BCMSN Exam Certification Guide


466 Chapter 19: Securing Switch Access

Q&A

The questions and scenarios in this book are more difficult than what you should experience on the actual exam. The questions do not attempt to cover more breadth or depth than the exam; however, they are designed to make sure that you know the answers. Rather than allowing you to derive the answers from clues hidden inside the questions themselves, the questions challenge your understanding and recall of the subject. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and then guess.

The answers to these questions can be found in Appendix A.

1. What does the acronym “AAA” stand for?

2. What external methods of authentication does a Catalyst switch support?

3. A RADIUS server is located at IP address 192.168.199.10. What command configures a Catalyst switch to find the server?

4. A Catalyst switch should be configured to authenticate users against RADIUS servers first, followed by TACACS+ servers. What command can define the authentication methods? Make sure users can still authenticate if none of the servers are available.

5. What is the purpose of authorization? What happens if authorization is not used?

6. Is it possible to use different methods to authorize users to run switch commands instead of making configuration changes?

7. When might the command switchport port-security maximum 2 be used?

8. After port-based authentication is configured and enabled, can any host connect as long as the user can authenticate?

9. When the 802.1x force-authorized keyword is used, how does the switch react to users attempting to connect?

10. Can more than one host be authenticated on a single switch port with port-based authentication?

This chapter covers the following topics that you need to master for the CCNP BCMSN exam:

VLAN Access Lists—This section discusses how traffic can be controlled within a VLAN. You can use VLAN access control lists (ACLs) to filter packets even as they are bridged or switched.

Private VLANs—This section explains the mechanisms that you can use to provide isolation within a single VLAN. Private VLANs have a unidirectional nature; several of them can be isolated, yet share a common subnet and gateway.

Switch Port Monitoring—This section presents the Catalyst features that allow traffic on switch ports or VLANs to be monitored on a different switch port.

Chapter 20

Securing with VLANs

Traditionally, traffic has been filtered only at router boundaries, where packets are naturally inspected before forwarding. This is true within Catalyst switches because access lists can be applied as a part of multilayer switching. Catalysts can also filter packets even if they stay within the same VLAN; VLAN access control lists, or VACLs, provide this capability.

Catalyst switches also have the capability to logically divide a single VLAN into multiple partitions. Each partition can be isolated from others, with all of them sharing a common IP subnet and a common gateway address. Private VLANs make it possible to offer up a single VLAN to many disparate customers or organizations without any interaction between them.

Finally, switch ports must be monitored at times for troubleshooting purposes. Catalyst switches can mirror switch ports or VLANs onto other ports so that a network analysis device can capture or “listen in” on interesting traffic within the switch. The Switch Port Analysis (SPAN) feature can mirror ports on the same switch or across a switched network to a remote switch.

“Do I Know This Already?” Quiz

The purpose of the “Do I Know This Already?” quiz is to help you decide what parts of this chapter to use. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.

The quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you determine how to spend your limited study time.

Table 20-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.

Table 20-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section        Questions Covered in This Section
VLAN ACLs                        1–4
Private VLANs                    5–8
Monitoring Switch Ports          9–12


CAUTION The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might give you a false sense of security.

1. Which one of the following can filter packets even if they are not routed to another Layer 3 interface?

a. IP extended access lists

b. MAC address access lists

c. VLAN access lists

d. Port-based access lists

2. In what part of a Catalyst switch are VLAN ACLs implemented?

a. NVRAM

b. CAM

c. RAM

d. TCAM

3. Which of the following commands can implement a VLAN ACL called “test?”

a. access-list vlan test

b. vacl test

c. switchport vacl test

d. vlan access-map test

4. After a VACL is configured, where is it applied?

a. Globally on a VLAN

b. On the VLAN interface

c. In the VLAN configuration

d. On all ports or interfaces mapped to a VLAN

5. Which of the following private VLANs is the most restrictive?

a. Community VLAN

b. Isolated VLAN

c. Restricted VLAN

d. Promiscuous VLAN


6. The vlan 100 command has just been entered. What is the next command needed to configure VLAN 100 as a secondary isolated VLAN?

a. private-vlan isolated

b. private-vlan isolated 100

c. pvlan secondary isolated

d. No further configuration is necessary.

7. What type of port configuration should you use for private VLAN interfaces on a router?

a. Host

b. Gateway

c. Promiscuous

d. Transparent

8. Promiscuous ports must be __________ to primary and secondary VLANs, and host ports must be __________.

a. mapped, associated

b. mapped, mapped

c. associated, mapped

d. associated, associated

9. Which of the following allows a port to be mirrored to another port on the same switch?

a. VSPAN

b. RSPAN

c. SPAN

d. CSPAN

10. What must be used to connect switches used for RSPAN?

a. An 802.1Q trunk

b. Access-mode switch ports (single VLAN)

c. A private VLAN over a trunk

d. An RSPAN VLAN over a trunk

11. What is the most important difference between an RSPAN VLAN and a regular VLAN?

a. The RSPAN VLAN disables MAC address learning.

b. The RSPAN VLAN uses static MAC address definitions.

c. The RSPAN VLAN has the RSPAN source and destination MAC addresses defined in the CAM table.

d. The RSPAN VLAN cannot be carried over a trunk link.

12. To configure an RSPAN session’s source switch, what is used for the session destination?

a. The switch port leading to the destination switch

b. The RSPAN VLAN

c. The final destination switch port

d. The next-hop router

The answers to the “Do I Know This Already?” quiz are found in Appendix A, “Answers to Chapter ‘Do I Know This Already?’ Quizzes and Q&A Sections.” The suggested choices for your next step are as follows:

10 or less overall score—Read the entire chapter. This includes the “Foundation Topics,” “Foundation Summary,” and “Q&A” sections.

11 or 12 overall score—If you want more review on these topics, skip to the “Foundation Summary” section and then go to the “Q&A” section at the end of the chapter. Otherwise, move to Chapter 21, “Scenarios for Final Preparation.”


Foundation Topics

VLAN Access Lists

Access lists can manage or control traffic as it passes through a switch. When normal access lists are configured on a Catalyst switch, they filter traffic through the use of the Ternary Content Addressable Memory (TCAM). Recall from Chapter 3, “Switch Operation,” that access lists (also known as router access lists or RACLs) are merged or compiled into the TCAM. Each ACL is applied to an interface according to the direction of traffic—inbound or outbound. Packets can then be filtered in hardware with no switching performance penalty. However, only packets that pass between VLANs can be filtered this way.

Packets that stay in the same VLAN do not ever cross a VLAN or interface boundary and do not necessarily have a direction in relation to an interface. These packets might also be non-IP, non-IPX, or completely bridged; therefore, they never pass through the multilayer switching mechanism. VLAN access lists (VACLs) are filters that can directly affect how packets are handled within a VLAN.

VACLs are somewhat different from RACLs or traditional access control lists. Although they too are merged into the TCAM, they can permit, deny, or redirect packets as they are matched. VACLs are also configured in a route map fashion, with a series of matching conditions and actions to take.

VACL Configuration

VACLs are configured as a VLAN access map, in much the same format as a route map. A VLAN access map consists of one or more statements, each having a common map name. First, you define the VACL with the following global configuration command:

Switch(config)# vlan access-map map-name [sequence-number]

Access map statements are evaluated in sequence, according to the sequence-number. Each statement can contain one or more matching conditions, followed by an action.

Next, define the matching conditions that identify the traffic to be filtered. Matching is performed by access lists (IP, IPX, or MAC address ACLs), which you must configure independently. Configure a matching condition with the following access map configuration command:

Switch(config-access-map)# match {ip address {acl-number | acl-name}} | {ipx address {acl-number | acl-name}} | {mac address acl-name}


You can repeat this command to define several matching conditions; the first match encountered triggers an action to take. Define the action with the following access map configuration command:

Switch(config-access-map)# action {drop | forward [capture] | redirect interface type mod/num}

A VACL can either drop a matching packet, forward it, or redirect it to another interface. The TCAM performs the entire VACL match and action, as packets are switched or bridged within a VLAN, or routed into or out of a VLAN.

Finally, you must apply the VACL to a VLAN interface using the following global configuration command:

Switch(config)# vlan filter map-name vlan-list vlan-list

Notice that the VACL is applied globally to one or more VLANs listed and not to a VLAN interface (SVI). Recall that VLANs can be present in a switch as explicit interfaces or as inherent Layer 2 entities. The VLAN interface is the point where packets enter or leave a VLAN, so it does not make sense to apply a VACL there. Instead, the VACL needs to function within the VLAN itself, where there is no inbound or outbound direction.

For example, suppose you find a need to filter traffic within VLAN 99 so that host 192.168.99.17 is not allowed to contact any other host on its local subnet. An access list local-17 is created to identify traffic between this host and anything else on its local subnet. Then, a VLAN access map is defined: If the IP address is permitted by the local-17 access list, the packet is dropped; otherwise, it is forwarded. Example 20-1 shows the commands necessary for this example.

Example 20-1 Filtering Traffic Within the Local Subnet

Switch(config)# ip access-list extended local-17

Switch(config-acl)# permit ip host 192.168.99.17 192.168.99.0 0.0.0.255

Switch(config-acl)# exit

Switch(config)# vlan access-map block-17 10

Switch(config-access-map)# match ip address local-17

Switch(config-access-map)# action drop

Switch(config-access-map)# vlan access-map block-17 20

Switch(config-access-map)# action forward

Switch(config-access-map)# exit

Switch(config)# vlan filter block-17 vlan-list 99
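To make the evaluation order concrete, here is an added Python model (my own illustration, not code from the guide) of how a VLAN access map is processed: clauses are tried in sequence-number order, an ACL “permit” inside a match clause selects the packet for that clause’s action rather than permitting it, and the first matching clause wins. Example 20-1 is encoded as data so the outcome for individual source/destination pairs can be checked. The implicit drop for a packet that matches no clause is standard VACL behaviour that the text does not spell out, so it is an assumption here; the helper and class names are mine.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class Ace:
    """One entry of an extended IP ACL (protocol 'ip', no port numbers)."""
    permit: bool
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """Extended ACL lookup: the first matching entry decides; implicit deny at the end."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.permit
    return False


@dataclass
class MapClause:
    """One 'vlan access-map NAME SEQ' clause: an optional match ACL plus an action."""
    seq: int
    match_acl: Optional[List[Ace]]      # None = no match statement, so it matches everything
    action: str                         # 'drop', 'forward' or 'redirect'
    redirect_to: Optional[str] = None   # interface name when the action is 'redirect'


def evaluate_vacl(access_map: List[MapClause], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Apply the access map in sequence order; the first matching clause wins.

    A packet matching no clause is dropped (assumed implicit drop).
    """
    for clause in sorted(access_map, key=lambda c: c.seq):
        if clause.match_acl is None or acl_permits(clause.match_acl, src, dst):
            return clause.action, clause.redirect_to
    return "drop", None


# Example 20-1 expressed as data: ACL local-17 and access map block-17.
LOCAL_17 = [Ace(True, "192.168.99.17", "0.0.0.0", "192.168.99.0", "0.0.0.255")]
BLOCK_17 = [MapClause(10, LOCAL_17, "drop"), MapClause(20, None, "forward")]


def example_20_1(src: str, dst: str) -> str:
    """Action the block-17 VACL takes on a packet switched inside VLAN 99."""
    return evaluate_vacl(BLOCK_17, src, dst)[0]


if __name__ == "__main__":
    for s, d in [("192.168.99.17", "192.168.99.20"),   # host to a local neighbour
                 ("192.168.99.17", "10.1.1.1"),        # host to an off-subnet address via the gateway
                 ("192.168.99.20", "192.168.99.17")]:  # neighbour back to the host
        print(f"{s} -> {d}: {example_20_1(s, d)}")
```

Two things the model makes visible: local-17 matches only packets sourced by 192.168.99.17, so a packet that another local host sends to it is forwarded (the drop of the host’s own traffic is what stops it contacting its neighbours, as the text describes); and if clause 20 is left out, every packet that does not match local-17 falls through to the implicit drop, which is why the unconditional forward clause is needed.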

Private VLANs

Normally, traffic is allowed to move unrestricted within a VLAN. Packets sent from one host to another are normally heard only by the destination host, thanks to the nature of Layer 2 switching.


However, if one host broadcasts a packet, all hosts on the VLAN must listen. You can use a VACL to filter packets between a source and destination in a VLAN if both connect to the local switch.

Sometimes, it would be nice to have the ability to segment traffic within a single VLAN, without having to use multiple VLANs and a router. For example, in a single-VLAN server farm, all servers should be able to communicate with the router or gateway, but the servers should not have to listen to each other’s broadcast traffic. Taking this a step further, suppose each server belongs to a separate organization. Now each server should be isolated from the others but still be able to reach the gateway to find clients not on the local network.

Another application is a service provider network. Here, the provider might want to use a single VLAN to connect to several customer networks. Each customer needs to be able to contact the provider’s gateway on the VLAN. Clearly, the customer sites do not need to interact with each other.

Private VLANs (PVLANs) solve this problem on Catalyst switches. In a nutshell, a normal, or primary, VLAN can be logically associated with special unidirectional, or secondary, VLANs. Hosts associated with a secondary VLAN can communicate with ports on the primary VLAN (a router, for example), but not with another secondary VLAN. A secondary VLAN is configured as one of the following types:

Isolated—Any switch ports associated with an isolated VLAN can reach the primary VLAN but not any other secondary VLAN. In addition, hosts associated with the same isolated VLAN cannot reach each other. They are, in effect, isolated from everything except the primary VLAN.

Community—Any switch ports associated with a common community VLAN can communicate with each other and with the primary VLAN but not with any other secondary VLAN. This provides the basis for server farms and workgroups within an organization, while giving isolation between organizations.

All secondary VLANs must be associated with one primary VLAN to set up the unidirectional relationship. Private VLANs are configured using special cases of regular VLANs. However, VLAN Trunking Protocol (VTP) does not pass any information about the private VLAN configuration. Each of the private VLANs must be configured locally on each switch that interconnects them.

You must configure each switch port that uses a private VLAN with a VLAN association. You must also define the port with one of the following modes:

Promiscuous—The switch port connects to a router, firewall, or other common gateway device. This port can communicate with anything else connected to the primary or any secondary VLAN. In other words, the port is in promiscuous mode, where the rules of private VLANs are ignored.
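The following Python model is an added illustration (mine, not from the guide) of the reachability rules the text gives for isolated, community, and promiscuous ports: a host port reaches only promiscuous ports mapped to its secondary VLAN, community hosts additionally reach each other, and isolated hosts reach nothing else, even in the same isolated VLAN. The VLAN numbers and port names are constructed for the example; the class and function names are mine.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set


@dataclass
class PrivateVlan:
    """A primary VLAN with the secondary VLANs associated with it and their types."""
    primary: int
    secondaries: Dict[int, str] = field(default_factory=dict)  # vlan id -> 'isolated' | 'community'

    def associate(self, vlan_id: int, kind: str) -> None:
        if kind not in ("isolated", "community"):
            raise ValueError(f"secondary VLAN {vlan_id}: unknown type {kind!r}")
        self.secondaries[vlan_id] = kind


@dataclass
class Port:
    """A switch port in the private VLAN: 'host' (associated with one secondary VLAN)
    or 'promiscuous' (mapped to the primary and a set of its secondary VLANs)."""
    name: str
    mode: str                                        # 'host' or 'promiscuous'
    primary: int
    secondary: int = 0                               # host ports: associated secondary VLAN
    mapped: Set[int] = field(default_factory=set)    # promiscuous ports: mapped secondaries


def can_reach(pv: PrivateVlan, a: Port, b: Port) -> bool:
    """Whether a frame from port a is delivered to port b under the private VLAN rules."""
    if a.primary != pv.primary or b.primary != pv.primary:
        return False                       # ports in different primary VLANs never meet here
    if a.mode == "promiscuous" and b.mode == "promiscuous":
        return True                        # the gateway side is unrestricted
    if a.mode == "promiscuous":
        return b.secondary in a.mapped     # promiscuous port must be mapped to the host's secondary
    if b.mode == "promiscuous":
        return a.secondary in b.mapped
    # two host ports: only members of the same community VLAN may talk;
    # isolated hosts cannot reach each other even within the same isolated VLAN
    return a.secondary == b.secondary and pv.secondaries.get(a.secondary) == "community"


def reachability(pv: PrivateVlan, ports: Iterable[Port]) -> Dict[str, Set[str]]:
    """Map each port name to the set of other ports it can reach."""
    ports = list(ports)
    return {p.name: {q.name for q in ports if q is not p and can_reach(pv, p, q)} for p in ports}


# Constructed topology (illustrative IDs): primary VLAN 200; VLAN 201 is an isolated
# secondary holding two customers, VLAN 202 a community secondary holding a server pair.
PV = PrivateVlan(200)
PV.associate(201, "isolated")
PV.associate(202, "community")
PORTS = [
    Port("gateway", "promiscuous", 200, mapped={201, 202}),
    Port("cust-a", "host", 200, secondary=201),
    Port("cust-b", "host", 200, secondary=201),
    Port("srv-1", "host", 200, secondary=202),
    Port("srv-2", "host", 200, secondary=202),
]

if __name__ == "__main__":
    for name, peers in reachability(PV, PORTS).items():
        print(f"{name:8} -> {sorted(peers)}")
```

Running it shows each customer port reaching only the gateway, the two server ports reaching the gateway and each other, and the gateway reaching every port it is mapped to; the same function can be used to check a planned port assignment before it is configured.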
