2.1.e Private VLAN
A private VLAN (PVLAN), also known as port isolation, is a technique in computer networking in which a VLAN contains switch ports that are restricted such that they can only communicate with a given "uplink". The restricted ports are called "private ports".
A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to isolate the ports on the switch from each other. A subdomain consists of a primary VLAN and one or more secondary VLANs. All VLANs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. The secondary VLANs may either be isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.
The following are true about PVLANs:
The syntax for associating a switch port with a Private VLAN is given by:
Switch(config-if)#switchport mode private-vlan {host | promiscuous}
If the port is connected to a router, firewall or another switch, select the keyword "promiscuous". If the port is connected to a host such as a server or a workstation, choose the keyword "host". Note that "host" does not by itself make the port isolated or community; that follows from whether the secondary VLAN the port is then associated with was created as an isolated VLAN or a community VLAN.
The command sequence to configure a promiscuous port and map it to its primary and secondary VLANs is as given below (here port 3/9 is mapped to primary VLAN 100 and secondary VLANs 10 and 20; the primary VLAN comes first, followed by the list of secondary VLANs):
switch(config)#interface fastethernet 3/9
switch(config-if)#switchport mode private-vlan promiscuous
switch(config-if)#switchport private-vlan mapping 100 10,20
The steps involved in implementing VLAN access lists:
1. Define VLAN Access Map. To define a VLAN access-map use the command:
Switch(config)#vlan access-map <map-name> [sequence-number]
Access-map entries are evaluated in ascending order of sequence number; the first entry whose match conditions fit a packet determines the action taken on it.
2. Define matching conditions to identify traffic to be filtered. Use the access-map configuration command:
Switch(config-access-map)# match {ip address {<acl-number> | <acl-name>} | ipx address {<acl-number> | <acl-name>} | mac address <acl-name>}
3. Define the action to be performed on the filtered traffic. Use the command:
Switch(config-access-map)# action {drop | forward [capture] | redirect <interface type> <mod>/<num>}
4. Apply the VACL to one or more VLANs. Use the global configuration command:
Switch(config)# vlan filter <map-name> vlan-list <list-of-vlans-here>
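A complete VACL built with the four steps above, as an added example that is not part of the original page. It assumes the DMZ is VLAN 100 with subnet 10.1.1.0/24 and that the policy is to drop any packet whose source and destination are both inside that subnet (server-to-server traffic, including traffic a router on the VLAN might relay between two hosts) while forwarding everything else. The ACL and access-map names are also assumed.

```cisco
! Added example, not from the original page. VLAN 100, 10.1.1.0/24,
! the ACL name and the access-map name are assumed values.
!
! ACL that selects the traffic to be dropped. A "permit" entry here means
! "this packet matches the access-map entry"; it does not forward anything.
switch(config)#ip access-list extended DMZ-INTRA-SUBNET
switch(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
switch(config-ext-nacl)#exit
!
! Steps 1-3: access map, sequence 10 matches the ACL and drops
switch(config)#vlan access-map DMZ-FILTER 10
switch(config-access-map)#match ip address DMZ-INTRA-SUBNET
switch(config-access-map)#action drop
switch(config-access-map)#exit
!
! Sequence 20 has no match clause, so it matches all remaining traffic.
! Without it the VACL's implicit deny would drop everything that did not
! match sequence 10, including the servers' traffic to and from the router.
switch(config)#vlan access-map DMZ-FILTER 20
switch(config-access-map)#action forward
switch(config-access-map)#exit
!
! Step 4: apply the map to the DMZ VLAN
switch(config)#vlan filter DMZ-FILTER vlan-list 100
switch(config)#end
!
! Verify the map contents and where it is applied
switch#show vlan access-map DMZ-FILTER
switch#show vlan filter
```

A VACL has no direction: it is applied to all traffic bridged within the VLAN and to routed traffic entering or leaving it, so the intra-subnet packet is dropped whichever port it arrives on.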
Example: Please look at the figure. You have a DMZ that has two servers as shown in the figure. You want to secure the DMZ using a Private VLAN. How should the switch ports 3/4 and 3/5 be configured so that the servers are secure and do not talk to each other?
In the DMZ shown, the servers Server1 and Server2 do not need to talk to each other. Therefore a private VLAN should be defined with ports 3/4 and 3/5 as isolated ports. An isolated port has complete Layer 2 separation, including broadcasts, from the other ports within the same PVLAN, with the exception of the promiscuous port. Traffic received from an isolated port is forwarded to the promiscuous ports only; no other isolated port receives traffic from it. Port 3/9, on the other hand, has to be configured as promiscuous, because it needs to talk to the isolated ports 3/4 and 3/5 and to the other switches, routers, or other network components. Note that this separation is enforced only at Layer 2: a host on an isolated port can still send a frame addressed to the router's MAC address but carrying the other server's IP address, and the router will route it back into the VLAN through the promiscuous port. A VACL on the VLAN, or an ACL on the router interface, that denies traffic sourced and destined within the DMZ subnet closes that path.
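The full switch configuration for the DMZ above, as an added example written for this page rather than taken from it. The VLAN numbers come from the mapping command earlier in the section (primary 100, secondaries 10 and 20); that VLAN 10 is the isolated VLAN holding both servers, that VLAN 20 is a community VLAN with no members yet, and that a router sits behind port 3/9 are assumptions. Catalyst IOS syntax; with VTP versions 1 and 2 the switch must be in VTP transparent mode before private VLANs can be created.

```cisco
! Added example, not from the original page. Primary VLAN 100, isolated
! VLAN 10, community VLAN 20 and the router on port 3/9 are assumed values.
switch(config)#vtp mode transparent
!
! Secondary VLANs: one isolated (servers), one community (unused here)
switch(config)#vlan 10
switch(config-vlan)#private-vlan isolated
switch(config-vlan)#exit
switch(config)#vlan 20
switch(config-vlan)#private-vlan community
switch(config-vlan)#exit
!
! Primary VLAN, associated with both secondaries
switch(config)#vlan 100
switch(config-vlan)#private-vlan primary
switch(config-vlan)#private-vlan association 10,20
switch(config-vlan)#exit
!
! Server ports: host mode, bound to the isolated secondary VLAN.
! Both are in VLAN 10, so neither sees the other's unicasts or broadcasts.
switch(config)#interface fastethernet 3/4
switch(config-if)#switchport mode private-vlan host
switch(config-if)#switchport private-vlan host-association 100 10
switch(config-if)#exit
switch(config)#interface fastethernet 3/5
switch(config-if)#switchport mode private-vlan host
switch(config-if)#switchport private-vlan host-association 100 10
switch(config-if)#exit
!
! Router port: promiscuous, mapped to the primary VLAN and both secondaries
switch(config)#interface fastethernet 3/9
switch(config-if)#switchport mode private-vlan promiscuous
switch(config-if)#switchport private-vlan mapping 100 10,20
switch(config-if)#end
!
! Verify the primary/secondary association and each port's role
switch#show vlan private-vlan
switch#show interfaces fastethernet 3/4 switchport
```

After this, `show vlan private-vlan` should list 100 as primary with 10 (isolated) and 20 (community) associated, and the switchport output for 3/4 and 3/5 should show them as private-VLAN host ports in the 100/10 pair. Server1 and Server2 can still each reach the router on 3/9, which is the only path a frame from one of them can take.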
2.1.f Storm control
A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. You can use the traffic storm control feature to prevent disruptions on Layer 2 ports caused by a broadcast, multicast, or unicast traffic storm on physical interfaces. Traffic storm control (also called traffic suppression) monitors the levels of incoming broadcast, multicast, and unicast traffic over a 1-second interval. During this interval, the traffic level is compared with the traffic storm control threshold that you configured. If the ingress traffic reaches the threshold configured on the port, traffic storm control drops that traffic until the interval ends. You can configure storm control to monitor broadcast traffic only, broadcast and multicast traffic, or all three of broadcast, multicast, and unicast traffic, each with its own threshold.
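An added example (not from the page) of enabling storm control on one of the DMZ server ports, in Catalyst IOS syntax; the port, the percentage thresholds and the action are assumed values. Levels are expressed as a percentage of the port's bandwidth measured over the 1-second interval described above. The optional second value on the broadcast line is a falling threshold: suppression starts when traffic reaches the first value and stops only once it drops below the second, which avoids flapping around a single threshold.

```cisco
! Added example; port, thresholds and action are assumed values.
switch(config)#interface fastethernet 3/4
!
! Suppress broadcast once it reaches 10% of bandwidth; resume forwarding
! only after it falls below 5% (rising and falling thresholds)
switch(config-if)#storm-control broadcast level 10.00 5.00
!
! Multicast and unicast get a single threshold each; unicast is set high
! because a busy server legitimately sends a lot of unicast traffic
switch(config-if)#storm-control multicast level 20.00
switch(config-if)#storm-control unicast level 80.00
!
! Dropping is the default action. "trap" additionally raises an SNMP trap
! when a storm is detected; "shutdown" would err-disable the port instead.
switch(config-if)#storm-control action trap
switch(config-if)#end
!
! Show the configured thresholds, current level and last storm time
switch#show storm-control fastethernet 3/4 broadcast
```

On a server-facing port, a threshold that is too low suppresses legitimate bursts (for example, ARP after a link flap), so check `show storm-control` for suppressed traffic before tightening the levels further.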