1.1, and it is supposed to communicate with the router, which is 192.168.1.10.

The traffic coming from .1 to .10 will go directly through the switch to the router, because whenever you send a packet from 192.168.1.1 to the destination 192.168.1.10, there is a protocol called ARP that resolves the IP to a MAC. In that scenario, let’s say MAC address AA is the source and MAC address AB is the destination. The device sends an ARP broadcast request asking who has .10 and what its MAC address is, the router responds with its MAC address, and communication between these two devices occurs based on the MAC addresses. ARP is a protocol that helps you resolve an IP to a MAC address in the LAN, because switches only understand MAC addresses, whereas when you try to communicate, we generally use IP addresses.

Now, an ARP spoofing attack takes advantage of this ARP protocol. When a user like .1 here sends a broadcast ARP request for .10, there might be an attacker sitting here. The attacker responds falsely, claiming to be .10 with a MAC address of, say, XY. The target computer is going to think that this is its gateway, the gateway through which it has to reach the outside network, and it sends its traffic to the attacker. Then the attacker also changes the source address and replies on behalf of this router as well, so the communication is happening between these two computers.

So at the source, traffic meant for the gateway is sent to the attacker, and the attacker forwards it to the router here, so all the traffic is going through the attacker; that’s what we call a man-in-the-middle attack. Because of the false ARP information given by the attacker, the traffic that is supposed to go directly between these two devices is not going directly; it is going via the attacker. We call this a poisoned ARP cache, or an ARP spoofing attack. We want the switches to implement something that ensures this kind of attack does not happen in your LAN. To prevent this kind of false ARP information provided by some attacker device, we can use a solution called dynamic ARP inspection. In the case of dynamic ARP inspection, we create special IP-to-MAC entries, and this IP-to-MAC information is built dynamically by the switch. The switch keeps track of the IP address and the MAC address of each device. This binding information can be based on either DHCP or ARP ACLs; those are the two options we have.

If you have DHCP running in your network, DHCP provides the IP addresses to the clients and also keeps track of the MAC address information, so the switch checks the MAC-to-IP information based on the DHCP server. If no DHCP server is running in your network, we can make manual binding entries by using ARP ACLs. So there are two different options: we can either use an existing DHCP server, asking the switch, if any ARP request comes in on a specific port, to check the DHCP database to see whether the IP address and the MAC address match, or we can set up some ARP access lists on the switch for verification. We’ll see both options here; either way, the switch builds some IP-to-MAC binding information. Once this binding information is in place, if any ARP request comes from here, the switch performs what is called an inspection: if an ARP reply comes from here saying that this IP is at MAC B, or if that hacker sends any information, the switch checks the database and validates the ARP reply. If it matches the database, it allows that traffic; if the ARP reply does not match the database, it simply drops that traffic.

So the switch validates the source IP and MAC information based on the binding information, which is built via DHCP snooping or ARP ACLs. That’s how the switch prevents these ARP spoofing attacks. By default, whenever you enable dynamic ARP inspection, all ports are referred to as untrusted ports. Untrusted means each and every port has to go through dynamic ARP inspection checking; every interface is referred to as untrusted, which means it has to go through validation of the IP-to-MAC information against the binding database. If you want to bypass this inspection on some specific ports, let’s say in my scenario I have a switch, a computer, and a server, and maybe I don’t want this particular port to go through dynamic ARP inspection, we can configure that port as a trusted port.

Whichever port has been configured as a trusted port will not go through dynamic ARP inspection verification. So that’s what we can do with DAI, dynamic ARP inspection: it prevents ARP spoofing attacks by creating IP-to-MAC binding information, which can be built either by a DHCP server or manually by using an ARP access list. DAI treats each interface as a trusted or untrusted port; by default, once you configure it, every port is referred to as untrusted, and untrusted ports have to go through dynamic ARP inspection verification, whereas if you configure a specific port as trusted, it bypasses the dynamic ARP inspection validation.

Now, here is the case if you want to use manual bindings. One option is to use the DHCP binding information, which is automatically built from the DHCP server. To make this possible, you just need to have the DHCP snooping feature enabled. Once you enable DHCP snooping, the switch is going to contact the DHCP server and validate the IP-to-MAC information based on the DHCP snooping binding information that has already been created. If you are not using a DHCP server, we can manually configure an ARP access list, which we call a manual binding, in which we specify the IP addresses of the hosts and their MAC addresses. Every untrusted port goes through this validation, which means if an ARP reply is coming from .1 and matches this MAC address, only then does the switch permit that traffic; otherwise, if it does not match the database, it simply drops that traffic. And we can apply this ACL for VLAN 10, VLAN 20, or VLAN 30, whatever the VLANs on the switches are.

Now, this is the complete configuration, which we are going to verify in detail in the lab in our next videos. Let me just give you an overview of the configuration. We are going to enable the DHCP snooping feature. This is for the DHCP binding information, because in big networks you will be using DHCP servers, and the DHCP server is responsible for providing IP addresses to the clients. When it provides an IP address, it keeps track of the MAC and IP addresses given to those devices. If you want DHCP binding to work, we need to enable this DHCP snooping feature. Then we can also create some manual entries. In the lab, we are not going to use any DHCP information; we are going to use manual bindings. I’ve got two routers connected here with the MAC addresses as shown in the diagram. I’m going to bind them so that if any ARP reply comes from .1 and matches this MAC address, it is permitted, and I’ll do the same for .2. Then we need to apply ARP inspection to VLAN 10 for all the devices in VLAN 10, and then filter the traffic, which means anything matching this source IP-to-MAC information is permitted and anything that does not match is discarded. We can also configure any particular port as a trusted port; by default, all ports are untrusted. In my lab scenario, I’m going to use a computer to communicate with the lab switch, and I want to ensure that, for telnet to work, this particular port bypasses the dynamic ARP inspection validation. We can go to that interface and simply configure it as trusted. There are two options for making this work.

One option is, if you don’t want to bypass inspection, you need to add this entry to the ARP ACL. If you want to bypass it, you configure this port as trusted. So there are two options: we can either bypass DAI inspection by configuring the port as trusted, or we can manually add the entry, which means that if the entry is present, you can still telnet. Those are the two possible solutions. In my lab scenario, I’m going with the trusted option, just to show one more option. This is something we are going to verify in more detail with some live scenarios. Then for verification, we can use the command show ip arp inspection vlan 10. Here you’ll find information such as that ARP inspection is enabled for VLAN 10, that it is going to match against the ARP ACL, that anything matching is permitted, and that anything not matching is simply denied.
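To make the inspection logic of section 10 and of this section concrete, here is an added Python model of the switch’s DAI decision; it is example code, not from the course or from Cisco. Port names, MAC values, the ACL name ARP_VLAN10 and the log format are assumptions; the IOS commands in the comments are the ones the lab uses, plus the optional static keyword of the filter command.

```python
"""Decision model for Dynamic ARP Inspection (DAI) on a Cisco switch.

Replays the transcript's lab: an ARP ACL binds 192.168.1.1 and .2 to
their MACs, VLAN 10 is inspected with that ACL as a filter, and the PC
port (Fa0/5, 192.168.1.10) is trusted so telnet keeps working without a
binding. MAC values, port names and the log format are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_ip: str
    sender_mac: str


@dataclass
class DaiSwitch:
    inspected_vlans: Set[int]        # ip arp inspection vlan 10
    # arp access-list ARP_VLAN10 / permit ip host <ip> mac host <mac> log
    # ip arp inspection filter ARP_VLAN10 vlan 10
    arp_acl: Dict[str, str]
    # ip arp inspection trust (interface mode)
    trusted_ports: Set[str] = field(default_factory=set)
    # DHCP snooping binding table; empty in the lab (no DHCP server)
    dhcp_bindings: Dict[str, str] = field(default_factory=dict)
    # "static" keyword on the filter: implicit ACL denies are final,
    # no fallback to the DHCP snooping bindings
    static_acl: bool = False
    log: List[str] = field(default_factory=list)

    def inspect(self, pkt: ArpPacket) -> str:
        """Return "PERMIT" or "DROP" for an ARP packet arriving on a port."""
        if pkt.vlan not in self.inspected_vlans:
            return "PERMIT"              # DAI is not enabled on this VLAN
        if pkt.ingress_port in self.trusted_ports:
            return "PERMIT"              # trusted ports bypass inspection
        mac = pkt.sender_mac.lower()
        if self.arp_acl.get(pkt.sender_ip) == mac:
            self.log.append(f"permit {pkt.ingress_port} vlan {pkt.vlan} "
                            f"{pkt.sender_ip}/{mac} matched ARP ACL")
            return "PERMIT"
        # No ACL match: without "static", fall back to DHCP snooping bindings
        if not self.static_acl and self.dhcp_bindings.get(pkt.sender_ip) == mac:
            return "PERMIT"
        self.log.append(f"deny {pkt.ingress_port} vlan {pkt.vlan} "
                        f"{pkt.sender_ip}/{mac} no matching binding")
        return "DROP"


def lab_acl() -> Dict[str, str]:
    """The two bindings from the lab (MAC values constructed)."""
    return {"192.168.1.1": "aaaa.aaaa.aaaa", "192.168.1.2": "bbbb.bbbb.bbbb"}


def run_lab() -> List[str]:
    """Replay the lab steps and return the verdict of each step."""
    sw = DaiSwitch({10}, lab_acl(), trusted_ports={"Fa0/5"})
    r1 = ArpPacket("Fa0/1", 10, "192.168.1.1", "aaaa.aaaa.aaaa")
    pc = ArpPacket("Fa0/5", 10, "192.168.1.10", "cccc.cccc.cccc")
    results = [sw.inspect(r1), sw.inspect(pc)]      # PERMIT, PERMIT (trusted)
    # Step 2: replace the .1 binding with a wrong MAC; R1 can no longer ping
    sw.arp_acl["192.168.1.1"] = "dead.beef.0001"
    results.append(sw.inspect(r1))                  # DROP
    # Step 3: restore the valid entry; traffic flows again
    sw.arp_acl["192.168.1.1"] = "aaaa.aaaa.aaaa"
    results.append(sw.inspect(r1))                  # PERMIT
    # Spoofing case: the host on Fa0/2 claims .1 with its own MAC
    spoof = ArpPacket("Fa0/2", 10, "192.168.1.1", "bbbb.bbbb.bbbb")
    results.append(sw.inspect(spoof))               # DROP
    return results


if __name__ == "__main__":
    for step, verdict in enumerate(run_lab(), 1):
        print(f"step {step}: {verdict}")
```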

14. Private VLAN – LAB

In this lab, we will verify the private VLAN configurations. If you remember, we already discussed that private VLANs can be implemented to prevent hosts within the same VLAN from communicating directly. In private VLANs, we have two types of VLAN: primary VLANs and secondary VLANs. The primary VLAN is the main VLAN, and within it we create multiple secondary VLANs, which are divided into two categories: isolated and community VLANs. We can assign each secondary VLAN to one of these categories. An isolated port cannot communicate with any other isolated port; community ports, or community VLANs, communicate only within the same community.

Every port can be configured either as promiscuous, which means it can communicate with all the hosts, including isolated ones, or as a host port, and host ports can only communicate with promiscuous ports or within the same community. Private VLAN lab. So this is our lab scenario, which we are going to use for verifying the private VLANs. For verifying private VLANs, you need to have a switch. I’ve got switch one, which is my 3560 switch, acting as my centralised device and connecting to all my customer sites. Let’s take an example here. Router one and router two belong to one of my customer sites, ABC, and I want to ensure that router one and router two can communicate with each other.

As a result, they all belong to the same physical subnet, and they all belong to the same primary VLAN. In my scenario, I’m going to use VLAN number ten as the primary VLAN. Again, I’ll be creating multiple secondary VLANs, and I want to ensure that customer ABC can communicate between the sites within the same customer. Let’s say router one and router two belong to the same organisation and they connect to a centralised switch. In a similar way, I’ve got a company XYZ here, and these two devices belong to customer XYZ’s sites, and they should be able to communicate with each other automatically. At the same time, I’ve got another customer. Let’s say this is my customer PQR, and this is my customer SUMX. I want to ensure that the traffic coming from these customers does not go to any of the other customer sites.

Okay? So that's the reason I'm going to make them isolated, and the same applies to the other customer as well. They are part of the same physical subnet and belong to the same primary VLAN. Finally, all of the customer sites, ABC, XYZ, PQR and SUMX, must be able to reach the Internet, which is connected on switch three, so I'm going to configure that specific port as promiscuous. So I'm creating multiple VLANs here. VLAN 10 will be my primary VLAN. Inside that primary VLAN I'm going to create one secondary VLAN, 100, which is a community VLAN; its members will communicate only within VLAN 100. Then I'm going to create one VLAN which will be my isolated VLAN, and finally one more community VLAN, which will be 200.

These two users can then communicate with each other, but the isolated ones are completely isolated: they will not talk to any other site except through the promiscuous port, which they all can reach. Let's verify. In the lab I did most of the pre-configuration already and have the devices connected the same way; on switch one you can see it, and I also have the IP addresses pre-configured. That is all I did: only the IP addressing on the customer devices, and all the physical connections are exactly as in the diagram. Let's verify from the console. I'm on switch one; you can see the console connection and the CDP neighbours, which match the diagram. If I go to each device and run show ip interface brief, you can see that switch one connects to them all on exactly the same ports, and the IP addresses are already configured. They are all in the same VLAN, so I'll verify the connectivity between router one and router two.

And I'll verify the communication between router one and router three, and then switch four, which is acting as my router four on this side. If I try from router five, I can reach .6, which is my switch number two, and I should see the reply. Finally, I have switch three, which is acting as my Internet router, configured with IP address 192.168.1.10, and you can see the communication is there. So all the devices are connected properly in exactly the same way, and these are the ports I'm using. By default they all belong to the same VLAN; if I verify my VLAN configuration, they belong to the default VLAN, VLAN 1, and as long as they are in the same VLAN they can communicate. Now, my requirement is that R1 and R2 should communicate with each other: they should be part of the same community.

The same applies to router five and switch two. The two ports for R3 and switch four must be isolated. And they all must be able to communicate with the promiscuous port. So I need to configure VTP in this scenario. The first thing is to set the VTP mode to transparent and to put all the ports connecting to the end devices into VLAN 10. In order to configure private VLANs, the switch has to be in VTP transparent mode. Then we assign all the ports connecting to end devices to VLAN 10. That's the first step. To do that, I'll go to switch one and use the interface range command: interface range f0/1 - 3, which are my R1, R2 and R3 connections, then f0/22, which connects to switch four, then f0/5, which connects to router five,

then f0/24, which connects to switch two, and finally f0/20. I'm going to assign all these ports to my primary VLAN, VLAN 10. They all belong to the same VLAN, so they can still communicate with each other; my requirement is to stop that by using private VLANs. The first thing is that a switch configured with private VLANs has to be in VTP transparent mode, which is what I did here: my switch is in transparent mode. The next step is to create VLANs 100, 200 and 500 as my secondary VLANs, with VLANs 100 and 200 as community VLANs and VLAN 500 as the isolated VLAN. So VLANs 100, 200 and 500 will act as my secondary VLANs.

They need to be associated with my primary VLAN, VLAN 10. To make this possible, we'll configure these commands. We already set the VTP mode to transparent and moved all the ports into VLAN 10. Now I go into VLAN 10, which will be the primary private VLAN, and say private-vlan primary. VLAN 10 is now my primary VLAN. Then I create VLAN 100, which will be a community VLAN, and VLAN 200, which will also be a community VLAN, for a different customer site. Then I create one more VLAN, VLAN 500, which will be my isolated VLAN.

So I say private-vlan isolated, done. If I check, I have now created four VLANs: VLAN 10, my primary VLAN, and VLANs 100, 200 and 500, which will act as my secondary VLANs. As of now they are not yet associated, so the next step is to associate my primary VLAN with its secondary VLANs: go into VLAN 10 and say private-vlan association, adding the secondary VLANs 100, 200 and 500. They have to be separated by commas without any spaces. Once we do this, we can verify with show vlan private-vlan. It shows VLAN 10 as my primary VLAN and three secondary VLANs: 100 and 200 created as community VLANs, and VLAN 500 as my isolated VLAN.

Okay? Once we have created the primary VLAN and associated our secondary VLANs, the next step is to assign the specific ports to the respective VLANs, or rather the respective port types. First, port 20, which connects to switch three, will be set up as a promiscuous port. A promiscuous port is not assigned to any single secondary VLAN; it can be reached from any secondary VLAN. On it we need switchport mode private-vlan promiscuous, and then a mapping. So I'll go to switch one, configure port 20, and say switchport mode private-vlan promiscuous, then switchport private-vlan mapping.

For isolated or community ports we use the host keyword; for the promiscuous port we use mapping. We map our primary VLAN, VLAN 10, and then the secondary VLANs, meaning that traffic from those secondary VLANs is allowed here. In my scenario that is 100, 200 and 500, so I say 100,200,500. Once we configure this port as promiscuous, the mapping command assigns the port to the primary VLAN and maps VLANs 100, 200 and 500 to it. The next step is to configure ports f0/1 and f0/2, which connect to routers 1 and 2 in the same organisation, as part of community VLAN 100. So let's configure those two ports so that they communicate only with each other and with the promiscuous port.

So I'll say interface range f0/1 - 2, then switchport mode private-vlan host. Whenever you are assigning any port other than the promiscuous one, we configure it as a host; for the promiscuous port we configure promiscuous mode. Only the switchport mode command changes between the two. Then, on a host port, we have to say switchport private-vlan host-association, define the primary VLAN and then the secondary VLAN. So I'm adding ports one and two to secondary VLAN 100, which is a community VLAN. We need to do the same for the remaining two ports, for the other community VLAN, as you can see from the commands.

So interface range f0/5 , f0/24: f0/24 is the port connecting to switch two, and f0/5 connects to router five. The commands are the same: switchport mode private-vlan host, then switchport private-vlan host-association, but this time associated with community VLAN 200. We already defined VLAN 200 as a community VLAN. The next step is to make the two ports connecting to router 3 and switch 4 part of the isolated VLAN, so f0/3 and f0/22. Here, too, the commands are similar: switchport mode private-vlan host, then switchport private-vlan host-association with VLAN 500. We do not state on the port that it is isolated;

the VLAN type was already defined when we created VLAN 500, just as VLAN 200 was automatically a community VLAN. So: switchport mode private-vlan host, followed by switchport private-vlan host-association with primary VLAN 10 and secondary VLAN 500. If you recall, we associated VLAN 100 as a community VLAN; the ports assigned to it are ports 1, 2 and 20. The promiscuous port 20 is listed under every secondary VLAN category. VLAN 200 is my other community VLAN, with ports 5, 20 and 24. In the same way I have the isolated ports, 3 and 22, together with port 20, and they will be isolated from each other. The final step is to verify everything, which is what our requirements asked for.
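The complete Switch 1 configuration for the procedure above, as an added example assembled from the steps in this lab rather than a capture of the author's own console session. Port-to-device mapping, VLAN numbers and customer names follow the transcript; the VLAN name strings are my own labels, and the syntax is Catalyst 3560 IOS. Note that the transcript first places every port in VLAN 10 with switchport access vlan 10; the host-association and mapping commands below supersede that, so it is shown only as a comment.

```cisco
! Added example: private VLAN configuration for Switch 1 (Catalyst 3560 syntax).
! Step 1: private VLANs require VTP transparent mode on this platform.
vtp mode transparent
!
! Step 2: create the secondary VLANs and set each one's type.
vlan 100
 name CUST-ABC-COMMUNITY
 private-vlan community
vlan 200
 name CUST-XYZ-COMMUNITY
 private-vlan community
vlan 500
 name ISOLATED-CUSTOMERS
 private-vlan isolated
!
! Step 3: create the primary VLAN and associate the secondaries
! (comma-separated list, no spaces).
vlan 10
 name PRIMARY
 private-vlan primary
 private-vlan association 100,200,500
!
! Step 4: promiscuous port f0/20 towards Switch 3 (the Internet router).
! The mapping lists every secondary VLAN whose hosts may reach this port.
interface FastEthernet0/20
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 100,200,500
!
! Step 5: community VLAN 100, customer ABC (R1 on f0/1, R2 on f0/2).
! (The transcript's earlier "switchport access vlan 10" on these ports is
! replaced by the host-association below.)
interface range FastEthernet0/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 10 100
!
! Step 6: community VLAN 200, customer XYZ (R5 on f0/5, Switch 2 on f0/24).
interface range FastEthernet0/5 , FastEthernet0/24
 switchport mode private-vlan host
 switchport private-vlan host-association 10 200
!
! Step 7: isolated VLAN 500, customers PQR and SUMX (R3 on f0/3, Switch 4 on f0/22).
! The port command is identical to the community case; isolation comes from
! the VLAN type set in step 2.
interface range FastEthernet0/3 , FastEthernet0/22
 switchport mode private-vlan host
 switchport private-vlan host-association 10 500
!
! Verification: VLAN types, associations and per-VLAN port lists,
! then the private VLAN fields of the promiscuous port.
show vlan private-vlan
show interfaces FastEthernet0/20 switchport
```

The show vlan private-vlan output should list port f0/20 under all three secondary VLANs, f0/1 and f0/2 under VLAN 100, f0/5 and f0/24 under VLAN 200, and f0/3 and f0/22 under VLAN 500, matching the port lists the transcript reads out.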

Now, if you run show vlan private-vlan again, it should show the interface status as connected and list the primary and secondary VLANs. Now, verification. I'll start with router one. Router one belongs to community VLAN 100, so it can communicate with 192.168.1.2 because that is part of the same community VLAN, and it can communicate with .10 as well. But if I try to reach .3, .4, .5 or .6, it will not be able to, and the reason is simple: despite being on the same subnet and in the same primary VLAN, they are in different secondary VLANs, which separate the traffic. Similarly, trying to reach .4, .5 or .6 will be ineffective. So let me run a connectivity check from router three, which is on an isolated port.

Let's verify from the isolated ports. From router 3, I'll try to ping the promiscuous port, 192.168.1.10. I should get the reply; you can see I'm able to communicate with host .10, but if I try any other host here, I will not be able to, because an isolated port cannot communicate with any other isolated port. We can do the same from any other host. Finally, we'll verify community VLAN 200. I'll go to router five and try to communicate within the same community VLAN, which is 192.168.1.6; I should be able to reach .6. They can communicate with one another while also having access to the promiscuous port. But if they try to communicate with any other community VLAN, like VLAN 100, or with the isolated VLAN, they will not be able to. So this is how we differentiate traffic within the same VLAN using the concept of a private VLAN.
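A reachability matrix for the verification step, added here as an example and not taken from the author's lab capture. It extends the three checks the transcript performs to every pair of port types, including the promiscuous side. The addressing is an assumption reconstructed from the spoken fragments: 192.168.1.0/24 with the host part equal to the device number (R1 = .1, R2 = .2, R3 = .3, Switch 4 = .4, R5 = .5, Switch 2 = .6) and Switch 3 on .10; the expected result on each line follows from the private VLAN rules, not from captured output.

```cisco
! Added example: private VLAN reachability checks (assumed 192.168.1.0/24 addressing).
! Community VLAN 100 (R1, R2): reaches its own community and the promiscuous port only.
R1# ping 192.168.1.2     ! R2, same community VLAN 100: succeeds
R1# ping 192.168.1.10    ! Switch 3 behind promiscuous f0/20: succeeds
R1# ping 192.168.1.3     ! R3, isolated VLAN 500: blocked by the switch
R1# ping 192.168.1.5     ! R5, community VLAN 200: blocked by the switch
!
! Isolated VLAN 500 (R3, Switch 4): reaches the promiscuous port and nothing else,
! not even the other isolated host.
R3# ping 192.168.1.10    ! promiscuous: succeeds
R3# ping 192.168.1.4     ! Switch 4, also isolated: blocked
R3# ping 192.168.1.1     ! R1, community VLAN 100: blocked
!
! Community VLAN 200 (R5, Switch 2): mirror of VLAN 100.
R5# ping 192.168.1.6     ! Switch 2, same community VLAN 200: succeeds
R5# ping 192.168.1.10    ! promiscuous: succeeds
R5# ping 192.168.1.2     ! R2, community VLAN 100: blocked
!
! Promiscuous side: Switch 3 reaches every host in every secondary VLAN,
! which is why the Internet router belongs on this port type.
SW3# ping 192.168.1.3    ! isolated host answers the promiscuous port: succeeds
SW3# ping 192.168.1.6    ! community VLAN 200 host: succeeds
!
! If a "blocked" line unexpectedly succeeds, check the port's secondary VLAN with
! show interfaces <port> switchport before suspecting the VLAN definitions.
```

Running the blocked lines is as important as the successful ones: the point of the feature is that hosts sharing one subnet and one primary VLAN still cannot reach each other across secondary VLANs, and a single unexpected reply means a port landed in the wrong association.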
