RE: PVLAN on 3550

From: Jason Buszta (groupstudy@buszta.com)
Date: Tue Nov 18 2003 - 17:23:25 GMT-3


The reason I thought it would be a layer-3 thing only was based on my
understanding from the DOC page?

According to the doc pages:

You can configure VLAN maps to match Layer 3 addresses for IP traffic.
Access of all non-IP protocols is controlled with a MAC address and an
Ethertype using MAC ACLs in VLAN maps. (IP traffic is not controlled by
MAC ACLs in VLAN maps.)

VLAN Map Configuration Guidelines
        VLAN maps do not filter IPv4 ARP packets.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_19/config/secure.htm#37334

It was my understanding that the Ethertype and MAC filters would only
filter non-IP traffic? I do agree this would be a poor man's
implementation of PVLANs; however, since communities are not available in
the 3550 you may not have a choice.

If it is true that VLAN maps only provide Layer-3 security, what types of
layer-2 attacks does one need to be concerned about?

On Tue, 18 Nov 2003, Scott Morris wrote:

> And why would that be a layer 3 thing only? The VLAN map commands are
> designed to work within the SWITCH part (e.g. layer 2 thinking), but
> allow you to filter on both L3 and L2 stuff (ip access list or mac
> access list). If you apply an ip access list to the vlan interface,
> that is not a vlan map, and filters only stuff that passes THROUGH the
> SVI, not intra-switch traffic.
>
> But otherwise VLAN maps will work just fine at L2 or L3 if configured as
> such.
>
> This could be used to emulate a community VLAN, but would be a bit more
> of a pain in the butt to configure. :)
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> CISSP, JNCIS, et al.
> IPExpert CCIE Program Manager
> IPExpert Sr. Technical Instructor
> swm@emanon.com/smorris@ipexpert.net
> http://www.ipexpert.net
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Jason Buszta
> Sent: Tuesday, November 18, 2003 7:15 AM
> To: Henry Chou
> Cc: swm@emanon.com; Nick.Jaksec@acs-inc.com; ccielab@groupstudy.com
> Subject: RE: PVLAN on 3550
>
>
> You could always use a VLAN MAP to isolate traffic on the same VLAN, sort
> of like Private VLANs on a 3550. Keep in mind though this will only
> isolate Layer-3 traffic and NOT Layer-2.
>
> On another note, has anyone tried routing private VLANs across switches?
>
> i.e. You have 4 servers, two switches, and a firewall. 2 servers
> plugged into each switch and a connection exists between the switches.
> All of the servers are in the same subnet; however, you would like 2 of the
> servers to be in 100% isolated layer-2 broadcast domains and the other
> two servers in the same community so they can talk to each other. All
> servers should be able to talk to the PIX firewall on switch A. Is this
> possible? I am guessing, due to the restriction of communities only on
> 4000 and above, it can be done? I guess you could do it with a 4000 and a
> 3550 if you grouped them properly with only edge features?
>
> Ideas?
>
>
>
> On Mon, 17 Nov 2003, Henry Chou wrote:
>
> > 3550 does not support full PVLAN, meaning you cannot configure
> > community ...etc. It only supports PVLAN edge.
> >
> >
> > From: "Scott Morris" <swm@emanon.com>
> > To: "'Jaksec, Nick'" <Nick.Jaksec@acs-inc.com>,
> > <ccielab@groupstudy.com>
> > Subject: RE: PVLAN on 3550
> > Date: Mon, 17 Nov 2003 13:12:03 -0500
> >
> > If you read the release notes for the 3550, you will see that the
> > commands are included, but currently have no effect. It's a "pending"
> > thing...
> >
> >
> > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> > CISSP, JNCIS, et al.
> > IPExpert CCIE Program Manager
> > IPExpert Sr. Technical Instructor
> > swm@emanon.com/smorris@ipexpert.net
> > http://www.ipexpert.net
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of Jaksec, Nick
> > Sent: Monday, November 17, 2003 1:09 PM
> > To: 'ccielab@groupstudy.com'
> > Subject: PVLAN on 3550
> >
> >
> > I notice on a 3550 switch running EMI that it has the PVLAN commands.
> > Can this be done even though I see no documentation on Cisco's website
> > pertaining to a 3550? I only see it referencing a 4006 or 6500 switch.
> > Any thoughts would be appreciated, thanks!
> >
> >
> > _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
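The "poor man's PVLAN" discussed in this thread, written out as an added example (it is not configuration from any of the posters or from Cisco's documentation). It follows the doc excerpt Jason quotes: an IP ACL in the VLAN map handles IP traffic, and a separate MAC ACL handles the non-IP Ethertypes, since a MAC ACL in a VLAN map does not match IP. Addresses, MAC addresses, VLAN number and ACL/map names are all constructed for illustration. The two "isolated" hosts may reach only the firewall; everything else in the VLAN behaves like a community.

```cisco
! Constructed values: VLAN 100, firewall 10.0.0.1 / 0000.0c00.0001,
! isolated hosts 10.0.0.11 / 0000.0c00.0011 and 10.0.0.12 / 0000.0c00.0012.
! Any other host in 10.0.0.0/24 is treated as a community member.
!
! In a VLAN map ACL, "permit" means "this packet matches the clause",
! "deny" means "no match, try the next clause". So the firewall
! exceptions come first, then the traffic we want to drop.
!
! Layer-3 side: IP traffic, matched by an IP ACL
ip access-list extended ISOLATE-IP
 deny   ip any host 10.0.0.1
 deny   ip host 10.0.0.1 any
 permit ip host 10.0.0.11 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 host 10.0.0.11
 permit ip host 10.0.0.12 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 host 10.0.0.12
!
! Layer-2 side: non-IP Ethertypes, matched by a MAC ACL
! (IP traffic is not matched here; that is what ISOLATE-IP is for)
mac access-list extended ISOLATE-MAC
 deny   any host 0000.0c00.0001
 deny   host 0000.0c00.0001 any
 permit host 0000.0c00.0011 any
 permit any host 0000.0c00.0011
 permit host 0000.0c00.0012 any
 permit any host 0000.0c00.0012
!
! VLAN map: clauses are evaluated in sequence order, first match wins.
! Clause 30 forwards everything that was not dropped above; without it
! the implicit default would drop all remaining traffic in the VLAN.
vlan access-map PVLAN-EMU 10
 match ip address ISOLATE-IP
 action drop
vlan access-map PVLAN-EMU 20
 match mac address ISOLATE-MAC
 action drop
vlan access-map PVLAN-EMU 30
 action forward
!
! Apply the map to the VLAN; it filters bridged traffic within the VLAN
! as well as traffic routed into or out of it.
vlan filter PVLAN-EMU vlan-list 100
```

Two caveats a defender should keep in mind, both from the guideline Jason quotes: VLAN maps do not filter IPv4 ARP, so the isolated hosts can still resolve each other's MAC addresses even though their IP and non-IP frames are then dropped, and this is a per-VLAN filter rather than a port-level isolation feature, so it does not replace a real isolated or community PVLAN where the platform offers one. Verify the result with `show vlan access-map` and `show vlan filter` after applying it.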



This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:13 GMT-3