2.8 LAN Security

LAN Security can be implemented through the use of bridging access lists, MAC address filtering, IEEE 802.1x port-based access protocol, and private VLANs.

2.8.1 Bridging Access Lists

Cisco provides two types of bridging access lists: one based on MAC addresses, and the other on Ethernet type codes. Access list numbers 700 to 799 are used for MAC address filters, while access list numbers 200 to 299 are used for Ethernet type (ethertype) filters.

2.8.1.1 Configuring MAC Address Filter

MAC addresses can be filtered at the interface level for inbound or outbound traffic. You can use the input-access-list or output-access-list keywords in the bridge-group bridge_group_number command to define the filter.

2.8.1.2 Configuring Ethernet Type Filter

Ethernet frames can be filtered by type code at the interface level for inbound or outbound traffic. You can use the input-type-list or output-type-list keywords in the bridge-group bridge_group_number command to define the filter.

2.8.2 IEEE 802.1x Port-Based Authentication

IEEE 802.1x is a port-based authentication standard that can be used on local area networks (LANs) to authenticate a user before allowing services on Ethernet, Fast Ethernet (FE), and wireless LANs (WLANs).

With 802.1x, client workstations run 802.1x client software to request services. Clients use the Extensible Authentication Protocol (EAP) to communicate with the LAN switch. The LAN switch verifies client information with the authentication server and relays the response to the client. LAN switches use a Remote Authentication Dial-In User Service (RADIUS) client to communicate with the server. The RADIUS authentication server validates the identity of the client and authorizes the client. The server uses RADIUS with EAP extensions to make the authorization decision.

You can configure IEEE 802.1x port-based authentication by enabling AAA authentication, configuring the RADIUS server parameters, and enabling 802.1x on the interface.

2.8.3 Private VLANs

Private VLANs provide isolation for ports that are configured within the private VLAN structure. You can use private VLANs when hosts on the same segment do not need to communicate with each other but do need to communicate with the same router or firewall. Private VLANs provide isolation at Layer 2 of the OSI model and consist of the following VLANs:

  • Primary VLAN, which receives frames from the promiscuous port and forwards them to ports in the primary, isolated, and community VLANs.
  • Isolated VLANs, which are secondary VLANs. All ports in an isolated VLAN can communicate only with the promiscuous port. Isolated ports cannot communicate with other isolated ports.
  • Community VLANs, which are also secondary VLANs. All ports in a community VLAN can communicate with each other and with the promiscuous port.

To configure private VLANs, you must create the primary and secondary VLANs, bind the secondary VLANs to the primary VLAN, and assign ports. The secondary VLANs are then mapped to the promiscuous port.
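The following Cisco IOS (Catalyst) configuration is an added worked example of the four steps above; it is not taken from the original text. The VLAN numbers (100 primary, 101 isolated, 102 community), interface names and descriptions are assumptions chosen for illustration.

```cisco
! Constructed example: 100 = primary, 101 = isolated, 102 = community.
! VLAN numbers, interface names and descriptions are assumptions.
! VTP transparent mode is needed on platforms running VTP version 1 or 2,
! because those versions do not propagate private VLAN information.
vtp mode transparent
!
! Step 1: create the primary and secondary VLANs
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 ! Step 2: bind the secondary VLANs to the primary VLAN
 private-vlan association 101,102
!
! Step 3: assign host ports. Isolated hosts reach only the promiscuous port;
! community hosts reach each other and the promiscuous port.
interface GigabitEthernet0/2
 description isolated host A
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet0/3
 description isolated host B (cannot reach host A at Layer 2)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet0/4
 description community host
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Step 4: map the secondary VLANs to the promiscuous port (router/firewall uplink)
interface GigabitEthernet0/1
 description uplink to router or firewall
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Verify the VLAN association and per-port membership:
! show vlan private-vlan
! show interfaces GigabitEthernet0/1 switchport
```

Traffic between the two isolated hosts must then pass through the router or firewall on the promiscuous port, where it can be filtered and logged.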