CCNP Security Notes
The main purpose of a Private VLAN (PVLAN) is to isolate hosts at Layer 2 instead of Layer 3. A VLAN is a
broadcast domain; a PVLAN splits that domain into several smaller broadcast domains. For example, without
PVLANs, a service provider that wants to increase security by isolating customers into separate domains, so
that they cannot reach each other, has to assign them to different VLANs and use different subnets. This
wastes IP addresses and makes VLAN management harder. Private VLANs (PVLANs) solve this problem by
isolating devices at Layer 2 within the same subnet. A PVLAN can be thought of as "VLANs inside a VLAN".
* Isolated: can communicate only with promiscuous ports. Notice that it cannot even communicate with
another isolated port. Also, there can be only one isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to
this port so that all devices in the PVLAN can reach the outside.
* Community: can communicate with other members of the same community and with promiscuous ports,
but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.
+ In the diagram, Host C can communicate with Host D because they are in the same community, but
Host C cannot communicate with E and F because they are in a different community.
Two more terms matter here: "primary VLAN" and "secondary VLAN". A PVLAN has exactly one primary VLAN;
all VLANs in a PVLAN domain share the same primary VLAN. The secondary VLANs are the isolated and
community VLANs.
Configuration of PVLAN:
//Configure the port connected to the router as the promiscuous port, with the primary VLAN mapped to
//the secondary VLANs.
Switch(config)# interface f0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101,102,103
//Ports connected to hosts A, B, C, D, E and F are configured in host mode and associated with the
//appropriate VLANs (A and B to isolated VLAN 101; C and D to community VLAN 102; E and F to community
//VLAN 103). Only the ports for hosts A and B are shown:
Switch(config)# interface range f0/2 - 3 //connected to hosts A and B
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 101
A second, complete example on a Catalyst 3560 (prompt 3560-2), with VLAN 99 as the primary VLAN,
community VLAN 100 and isolated VLAN 200:
Step 1: Create the VLANs.
3560-2(config)#vlan 99
3560-2(config-vlan)#name pri-vlan
3560-2(config)#vlan 100
3560-2(config-vlan)#name comm-vlan
3560-2(config-vlan)#vlan 200
3560-2(config-vlan)#name isolated-vlan
Step 2: Define your secondary VLANs.
3560-2(config-vlan)#vlan 100
3560-2(config-vlan)#private-vlan community
3560-2(config-vlan)#vlan 200
3560-2(config-vlan)#private-vlan isolated
Step 3: Define your primary VLAN and associate the secondary VLANs with it.
3560-2(config-vlan)#vlan 99
3560-2(config-vlan)#private-vlan primary
3560-2(config-vlan)#private-vlan association 100,200
Step 4: Define your port roles based on the above diagram.
3560-2(config)#int fa0/1
3560-2(config-if)#switchport mode private-vlan promiscuous
3560-2(config-if)#switchport private-vlan mapping 99 100,200
3560-2(config)#int range fa0/10 - 11
3560-2(config-if-range)#switchport mode private-vlan host
3560-2(config-if-range)#switchport private-vlan host-association 99 100
3560-2(config)#int range fa0/20 - 21
3560-2(config-if-range)#switchport mode private-vlan host
3560-2(config-if-range)#switchport private-vlan host-association 99 200
Check the VLAN roles:
3560-2#sh vlan private-vlan
Primary Secondary Type             Ports
------- --------- ---------------- ------------------------------------------
99      100       community        Fa0/1, Fa0/10, Fa0/11
99      200       isolated         Fa0/1, Fa0/20, Fa0/21
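As an added illustration that is not part of these notes, the isolated, community and promiscuous rules above modelled in Python on the 3560-2 port layout from Steps 1-4; the port-to-role table is transcribed from that configuration, and the function names are this example's own.

```python
"""PVLAN forwarding model: which switch ports may exchange frames.

Added example, not part of the notes. VLAN roles and port numbers come from
the 3560-2 configuration (Steps 1-4); the function names are this example's own.
"""

# vlan id -> (private-vlan type, secondary VLANs associated with a primary)
VLANS = {99: ("primary", {100, 200}), 100: ("community", set()), 200: ("isolated", set())}

# port -> (mode, primary VLAN, secondary VLANs mapped or associated on the port)
PORTS = {
    "fa0/1":  ("promiscuous", 99, {100, 200}),  # uplink to the router (mapping 99 100,200)
    "fa0/10": ("host", 99, {100}),               # host-association 99 100 (community)
    "fa0/11": ("host", 99, {100}),
    "fa0/20": ("host", 99, {200}),               # host-association 99 200 (isolated)
    "fa0/21": ("host", 99, {200}),
}


def can_talk(a, b, ports=PORTS, vlans=VLANS):
    """True if frames may be forwarded between ports a and b (the rules are symmetric)."""
    mode_a, pri_a, sec_a = ports[a]
    mode_b, pri_b, sec_b = ports[b]
    # Traffic never crosses primary VLANs, and the primary must be configured as one.
    if pri_a != pri_b or vlans[pri_a][0] != "primary":
        return False
    associated = vlans[pri_a][1]
    if mode_a == mode_b == "promiscuous":
        return True
    if "promiscuous" in (mode_a, mode_b):
        # host <-> promiscuous: the host's secondary VLAN must be associated with
        # the primary and included in the promiscuous port's mapping.
        host_sec, prom_sec = (sec_b, sec_a) if mode_a == "promiscuous" else (sec_a, sec_b)
        return bool(host_sec & prom_sec & associated)
    # host <-> host: only within one community VLAN; isolated ports never reach each other.
    shared = sec_a & sec_b & associated
    return any(vlans[v][0] == "community" for v in shared)


def reachable_from(port):
    """Sorted list of the other ports that `port` can reach; useful for auditing a design."""
    return sorted(p for p in PORTS if p != port and can_talk(port, p))
```

`reachable_from("fa0/20")` returns only the promiscuous uplink, while `reachable_from("fa0/10")` also includes its community peer, which is exactly what the show output above should imply.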
II. CONFIGURING IP DHCP SNOOPING AND DYNAMIC ARP INSPECTION TO MITIGATE ARP SPOOFING ATTACKS
A. DHCP snooping is a DHCP security feature that provides network security by filtering
untrusted DHCP messages and by building and maintaining a DHCP
snooping binding database, also referred to as a DHCP snooping binding
table.
B. For DHCP snooping to function properly, all DHCP servers must be
connected to the switch through trusted interfaces.
C. The switch drops a DHCP packet when one of these situations occurs:
* A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet,
is received from outside the network or firewall.
* A packet is received on an untrusted interface, and the source MAC address and the DHCP client
hardware address do not match.
* The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the
DHCP snooping binding database, but the interface information in the binding database does not
match the interface on which the message was received.
* A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not
0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an untrusted port.
D. Dynamic ARP inspection determines the validity of an ARP packet based on
valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping
binding database. This database is built by DHCP snooping if DHCP snooping is enabled
on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the
switch forwards the packet without any checks. On untrusted interfaces, the switch
forwards the packet only if it is valid.
E. You enable dynamic ARP inspection on a per-VLAN basis with the ip arp inspection vlan vlan-range
global configuration command.
F. Address Resolution Protocol (ARP) poisoning is an attack in which the attacker alters the
IP-to-MAC address mapping held in the victims' ARP caches. Also called ARP spoofing, it is
effective against both wired and wireless local networks. From an ARP poisoning position an
attacker can steal data from the affected computers, eavesdrop using man-in-the-middle methods,
and deny legitimate access to services such as Internet access.
Scenario:
G. User A contacts DLS1 (172.16.1.1) to obtain an IP address via DHCP, which creates an entry in the
DHCP binding table on DLS1. The attacker, on the same VLAN 1 as User A, attempts to spoof a MAC
address using Cain & Abel software. This sends out a gratuitous ARP that updates the ARP entry for
172.16.1.1 on User A and the entry for 172.16.1.2 on DLS1. User A then sends packets to the
attacker believing it is sending them to the default gateway. This is a "man-in-the-middle" attack.
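The defence described in sections A to E, as an added Python model that is not part of these notes: it builds a DHCP snooping binding table from the DHCP exchange, applies the drop rules from C, and then runs dynamic ARP inspection on the gratuitous ARP from the scenario. Switch port names and MAC addresses are constructed for the example.

```python
"""DHCP snooping binding table plus dynamic ARP inspection, modelled in Python.
Added example, not from the notes: it replays the scenario in which User A leases
172.16.1.2 from DLS1 (172.16.1.1) and an attacker on VLAN 1 then sends a gratuitous
ARP claiming 172.16.1.1. Port names and MAC addresses are constructed."""
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


class Switch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> (vlan, port) seen in DISCOVER/REQUEST
        self.bindings = {}   # DHCP snooping binding table: client MAC -> (ip, vlan, port)

    def dhcp(self, p):
        """Apply the DHCP snooping drop rules; returns 'forward' or 'drop'."""
        untrusted = p["port"] not in self.trusted
        if untrusted and p["type"] in SERVER_MSGS:
            return "drop"                      # server message arriving on an untrusted port
        if untrusted and p["src_mac"] != p["chaddr"]:
            return "drop"                      # frame source MAC != DHCP client hardware address
        bound = self.bindings.get(p["chaddr"])
        if p["type"] in ("DHCPRELEASE", "DHCPDECLINE") and bound and bound[2] != p["port"]:
            return "drop"                      # release/decline not from the bound interface
        if untrusted and p["type"] in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[p["chaddr"]] = (p["vlan"], p["port"])
        elif p["type"] == "DHCPACK" and p["chaddr"] in self.pending:
            vlan, port = self.pending.pop(p["chaddr"])
            self.bindings[p["chaddr"]] = (p["yiaddr"], vlan, port)   # lease confirmed: learn it
        return "forward"

    def arp(self, p):
        """Dynamic ARP inspection: sender IP/MAC must match the binding table."""
        if p["port"] in self.trusted:
            return "forward"                   # trusted interfaces are not inspected
        b = self.bindings.get(p["sender_mac"])
        return "forward" if b == (p["sender_ip"], p["vlan"], p["port"]) else "drop"


def scenario():
    """Replay the notes' scenario; returns the per-packet verdicts in order."""
    sw = Switch(trusted_ports={"Gi1/0/1"})        # uplink toward DLS1 (constructed port name)
    user_a, dls1, attacker = "02:00:00:00:00:0a", "02:00:00:00:00:01", "02:00:00:00:00:bb"
    return [
        sw.dhcp({"type": "DHCPDISCOVER", "port": "Gi1/0/10", "vlan": 1, "src_mac": user_a, "chaddr": user_a}),
        sw.dhcp({"type": "DHCPACK", "port": "Gi1/0/1", "vlan": 1, "src_mac": dls1, "chaddr": user_a, "yiaddr": "172.16.1.2"}),
        sw.arp({"port": "Gi1/0/20", "vlan": 1, "sender_mac": attacker, "sender_ip": "172.16.1.1"}),  # spoofed gateway
        sw.arp({"port": "Gi1/0/10", "vlan": 1, "sender_mac": user_a, "sender_ip": "172.16.1.2"}),    # legitimate reply
        sw.dhcp({"type": "DHCPOFFER", "port": "Gi1/0/20", "vlan": 1, "src_mac": attacker, "chaddr": user_a}),  # rogue server
    ]
```

With DAI enabled on VLAN 1 and only the DLS1 uplink trusted, the attacker's gratuitous ARP has no matching binding and is dropped before it can rewrite anyone's ARP cache.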