CCIE must-know: a brief description of MUX VLAN, port isolation and port security
MUX VLAN (Multiplex VLAN) provides a mechanism for controlling network resources through VLANs. The Layer 2 traffic isolation mechanism provided by MUX VLAN allows internal employees of an enterprise to communicate with each other while keeping external visitors to the enterprise isolated from one another.
To achieve Layer 2 isolation between packets, users can add different ports to different VLANs, but this wastes limited VLAN resources. The port isolation function can isolate ports that belong to the same VLAN.
In a network with high security requirements, a switch can enable port security to prohibit devices with illegal MAC addresses from accessing the network; once the number of learned MAC addresses reaches the upper limit, no new MAC addresses are learned and only devices whose MAC addresses have already been learned can communicate.
1. MUX VLAN:
In an enterprise it is desirable that employees can communicate with each other while external visitors are isolated from one another. This can be achieved by configuring a different VLAN for each guest. However, if the enterprise has a large number of external visitors, this not only consumes a large number of VLAN IDs but also makes network maintenance harder. The Layer 2 traffic isolation mechanism provided by MUX VLAN allows internal employees to communicate with each other while keeping external visitors isolated from one another.
A MUX VLAN is divided into a principal VLAN and subordinate VLANs, and subordinate VLANs are further divided into separate (isolated) VLANs and group (interworking) VLANs.
Principal VLAN: a principal port can communicate with all interfaces in the MUX VLAN.
Separate VLAN (isolated subordinate VLAN): a separate port can communicate only with principal ports and is completely isolated from all other interfaces. Each separate VLAN must be bound to a principal VLAN.
Group VLAN (interworking subordinate VLAN): a group port can communicate with principal ports, and interfaces in the same group can also communicate with each other, but they cannot communicate with interfaces in other groups or with separate ports. Each group VLAN must be bound to a principal VLAN.
2. Port isolation
Port isolation has two modes: Layer 2 isolation with Layer 3 intercommunication, and isolation at both Layer 2 and Layer 3:
If users want to isolate broadcast packets within the same VLAN while users on different ports can still communicate at Layer 3, the isolation mode can be set to Layer 2 isolation with Layer 3 intercommunication;
If users on different ports of the same VLAN should be completely unable to communicate, the isolation mode can be configured to isolate both Layer 2 and Layer 3.
Port isolation also has shortcomings. First, sharing between the isolated computers is no longer possible; second, isolation only takes effect within one switch, not between stacked switches. In a stacked environment, the switches can only be changed to a cascaded connection.
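To make the reachability rules from the MUX VLAN section and the port isolation section concrete, here is a small added model (not code from the original article); the port names, VLAN IDs and switch layout are constructed for illustration, and it assumes all MUX ports belong to one MUX VLAN.

```python
# Added example (not from the original article): a model of the Layer 2/3
# reachability rules described above for MUX VLAN and for port isolation.
# Port names, VLAN IDs and the switch layout are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MuxPort:
    name: str
    role: str    # "principal", "separate" or "group"
    vlan: int    # principal VLAN, separate VLAN or group VLAN the port is in


def mux_vlan_can_talk(a: MuxPort, b: MuxPort) -> bool:
    """MUX VLAN rules: a principal port talks to every port; a separate port
    talks only to principal ports; group ports talk to principal ports and
    to ports of the same group VLAN."""
    if "principal" in (a.role, b.role):
        return True
    if "separate" in (a.role, b.role):
        return False          # separate ports are isolated from everything else
    return a.vlan == b.vlan   # two group ports: same group VLAN only


@dataclass(frozen=True)
class IsoPort:
    name: str
    switch: str               # physical switch; isolation does not span stack members
    group: Optional[int]      # port-isolation group, None if isolation is off


def port_isolation_can_talk(a: IsoPort, b: IsoPort, layer: int, mode: str) -> bool:
    """mode "l2": Layer 2 isolated, Layer 3 reachable; mode "all": both isolated.
    Isolation only applies between ports of the same group on the same switch."""
    same_group = a.switch == b.switch and a.group is not None and a.group == b.group
    if not same_group:
        return True
    if layer == 2:
        return False          # Layer 2 traffic is blocked in both modes
    return mode == "l2"       # Layer 3 traffic passes only in l2 mode
```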
3. Port security
If there are illegal users in the network, port security can be used to protect it. It is generally used in the following scenarios: (1) on access layer devices, configuring port security prevents counterfeit users from attacking from other ports; (2) on aggregation layer devices, configuring port security controls the number of access users.
In principle, the port security feature records the MAC address of the Ethernet device connected to a switch port in the MAC address table and allows only a certain MAC address to communicate through that port. When packets sent from other MAC addresses arrive at the port, port security blocks them. Port security can thus prevent unauthorized devices from accessing the network and enhance security. In addition, it can also prevent MAC address flooding from filling up the MAC address table.
Types of secure MAC addresses:
Port security converts the dynamic MAC addresses learned by an interface into secure MAC addresses (secure dynamic MAC, secure static MAC and sticky MAC), preventing illegal users from communicating with the switch through that interface and thereby enhancing device security.
1. When port security is enabled on an interface, the dynamic MAC address entries previously learned on that interface are deleted, and MAC addresses learned afterwards become secure dynamic MAC addresses.
2. When the sticky MAC function is enabled on an interface, the secure dynamic MAC address entries on that interface are converted into sticky MAC addresses, and MAC addresses learned afterwards also become sticky MAC addresses.
3. When port security is disabled on an interface, the secure dynamic MAC addresses on that interface are deleted and dynamic MAC addresses are learned again.
4. When the sticky MAC function is disabled on an interface, the sticky MAC addresses on that interface are converted back into secure dynamic MAC addresses.
Actions taken after the secure MAC address limit is exceeded:
After the number of secure MAC addresses on an interface reaches the limit, if a packet whose source MAC address is not in the secure MAC address table is received, port security treats it as an illegal-user attack and protects the interface according to the configured action. By default, the protection action is restrict.
Restrict: discard packets whose source MAC address does not exist in the table and generate an alarm. This action is recommended. Note: when the device receives packets with an illegal MAC address, it raises an alarm at least once every 30 s, and at most 2 times.
Protect: only discard packets whose source MAC address does not exist in the table, without generating an alarm.
Shutdown: set the interface to the error-down state and generate an alarm. By default, the interface is not restored automatically after being shut down and can only be restored manually by the administrator.
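The secure MAC handling and the three protect actions described above, as an added model that is not code from the original article; the MAC limit, the MAC addresses and the alarm counter are constructed for illustration, and a real switch additionally ages entries and rate-limits the restrict alarms.

```python
# Added example (not from the original article): a model of secure MAC
# learning, sticky conversion and the restrict/protect/shutdown actions.
# MAC addresses, limits and the alarm counter are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    max_mac: int
    action: str = "restrict"                          # default protect action
    sticky: bool = False
    secure_macs: dict = field(default_factory=dict)   # mac -> "dynamic" | "sticky"
    error_down: bool = False
    alarms: int = 0

    def enable_sticky(self) -> None:
        # existing secure dynamic entries become sticky; later ones are learned sticky
        self.sticky = True
        for mac in self.secure_macs:
            self.secure_macs[mac] = "sticky"

    def disable_sticky(self) -> None:
        # sticky entries fall back to secure dynamic entries
        self.sticky = False
        for mac in self.secure_macs:
            self.secure_macs[mac] = "dynamic"

    def restore(self) -> None:
        # manual recovery by the administrator after a shutdown action
        self.error_down = False

    def receive(self, src_mac: str) -> str:
        """Return 'forward', 'drop' or 'error-down' for a frame with this source MAC."""
        if self.error_down:
            return "error-down"
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.max_mac:
            self.secure_macs[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # limit reached and unknown source MAC: treated as an illegal user
        if self.action == "protect":
            return "drop"                 # silent discard, no alarm
        if self.action == "restrict":
            self.alarms += 1              # discard and alarm (device rate-limits this)
            return "drop"
        self.error_down = True            # shutdown: interface goes error-down
        self.alarms += 1
        return "error-down"
```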
visit us: http://ielab.network