
Network Security Lab

Dr. Mohammed Sharaf, Eng. Ibrahim Amreya

Securing VLANs
Topology

Introduction
In this lab, you will configure the network to protect the VLANs using router ACLs, VLAN ACLs, and private
VLANs. First, you will secure the new server farm (Host C) by using private VLANs. Service providers use
private VLANs to separate different customers’ traffic while utilizing the same parent VLAN for all server
traffic. The private VLANs provide traffic isolation between devices, even though they might exist on the same
VLAN.
You will then secure the staff VLAN from the student VLAN by using a RACL, which prevents traffic from the
student VLAN from reaching the staff VLAN. This allows the student traffic to utilize the network and Internet
services while keeping the students from accessing any of the staff resources.
Lastly, you will configure a VACL that lets a host on the staff VLAN use that VLAN for network access while
keeping it isolated from the rest of the staff machines. This machine is used by temporary staff employees.

Required Resources
- 2 switches (Cisco 2960)
- 2 switches (Cisco 3560)
- 4 PCs
- Ethernet and console cables


Prepare the switches for the lab


Reset all switches:
erase startup-config
delete vlan.dat
reload
Copy and paste the configuration in Appendix A on all the switches.

Part 1: Configure private VLANs.


Private VLANs are an option when you have multiple devices in the same broadcast domain but need to
prevent them from communicating with each other. A good example is a server farm where the servers do
not need to receive each other's broadcast traffic.
In a sense, private VLANs allow you to sub-divide the Layer 2 broadcast domain. You associate a primary
VLAN with multiple secondary VLANs while using the same IP address space for all of the devices.
Secondary VLANs are one of two types, COMMUNITY or ISOLATED. Hosts in a community VLAN can communicate
with one another and with the primary VLAN. Hosts in an isolated VLAN cannot communicate with each other,
not even with other hosts in the same isolated VLAN; they can communicate only with the primary VLAN.
"Communicating with the primary VLAN" means reaching a promiscuous port. In this lab the promiscuous port is
the VLAN 150 SVI on each distribution switch, which becomes promiscuous for the secondary VLANs listed in its
private-vlan mapping (Step 4).
A primary VLAN can have multiple community VLANs associated with it, but only one isolated VLAN.

Step 1: Configure the Primary Private VLAN


a. Based on the topology diagram, VLAN 150 will be used as the VLAN for the new server farm. On all
switches, add VLAN 150 and name it SERVER-FARM. In addition, configure DLS1 as the root bridge for
VLANs 150, 151, and 152. The switch is put into VTP transparent mode first because private VLANs cannot
be configured while VTP (version 1 or 2) is in server or client mode.
DLS1(config)# vtp mode transparent
DLS1(config)# vlan 150
DLS1(config-vlan)# name SERVER-FARM
DLS1(config-vlan)# exit
DLS1(config)# spanning-tree vlan 150-152 root primary

b. Once this is complete, verify that VLAN 150 is present in the VLAN database of every switch (show vlan brief).

Step 2: Configure interface VLAN 150 at DLS1 and DLS2:

DLS1(config)# interface vlan 150
DLS1(config-if)# ip address 172.16.150.1 255.255.255.0

DLS2(config)# interface vlan 150
DLS2(config-if)# ip address 172.16.150.2 255.255.255.0

Step 3: Create the PVLANs


a. Configure the new PVLANs. Secondary PVLAN 151 is an isolated VLAN, while secondary PVLAN 152 is used
as a community PVLAN. Configure these new PVLANs and associate them with primary VLAN 150. Note that the
private-vlan keywords are available on the Catalyst 3560s (DLS1 and DLS2) only; the Catalyst 2960 access
switches do not support private VLANs and hold no server-farm ports, so they need only VLAN 150 itself from
Step 1. Repeat the following configuration on DLS2.
DLS1(config)# vlan 151

DLS1(config-vlan)# private-vlan isolated
DLS1(config-vlan)# exit
DLS1(config)# vlan 152
DLS1(config-vlan)# private-vlan community
DLS1(config-vlan)# exit
DLS1(config)# vlan 150
DLS1(config-vlan)# private-vlan primary
DLS1(config-vlan)# private-vlan association 151,152
DLS1(config-vlan)# exit
DLS1(config)#

b. Verify the PVLANs on the switches.

DLS2# show vlan brief | include active


1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
99 Management active
100 STAFF active
150 SERVER-FARM active
151 VLAN0151 active
152 VLAN0152 active
200 STUDENTS active
666 NATIVE_DO_NOT_USE active

c. Verify the creation of the secondary PVLANs and their association with the primary VLAN using the show
vlan private-vlan command. Note that no ports are currently associated with these VLANs. This is
expected behavior.

DLS1# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
150     151       isolated
150     152       community

DLS2# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
150     151       isolated
150     152       community

Step 4: Configure support for routing of PVLANs


The private-vlan mapping interface configuration command makes the primary VLAN's SVI act as a promiscuous
port for the listed secondary VLANs, so that traffic from hosts in those secondary VLANs can be routed
through it. Normally you would map all of the secondary VLANs on both distribution switches so that HSRP
works for every host, but for this example the mapping for VLAN 151 is left off DLS2 so we can demonstrate
the isolation of VLAN 151. Configure these commands for interface VLAN 150 on DLS1 and DLS2.
DLS1(config)# interface vlan 150
DLS1(config-if)# private-vlan mapping 151-152
DLS1(config-if)# end

DLS2(config)# interface vlan 150
DLS2(config-if)# private-vlan mapping 152
DLS2(config-if)# end

Will hosts assigned to ports on private VLAN 151 be able to communicate directly with each other?
__________________________________________________________________________________

Step 5: Configure host access to PVLANs


a. On DLS1, configure interface FastEthernet 0/6 so it is in private-vlan host mode and has association to
VLAN 150:
DLS1(config)# interface fastethernet 0/6
DLS1(config-if)# switchport mode private-vlan host
DLS1(config-if)# switchport private-vlan host-association 150 152
DLS1(config-if)# exit
b. Use the show vlan private-vlan command and note that the ports configured are currently associated
with these VLANs.
DLS1# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
150     151       isolated
150     152       community         Fa0/6
c. On DLS2, configure the Fast Ethernet ports that are associated with the server farm private VLANs. Fast
Ethernet port 0/6 is used for the secondary isolated PVLAN 151, and ports 0/18–0/20 are used for the
secondary community VLAN 152. The switchport mode private-vlan host command sets the mode on
the interface and the switchport private-vlan host-association primary-vlan-id secondary-vlan-id
command assigns the appropriate VLANs to the interface. The starting configuration in Appendix A shuts
these ports down on DLS2, so bring them up with no shutdown. The following commands configure the
PVLANs on DLS2.
DLS2(config)# interface fastethernet 0/6
DLS2(config-if)# switchport mode private-vlan host
DLS2(config-if)# switchport private-vlan host-association 150 151
DLS2(config-if)# no shutdown
DLS2(config-if)# exit
DLS2(config)# interface range fa0/18 - 20
DLS2(config-if-range)# switchport mode private-vlan host
DLS2(config-if-range)# switchport private-vlan host-association 150 152
DLS2(config-if-range)# no shutdown
DLS2(config-if-range)# exit
As servers are added to Fast Ethernet 0/18–20, will these servers be allowed to hear broadcasts from
each other? Explain.
_______________________________________________________________________________
_______________________________________________________________________________

d. Use the show vlan private-vlan command and note that the ports configured are currently associated
with these VLANs.
DLS2# show vlan private-vlan

Primary Secondary Type Ports
------- --------- ----------------- -----------------------------------------
150 151 isolated Fa0/6
150 152 community Fa0/18, Fa0/19, Fa0/20
e. Configure HOST C on DLS1 interface f0/6 with the IP address 172.16.150.50/24. Use 172.16.150.1 as
the default gateway address.
f. Configure HOST D on DLS2 interface f0/6 with the IP address 172.16.150.150/24. Use 172.16.150.1 as
the default gateway address.

Step 6: Verify PVLANs are working


a. From HOST C, try to ping the following addresses - they should all work: 172.16.150.1 (DLS1),
172.16.150.2 (DLS2), 172.16.99.5 (ALS1).
b. From HOST C, try to ping HOST D (172.16.150.150). This should NOT work.
c. From HOST D, try to ping the following addresses - they should all work: 172.16.150.1 (DLS1),
172.16.99.5 (ALS1).
d. From HOST D, try to ping 172.16.150.2 (DLS2). This should NOT work.
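The ping results in Step 6 follow entirely from the three private VLAN port roles (isolated, community and promiscuous) and from which secondary VLANs each SVI maps. The following Python model is an added example, not part of the lab or of Cisco's documentation: it encodes those rules and reproduces the Step 6 matrix for the lab's own endpoints, including the deliberately missing 151 mapping on DLS2. The Endpoint class, the function names and the extra endpoints (two servers on DLS2 Fa0/18 and Fa0/19 and a second isolated host) are assumptions for illustration; the VLAN numbers, roles and mappings are the ones configured above. It models Layer 2 reachability only; the pings to 172.16.99.5 succeed because the gateway SVI routes them once the host can reach that SVI.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

ISOLATED, COMMUNITY, PROMISCUOUS = "isolated", "community", "promiscuous"


@dataclass(frozen=True)
class Endpoint:
    """A port or SVI inside a private VLAN, as configured in Part 1 (class is illustrative)."""
    name: str
    role: str                               # ISOLATED, COMMUNITY or PROMISCUOUS
    primary: int = 150                      # the lab's server-farm primary VLAN
    secondary: Optional[int] = None         # host ports: their secondary VLAN
    mapped: FrozenSet[int] = frozenset()    # promiscuous ports: secondaries in `private-vlan mapping`


def can_reach(a: Endpoint, b: Endpoint) -> bool:
    """Layer 2 reachability between two endpoints, per the private VLAN rules:
    isolated hosts reach promiscuous ports only; community hosts reach each other
    within their community plus promiscuous ports; a promiscuous port reaches a
    host only if the host's secondary VLAN is in its mapping list."""
    if a.primary != b.primary:
        return False
    if a.role == PROMISCUOUS and b.role == PROMISCUOUS:
        return True
    if a.role == PROMISCUOUS:
        return b.secondary in a.mapped
    if b.role == PROMISCUOUS:
        return a.secondary in b.mapped
    if a.secondary != b.secondary:          # isolated vs community, or two different communities
        return False
    return a.role == COMMUNITY              # same community: yes; same isolated VLAN: no


# The lab's server farm after Step 5. DLS2 deliberately maps only 152 (Step 4).
HOST_C = Endpoint("HOST C 172.16.150.50 on DLS1 Fa0/6", COMMUNITY, secondary=152)
HOST_D = Endpoint("HOST D 172.16.150.150 on DLS2 Fa0/6", ISOLATED, secondary=151)
DLS1_SVI = Endpoint("DLS1 Vlan150 172.16.150.1", PROMISCUOUS, mapped=frozenset({151, 152}))
DLS2_SVI = Endpoint("DLS2 Vlan150 172.16.150.2", PROMISCUOUS, mapped=frozenset({152}))
# Constructed extra endpoints (not hosts the lab defines) to show the general rules.
SERVER_1 = Endpoint("server on DLS2 Fa0/18", COMMUNITY, secondary=152)
SERVER_2 = Endpoint("server on DLS2 Fa0/19", COMMUNITY, secondary=152)
HOST_E = Endpoint("a second isolated host in 151", ISOLATED, secondary=151)


def step6_results() -> dict:
    """The Step 6 ping matrix. An off-subnet target such as ALS1 (172.16.99.5) is
    reachable exactly when the host can reach its gateway SVI, which routes it on."""
    return {
        "C -> DLS1 172.16.150.1": can_reach(HOST_C, DLS1_SVI),
        "C -> DLS2 172.16.150.2": can_reach(HOST_C, DLS2_SVI),
        "C -> ALS1 via gateway": can_reach(HOST_C, DLS1_SVI),
        "C -> D 172.16.150.150": can_reach(HOST_C, HOST_D),
        "D -> DLS1 172.16.150.1": can_reach(HOST_D, DLS1_SVI),
        "D -> ALS1 via gateway": can_reach(HOST_D, DLS1_SVI),
        "D -> DLS2 172.16.150.2": can_reach(HOST_D, DLS2_SVI),
    }


if __name__ == "__main__":
    for pair, ok in step6_results().items():
        print(f"{pair:26s} {'reachable' if ok else 'blocked'}")
    print("servers in community 152 hear each other:", can_reach(SERVER_1, SERVER_2))
    print("two isolated hosts in 151 hear each other:", can_reach(HOST_D, HOST_E))
```

Reachability here is a property of the port roles, not of IP addressing: HOST C and HOST D share 172.16.150.0/24 and still cannot exchange frames, which is exactly the protection a private VLAN adds over a conventional VLAN. The failed ping from HOST D to 172.16.150.2 is the same rule seen from the promiscuous side: an SVI that does not map a secondary VLAN is invisible to its hosts.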

Part 2: RACLs
You can use router access control lists (RACLs) to separate the student and staff VLANs. In this lab scenario,
write an ACL that allows the staff VLAN (100) to access the student VLAN (200), and deny student VLAN
access to the staff VLAN.

Step 1: Write an extended IP access list


a. Write an ACL that meets the requirement and assign the access list to the appropriate VLAN interfaces on
DLS1 and DLS2 using the ip access-group acl-num {in | out} command. The list is applied inbound on the
student SVI (VLAN 200), where it sees traffic leaving the student VLAN: only replies to sessions that staff
hosts initiated (TCP segments with the ACK or RST bit set, and ICMP echo replies) are allowed into
172.16.100.0/24, everything else from students to staff is denied, and all other traffic (Internet, server
farm) is permitted. Note that the established keyword inspects only the ACK/RST bits of each segment and
keeps no connection state; it is a coarse filter, not a stateful firewall.
DLS1(config)# access-list 100 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
DLS1(config)# access-list 100 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
DLS1(config)# access-list 100 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
DLS1(config)# access-list 100 permit ip any any
DLS1(config)# interface vlan 200
DLS1(config-if)# ip access-group 100 in
DLS1(config-if)# exit

DLS2(config)# access-list 100 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
DLS2(config)# access-list 100 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
DLS2(config)# access-list 100 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
DLS2(config)# access-list 100 permit ip any any
DLS2(config)# interface vlan 200
DLS2(config-if)# ip access-group 100 in
DLS2(config-if)# exit

b. Check the configuration using the show ip access-lists and show ip interface vlan vlan-id commands.

DLS1# show access-lists
Extended IP access list 100
10 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
20 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
30 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
40 permit ip any any

DLS1# show ip interface vlan 200
Vlan200 is up, line protocol is up
Internet address is 172.16.200.3/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.2
Outgoing access list is not set
Inbound access list is 100
<output omitted>
c. After the access list has been applied, verify the configuration as follows.
On ALS1 set up a simulated host in VLAN 100 and one in VLAN 200 by creating a VLAN 100 and a VLAN 200
interface on the switch. Give the VLAN 100 interface an IP address in the staff subnet and the VLAN 200
interface an IP address in the student subnet. The following is a sample configuration on ALS1.
ALS1(config)# interface vlan 100
ALS1(config-if)# ip address 172.16.100.100 255.255.255.0
ALS1(config-if)# exit
ALS1(config)# interface vlan 200
ALS1(config-if)# ip address 172.16.200.200 255.255.255.0
Ping the staff VLAN gateway (172.16.100.1, the HSRP virtual address) first with a source of the staff VLAN 100
interface (172.16.100.100) and then with a source of the student VLAN 200 interface. The pings from the
student VLAN should fail.
ALS1# ping 172.16.100.1 source vl100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.100.100
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/205/1007 ms

ALS1# ping 172.16.100.1 source vl200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.200.200
.U.U.
Success rate is 0 percent (0/5)
What does a U signify in the output of the ping command?
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________


Part 3: Configure VACLs


Configure the network so that the temporary staff host cannot access the rest of the staff VLAN, yet is still
able to use the default gateway of the staff subnet to connect to the rest of the network and the ISP. You can
accomplish this task by using a VLAN ACL (VACL). The VACL matches IP traffic from the host to destinations
inside 172.16.100.0/24, so the host will not be able to ping the gateway's own address; its traffic to other
subnets has a destination outside 172.16.100.0/24, is not matched, and is still forwarded to the gateway.
ARP is not IP and is untouched by an ip address match clause, so the host can still resolve the gateway's
MAC address.
For this scenario, Host C (DLS1 Fast Ethernet 0/6) will act as a temporary staff PC, therefore the VACL must
be placed on DLS1: a VACL filters traffic switched within a VLAN on the switch where it is applied.

Step 1: Configure DLS1 F0/6 and Host C


a. Change the configuration of DLS1 F0/6 so that the interface is an access port in VLAN 100. To keep things
tidy, also remove the private VLAN host association from the interface:
DLS1(config)# interface f0/6
DLS1(config-if)# switchport mode access
DLS1(config-if)# switchport access vlan 100
DLS1(config-if)# no switchport private-vlan host-association 150 152
DLS1(config-if)# exit

b. Change the configuration of HOST C so that it is using the IP address 172.16.100.150/24 with the default
gateway set as 172.16.100.1

Step 2: Configure and apply the VACL


a. Configure an access list on DLS1 called temp-host using the ip access-list extended name command.
This list defines the traffic between the host and the rest of the staff subnet. Then define the traffic using
the permit ip host ip-address subnet wildcard-mask command. Note that you must be explicit about what
traffic to match: this is not a traffic-filtering ACL but a traffic-matching ACL, so permit here means "select
this traffic for the access-map action". If you were to leave the second line of the example below out, pings
would work.
DLS1(config)# ip access-list extended temp-host
DLS1(config-ext-nacl)# permit ip host 172.16.100.150 172.16.100.0 0.0.0.255
DLS1(config-ext-nacl)# permit icmp host 172.16.100.150 172.16.100.0 0.0.0.255
DLS1(config-ext-nacl)# exit

b. The VACL is defined using a VLAN access map. Access maps are evaluated in a numbered sequence.
To set up an access map, use the vlan access-map map-name seq# command. The following
configuration defines an access map named block-temp, which uses the match statement to match the
traffic defined in the access list and denies that traffic. You also need to add a line to the access map that
allows all other traffic. If this line is not added, an implicit deny catches all other traffic and denies it.
DLS1(config)# vlan access-map block-temp 10
DLS1(config-access-map)# match ip address temp-host
DLS1(config-access-map)# action drop
DLS1(config-access-map)# vlan access-map block-temp 20
DLS1(config-access-map)# action forward
DLS1(config-access-map)# exit
c. Define which VLANs the access map should be applied to using the vlan filter map-name vlan-list vlan-
ID command.
DLS1(config)# vlan filter block-temp vlan-list 100
d. Verify the VACL configuration using the show vlan access-map command on DLS1.
DLS1# show vlan access-map


Vlan access-map "block-temp" 10
  Match clauses:
    ip address: temp-host
  Action:
    drop
Vlan access-map "block-temp" 20
  Match clauses:
  Action:
    forward

Step 3: Test the VACL


a. From HOST C, try to ping 172.16.100.50. The ping should fail.
b. From HOST C, try to ping 172.16.100.1. The ping should fail.
c. From HOST C, try to ping 172.16.200.50. The ping should succeed.
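Both filters in this lab, the RACL on the VLAN 200 SVI and the block-temp access map on VLAN 100, are built from the same primitives: ordered entries, wildcard-mask address matching, first match wins, and an implicit deny (for a VACL, an implicit drop). The following Python evaluator is an added example, not code from the lab or from Cisco. It encodes those rules, loads the lab's ACL 100 and temp-host/block-temp definitions as written above, and runs constructed packets through them to reproduce the expected results of both the RACL and the VACL tests. The Packet and Ace classes, the tuple form of the access-map entries, and the addresses 172.16.200.200 and 172.16.100.100 (the simulated ALS1 hosts) and 198.51.100.10 (standing in for an Internet host) are assumptions; the established semantics (ACK or RST bit set, no connection state) is IOS behaviour. It also shows the caveat that matters to a practitioner: an ACK-only probe from the student VLAN passes the established entry, because the ACL cannot tell it from a genuine reply.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:                                   # constructed: only the fields the lab's lists inspect
    src: str
    dst: str
    proto: str                                  # "tcp", "udp" or "icmp"
    tcp_flags: FrozenSet[str] = frozenset()     # e.g. {"SYN"} or {"ACK"}
    icmp_type: Optional[str] = None             # "echo" or "echo-reply"

@dataclass(frozen=True)
class Ace:                                      # one access-list entry, fields in IOS command order
    action: str                                 # "permit" or "deny"
    proto: str                                  # "ip", "tcp" or "icmp"
    src: str                                    # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    established: bool = False                   # the tcp `established` keyword
    icmp_type: Optional[str] = None

MapEntry = Tuple[int, str, Optional[List[Ace]]]  # (seq, "forward"/"drop", match ACL or None)

def addr_matches(spec: str, addr: str) -> bool:
    """IOS address matching; a wildcard bit of 1 means 'do not care'."""
    if spec == "any":
        return True
    parts = spec.split()
    ip = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return ip == int(ipaddress.IPv4Address(parts[1]))
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = 0xFFFFFFFF ^ wild
    return (ip & care) == (net & care)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (addr_matches(ace.src, pkt.src) and addr_matches(ace.dst, pkt.dst)):
        return False
    # `established` tests only the ACK/RST bits of this one segment; it keeps no state.
    if ace.established and not (pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return ace.icmp_type is None or pkt.icmp_type == ace.icmp_type

def acl_action(acl: List[Ace], pkt: Packet) -> str:
    """First match wins; every IOS ACL ends with an implicit `deny ip any any`."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

def vacl_action(access_map: List[MapEntry], pkt: Packet) -> str:
    """Entries in sequence order; a packet the entry's ACL *permits* is matched (a deny
    there only means 'not this one'); an entry without a match clause matches everything;
    a packet that matches no entry is dropped."""
    for _seq, action, match_acl in sorted(access_map, key=lambda e: e[0]):
        if match_acl is None or acl_action(match_acl, pkt) == "permit":
            return action
    return "drop"

STUDENT, STAFF = "172.16.200.0 0.0.0.255", "172.16.100.0 0.0.0.255"
ACL_100 = [  # the lab's RACL, applied inbound on interface Vlan200
    Ace("permit", "tcp", STUDENT, STAFF, established=True),
    Ace("permit", "icmp", STUDENT, STAFF, icmp_type="echo-reply"),
    Ace("deny", "ip", STUDENT, STAFF),
    Ace("permit", "ip", "any", "any"),
]
TEMP_HOST = [  # the lab's match list for the block-temp access map
    Ace("permit", "ip", "host 172.16.100.150", STAFF),
    Ace("permit", "icmp", "host 172.16.100.150", STAFF),
]
BLOCK_TEMP: List[MapEntry] = [(10, "drop", TEMP_HOST), (20, "forward", None)]

def racl_results() -> Dict[str, str]:
    """Packets from the simulated ALS1 student host entering Vlan200 on DLS1."""
    s, staff_host, internet = "172.16.200.200", "172.16.100.100", "198.51.100.10"  # Internet host constructed
    return {
        "student SYN to staff": acl_action(ACL_100, Packet(s, staff_host, "tcp", frozenset({"SYN"}))),
        "student echo to staff gateway": acl_action(ACL_100, Packet(s, "172.16.100.1", "icmp", icmp_type="echo")),
        "student echo-reply to staff": acl_action(ACL_100, Packet(s, staff_host, "icmp", icmp_type="echo-reply")),
        "student to Internet": acl_action(ACL_100, Packet(s, internet, "tcp", frozenset({"SYN"}))),
        # Caveat: an ACK-only probe (an ACK scan) looks exactly like a legitimate reply.
        "student ACK-only probe to staff": acl_action(ACL_100, Packet(s, staff_host, "tcp", frozenset({"ACK"}))),
    }

def vacl_results() -> Dict[str, str]:
    """Frames inside VLAN 100 on DLS1 with block-temp applied; HOST C is 172.16.100.150."""
    c, echo = "172.16.100.150", lambda src, dst: Packet(src, dst, "icmp", icmp_type="echo")
    return {
        "C to staff host .50": vacl_action(BLOCK_TEMP, echo(c, "172.16.100.50")),
        "C to gateway .1": vacl_action(BLOCK_TEMP, echo(c, "172.16.100.1")),
        "C to student 172.16.200.50": vacl_action(BLOCK_TEMP, echo(c, "172.16.200.50")),
        "staff host .50 to C": vacl_action(BLOCK_TEMP, echo("172.16.100.50", c)),
    }

if __name__ == "__main__":
    for name, verdict in {**racl_results(), **vacl_results()}.items():
        print(f"{name:34s} {verdict}")
```

Two results are worth noticing. Host C's frames to the gateway's own address are dropped while its frames to 172.16.200.50 are forwarded, because only destinations inside 172.16.100.0/24 are matched, which is why Step 3 expects the second ping to fail and the third to succeed. And the VACL as written matches only traffic sourced by Host C, so a staff host's echo request still reaches Host C while Host C's reply is dropped; a second match entry for the reverse direction would be needed to make the isolation symmetric at the frame level.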

Appendix A: starting configuration of all devices

DLS1:
hostname DLS1
enable secret pass
ip routing
no ip domain-lookup
ip domain-name SEC.LAB
vlan 99
name Management
vlan 100
name STAFF
vlan 200
name STUDENTS
vlan 666
name NATIVE_DO_NOT_USE
exit
spanning-tree mode pvst
spanning-tree vlan 99-100 priority 24576
spanning-tree vlan 200 priority 28672
interface range FastEthernet0/1-5
switchport mode access
shutdown
interface FastEthernet0/6
switchport access vlan 99
switchport mode access
spanning-tree portfast
interface range FastEthernet0/7-12
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
switchport nonegotiate
interface range FastEthernet0/13-48
switchport mode access
shutdown
interface range GigabitEthernet0/1-4
switchport mode access
shutdown
interface Vlan99
ip address 172.16.99.3 255.255.255.0
standby 0 preempt
standby 99 ip 172.16.99.1
standby 99 priority 150
interface Vlan100
ip address 172.16.100.3 255.255.255.0
standby 100 ip 172.16.100.1
standby 100 priority 150
standby 100 preempt
interface Vlan200
ip address 172.16.200.3 255.255.255.0
ip helper-address 172.16.99.50
standby 200 ip 172.16.200.1
standby 200 preempt
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 15
password pass
login
end

DLS2:
hostname DLS2
enable secret pass
ip routing
no ip domain-lookup
ip domain-name SEC.LAB
vlan 99
name Management
vlan 100
name STAFF
vlan 200
name STUDENTS
vlan 666
name NATIVE_DO_NOT_USE
exit
spanning-tree mode pvst
spanning-tree vlan 99-100 priority 28672
spanning-tree vlan 200 priority 24576
interface range FastEthernet0/1-6
shutdown
interface range FastEthernet0/7-12
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
switchport nonegotiate
interface range FastEthernet0/13-48
shutdown
interface range GigabitEthernet0/1-4
shutdown
interface Vlan99
ip address 172.16.99.4 255.255.255.0
standby 0 preempt
standby 99 ip 172.16.99.1
interface Vlan100
ip address 172.16.100.4 255.255.255.0
standby 100 ip 172.16.100.1
standby 100 preempt
interface Vlan200
ip address 172.16.200.4 255.255.255.0
standby 200 ip 172.16.200.1
standby 200 priority 150
standby 200 preempt
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 15
password pass
login
end

ALS1:
hostname ALS1
enable secret pass
no ip domain-lookup
ip domain-name SEC.LAB
vlan 99
name Management
vlan 100
name STAFF
vlan 200
name STUDENTS
vlan 666
name NATIVE_DO_NOT_USE
exit
spanning-tree mode pvst
interface range FastEthernet0/1-5
shutdown
interface FastEthernet0/6
switchport access vlan 200
switchport mode access
spanning-tree portfast
interface range FastEthernet0/7-12
switchport trunk native vlan 666
switchport mode trunk
switchport nonegotiate
interface range FastEthernet0/13-14
shutdown
interface range FastEthernet0/15-48
switchport access vlan 100
switchport mode access
spanning-tree portfast
interface range GigabitEthernet0/1-2
shutdown
interface Vlan99
ip address 172.16.99.5 255.255.255.0
ip default-gateway 172.16.99.1
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 15
password pass
login
end

ALS2:
hostname ALS2
enable secret pass
no ip domain-lookup
ip domain-name SEC.LAB
vlan 99
name Management
vlan 100
name STAFF
vlan 200
name STUDENTS
vlan 666
name NATIVE_DO_NOT_USE
exit
spanning-tree mode pvst
interface range FastEthernet0/1-5
shutdown
interface FastEthernet0/6
switchport access vlan 200
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 20
interface range FastEthernet0/7-12
switchport trunk native vlan 666
switchport mode trunk
switchport nonegotiate
ip dhcp snooping trust
interface range FastEthernet0/13-14
shutdown
interface range FastEthernet0/15-24
switchport access vlan 200
switchport mode access
spanning-tree portfast
interface range GigabitEthernet0/1-2
shutdown
interface range FastEthernet0/25-48
shutdown
interface Vlan99
ip address 172.16.99.6 255.255.255.0
ip default-gateway 172.16.99.1
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 15
password pass
login
