CCIE must-know: a brief on MUX VLAN, port isolation and port security
A MUX VLAN (Multiplex VLAN) provides a mechanism for controlling access to network resources through VLANs. The Layer 2 traffic isolation it provides lets employees within an enterprise communicate with each other while keeping the enterprise's external visitors isolated from one another.
To isolate packets at Layer 2, users can be placed on ports in different VLANs, but this wastes limited VLAN resources. The port isolation function can instead isolate ports within the same VLAN.
In networks with high security requirements, the switch can enable the port security function to prevent devices with unauthorized MAC addresses from accessing the network. Once the number of learned MAC addresses reaches the configured upper limit, the port learns no new MAC addresses and only forwards traffic for devices whose MAC addresses it already holds.
- MUX VLAN:
For an enterprise, it is desirable that employees can access each other while external visitors are isolated from one another. This can be achieved by assigning each visitor a different VLAN, but if the enterprise has many visitors and employees, doing so consumes a large number of VLAN IDs and makes the network harder to maintain. The MUX VLAN provides a Layer 2 traffic isolation mechanism that lets employees communicate with each other while visitors from outside the enterprise are isolated from one another.
A MUX VLAN is divided into a principal (master) VLAN and subordinate (slave) VLANs; subordinate VLANs are further divided into separate (isolated) VLANs and group (interworking) VLANs.
Principal VLAN: the principal port can communicate with all interfaces in the MUX VLAN.
Separate VLAN: a separate port can communicate only with the principal port and is completely isolated from all other types of interface. Each separate VLAN must be bound to a principal VLAN.
Group VLAN: a group port can communicate with the principal port and with other interfaces in the same group, but not with interfaces of other groups or with separate ports. Each group VLAN must be bound to a principal VLAN.
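As an added example that is not part of the original article, the following Python model encodes the MUX VLAN forwarding rules just listed and computes which port pairs can exchange frames; the port names and group numbers are constructed for the example.

```python
# Added example: a model of MUX VLAN reachability between port roles.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MuxPort:
    name: str
    role: str                     # "principal", "separate" or "group"
    group: Optional[int] = None   # group VLAN id, only meaningful for role == "group"


def can_communicate(a: MuxPort, b: MuxPort) -> bool:
    """Return True if frames may pass between two ports of one MUX VLAN."""
    if a.name == b.name:
        return True
    # The principal port talks to every interface in the MUX VLAN.
    if a.role == "principal" or b.role == "principal":
        return True
    # A separate port talks only to the principal port (handled above).
    if a.role == "separate" or b.role == "separate":
        return False
    # Two group ports talk only when they belong to the same group VLAN.
    return a.group == b.group


def reachability_matrix(ports):
    """Map every ordered (src, dst) port-name pair to its reachability."""
    return {(a.name, b.name): can_communicate(a, b) for a in ports for b in ports}


# Constructed sample: one uplink/server port in the principal VLAN, two visitor
# ports in a separate VLAN, and two departments in group VLANs 3 and 4.
PORTS = [
    MuxPort("GE0/0/1", "principal"),
    MuxPort("GE0/0/2", "separate"),
    MuxPort("GE0/0/3", "separate"),
    MuxPort("GE0/0/4", "group", 3),
    MuxPort("GE0/0/5", "group", 3),
    MuxPort("GE0/0/6", "group", 4),
]

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability_matrix(PORTS).items()):
        if src < dst:
            print(f"{src} <-> {dst}: {'allowed' if ok else 'isolated'}")
```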
- Port isolation
Port isolation has two modes: Layer 2 isolation with Layer 3 interworking, and Layer 2 and Layer 3 isolation:
If the user wants to isolate broadcast traffic within a VLAN while still allowing users on different ports to communicate at Layer 3, the isolation mode can be set to Layer 2 isolation with Layer 3 interworking.
If the user wants users on different ports in the same VLAN to be completely unable to communicate, the isolation mode can be set to Layer 2 and Layer 3 isolation.
Port isolation also has drawbacks. First, sharing between computers is no longer possible. Second, isolation applies only within a single switch, not across a stack; in a stacked environment the only option is to replace the stack with ordinary connections between switches.
- Port security
If there are unauthorized users in the network, port security technology can be used to protect it. It is typically used in two scenarios: (1) on access-layer devices, where configuring port security prevents attacks in which a user on another port impersonates a legitimate user; (2) on aggregation-layer devices, where configuring port security controls the number of users that can access the network.
Port security: in essence, the port security feature records, through the MAC address table, the Ethernet MAC addresses connected to a switch port and allows only specific MAC addresses to communicate over that port. Frames sent from any other MAC address are prevented from passing through the port. Using port security prevents unauthorized devices from accessing the network and so enhances security. In addition, port security can prevent MAC address flooding from filling the MAC address table.
Types of port security:
Port security enhances device security by converting dynamic MAC addresses learned on an interface into secure MAC addresses (secure dynamic MAC, secure static MAC and sticky MAC), so that unauthorized users cannot communicate through that interface and the switch.
- When port security is enabled on an interface, the dynamic MAC address entries previously learned on the interface are deleted, and MAC addresses learned afterwards become secure dynamic MAC addresses.
- When the sticky MAC function is enabled on an interface, the secure dynamic MAC address entries on the interface are converted to sticky MAC addresses, and MAC addresses learned afterwards also become sticky MAC addresses.
- When port security is disabled on an interface, the secure dynamic MAC addresses on the interface are deleted, and dynamic MAC addresses are learned again.
- When the sticky MAC function is disabled on an interface, the sticky MAC addresses on the interface are converted back to secure dynamic MAC addresses.
Actions after the secure MAC address limit is exceeded:
When the number of secure MAC addresses on the interface has reached the limit and a frame arrives whose source MAC address is not in the table, port security treats it as an attack by an unauthorized user and protects the interface according to the configured action. The default action is restrict.
Restrict: discard frames whose source MAC address is not in the table and raise an alarm. This action is recommended. Note: when the device receives frames with illegal MAC addresses, an alarm is raised at least once every 30 s and at most twice.
Protect: discard frames whose source MAC address is not in the table, without raising an alarm.
Shutdown: set the interface to the error-down state and raise an alarm. By default, an interface that has been shut down does not recover automatically and can only be restored manually by the administrator.
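The following Python simulation is added here and is not from the original article; it models the secure-MAC learning, the sticky MAC conversion rules and the three protect actions described above. The MAC addresses, the limit of two secure MACs, and the assumption that sticky entries survive when port security is disabled are constructed for the example.

```python
# Added example: a model of port security on one switch interface.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    max_mac: int                              # secure MAC address limit
    action: str = "restrict"                  # restrict | protect | shutdown (default restrict)
    sticky: bool = False                      # sticky MAC function enabled on the interface
    macs: dict = field(default_factory=dict)  # MAC -> "dynamic" (secure dynamic) or "sticky"
    state: str = "up"                         # "up" or "error-down"
    alarms: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; return True if it is forwarded."""
        if self.state == "error-down":
            return False                      # a shut-down interface passes nothing
        if src_mac in self.macs:
            return True                       # known secure MAC
        if len(self.macs) < self.max_mac:
            self.macs[src_mac] = "sticky" if self.sticky else "dynamic"
            return True                       # learned as a secure MAC
        # Limit reached and the source MAC is unknown: treated as an illegal user.
        if self.action == "restrict":
            self.alarms.append(f"illegal MAC {src_mac} dropped")
        elif self.action == "shutdown":
            self.state = "error-down"
            self.alarms.append(f"error-down after illegal MAC {src_mac}")
        elif self.action != "protect":        # protect drops silently
            raise ValueError(f"unknown protect action {self.action}")
        return False

    def set_sticky(self, enabled: bool) -> None:
        """Enabling/disabling sticky MAC converts existing entries between the kinds."""
        self.sticky = enabled
        kind = "sticky" if enabled else "dynamic"
        self.macs = {mac: kind for mac in self.macs}

    def disable_port_security(self) -> None:
        """Disabling port security deletes secure dynamic MACs (assumption: sticky stay)."""
        self.macs = {m: k for m, k in self.macs.items() if k == "sticky"}


def run(action: str, frames):
    """Feed constructed frames through a port with a limit of two secure MACs."""
    port = SecurePort(max_mac=2, action=action)
    return [port.receive(mac) for mac in frames], port


# Constructed traffic: two legitimate hosts, a third device, then host 1 again.
FRAMES = ["00:11:22:33:44:01", "00:11:22:33:44:02",
          "00:11:22:33:44:03", "00:11:22:33:44:01"]
```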