CCNA Security | Control Plane Policing and PVLAN

Get 30% off with PROMO CODE CCNADT

Follow me on Twitter:

Previous Video: Implement an IPsec site-to-site VPN with PSK and TACACS+

4.3 Securing the control plane

4.3.a Explain the function of control plane policing CoPP

CoPP is a Cisco IOS feature designed to allow administrators to specify controls over traffic that is directed to a device’s control plane. The goal is to prevent low-priority or unnecessary traffic from overwhelming system resources, which could lead to issues in system performance. CoPP treats the control plane as a separate entity with its own ingress and egress ports. CoPP facilitates the definition of rules to control traffic traversing the control plane’s ingress and egress ports.

CoPP is implemented using the Cisco IOS Modular QoS CLI (MQC), a highly flexible framework that allows users to create and attach traffic polices to interfaces. The MQC mechanisms are used by CoPP to define the classification and policing descriptions for its policies. In this way, in addition to the limited permit and deny actions associated with simple ACLs, specific packets may be permitted but rate-limited when using the MQC structure.

4.6 VLAN security

4.6.a Describe the security implications of a PVLAN

It is possible to simplify a multi-VLAN and subnet deployment by using the Private VLAN (PVLAN) feature. PVLANs provide Layer 2 isolation between ports within the same VLAN. For a service provider, this isolation eliminates the need for a separate VLAN and IP subnet per customer. With PVLANs, a common subnet is subdivided into multiple PVLANs.

Communication between hosts is controlled by whether their switchport is configured as isolated, community, or promiscuous. The advantage of using PVLANs is that it simplifies traffic management while conserving IP address space. Isolated: are access ports that are assigned to an isolated VLAN. An isolated port has complete Layer 2 separation from other ports within the same primary PVLAN, except for a promiscuous port. PVLANs block all traffic to isolated ports, except the traffic from promiscuous ports. Traffic that is received from an isolated port is forwarded only to promiscuous ports. Promiscuous: are access ports that are assigned to a primary VLAN and typically connect to a router or firewall.

A promiscuous port can communicate with all ports within the PVLAN, including the community and isolated ports. The default gateway for the segment would likely be hosted on a promiscuous port, given that all devices in the PVLAN need to communicate with Community: are access ports that are assigned to a community VLAN. Community ports communicate among themselves and with the promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities or in isolated ports within their primary PVLAN.

4.6.b Describe the security implications of a native VLAN

The IEEE 802.1Q protocol allows operation between equipment from different vendors. All frames, except native VLAN frames, are equipped with a tag when traversing the link. The native VLAN is configured on each end of an 802.1Q trunk must be the same. If one end is configured for native VLAN 1 and the other for native VLAN 2, a frame that is sent in VLAN 1 on one side will be received on VLAN 2 on the other. VLAN 1 and VLAN 2 have been segmented and merged. There is no reason this should be required, and connectivity issues will occur in the network. By default, the native VLAN will be VLAN 1. For the purpose of security, the native VLAN on a trunk should be set to a specific VLAN identifier (VID) that is not used for normal operations elsewhere on the network using the switchport trunk native vlan command.

Share the Post:

Related Posts

Help Us By Donating