Thanks Wilson,

Can you please tell realtime scenario requirements to use private vlans

Thanks
Shanil

Sent from Cisco Technical Support iPhone App

Hello Shanil.

The configuration takes place on the edge switchports where the hosts are connected. The only requirement is to have the proper switch/equipment to support that configuration.

Here is the compatibiltiy matrix where you can see what switches can take advantage of this feature:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml

Regards.

Wilson B.

Hello NetNavi.

Check the post above about MacSec for more information and let me know if you need further clarification, if so I will do my best,

In regards to best practices there is a Cisco document; it describes deployments and best practices in every scenario; Supplicants, authenticator, authentication services and other configurations. Please check it out:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html

In regards to Private VLANS:

What is a Private Vlan?

• A private Vlan is a way to isolate hosts within the same Vlan or broadcast domain. So even when you might have devices sharing the same broadcast domain they can be isolated, this isolated is configured based on sub-domains also most often called primary and secondary Vlans.

What is a primary Vlan?

• The primary Vlan is representation of the private Vlan, a primary Vlan has one or more secondary Vlans, a switch uses the primary Vlan to present traffic from the secondary Vlans to its neighboring devices.

What is a secondary Vlan?

• A secondary Vlan is a sub-domain of the primary Vlan. We could say that the secondary Vlans belongs to the primary. The must be associated to a primary Vlan. There are two types of secondary vlans: Isolated and Community secondary Vlans.

What does it happen to host within a secondary isolated Vlan?

• Host within the isolated vlan; can’t communicate to neither other host in the same isoalted vlan nor host in a community vlan.

What does it happen to host within the secondary community Vlan?

• Host within the community Vlan can communicate with other host assigned to the same community vlan, but they can’t talk to host in other community vlans.

What are the benefits of implementing private Vlans?

• Scalability: The most common scenario is a service provider. Imagine all customers of a service provider connected through DSL, cable modem… it’s very likely that all customers belong to the same broadcast domain, however if that’s the case why is it that I can’t use my neighbor’s printer, or maybe why is it that I can’t access the files he has store in his computer, (security) we are in the same broadcast shouldn’t I be able to at least ping his ip address?. Well that’s because the ISP must guarantee some type of security for their customers, and because put every single customer that they have in a single Vlan is not scalable they use private Vlans.

Examples:

• ISP use private vlans to protect from security bridges, Private vlans and isolated Vlans are used to protect personal information for example from one customer to another.
• DMZ; Many implementations utilizes private vlans in a DMZ to limt or minimize that risk of a compromised server.

I would like to share this documentation with you for further information and configuration guidelines

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml#hw

This document explains what Cisco Catalyst switches support Private Vlans. 

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml

Let me know if you have further questions.

Regards

Wilson B.

Take my great apologies for annoying you, but i still haven't get the answer for my question.

I am familiar with the information that you  provided with the hot links. But this infomation does not answer my question. I am already know how to configure and to maintain private vlans and i know all this theory also. This information describes  the  process of exchanging  the frames between switches and between different types of ports inside a switch. But i want to know how the process of tagging works with private vlans inside the switch from the OSI model perspective by steps:

- frame coming from host to port with secondary vlan (which tag will be add?)

- frame moving from host port of switch to the promiscuous(private nontrunk vlan) port(what happens with the tag?)

- frame moving from promiscuous(private nontrunk vlan) port to the uplink port connected to other device(which tag will be in the frame header?)

Take my previouse picture as a scheme, please.

P.S.:or if you want and can, contact  with me through e-mail, if you don't want to flood here.

CCNA, CCNA Security certified

Example Port Security configuration for a Voice Port (on a 3750 switch):

switchport mode access

switchport access vlan 101

switchport voice vlan 201

switchport port-security maximum 2

switchport port-security maximum 1 vlan access

switchport port-security maximum 1 vlan voice

switchport port-security

This allows 1 MAC for the Phone and 1 MAC address for a PC connected behind the phone.

Thanks for your reply.

Can you explain how many MAC-addresses is allowed in the case with this config?

switchport mode access

switchport access vlan 101

switchport voice vlan 201

switchport port-security

Does the "switchport voice vlan 201" command change default number of alowed mac-addresses to 2?

Dear Andriy,

"switchport voice vlan command will not change the default to 2, it will be 1 only

if want 2 mac need to configure switchport port-security maximum 2

Thanks

Shanil

Dear Andriy,

In addition to above if you want to configure port security for data and voice vlan on the same port you can use the below config

Switch(config-if)# switchport port-security

Switch(config-if)# switchport port-security mac-address sticky

Switch(config-if)# switchport port-security maximum 1 vlan voice

Switch(config-if)# switchport port-security maximum 1 vlan access

 
This will allow 1 secure mac for voice and one for data. 
 
 Thanks
 Shanil

Hello Andriy.

Regarding to your questions:

Can you explain about port-security feature on the voice-port?

• When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP Phone, the phone requires up to two MAC addresses. The phone address is learned on the voice VLAN and might also be learned on the access VLAN, this behavior is due when the ip phone starts (after a reboot), it sends DHCP requests on the data VLAN.  Once the phone completes its boot process, only then it gets to know the voice VLAN ID to use for voice packets.

• It’s also possible that the phone is exchanging CDP or LLDP packets with the switch on the data VLAN so we have the same results and with Cisco IP phones that would be expected. This won't affect the devices or services at all. Connecting a PC to the phone requires additional MAC addresses.

1. This same restriction applies to 3750s, 3560s, 3550s, 2960s and 2950.
2. There are exceptions for example in 4500 switches this restriction only applies to Cisco IOS versions prior to 12.2(31)SG.
3. In 6500 switches this restrictions only applies to Cisco IOS version prior to SHX.

Regards.

Wilson B.

Hello Ahmad.

What is the best way to secure these ports so that no client is using another one's IP address?

I understand you have about 4 to 7 clients in several ME3750 Switches, and you are concerned about these users assuming others pc's IP addresses.

That scenario is described in IP source guard layer 2 security. The best way how to secure these ports is implementing IP source guard prevents a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. IP source guard checks DHCP bindings table, to make sure that hosts IP address is the one assigned as per the DHCP server. It is important to mention that Ip source guard can works together with DHCP snooping, however if you are planning to implementing IP source guard only for 4 or 5 users per switch then you may want to manually configure the bindings table for cross reference with IP source guard. Now I also understand you mentioned the mac address of the users changes a lot, in that case you would like to enable DHCP snooping for a more dynamic filtering without administrator intervention.

Find in the following link more information about IP source guard

http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_52_se/configuration/guide/swdhcp82.html

About Port-ACLs

• Port-access list are used to provide access control just like a regular acl.
• Configurationwise is similar to regular ACL.

Difference between PACL(l2) and ACL(l3)

• PACL is applied to switchports(access/trunk ports).
• Besides a PACL is applied to bridge traffic, so let's say traffic within the same vlan, remember that traffic with source/destination in different vlans is routed.

Based on what I have said: An instance of ACL applied to a layer 2 port is a PACL, the same instance of ACL applied to a layer 3 port is a regular ACL.

I don't think a PACL is the best choice to prevents a malicious host from impersonating a legitimate host by

assuming the legitimate host's IP address, I would suggest you to implement IP source guard.

Regards.

Wilson B.

Hi Wilson,

another difference between a PACL and a RACL that you forgot to mention : PACL is only ingress  feature and RACL is ingress/egress.

Can you provide a link where it is stated that PACL will have no effect on routed traffic?

Regards

Alain

Don't forget to rate helpful posts.