I want to simulate an environment where two customers, Customer A and Customer B, are supported by a service provider using private VLANs. In this scenario Customer A has two routers, R3 and R5; Customer B has a single router, R4; and the provider offers Internet access through R1 and monitoring of the customers' loopback addresses through R2.
In this scenario, all Router FastEthernet interfaces are in "Primary" VLAN 20 with addressing in the 10.20.1.0/24 space. With private VLANs, the provider can conserve VLANs by not assigning each customer their own VLAN ID. With this configuration I will allow both Customers access to the services they need, but also ensure that they do not gain access to each other.
Here's a baseline before I begin configuring the Private VLANs.
Switches:
Both switches have had their VTP domain names set to cisco and their VTP modes set to transparent (VTP versions 1 and 2 do not propagate private VLANs, so transparent mode is required for this configuration). Fa0/13 on both switches will serve as the trunk port. Currently, only VLAN 1 is configured.
Routers:
All routers have had their Fa0/0 interfaces configured with the IP and mask of 10.20.1.X/24, where X = the router number.
With a small Tcl procedure, PINGSCRIPT, I'll test connectivity from R3 to all devices.
R3#tclsh
R3(tcl)#proc PINGSCRIPT [] {
+>(tcl)#foreach IP {
+>(tcl)#10.20.1.1
+>(tcl)#10.20.1.2
+>(tcl)#10.20.1.3
+>(tcl)#10.20.1.4
+>(tcl)#10.20.1.5
+>(tcl)#} {
+>(tcl)# set RESULT [exec "ping $IP repeat 3 timeout 1"];
+>(tcl)#if { [regexp "!!!" $RESULT]} { puts "$IP OK"} else { puts "$IP Unreachable" }
+>(tcl)# }
+>(tcl)# }
R3(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 OK
10.20.1.5 OK
R3(tcl)#
Connectivity appears to be successful.
Note: there are three port types, or roles, used in private VLANs. Promiscuous ports can talk to all ports. Isolated ports can only talk to promiscuous ports. Community ports can talk to other community ports in the same community, as well as to promiscuous ports.
In this scenario, R1's and R2's Fa0/0 interfaces are attached to promiscuous ports, R3's and R5's Fa0/0 interfaces are attached to community ports in the same community, and R4's Fa0/0 is attached to an isolated port. After a successful private VLAN configuration, I should be able to see that R3 and R5 can communicate within their own community and with the promiscuous ports, but cannot reach R4's isolated port.
Starting with SW1, I'll configure primary and secondary VLANs, and associate the secondaries to the primary:
Sw1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Sw1(config)#vlan 21
Sw1(config-vlan)#name PVLAN_Community
Sw1(config-vlan)#private-vlan ?
association Configure association between private VLANs
community Configure the VLAN as a community private VLAN
isolated Configure the VLAN as an isolated private VLAN
primary Configure the VLAN as a primary private VLAN
twoway-community Configure the VLAN as a two way community private VLAN
Sw1(config-vlan)#private-vlan community
Sw1(config-vlan)#
Sw1(config-vlan)#vlan 22
Sw1(config-vlan)#name PVLAN_Isolated
Sw1(config-vlan)#private-vlan isolated
Sw1(config-vlan)#
Sw1(config-vlan)#vlan 20
Sw1(config-vlan)#name PVLAN_Primary
Sw1(config-vlan)#private-vlan primary
Sw1(config-vlan)#private-vlan association 21,22
Sw1(config-vlan)#exit
SW1(config)#do sh vlan b
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gi0/1
Gi0/2
20 PVLAN_Primary active
21 PVLAN_Community active
22 PVLAN_Isolated active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
SW1(config)#
Next, I'll configure the individual port modes and map the private VLANs to the correct ports for R1, R3 and R5's switchports on SW1.
SW1(config)#int fa0/1
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 20 21,22
SW1(config-if)#
SW1(config-if)#int fa0/3
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 20 21
SW1(config-if)#
SW1(config-if)#int fa0/5
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 20 21
SW1(config-if)#
I'll test connectivity from R1 to R3 and R5. I should not be able to connect to R4 (at this point R4 is unreachable regardless, because SW2 has not yet been configured and VLAN 20 does not exist there; the real isolation test comes after both switches are done).
R1(tcl)#
R1(tcl)#proc PINGSCRIPT [] {
+>(tcl)#foreach IP {
+>(tcl)#10.20.1.3
+>(tcl)#10.20.1.5
+>(tcl)#10.20.1.4
+>(tcl)#} { set RESULT [exec "ping $IP repeat 3 timeout 1"];
+>(tcl)#if { [regexp "!!!" $RESULT]} { puts "$IP OK"} else { puts "$IP Unreachable" }
+>(tcl)#}
+>(tcl)# }
R1(tcl)#PINGSCRIPT
10.20.1.3 OK
10.20.1.5 OK
10.20.1.4 Unreachable
Now I'll configure the primary and secondary VLANs on SW2 and associate the secondaries to the primary. Then I'll configure the individual port modes and map the private VLANs to the correct ports for R2's and R4's switchports.
SW2(config)#vlan 21
SW2(config-vlan)#name PVLAN_Community
SW2(config-vlan)#private-vlan community
SW2(config-vlan)#
SW2(config-vlan)#vlan 22
SW2(config-vlan)#name PVLAN_Isolated
SW2(config-vlan)#private-vlan isolated
SW2(config-vlan)#vlan 20
SW2(config-vlan)#name PVLAN_Primary
SW2(config-vlan)#private-vlan primary
SW2(config-vlan)#private-vlan association 21,22
SW2(config-vlan)#exit
SW2(config)#
SW2(config)#int fa0/2
SW2(config-if)#switchport mode private-vlan promiscuous
SW2(config-if)#switchport private-vlan mapping 20 21,22
SW2(config-if)#
SW2(config-if)#int fa0/4
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan host-association 20 22
SW2(config-if)#end
SW2#
At this point, I should have connectivity from R2 to all other routers' FastEthernet ports, but R4 should only have access to R1's and R2's FastEthernet ports.
R1:
R1(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 OK
10.20.1.5 OK
R3:
R3(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 Unreachable
10.20.1.5 OK
R5:
R5(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 Unreachable
10.20.1.5 OK
R2:
R2(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 OK
10.20.1.5 OK
R4:
R4(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 Unreachable
10.20.1.4 OK
10.20.1.5 Unreachable
Looks good!
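The port-role rules in the note above and the ping matrix just verified can be checked against a small model before any switch is touched. The following Python script is an added example and is not part of the original post: it parses switchport private-vlan lines of the kind configured on SW1 and SW2 (the sample config is constructed here from those commands, with Fa0/2 assumed to mirror Fa0/1's promiscuous configuration for R2), assigns each port its PVLAN role, and applies the forwarding rules to reproduce the OK/Unreachable output of PINGSCRIPT. The port-to-address mapping (Fa0/N connects router N at 10.20.1.N) is this lab's convention and is assumed, not read from the switch.

```python
"""Model of private VLAN (PVLAN) forwarding rules.

Added example, not from the original post. It derives which ports can
exchange frames purely from the switchport private-vlan configuration,
so a proposed change can be checked for customer isolation before deployment.
"""
import re

# Constructed sample: per-port lines from the post's SW1/SW2 transcripts,
# with Fa0/2 (R2) assumed to mirror Fa0/1's promiscuous configuration.
SAMPLE_CONFIG = """
interface FastEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 21,22
interface FastEthernet0/2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 21,22
interface FastEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 20 21
interface FastEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 20 22
interface FastEthernet0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 20 21
"""

# Secondary VLAN types as declared in the post's "vlan" configuration.
SECONDARY_TYPES = {21: "community", 22: "isolated"}


def parse_ports(config):
    """Return {port: {"mode": str, "primary": int, "secondaries": set}}."""
    ports = {}
    current = None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            ports[current] = {"mode": None, "primary": None, "secondaries": set()}
        elif current is None:
            continue
        elif line.startswith("switchport mode private-vlan "):
            ports[current]["mode"] = line.split()[-1]
        else:
            m = re.match(r"switchport private-vlan (mapping|host-association) (\d+) ([\d,]+)", line)
            if m:
                ports[current]["primary"] = int(m.group(2))
                ports[current]["secondaries"] = {int(v) for v in m.group(3).split(",")}
    return ports


def can_reach(ports, src, dst):
    """PVLAN rules: a promiscuous port talks to every secondary in its mapping
    and to other promiscuous ports; a host port talks to promiscuous ports
    mapped to its secondary, and to other hosts only within a community."""
    if src == dst:
        return True
    a, b = ports[src], ports[dst]
    if a["primary"] is None or a["primary"] != b["primary"]:
        return False
    if a["mode"] == "promiscuous":
        return b["mode"] == "promiscuous" or bool(a["secondaries"] & b["secondaries"])
    if a["mode"] == "host":
        sec = next(iter(a["secondaries"]))  # host-association carries one secondary
        if b["mode"] == "promiscuous":
            return sec in b["secondaries"]
        if b["mode"] == "host":
            return sec in b["secondaries"] and SECONDARY_TYPES.get(sec) == "community"
    return False


def port_number(port):
    return int(port.rsplit("/", 1)[1])


def port_ip(port):
    """Lab convention assumed from the post: Fa0/N connects router N at 10.20.1.N."""
    return f"10.20.1.{port_number(port)}"


def ping_report(ports, src):
    """Reproduce the PINGSCRIPT output lines for a given source port."""
    return [
        f"{port_ip(dst)} {'OK' if can_reach(ports, src, dst) else 'Unreachable'}"
        for dst in sorted(ports, key=port_number)
    ]


PORTS = parse_ports(SAMPLE_CONFIG)

if __name__ == "__main__":
    for src in sorted(PORTS, key=port_number):
        print(f"From R{port_number(src)} ({port_ip(src)}):")
        for line in ping_report(PORTS, src):
            print("  " + line)
```

Running the script prints the same five-line reports the routers produced, with R3 and R5 unable to reach 10.20.1.4 and R4 unable to reach 10.20.1.3 or 10.20.1.5. Because the rules are applied to the configuration rather than to live traffic, the same function can be run over a proposed config to confirm that a new customer port lands in the right role before it is connected.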