Category: Networking

PVLAN – Private VLANs

Isolating Traffic inside a VLAN Using Private VLANs

In the article VACL – VLAN Access Lists we described one way to add security on a switch such as a Cisco Catalyst. In this article we look at another: private VLANs (PVLANs).

(Figure: private VLAN - PVLAN)

The idea is to create VLANs inside a VLAN. A primary VLAN is subdivided into secondary VLANs, which gives you a way to group computers or servers within the main (primary) VLAN. Two servers can both sit in VLAN 10, on the same subnet, and still be separated from each other by placing them in two secondary VLANs, VLAN 4 and VLAN 5. A host in an isolated secondary VLAN can reach only the promiscuous port (typically the gateway or firewall); hosts in a community secondary VLAN can also reach each other; and hosts in different secondary VLANs cannot reach each other directly at layer 2, even though they share the subnet.
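The forwarding rules above are easier to see as a small model. The following Python is an added example, not code from the original article or from Cisco: it encodes the three PVLAN port types and computes which ports of a constructed topology (primary VLAN 10, community VLAN 4, isolated VLAN 5, port names Gi0/1 and Fa0/1-Fa0/4 are all assumptions) can exchange frames at layer 2.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # gateway/firewall port; talks to every port in the primary VLAN
    ISOLATED = "isolated"        # talks only to promiscuous ports
    COMMUNITY = "community"      # talks to its own community and to promiscuous ports


@dataclass(frozen=True)
class Port:
    name: str
    primary_vlan: int
    port_type: PortType
    secondary_vlan: Optional[int] = None  # None for promiscuous ports


def can_forward(src: Port, dst: Port) -> bool:
    """Layer-2 reachability from src to dst under private VLAN rules."""
    if src.primary_vlan != dst.primary_vlan:
        return False  # different primary VLANs never exchange frames
    if PortType.PROMISCUOUS in (src.port_type, dst.port_type):
        return True   # promiscuous ports reach, and are reached by, everything
    if src.port_type is PortType.COMMUNITY and dst.port_type is PortType.COMMUNITY:
        return src.secondary_vlan == dst.secondary_vlan  # same community only
    # isolated<->isolated, isolated<->community, community A<->community B
    return False


def reachability_matrix(ports: List[Port]) -> Dict[Tuple[str, str], bool]:
    """Every ordered pair of distinct ports and whether a frame may flow between them."""
    return {(a.name, b.name): can_forward(a, b) for a in ports for b in ports if a is not b}


# Constructed topology (assumed names): primary VLAN 10 holding community VLAN 4
# for the web servers and isolated VLAN 5 for the database servers.
GATEWAY = Port("Gi0/1", 10, PortType.PROMISCUOUS)
WEB1 = Port("Fa0/1", 10, PortType.COMMUNITY, 4)
WEB2 = Port("Fa0/2", 10, PortType.COMMUNITY, 4)
DB1 = Port("Fa0/3", 10, PortType.ISOLATED, 5)
DB2 = Port("Fa0/4", 10, PortType.ISOLATED, 5)
PORTS = [GATEWAY, WEB1, WEB2, DB1, DB2]

if __name__ == "__main__":
    for (a, b), ok in sorted(reachability_matrix(PORTS).items()):
        print(f"{a} -> {b}: {'forward' if ok else 'blocked'}")
```

The matrix shows the point of the article: WEB1 and WEB2 share VLAN 4 and can talk, DB1 and DB2 share isolated VLAN 5 and still cannot, and every server reaches the gateway. One caveat the model makes obvious: the separation is layer 2 only. The promiscuous gateway can still route between two hosts of the same subnet (for example through local proxy ARP), so if the secondary VLANs must not talk at all, the gateway needs its own filtering as well.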

If you are interested in the configuration, see the PVLAN configuration article.

Netconf

A properly running network is essential to the successful operation of the business behind it. Companies have become more and more reliant on networking services, and good performance of those services reflects good management. Network management fundamentals give you an easy-to-follow outline of managing a network, covering not only the administration of the network itself but also the services running on it.

VACL – VLAN Access Lists

IP access control lists (ACLs) are used by routers to deny or forward specific traffic passing through a network interface; in other words, an ACL is applied where traffic travels from one network address space to another. A Cisco Catalyst switch can also apply an ACL within a VLAN, to traffic that is bridged between hosts of the same VLAN and never crosses a routed interface. This special kind of ACL is called a VLAN access control list (VACL).
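To show what "an ACL within a VLAN" decides, here is an added Python model of a VLAN access-map (this is example code, not the article's or Cisco's; the addresses 10.0.10.0/24, the web host 10.0.10.11 and the database host 10.0.10.50 are assumptions). It mirrors the IOS semantics: the map is walked in sequence order, a packet selected by a permit entry of a sequence's ACL gets that sequence's action, and a packet no sequence selects is dropped. The packets it filters are intra-VLAN, so a router ACL would never see them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-control entry of an extended ACL: permit/deny plus match fields."""
    permit: bool
    src: str                        # CIDR, e.g. "10.0.10.0/24"
    dst: str
    proto: str = "ip"               # "ip" matches any protocol
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return (ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst))


@dataclass(frozen=True)
class MapEntry:
    """One sequence of a VLAN access-map: the ACL it matches on and its action."""
    seq: int
    acl: List[Ace]
    action: str                     # "forward" or "drop"


def acl_selects(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE wins; a deny ACE (or no match) means 'not selected'."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.permit
    return False


def vacl_action(access_map: List[MapEntry], pkt: Packet) -> str:
    for entry in sorted(access_map, key=lambda e: e.seq):
        if acl_selects(entry.acl, pkt):
            return entry.action
    return "drop"  # no sequence selected the packet: the VACL drops it


# Constructed policy (assumed addresses): inside VLAN 10 only the web server
# may reach the database server, and only on TCP 3306; everything else is untouched.
ACCESS_MAP = [
    MapEntry(10, [Ace(True, "10.0.10.11/32", "10.0.10.50/32", "tcp", 3306)], "forward"),
    MapEntry(20, [Ace(True, "10.0.10.0/24", "10.0.10.50/32")], "drop"),
    MapEntry(30, [Ace(True, "0.0.0.0/0", "0.0.0.0/0")], "forward"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.0.10.11", "10.0.10.50", "tcp", 3306),
                Packet("10.0.10.23", "10.0.10.50", "tcp", 3306),
                Packet("10.0.10.23", "10.0.10.11", "tcp", 80)):
        print(pkt, "->", vacl_action(ACCESS_MAP, pkt))
```

Sequence 30 is the catch-all that practitioners forget most often: without it, every packet the first two sequences do not select, including the hosts' traffic towards the gateway, is silently dropped.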

SPAN – Switched Port Analyzer technology and configuration

In simple words, SPAN enables port mirroring on a switch.

In some cases you need a server, PC or other network device to receive a copy of traffic that is destined for some other device in the network. Why would you want that? Perhaps you need to monitor the traffic, or you want to deploy an IDS (Intrusion Detection System) sensor. A Cisco Catalyst switch can be configured to send a copy of the traffic from selected source ports or VLANs to the port that is connected to the sensor. Keep in mind that the destination port receives copies only: if the mirrored sources carry more traffic than the destination port can handle, the excess is dropped and the sensor never sees it.

Prevent ARP Spoofing using Dynamic ARP Inspection – DAI

Additional protection against man-in-the-middle attacks
Dynamic ARP Inspection helps prevent Address Resolution Protocol (ARP) spoofing attacks with the help of DHCP, specifically DHCP snooping: the switch intercepts ARP packets arriving on untrusted ports and checks the sender's IP-to-MAC pair against the DHCP snooping binding table, dropping any ARP packet that does not match. This is why Dynamic ARP Inspection is normally used together with DHCP snooping. Let's see how this technology protects us from ARP attacks.
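The check described above, as an added Python model (example code, not the article's or Cisco's; the MAC addresses, the 10.0.10.0/24 addresses and the port names are constructed): a binding table as DHCP snooping would have filled it, a trusted uplink, and a handful of ARP packets including one that claims the gateway's address. The optional Ethernet-source-MAC-versus-ARP-sender-MAC comparison corresponds to the additional source MAC validation DAI can be configured to perform.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: a lease the switch watched being handed out."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    eth_src: str      # source MAC in the Ethernet header
    sender_mac: str   # sender hardware address inside the ARP payload
    sender_ip: str    # sender protocol address inside the ARP payload


class DynamicArpInspection:
    def __init__(self, bindings: Iterable[Binding], trusted_ports: Iterable[str],
                 validate_src_mac: bool = True) -> None:
        # DHCP snooping bindings are keyed by VLAN and MAC; each maps to one IP.
        self.bindings: Dict[Tuple[int, str], Binding] = {
            (b.vlan, b.mac.lower()): b for b in bindings}
        self.trusted: Set[str] = set(trusted_ports)
        self.validate_src_mac = validate_src_mac
        self.dropped: Dict[str, int] = {}  # per-port drop counter, as a switch would log

    def _drop(self, pkt: ArpPacket, reason: str) -> Tuple[bool, str]:
        self.dropped[pkt.ingress_port] = self.dropped.get(pkt.ingress_port, 0) + 1
        return False, reason

    def inspect(self, pkt: ArpPacket) -> Tuple[bool, str]:
        """Return (forward?, reason) for one ARP packet entering the switch."""
        if pkt.ingress_port in self.trusted:
            return True, "trusted port, not inspected"
        if self.validate_src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return self._drop(pkt, "Ethernet source MAC differs from ARP sender MAC")
        binding = self.bindings.get((pkt.vlan, pkt.sender_mac.lower()))
        if binding is None:
            return self._drop(pkt, "no DHCP snooping binding for this MAC in this VLAN")
        if binding.ip != pkt.sender_ip:
            return self._drop(pkt, f"sender IP {pkt.sender_ip} does not match "
                                   f"bound IP {binding.ip}")
        return True, "matches DHCP snooping binding"


# Constructed data (assumed addresses and ports).
BINDINGS = [
    Binding("00:11:22:33:44:01", "10.0.10.11", 10, "Fa0/1"),
    Binding("00:11:22:33:44:02", "10.0.10.12", 10, "Fa0/2"),
]
TRUSTED_PORTS = {"Gi0/1"}  # uplink towards the DHCP server and gateway
SAMPLE_PACKETS = [
    # legitimate reply from the host on Fa0/1
    ArpPacket("Fa0/1", 10, "00:11:22:33:44:01", "00:11:22:33:44:01", "10.0.10.11"),
    # host on Fa0/2 claims the gateway's IP with its own MAC: classic MITM attempt
    ArpPacket("Fa0/2", 10, "00:11:22:33:44:02", "00:11:22:33:44:02", "10.0.10.1"),
    # statically addressed host that never obtained a lease
    ArpPacket("Fa0/3", 10, "00:11:22:33:44:03", "00:11:22:33:44:03", "10.0.10.13"),
    # the real gateway answering through the trusted uplink
    ArpPacket("Gi0/1", 10, "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:01", "10.0.10.1"),
    # frame whose Ethernet header and ARP payload disagree about the sender
    ArpPacket("Fa0/1", 10, "00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.10.12"),
]


def run_demo() -> List[Tuple[bool, str]]:
    dai = DynamicArpInspection(BINDINGS, TRUSTED_PORTS)
    return [dai.inspect(pkt) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (ok, why) in zip(SAMPLE_PACKETS, run_demo()):
        print(f"{pkt.ingress_port}: {'FORWARD' if ok else 'DROP   '} {why}")
```

The third packet is the operational caveat: a host with a static address has no binding, so DAI drops its ARP traffic too. On a real switch such hosts need either a static entry (an ARP ACL) or a trusted port, otherwise enabling DAI takes them off the network.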