
Root Guard, BPDU Guard and BPDU Filter

Network attackers can launch different types of attacks on Spanning Tree Protocol (STP).
One type of Spanning Tree Protocol (STP) attack is to inject superior BPDUs into the Layer 2
network. A superior BPDU is a BPDU which carries a lower Bridge ID. In a normal network,
superior BPDUs are generated by the Root Bridge. If any other switch generates a superior
BPDU, Spanning Tree Protocol (STP) recalculations will happen and the switch which
generated the superior BPDU will become the new Root Bridge.
By injecting superior BPDUs into the Layer 2 network, an attacker can cause Spanning Tree
Protocol (STP) recalculations and finally force a re-convergence of the Spanning Tree
Protocol (STP). Attackers can achieve Spanning Tree Protocol (STP) attacks by adding a
rogue switch configured with a lower bridge ID, or by using software which is
available for free download.
When a new rogue Root Bridge is introduced into the Spanning Tree Protocol (STP) topology, all the
traffic from other switches starts flowing via the new rogue Root Bridge. The attacker can now
start capturing the network traffic for sensitive data.
Cisco Switches have different features for protection against Spanning Tree Protocol
(STP) attacks. Root Guard, BPDU Guard and BPDU Filter are some of the features available for
protection against Spanning Tree Protocol (STP) related attacks.

Root Guard: Root Guard protects against the Spanning Tree Protocol (STP) topology attack of
replacing the original Root Bridge with a rogue Root Switch. When a Root Guard enabled
switch port receives a superior BPDU from a rogue switch, the state of the port
is changed into a root-inconsistent state, thus enforcing the position of the original Root
Bridge. Once the port state is changed into the root-inconsistent state (similar to the STP
listening state), no user data is sent via that port.


BPDU Guard: The BPDU Guard feature is typically implemented on an access port configured
with PortFast. When a BPDU Guard enabled port receives a BPDU from the connected device,
BPDU Guard disables the port and the port state is changed to the Errdisable state.


BPDU Filter: The BPDU Filter feature is also typically implemented on an access port
configured with PortFast. The BPDU Filter feature allows you to stop generating BPDUs on
an access port configured with PortFast.



Root Guard protects against the Spanning Tree Protocol (STP) topology attack of replacing the
original Root Bridge with a rogue Root Bridge. When a Root Guard enabled switch
port receives a superior BPDU from a rogue switch, the state of the port is changed into
a root-inconsistent state, thus enforcing the position of the original Root Bridge. Once the
port state is changed into the root-inconsistent state (similar to the STP listening state), no user
data is sent via that port. However, after the flow of superior BPDUs stops, the port
state changes back to the forwarding state. In other words, the Root Guard feature of
Cisco Switches prevents a Designated Port from becoming a Root Port.
The Root Guard feature can be enabled on switch ports that are connected to other switches
that should never become the Root Bridge. For example, a port on the distribution layer
switch which is connected to an access layer switch can be Root Guard enabled, because
the access layer switch should never become the Root Bridge.

How to configure Root Guard in Cisco Switches


To enable Root Guard, use the following commands.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#spanning-tree guard root
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

To disable Root Guard, use the following commands.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#no spanning-tree guard root
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

What is BPDU Guard and how to configure BPDU Guard in Cisco Switches

The BPDU Guard feature is used to protect the Layer 2 Spanning Tree Protocol (STP) topology
from BPDU related attacks. The BPDU Guard feature must be enabled on a port that should
never receive a BPDU from its connected device. If a switch port is configured
with the Spanning Tree Protocol (STP) PortFast feature, it must be connected to an end device
(for example: workstation, server, printer etc). PortFast is enabled only on access
ports to speed up the transition of the access port to the STP forwarding state. End devices are not
supposed to generate BPDUs, because in a normal network environment, BPDU
messages are exchanged by network switches.

The BPDU Guard feature can be enabled globally at Global configuration mode or per
interface at Interface configuration mode. When a BPDU Guard enabled port receives a
BPDU from the connected device, BPDU Guard disables the port and the port
state is changed to the Errdisable state.

How to configure BPDU Guard Globally at Global Configuration Mode

The following configuration commands enable BPDU Guard by default on all PortFast edge
ports.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#spanning-tree portfast edge bpduguard default
OmniSecuSW1(config)#exit
OmniSecuSW1#

The following configuration commands disable BPDU Guard on all PortFast edge ports.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#no spanning-tree portfast edge bpduguard default
OmniSecuSW1(config)#exit
OmniSecuSW1#

How to configure BPDU Guard per interface at Interface Configuration Mode

The following configuration commands enable BPDU Guard for an interface.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#spanning-tree bpduguard enable
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

The following configuration commands disable BPDU Guard for an interface.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#spanning-tree bpduguard disable
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

What is BPDU Filter and how to configure BPDU Filter in Cisco Switches

The BPDU Filter feature can also be enabled on an access port that should never receive a
BPDU (for example, a port connected to an end device like a workstation or a server). If a switch
port is configured with the Spanning Tree Protocol (STP) PortFast feature, it must be connected to an
end device. Spanning Tree Protocol (STP) PortFast is enabled only on access ports to
speed up the transition of the access port to the STP forwarding state. End devices are not
supposed to generate BPDUs, because in a normal network environment, BPDU
messages are exchanged by network switches.

The BPDU Filter feature can be enabled globally at Global configuration mode or per interface
at Interface configuration mode.
The BPDU Filter feature acts in two different ways depending on whether it is configured at the
Global level or the Interface level. If the BPDU Filter feature is enabled at the Global level, BPDU
Filter is applied to all Spanning Tree Protocol (STP) PortFast enabled ports. If any BPDU is received on
such a port, the PortFast feature is disabled and the port becomes a normal STP port.
When BPDU Filter is enabled at the Interface level, the port will not send out BPDUs and
will not process received BPDUs. This behaviour completely disables Spanning
Tree Protocol (STP) on that interface. Beware... This can potentially damage the
network by forming a layer 2 switching loop, if a switch is accidentally connected to a BPDU Filter
enabled port (at interface level).
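As an added example (not code from the original page), the following Python model shows how a port configured with Root Guard, BPDU Guard or interface-level BPDU Filter reacts to a superior BPDU, compared with an unprotected port, following the behaviour described in the Root Guard, BPDU Guard and BPDU Filter sections above; the bridge IDs, port names and class names are constructed for this illustration.

```python
# Added illustration, not from the original page: a small model of how a
# Cisco-style switch port reacts to a received BPDU under Root Guard, BPDU
# Guard and interface-level BPDU Filter. Bridge IDs, MAC addresses and port
# names below are constructed sample values.
from dataclasses import dataclass, field


@dataclass(order=True, frozen=True)
class BridgeId:
    """STP bridge ID; the lower (priority, MAC) pair wins, which order=True compares."""
    priority: int
    mac: str


@dataclass
class Port:
    name: str
    root_guard: bool = False
    bpdu_guard: bool = False
    bpdu_filter: bool = False   # interface-level BPDU Filter
    state: str = "forwarding"


@dataclass
class Switch:
    root: BridgeId                              # the bridge this switch believes is root
    ports: dict = field(default_factory=dict)

    def receive_bpdu(self, port_name: str, advertised_root: BridgeId) -> str:
        """Process one received BPDU on a port and return the resulting port state."""
        port = self.ports[port_name]
        if port.bpdu_filter:
            # Interface-level BPDU Filter: the BPDU is neither processed nor answered,
            # so STP is effectively off on this port (the loop risk the text warns about).
            return port.state
        if port.bpdu_guard:
            # BPDU Guard: an edge port must never see a BPDU, so the port is err-disabled.
            port.state = "err-disabled"
            return port.state
        if advertised_root < self.root:         # superior BPDU: lower bridge ID
            if port.root_guard:
                # Root Guard: refuse to let this port become a root port.
                port.state = "root-inconsistent"
            else:
                # Unprotected port: normal STP, the rogue bridge becomes root.
                self.root = advertised_root
        return port.state

    def superior_bpdus_stopped(self, port_name: str) -> str:
        """Root Guard recovers on its own once superior BPDUs stop arriving."""
        port = self.ports[port_name]
        if port.state == "root-inconsistent":
            port.state = "forwarding"
        return port.state


def demo() -> dict:
    """Constructed scenario: a rogue bridge advertising the lowest possible bridge ID."""
    legit_root = BridgeId(4096, "00:00:AB:00:00:01")
    rogue_root = BridgeId(0, "00:00:AB:FF:FF:FF")
    sw = Switch(root=legit_root)
    sw.ports["Gi0/0"] = Port("Gi0/0", root_guard=True)    # link to an access switch
    sw.ports["Gi0/1"] = Port("Gi0/1", bpdu_guard=True)    # PortFast edge port
    sw.ports["Gi0/2"] = Port("Gi0/2", bpdu_filter=True)   # interface-level filter
    sw.ports["Gi0/3"] = Port("Gi0/3")                     # no protection at all
    return {
        "root_guard": sw.receive_bpdu("Gi0/0", rogue_root),
        "bpdu_guard": sw.receive_bpdu("Gi0/1", rogue_root),
        "bpdu_filter": sw.receive_bpdu("Gi0/2", rogue_root),
        "root_kept_by_guarded_ports": sw.root == legit_root,
        "root_guard_recovered": sw.superior_bpdus_stopped("Gi0/0"),
        "unprotected": sw.receive_bpdu("Gi0/3", rogue_root),
        "root_taken_via_unprotected_port": sw.root == rogue_root,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```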

How to configure BPDU Filter Globally at Global Configuration Mode

The following configuration commands enable BPDU Filter by default on all PortFast edge ports.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#spanning-tree portfast edge bpdufilter default
OmniSecuSW1(config)#exit
OmniSecuSW1#

The following configuration commands disable BPDU Filter on all PortFast edge ports.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#no spanning-tree portfast edge bpdufilter default
OmniSecuSW1(config)#exit
OmniSecuSW1#

How to configure BPDU Filter per interface at Interface Configuration Mode

The following configuration commands enable BPDU Filter for an interface.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#spanning-tree bpdufilter enable
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

The following configuration commands disable BPDU Filter for an interface.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#spanning-tree bpdufilter disable
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

DHCP Starvation attacks and DHCP spoofing attacks

Another type of network attack, targeted at DHCP servers, is known as a DHCP
starvation attack. In a DHCP starvation attack, an attacker broadcasts a large number
of DHCP REQUEST messages with spoofed source MAC addresses. If the legitimate
DHCP server in the network starts responding to all these bogus DHCP
REQUEST messages, the available IP addresses in the DHCP server scope will be depleted
within a very short span of time.

Once the available number of IP addresses in the DHCP server is depleted, network
attackers can then set up a rogue DHCP server and respond to new DHCP requests
from network DHCP clients. By setting up a rogue DHCP server, the attacker can now
launch a DHCP spoofing attack.

What is a DHCP spoofing attack

After a DHCP starvation attack and setting up a rogue DHCP server, the attacker can
start distributing IP addresses and other TCP/IP configuration settings to the network
DHCP clients. TCP/IP configuration settings include the Default Gateway and DNS Server IP
addresses. Network attackers can now replace the original legitimate Default Gateway
IP Address and DNS Server IP Address with their own IP Address.
Once the Default Gateway IP Address of the network devices is changed, the
network clients start sending the traffic destined to outside networks to the attacker's
computer. The attacker can now capture sensitive user data and launch a man-in-the-middle
attack. This is called a DHCP spoofing attack. The attacker can also set up a rogue
DNS server and divert the end user traffic to fake web sites and launch phishing
attacks.

How to configure DHCP Snooping

DHCP snooping is a DHCP security feature which provides protection from DHCP
starvation attacks by filtering untrusted DHCP messages.

The DHCP snooping feature identifies switch ports as "trusted" and "untrusted". The DHCP
snooping feature can be used to differentiate between untrusted interfaces (where
DHCP clients are connected) and trusted interfaces (where a DHCP server or other
switches are connected).
Trusted ports (where a DHCP server or other switches are connected) can source all
types of DHCP messages, including the DHCP OFFER message.
Untrusted ports are the ports where DHCP clients are connected. Untrusted switch
ports cannot source DHCP messages like DHCPOFFER, DHCPACK and DHCPNAK, which are
normally generated by a DHCP server. By default, all switch ports are untrusted.
When DHCP snooping is enabled, Cisco switches build a table known as the DHCP
snooping binding database (also known as the DHCP snooping binding table).
The DHCP snooping binding table is used to identify and filter untrusted DHCP messages
from the network. The DHCP snooping binding table keeps track of DHCP addresses that
are assigned to switch ports. The DHCP snooping binding table includes the client MAC
address, IP address, DHCP lease time, binding type, VLAN number, and interface
information for untrusted switch ports.
When a switch receives a packet on an untrusted switch port where DHCP snooping is
enabled, the packet is permitted or denied with the help of the information stored in the
DHCP snooping binding table.
The packet is denied when:
DHCP server related messages (for example DHCPOFFER, DHCPACK, DHCPNAK) are
received on an untrusted switch port.
The source MAC address does not match the MAC address in the DHCP snooping binding table
entry.

How to enable DHCP snooping globally

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip dhcp snooping
OmniSecuSW1(config)#exit
OmniSecuSW1#

How to enable DHCP snooping on a specific VLAN

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip dhcp snooping vlan 500
OmniSecuSW1(config)#exit
OmniSecuSW1#

How to configure a switch port as trusted

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip dhcp snooping trust
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

How to view the DHCP snooping database

OmniSecuSW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:AB:19:C6:00   172.16.10.183    690515      dhcp-snooping  500   Gigabitethernet0/1
00:00:AB:34:CB:00   172.16.10.184    690518      dhcp-snooping  500   Gigabitethernet0/2
00:00:AB:2A:FE:00   172.16.10.182    690512      dhcp-snooping  500   Gigabitethernet0/3
00:00:AB:F7:D0:00   172.16.10.181    690512      dhcp-snooping  500   Gigabitethernet0/4
00:00:AB:93:82:00   172.16.10.185    690518      dhcp-snooping  500   Gigabitethernet0/5
Total number of bindings: 5

How to view the DHCP Snooping configuration

OmniSecuSW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
500
DHCP snooping is operational on following VLANs:
500
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: aabb.cc00.0100 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
Ethernet0/0                yes        yes             unlimited
  Custom circuit-ids:
OmniSecuSW1#

ARP Spoofing attack

An Address Resolution Protocol (ARP) spoofing attack is a type of network attack where an
attacker sends fake Address Resolution Protocol (ARP) messages inside a Local Area
Network (LAN), with the aim of diverting and intercepting network traffic.

In normal Address Resolution Protocol (ARP) operation, when a network device sends
an ARP request (as a broadcast) to find the MAC address corresponding to an IPv4
address, the ARP reply comes from the legitimate network device which is configured with
the IPv4 address which matches the ARP request. The ARP reply is cached by the
requesting device in its ARP table.
A network attacker can abuse Address Resolution Protocol (ARP) operation by
responding to the ARP request, posing as the owner of the requested IPv4 address. Once the
attacker's MAC address is mapped to an authentic, legitimate IPv4 address, the attacker
will begin receiving any data that is intended for that legitimate IPv4 address. Now the
attacker can launch a man-in-the-middle attack and start capturing the network traffic
for any sensitive user data.
An attacker can also broadcast a Gratuitous ARP message with the IPv4 address of the default
gateway. Gratuitous ARP is a broadcast packet used by network devices to announce
any change in their IPv4 address or MAC address. By sending a Gratuitous ARP
message with the IPv4 address of the default gateway, the attacker can pose as the default
gateway and capture all the network traffic moving outside the Local Area Network
(LAN).

Preventing ARP spoofing attacks with Dynamic ARP Inspection (DAI)

Dynamic ARP Inspection (DAI) is a feature which can be used to prevent ARP spoofing
attacks. Dynamic ARP Inspection (DAI) can be enabled on switches. When enabled,
Dynamic ARP Inspection (DAI) verifies IPv4 address to MAC address bindings. If a
mismatch is found on an untrusted port, Dynamic ARP Inspection (DAI) discards the
spoofed ARP packets. DAI uses the DHCP snooping binding database to validate
bindings. Dynamic ARP Inspection (DAI) only inspects ARP packets from untrusted
ports.
Dynamic ARP Inspection (DAI) can be enabled globally per VLAN using the command
"ip arp inspection vlan <vlan-id>". By default, all ports are untrusted. To configure a
port as trusted, use the command "ip arp inspection trust" at the interface level.

How to enable Dynamic ARP Inspection (DAI) on a specific VLAN

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip arp inspection vlan 500
OmniSecuSW1(config)#exit
OmniSecuSW1#

How to configure a switch port as trusted

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip arp inspection trust
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit

IP spoofing attacks and IP Source Guard (IPSG)


An IP address spoofing attack is a type of attack in which an attacker forges the
source Internet Protocol (IP) address of IP datagram packets to make it appear
as though the packet is coming from another valid IP address. In IP address
spoofing, IP packets are generated with fake source IP addresses in order to
impersonate other systems or to protect the identity of the sender.
When enabled, the IP Source Guard (IPSG) feature can mitigate IP spoofing
attacks. The IP Source Guard (IPSG) feature can help ensure that the network
devices utilize only their assigned IP addresses.

The IP Source Guard (IPSG) feature uses the information in the DHCP Snooping
binding database to dynamically create Port ACLs. IP Source Guard (IPSG)
can use static IP binding entries as well. The IP Source Guard (IPSG) feature
permits only Internet Protocol (IP) traffic which has a source IP address
matching the entry in the DHCP Snooping binding database. Thus the IP Source
Guard (IPSG) feature prevents a network device from transmitting an IP
datagram using a source IP address other than the one it was
assigned via Dynamic Host Configuration Protocol (DHCP).
Make sure that you have configured the DHCP snooping feature properly (see the DHCP
snooping section above) before these configuration steps.
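As an added example (not code from the page or from Cisco), the following Python models the three decisions the text describes as being driven by one DHCP snooping binding table: DHCP snooping filtering on untrusted ports (the denial rules in the DHCP snooping section), Dynamic ARP Inspection, and IP Source Guard with and without the MAC check. The sample binding text copies two rows of the page's own "show ip dhcp snooping binding" output; the function names and the simplified match rules are this example's assumptions.

```python
# Added illustration, not the page's or Cisco's code: one DHCP snooping binding
# table feeding the checks described for DHCP snooping, Dynamic ARP Inspection
# (DAI) and IP Source Guard (IPSG). The rows below are copied from the page's
# example output; the trusted-port set and test traffic are constructed.
from dataclasses import dataclass

SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ------------------
00:00:AB:19:C6:00   172.16.10.183    690515      dhcp-snooping  500   Gigabitethernet0/1
00:00:AB:34:CB:00   172.16.10.184    690518      dhcp-snooping  500   Gigabitethernet0/2
Total number of bindings: 2
"""

# DHCP messages only a server generates; never accepted from an untrusted port.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


def parse_bindings(text: str) -> dict:
    """Turn 'show ip dhcp snooping binding' output into {interface: Binding}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        # Header, separator and 'Total number of bindings' lines never start with a MAC.
        if len(parts) != 6 or parts[0].count(":") != 5:
            continue
        mac, ip, _lease, _type, vlan, iface = parts
        table[iface] = Binding(mac.lower(), ip, int(vlan), iface)
    return table


def dhcp_snooping_permits(bindings, trusted, iface, msg_type, src_mac) -> bool:
    """DHCP snooping decision for a DHCP message arriving on 'iface'."""
    if iface in trusted:
        return True                     # trusted ports may source any DHCP message
    if msg_type in SERVER_MESSAGES:
        return False                    # server replies never come from a client port
    b = bindings.get(iface)
    # A client that already has a binding must keep using the MAC it was bound with;
    # a port with no binding yet may start a new DHCP exchange.
    return b is None or b.mac == src_mac.lower()


def dai_permits(bindings, trusted, iface, sender_mac, sender_ip) -> bool:
    """DAI: on untrusted ports the ARP sender IP/MAC pair must match the binding."""
    if iface in trusted:
        return True
    b = bindings.get(iface)
    return b is not None and b.mac == sender_mac.lower() and b.ip == sender_ip


def ipsg_permits(bindings, iface, src_ip, src_mac=None) -> bool:
    """IPSG: source IP (and, with 'ip verify source port-security', the MAC) must match."""
    b = bindings.get(iface)
    if b is None or b.ip != src_ip:
        return False
    return src_mac is None or b.mac == src_mac.lower()


if __name__ == "__main__":
    table = parse_bindings(SAMPLE_BINDINGS)
    trusted_ports = {"Gigabitethernet0/0"}      # constructed: the uplink to the DHCP server
    print(dhcp_snooping_permits(table, trusted_ports, "Gigabitethernet0/1", "DHCPOFFER", "00:00:AB:19:C6:00"))
    print(dai_permits(table, trusted_ports, "Gigabitethernet0/2", "00:00:AB:34:CB:00", "172.16.10.184"))
    print(ipsg_permits(table, "Gigabitethernet0/2", "172.16.10.183"))
```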

How to enable IP Source Guard (IPSG) feature with IP source check

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip verify source
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

How to verify IP Source Guard (IPSG) with the IP source check

OmniSecuSW1#show ip verify source
Interface   Filter-type  Filter-mode  IP-address       Mac-address        Vlan
----------  -----------  -----------  ---------------  -----------------  ----
Et0/0       ip           active       172.16.10.175                       1

How to enable IP Source Guard (IPSG) feature with IP and MAC source check

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#switchport port-security
OmniSecuSW1(config-if)#ip verify source port-security
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

How to verify IP Source Guard (IPSG) with the IP and MAC source check

OmniSecuSW1#show ip verify source
Interface   Filter-type  Filter-mode  IP-address       Mac-address        Vlan
----------  -----------  -----------  ---------------  -----------------  ----
Et0/0       ip-mac       active       172.16.10.175    00:00:AB:5E:C9:00  1

How to view the IP source bindings

OmniSecuSW1#show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  -----------
00:00:AB:99:88:00   172.16.10.178    689555      dhcp-snooping  1     Ethernet0/3
00:00:AB:9D:BC:00   172.16.10.176    689549      dhcp-snooping  1     Ethernet0/1
00:00:AB:5E:C9:00   172.16.10.175    689539      dhcp-snooping  1     Ethernet0/0
00:00:AB:D4:02:00   172.16.10.177    689555      dhcp-snooping  1     Ethernet0/2
Total number of bindings: 4

What are PVLANs (Private VLANs) - Promiscuous, Isolated and Community PVLAN ports

Virtual LANs (VLANs) are used to create separate broadcast domains within a Local Area
Network (LAN). A Virtual LAN (VLAN) is a broadcast domain and is also a separate IP
subnet. Virtual LANs limit broadcasts to specified devices.

Private VLANs (PVLANs) divide the broadcast domain into multiple broadcast subdomains.
The Private VLANs (PVLANs) feature allows further isolation of different devices
within the same VLAN. Private VLANs (PVLANs) provide layer 2 isolation between ports
within the same broadcast domain.

The Private VLANs (PVLANs) feature can be used to create Secondary VLANs inside a
Primary VLAN. Primary VLANs are just normal VLANs. Secondary VLANs are also
created as normal VLANs, but they are later associated with a Primary VLAN.
Secondary VLANs can be in any one of the following modes.
Isolated VLAN: The network devices attached to the ports associated with an
Isolated private VLAN cannot communicate with one another. They can communicate
with a Promiscuous port within the same Private VLAN (PVLAN).
Community VLAN: The network devices attached to the ports associated with
Community VLAN can communicate with one another. They can also communicate
with a Promiscuous port within the Private VLAN (PVLAN).
Following are the three types of Private VLAN (PVLAN) ports.
Promiscuous Port: A promiscuous port can communicate with all interfaces inside
the Private VLAN (PVLAN), including the isolated and community ports.
Isolated Port: An Isolated port cannot communicate with other ports within the
same PVLAN, except the promiscuous ports. PVLANs block all traffic to isolated ports
except traffic from promiscuous ports.
Community Port: Community ports can communicate among themselves and with
the promiscuous ports. Community ports cannot communicate with interfaces in other
communities or isolated ports.
Note: Only one secondary Isolated type VLAN can be associated to a Primary VLAN.
Multiple secondary type Community VLANs can be associated to a Primary VLAN.
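Added illustration (not from the original page): the PVLAN forwarding rules listed above, expressed as a reachability check between ports, plus a check for the note that a Primary VLAN may carry only one Isolated secondary VLAN. It uses the VLAN numbers the configuration steps below use (primary 50, community 150, isolated 250); the port names, class and function names are this example's assumptions.

```python
# Added illustration, not from the original page: which PVLAN port pairs may
# exchange frames, following the Promiscuous / Isolated / Community rules in
# the text. VLAN numbers match the page's configuration example; port names
# are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary: int
    mode: str                         # "promiscuous", "community" or "isolated"
    secondary: Optional[int] = None   # host ports: the secondary VLAN they belong to


def can_communicate(a: PvlanPort, b: PvlanPort) -> bool:
    """True if frames may pass between the two ports of one private VLAN."""
    if a.primary != b.primary:
        return False                          # different primary VLANs: never
    if "promiscuous" in (a.mode, b.mode):
        return True                           # promiscuous reaches every port
    if a.mode == "isolated" or b.mode == "isolated":
        return False                          # isolated talks only to promiscuous
    # Both are community ports: only within the same community VLAN.
    return a.secondary == b.secondary


def reachability_matrix(ports) -> dict:
    """Map every ordered pair of distinct port names to the forwarding decision."""
    return {(a.name, b.name): can_communicate(a, b)
            for a in ports for b in ports if a is not b}


def validate_association(primary: int, secondaries: dict) -> list:
    """Check the page's note: at most one isolated secondary VLAN per primary VLAN.
    'secondaries' maps secondary VLAN id -> 'community' | 'isolated'."""
    errors = []
    isolated = sorted(v for v, kind in secondaries.items() if kind == "isolated")
    if len(isolated) > 1:
        errors.append(f"primary {primary}: more than one isolated VLAN {isolated}")
    return errors


def demo() -> dict:
    """Constructed port layout mirroring the configuration steps on the page."""
    ports = [
        PvlanPort("Gi0/0", 50, "promiscuous"),      # mapping 50 -> 150,250
        PvlanPort("Gi0/1", 50, "community", 150),   # host-association 50 150
        PvlanPort("Gi0/2", 50, "isolated", 250),    # host-association 50 250
        PvlanPort("Gi0/3", 50, "community", 150),   # second member of community 150
        PvlanPort("Gi0/4", 50, "isolated", 250),    # second isolated host
    ]
    return reachability_matrix(ports)


if __name__ == "__main__":
    for pair, allowed in sorted(demo().items()):
        print(pair, "allowed" if allowed else "blocked")
    print(validate_association(50, {150: "community", 250: "isolated"}))
```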

How to configure PVLAN (Private VLANs)

Change the VTP mode to transparent mode.


If the VTP mode is not transparent mode, you may get an error message as shown below.
OmniSecuSW1(config)#vlan 150
OmniSecuSW1(config-vlan)#private-vlan community
%Private VLANs can only be configured when VTP is in transparent/off modes in VTP
version 1 or 2 and in server/transparent/off modes in VTP version 3 when pruning is
turned off

To change the VTP mode to transparent mode, follow these steps.


OmniSecuSW1#configure terminal
OmniSecuSW1(config)#vtp mode transparent
OmniSecuSW1(config)#exit
OmniSecuSW1#

Create Secondary and Primary PVLANs and define the type of PVLANs

To create a Secondary PVLAN and define it as Community type, follow these steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#vlan 150
OmniSecuSW1(config-vlan)#private-vlan community
OmniSecuSW1(config-vlan)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

To create a Secondary VLAN and define it as Isolated type, follow these steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#vlan 250
OmniSecuSW1(config-vlan)#private-vlan isolated
OmniSecuSW1(config-vlan)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

To create a Primary PVLAN and associate Secondary PVLANs with Primary PVLAN, follow
these steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#vlan 50
OmniSecuSW1(config-vlan)#private-vlan primary
OmniSecuSW1(config-vlan)#private-vlan association 150,250
OmniSecuSW1(config-vlan)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

Place switch ports in different PVLANs created in previous steps

To configure a port as Promiscuous port, follow these steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#switchport mode private-vlan promiscuous
OmniSecuSW1(config-if)#switchport private-vlan mapping 50 150,250
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

To configure a port as Community PVLAN port, follow these steps. Remember that we
configured PVLAN 150 as Community type in the previous steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/1
OmniSecuSW1(config-if)#switchport mode private-vlan host
OmniSecuSW1(config-if)#switchport private-vlan host-association 50 150
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

To configure a port as Isolated PVLAN port, follow these steps. Remember that we
configured PVLAN 250 as Isolated type in the previous steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/2
OmniSecuSW1(config-if)#switchport mode private-vlan host
OmniSecuSW1(config-if)#switchport private-vlan host-association 50 250
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit

Best Security practices to protect layer 2

Hardcode access ports as "switchport mode access" and trunk ports as "switchport
mode trunk".
Administratively shut down all the unused switch interfaces, using the "shutdown"
interface command. Never enable a switch port which is not in use.
Assign unused interfaces to a VLAN which is not in use.
Disable DTP on every trunk using the "switchport nonegotiate" command.
Use a VLAN which is not used for user traffic or management traffic as the native
VLAN for all trunk links.
Do not use VLAN 1 anywhere, because it is the default VLAN and the default native VLAN.
Use the port security feature to protect the switch from CAM Table Overflow attacks.
Use the BPDU Guard and Root Guard features to protect the Spanning Tree topology.
Turn on Cisco Discovery Protocol (CDP) only on interfaces facing trusted devices.
