CCNP 642-811 BCMSN Exam Certification Guide - Cisco press


486 Chapter 20: Securing with VLANs

In addition, if VTP pruning is in use, the RSPAN VLAN will be pruned from unnecessary trunks, limiting the traffic impact in unrelated areas of the network.

Create and maintain one or more RSPAN VLANs for the special monitoring purpose only. Set aside one RSPAN VLAN for each RSPAN session that will be used. Don’t allow any normal hosts to join an RSPAN VLAN. Define an RSPAN VLAN on each switch between the source and destination with the following configuration commands:

Switch(config)# vlan vlan-id

Switch(config-vlan)# remote-span

Next, you must identify the RSPAN source and destination on the two switches where the source and destination are connected. At the source switch, identify the source and destination with the following global configuration commands:

Switch(config)# monitor session session source {interface type mod/num | vlan vlan-id} [rx | tx | both]

Switch(config)# monitor session session destination remote vlan rspan-vlan-id

Here, the source is either a physical switch interface or a Layer 2 VLAN (not a VLAN SVI interface). Notice that the command syntax is identical to the Local SPAN source command. The RSPAN destination is simply the RSPAN VLAN. This allows the mirrored packets to be copied into the special VLAN and sent on their way toward the final RSPAN destination.

At the destination switch, you must again identify the RSPAN source and destination by using the following global configuration commands:

Switch(config)# monitor session session source remote vlan rspan-vlan-id

Switch(config)# monitor session session destination {interface type | vlan vlan-id}

Here, the roles are reversed. RSPAN packets are pulled from the RSPAN VLAN and placed onto the destination, which is either a physical switch interface or a Layer 2 VLAN.

NOTE Be aware that RSPAN traffic can increase the traffic load on a trunk, even though RSPAN is restricted to one special VLAN within the trunk. If the additional load is significant, the normal production and the monitored traffic contend with each other for available bandwidth. As a result, both types of traffic could suffer.

Also, RSPAN must allow STP to run on the RSPAN VLAN to prevent bridging loops from forming. As a result, STP BPDUs are normally sent and received on the VLAN. You cannot monitor BPDUs with RSPAN.

Switch Port Monitoring 487

In Example 20-5, RSPAN is configured on all three switches shown in Figure 20-3. The source is connected to Catalyst A port FastEthernet 1/1. The destination is a network analyzer connected to port FastEthernet 4/48 on Catalyst C. Catalyst B simply passes the RSPAN session traffic over VLAN 999, transported by trunk links.

Example 20-5 Configuring RSPAN on the Catalyst Switches in Figure 20-3

Catalyst A

vlan 999
remote-span
monitor session 1 source interface fastethernet 1/1 both
monitor session 1 destination remote vlan 999

Catalyst B

vlan 999
remote-span

Catalyst C

vlan 999
remote-span
monitor session 1 source remote vlan 999
monitor session 1 destination interface fastethernet 4/48
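The following Python check is an added example, not part of the Cisco Press text: it reads the configuration of every switch on an RSPAN path and verifies what the section above and Example 20-5 require, namely that the RSPAN VLAN is declared remote-span on each switch, that exactly one switch feeds the VLAN (destination remote vlan) and exactly one pulls from it (source remote vlan). The switch names, the config snippets (modelled on Example 20-5) and the misconfigured copy of Catalyst B are constructed.

```python
import re

# Constructed sample configurations following Example 20-5 (RSPAN VLAN 999); not real captures.
CATALYST_A = """vlan 999
remote-span
monitor session 1 source interface fastethernet 1/1 both
monitor session 1 destination remote vlan 999
"""
CATALYST_B = "vlan 999\nremote-span\n"
CATALYST_C = """vlan 999
remote-span
monitor session 1 source remote vlan 999
monitor session 1 destination interface fastethernet 4/48
"""
# Constructed failure case: remote-span forgotten on the intermediate switch, so VLAN 999
# would behave as an ordinary VLAN on Catalyst B and the mirrored frames would be learned/switched.
CATALYST_B_BROKEN = "vlan 999\nname rspan-transport\n"
GOOD_PATH = {"Catalyst A": CATALYST_A, "Catalyst B": CATALYST_B, "Catalyst C": CATALYST_C}
BAD_PATH = {"Catalyst A": CATALYST_A, "Catalyst B": CATALYST_B_BROKEN, "Catalyst C": CATALYST_C}

DST_REMOTE_RE = re.compile(r"^monitor session \d+ destination remote vlan (\d+)", re.M)
SRC_REMOTE_RE = re.compile(r"^monitor session \d+ source remote vlan (\d+)", re.M)


def remote_span_vlans(cfg):
    """Return the set of VLAN ids whose 'vlan <id>' block contains remote-span."""
    vlans, current = set(), None
    for raw in cfg.splitlines():
        line = raw.strip()
        match = re.match(r"^vlan (\d+)$", line)
        if match:
            current = int(match.group(1))
        elif line == "remote-span" and current is not None:
            vlans.add(current)
        elif not raw.startswith(" ") and not line.startswith("name "):
            current = None  # any other top-level command ends the vlan block
    return vlans


def check_rspan(configs, rspan_vlan):
    """Return a list of problems; an empty list means the RSPAN path is consistent."""
    problems, senders, receivers = [], [], []
    for name, cfg in configs.items():
        if rspan_vlan not in remote_span_vlans(cfg):
            problems.append(f"{name}: vlan {rspan_vlan} lacks remote-span")
        senders += [name for v in DST_REMOTE_RE.findall(cfg) if int(v) == rspan_vlan]
        receivers += [name for v in SRC_REMOTE_RE.findall(cfg) if int(v) == rspan_vlan]
    if len(senders) != 1:
        problems.append(f"expected one source switch feeding vlan {rspan_vlan}, found {senders}")
    if len(receivers) != 1:
        problems.append(f"expected one destination switch reading vlan {rspan_vlan}, found {receivers}")
    return problems
```

Running `check_rspan(GOOD_PATH, 999)` returns an empty list, while `check_rspan(BAD_PATH, 999)` reports that Catalyst B lacks remote-span on VLAN 999.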


Foundation Summary

The Foundation Summary is a collection of information that provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this information will hopefully be a convenient way to review the day before the exam.

VLAN Access Lists (VACLs) can control packets that are bridged, switched, or routed. VACLs are effective on packets that stay within a single VLAN.

Table 20-2 VLAN ACL Configuration Commands

Task: Define a VACL.
Command Syntax:
  vlan access-map map-name [sequence-number]

Task: Define a matching condition.
Command Syntax:
  match {ip address {acl-number | acl-name}} | {ipx address {acl-number | acl-name}} | {mac address acl-name}

Task: Define an action.
Command Syntax:
  action {drop | forward [capture] | redirect interface type mod/num}

Task: Apply the VACL to VLANs.
Command Syntax:
  vlan filter map-name vlan-list vlan-list

Private VLANs provide special unidirectional relationships between entities on a single VLAN.

Private VLANs are implemented as primary and secondary VLANs.

Primary VLANs allow hosts to communicate with any other type of private (secondary) VLAN.

Secondary VLANs allow hosts to communicate with ports on a primary VLAN but not with other secondary VLANs.

Secondary VLANs are categorized as follows:

Isolated VLAN—Hosts can communicate only with the primary VLAN, not with any other isolated port or secondary VLAN.

Community VLAN—Hosts can communicate with the primary VLAN and other hosts in the community VLAN but not with any other isolated or community VLAN.

Secondary VLANs must be associated with one primary VLAN.


You can configure switch ports using private VLANs as follows:

Promiscuous—Usually connects to a router, firewall, or gateway device; this type of port can communicate with any other type of private VLAN.

Host—Usually connects to regular hosts; this type of port can communicate with a promiscuous port or ports on the same community VLAN.
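The isolated, community, and promiscuous rules above can be modelled to check a private VLAN design before any switch is touched. The Python model below is an added example, not IOS code or material from the book; the VLAN numbers, port names and the validate/can_talk/reachability helpers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str           # "promiscuous" or "host"
    primary: int        # primary VLAN the port belongs to
    secondary: int = 0  # secondary VLAN of a host port; unused for promiscuous ports


# Constructed topology: primary VLAN 100 with one isolated and two community VLANs.
SECONDARY_TYPE = {101: "isolated", 102: "community", 103: "community"}
ASSOCIATION = {100: {101, 102, 103}}  # primary VLAN -> secondary VLANs associated with it


def validate(ports, association=ASSOCIATION):
    """Host ports must name a secondary VLAN that is associated with their primary VLAN."""
    return [f"{p.name}: secondary {p.secondary} not associated with primary {p.primary}"
            for p in ports
            if p.mode == "host" and p.secondary not in association.get(p.primary, set())]


def can_talk(a, b, sec_type=SECONDARY_TYPE):
    """Layer 2 reachability between two ports under the private VLAN rules."""
    if a.primary != b.primary:
        return False  # private VLAN rules apply within one primary VLAN
    if "promiscuous" in (a.mode, b.mode):
        return True   # a promiscuous port reaches every port of the primary VLAN
    if a.secondary != b.secondary:
        return False  # host ports in different secondary VLANs never reach each other
    return sec_type[a.secondary] == "community"  # isolated hosts reach no other host


def reachability(ports, sec_type=SECONDARY_TYPE):
    """Map each port name to the sorted names of the other ports it can reach."""
    return {a.name: sorted(b.name for b in ports if b is not a and can_talk(a, b, sec_type))
            for a in ports}


PORTS = [  # constructed example ports
    PvlanPort("Gi0/1", "promiscuous", 100),  # router / default gateway
    PvlanPort("Fa0/2", "host", 100, 101),    # isolated host
    PvlanPort("Fa0/3", "host", 100, 101),    # isolated host
    PvlanPort("Fa0/4", "host", 100, 102),    # community 102
    PvlanPort("Fa0/5", "host", 100, 102),    # community 102
    PvlanPort("Fa0/6", "host", 100, 103),    # community 103, no other member
]
```

`reachability(PORTS)` shows the two isolated hosts reaching only the gateway port, while the two community 102 hosts reach the gateway and each other.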

Table 20-3 Private VLAN Configuration Commands

Task: Define a secondary VLAN.
Command Syntax:
  vlan vlan-id
  private-vlan {isolated | community}

Task: Define a primary VLAN; associate it with secondary VLANs.
Command Syntax:
  vlan vlan-id
  private-vlan primary
  private-vlan association {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}

Task: Associate ports with private VLANs.
Command Syntax:
  switchport mode private-vlan {host | promiscuous}

Task: Associate nonpromiscuous ports with private VLANs.
Command Syntax:
  switchport private-vlan host-association primary-vlan-id secondary-vlan-id

Task: Associate promiscuous ports with private VLANs.
Command Syntax:
  switchport private-vlan mapping {primary-vlan-id} {secondary-vlan-list} | {add secondary-vlan-list} | {remove secondary-vlan-list}

Task: Associate secondary VLANs with a primary VLAN Layer 3 SVI.
Command Syntax:
  private-vlan mapping {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}

Switch port monitoring can monitor or capture interesting traffic on a Catalyst switch.

Local SPAN copies frames from a source to a destination port on the local switch.

VLAN SPAN (VSPAN) copies frames from a source VLAN to a destination port on the local switch.

Remote SPAN (RSPAN) copies frames from a source on one switch to a destination on another switch. Frames are carried over a special RSPAN VLAN across intermediate switches and trunks.


Table 20-4 Local or VLAN SPAN Commands

Task: Identify a SPAN session source.
Command Syntax:
  monitor session session source {interface type | vlan vlan-id} [rx | tx | both]

Task: Identify a SPAN session destination.
Command Syntax:
  monitor session session destination {{interface type mod/num} | {vlan vlan-id} | {analysis-module slot-number} | {data-port port-number}}

Task: Filter VLANs from a SPAN source trunk.
Command Syntax:
  monitor session session-number filter vlan vlan-range

Task: Remove a SPAN session.
Command Syntax:
  no monitor session {{range session-range} | local | all | session}

Table 20-5 RSPAN Commands

Task: Define an RSPAN VLAN for transport (all switches from source to destination).
Command Syntax:
  vlan vlan-id
  remote-span

Task: Source switch: identify the RSPAN source and destination.
Command Syntax:
  monitor session session source {interface type mod/num | vlan vlan-id} [rx | tx | both]
  monitor session session destination remote vlan rspan-vlan-id

Task: Destination switch: identify the RSPAN source and destination.
Command Syntax:
  monitor session session source remote vlan rspan-vlan-id
  monitor session session destination {interface type mod/num | vlan vlan-id}

Q&A

The questions and scenarios in this book are more difficult than what you should experience on the actual exam. The questions do not attempt to cover more breadth or depth than the exam; however, they are designed to make sure that you know the answers. Rather than allowing you to derive the answers from clues hidden inside the questions themselves, the questions challenge your understanding and recall of the subject. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and then guess.

You can find the answers to these questions in Appendix A.

1. When a VACL is implemented on a switch, how is the switching speed affected?

2. What actions can be taken on packets matching a VACL?

3. After a VACL is applied using the vlan filter command, how is the traffic direction (inbound or outbound) specified?

4. A secondary community VLAN is associated with a primary VLAN on a switch. Can hosts assigned to the community VLAN communicate with each other?

5. A secondary isolated VLAN is associated with a primary VLAN on a switch. Can hosts assigned to the isolated VLAN communicate with each other?

6. What command is needed to configure a promiscuous VLAN?

7. A router is identified as the central gateway for a private VLAN. What command is needed to configure the switch port where a router is connected?

8. How many actual VLANs must be configured to implement a common router with two community VLANs?

9. How is switching performance affected when several SPAN sessions are enabled?

10. What command can specify the source of a SPAN session as VLAN 100?

11. When a SPAN session is enabled, what direction of traffic flow (relative to the source port) is mirrored for analysis?


12. What two things can identify more granular traffic to be mirrored to a SPAN destination?

13. Three switches are connected in series with trunk links. The RSPAN source is on the first switch and the destination is on the third. How does the intermediate (second) switch learn about the RSPAN’s source and destination locations?

14. What must be configured on all switches connecting an RSPAN source and destination? What commands can be used?

15. One of the advantages of RSPAN is that mirrored traffic can be isolated in the RSPAN VLAN on a trunk. If a GigabitEthernet port is to be monitored on one switch, which is better to use as a transport for the RSPAN VLAN: a GigabitEthernet trunk already carrying user traffic in other VLANs, or an isolated GigabitEthernet trunk link set aside for RSPAN?

PART V: Scenarios for Final Preparation

Chapter 21 Scenarios for Final Preparation

The chapter in this part of the book emphasizes an overall understanding of switching concepts, configuration commands, and network operation. Although the CCNP BCMSN exam might not contain scenarios of this type, you can better prepare by thinking about the “bigger picture” of a network and how you can apply each switching topic.
