L2 security – protected ports.
Sometimes we have to isolate some hosts from each other. We can use the ‘private VLAN’ feature or a simpler solution, ‘protected ports’. The feature is enabled per port on the designated interfaces: a protected port does not forward traffic to any other protected port on the same switch, while communication between a ‘protected’ and a normal (non-protected) port is still allowed. The main difference between ‘private VLAN’ and ‘protected port’ is that the latter is limited to a single device: you can’t block traffic between two ports on separate switches.
   Fa1/0/9              Fa1/0/11
/----\      /-----\      /----\
| R1 |------| sw1 |------| R2 |
\----/      \-----/      \----/
Gig0/0         |         Gig0/0
10.0.0.1       | Fa1/0/13   10.0.0.2
               |
            /----\  fa0/0
            | R3 |  10.0.0.3
            \----/
Let’s configure switch port Fa1/0/9 as protected first (Fa1/0/11 will follow in a second step) and test connectivity between all three routers.
!
interface FastEthernet1/0/9
description to R1-2911 gi0/0
switchport mode access
switchport protected
end
!
interface FastEthernet1/0/11
description to R2-2911 gi0/0
switchport mode access
end
!
interface FastEthernet1/0/13
description to R3-2811 fa0/0
end
With the above settings, r2 (not yet protected) can ping both r1 (protected) and r3 (non-protected):
r2#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r2#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r2#
Now we enable the protected port feature on r2’s port, Fa1/0/11:
MP-SW(config)#int fa1/0/11
MP-SW(config-if)# switchport protected
And now from r2 (protected) we can’t ping r1 (protected) any more, but we can still ping r3 (non-protected):
r2#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r2#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r2#
As we can see, everything works as expected. The switchport status of Fa1/0/9 confirms the setting (note the ‘Protected: true’ line):
MP-SW#sh int fa1/0/9 switchport
Name: Fa1/0/9
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
MP-SW#
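To make the forwarding rule from the introduction concrete and to give a way of auditing a switch after the fact, here is a small Python script added to this post (it is not part of the original write-up and not a Cisco tool). It parses an IOS-style running-config excerpt and a ‘show interfaces switchport’ excerpt for ‘switchport protected’ / ‘Protected: true’, applies the protected-port rule (two protected ports on the same switch cannot talk; anything else forwards), and reports which host pairs that were meant to be isolated can still reach each other. The sample config and show output are constructed from the excerpts above, with Fa1/0/11 already protected as in the second step; the switch-membership mapping and the function names are assumptions made for the example. It also models the limitation stated above, that the rule does not apply across two different switches.

```python
import re
from itertools import combinations

# Constructed sample: the three interface stanzas from the post, after
# 'switchport protected' has been applied to Fa1/0/11 as well.
SAMPLE_CONFIG = """\
!
interface FastEthernet1/0/9
 description to R1-2911 gi0/0
 switchport mode access
 switchport protected
!
interface FastEthernet1/0/11
 description to R2-2911 gi0/0
 switchport mode access
 switchport protected
!
interface FastEthernet1/0/13
 description to R3-2811 fa0/0
!
"""

# Constructed sample: the relevant lines of 'show interfaces switchport'.
SAMPLE_SHOW = """\
Name: Fa1/0/9
Switchport: Enabled
Administrative Mode: static access
Protected: true
Unknown unicast blocked: disabled
"""


def parse_protected_ports(config_text):
    """Return {interface_name: is_protected} for every 'interface' stanza.

    IOS indents sub-commands with a space; a non-indented line ('!', 'end',
    the next 'interface ...') closes the current stanza."""
    ports = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            ports[current] = False
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            current = None
            continue
        if line.strip() == "switchport protected":
            ports[current] = True
    return ports


def parse_show_switchport(text):
    """Parse 'show interfaces switchport' output into {short_name: is_protected}."""
    result = {}
    name = None
    for line in text.splitlines():
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Protected:") and name is not None:
            result[name] = line.split(":", 1)[1].strip().lower() == "true"
    return result


def layer2_allowed(src, dst, ports, switch_of):
    """Protected-port rule: a frame between two protected ports on the SAME
    switch is dropped; every other port pair is forwarded normally.
    switch_of maps interface -> switch name (assumed inventory data) and is
    what makes the 'single device only' limitation visible."""
    if src == dst:
        return True
    if switch_of.get(src) != switch_of.get(dst):
        return True  # feature is local to one switch: no isolation here
    return not (ports.get(src, False) and ports.get(dst, False))


def audit_isolation(ports, switch_of, isolate):
    """Return the pairs of ports in `isolate` that can still reach each other."""
    return [(a, b) for a, b in combinations(isolate, 2)
            if layer2_allowed(a, b, ports, switch_of)]


if __name__ == "__main__":
    ports = parse_protected_ports(SAMPLE_CONFIG)
    switch_of = {name: "MP-SW" for name in ports}  # assumed: all on one switch
    for pair in audit_isolation(ports, switch_of, sorted(ports)):
        print("still reachable:", pair)
```

Running it on the sample reports that Fa1/0/13 (r3) can still reach both protected ports, exactly the behaviour seen in the pings above, while Fa1/0/9 and Fa1/0/11 are isolated from each other; changing the switch name of one of the two protected ports in `switch_of` makes the pair reachable again, which is the cross-switch limitation the post warns about.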