Cisco Protected Ports Tutorial with Free EVE-NG Lab !

Captions
[Music] Hello everyone, I'm Rafael and welcome to my channel, Network Engineer Pro. In today's video I'm going to show you a cool and easy way to make sure that certain hosts in the same broadcast domain or VLAN aren't able to talk to each other, so blocking inter-host communication on the same network. The feature is called protected ports and it's very similar to private VLANs but easier to implement. You'll also hear protected ports referred to as private VLAN edge. We'll take a look at the theory of how it works and why you would even use it, then we're going to hit the command line for a scenario-based configuration lab and get protected ports configured in action. If you want to follow along with me you can right now: I'm actually sharing the EVE-NG topology file and initial configs on my website, networkengineerpro.com, forward slash free labs. Don't worry, I put the link down in the description, so go download it, get it ready and let's lab together, and feel free to share it with your friends. At the end of the video, if you found those resources helpful and you want to see more, then don't forget to like, comment and subscribe. It really helps the channel grow and reach more people, and the goal is to help as many people as I can. Alright, let's get started.

Okay, so by default, when you connect hosts to a switch in the same network or VLAN, assuming that the hosts are configured properly, then they should be able to reach each other. So this human resources PC, HR1, should be able to talk to HR2 and HR3 no problem. They should also be able to reach their default gateway, like a sub-interface on a router, for example. By default, all of these ports on the switch are considered unprotected, so I'm going to put a U here on each of them. But depending on the environment, security policies may dictate that these PCs should not be allowed to talk to each other. Maybe there's sensitive material and they don't want any unauthorized file sharing between the hosts; the application they use is somewhere out on the internet in the cloud and that's the only resource they should be talking to. Let's also say, for example, that HR1 accesses something malicious out on the internet by accident. This now compromised PC, if it's able to talk to HR2 and HR3, guess what, it can spread and compromise those hosts as well. By configuring protected ports, also known as private VLAN edge, we can easily isolate these hosts from communicating with each other and limit unauthorized file sharing and limit the potential attack surface of a compromised PC.

The configuration of protected ports is really easy. Once you've identified what ports should not be able to communicate with each other, for example Gig0/1, Gig0/2 and Gig0/3, all you do under interface configuration mode, all you say is switchport protected. So if you want to make sure that HR1, HR2 and HR3 are isolated and they cannot talk to each other, that means unicast, broadcast, multicast, completely isolated from each other, then all of those ports should have switchport protected configured. Now once you do that, all of these ports are going to be now considered protected, so I'm going to put a P under them; they're all protected ports now. What about this interface here, Gig0/0 on the switch? Well, that's how they reach their default gateway over on Router 1. You don't want to configure protected there, because protected ports cannot talk to protected ports, so we'll leave that port there, Gig0/0 on the switch, unprotected, which is the default.

Now if you're trying to remember what can talk to what, let's draw it out real quick. So like I said earlier, the default for all the ports on a switch, they are unprotected. So unprotected ports are able to talk to unprotected ports, unprotected ports are able to talk to protected ports; the only combination that results in no communication between the hosts is going to be protected ports and protected ports on the same switch in the same VLAN. If for some reason this switch had a trunk link connected to another switch and a host hanging off this switch, if you were to configure protected port here and these three ports Gig0/1, 0/2 and 0/3 were protected, it's not gonna work. They are still gonna be able to communicate even though they're all configured as protected, again because protected ports is only local to the switch. So protected ports are able to talk to protected ports on two different switches. If you want protected ports to work, they need to be on the same switch.

All right, so we're finally ready for the configuration portion of this lab, and what I wanted to do was just take a moment to explain to you the EVE-NG topology file that I'm going to be sharing. Now the link to this topology file is going to be in the description of the video, so be sure to download it, get it uploaded inside of your EVE-NG virtual machine, share it with your friends and let's learn and lab together. Another cool thing is that if you put your mouse over here and you click Picture, I have a picture of the lab topology. Now you click over here where it says Lab and here is a picture of the topology with the objectives here, and what's really cool is I went ahead and mapped out the actual nodes to the icons on this picture. So all you have to do once you open up the picture is, if you want to access Router 1, just click right here in the diagram, it's going to open it up, boom, Router 1's open. Let's go ahead and do the same thing for the switch; look at that, it already opens it up in the terminal emulator that you have set up with EVE-NG. That's pretty cool. Let's go ahead and open up HR1, it opens it up. Let's do the same thing for HR2, do the same thing for HR3. Again, all you have to do is click on the picture, it's automatically mapped to the specific nodes and you have all of your nodes open here, and you can have this little window here if you want to look at the diagram as you lab.

All right, so let me close this really quick. I have three PCs here, HR1, HR2 and HR3. I'm actually using the Virtual PC Simulators that come with EVE-NG, right, the VPCSs. I could have used three routers and given them an IP address and had them act as hosts, but these are really quick to set up and they're very lightweight. They connect into a switch and the switch connects up to a router, and this Gig0/0 interface here is going to be the sub-interface that's acting as the default gateway for these three PCs. So if you look in the upper right-hand corner we have some more details about our switchport protected lab. We can see the actual IP addresses for HR1, HR2 and HR3, what ports they connect to on the switch, and we have our sub-interface Gig0/0.10 which has an IP of 10.10.10.254. All three of these PCs are in VLAN 10. Now our objective says: new security requirements for the human resources subnet. Configure switchport protected in such a way that HR1, HR2 and HR3 are unable to exchange unicast, broadcast and multicast traffic between each other. They should only be able to reach their default gateway, 10.10.10.254, on Router 1. Verify that the IP reachability requirements are met using ICMP, so ping.

So what it's telling us to do is to make sure that HR1, HR2 and HR3 cannot talk to each other. We should not be able to ping between those three PCs; those three PCs should only be able to talk to their default gateway, which is this sub-interface Gig0/0.10. Now as far as what's configured so far, just the basic device configuration: IP addresses, VLANs, things like that. But before we get started and configure switchport protected or anything, let's verify the current state of the network. Let's make sure that everything can ping each other before we even start. So on HR1, what I'm going to do is I'm going to ping HR2, I'm going to ping HR3 and I'm going to ping my default gateway to make sure that I can reach it. So 10.10.10.2, perfect, I get a response. Let me try HR3, perfect, I get a response. Let me try my default gateway, perfect, I get a response. Now we can get started.

So let's hop over on Switch 1, and what I want to do, I want to go to configuration mode, so enable, config t. Now the first interface I want to do is interface Gig0/1, and to configure switchport protected it's super easy: switchport protected, that's it. Now we haven't really done much because only one interface is configured with switchport protected, so Gig0/1 is now a protected port, it's a protected interface. Let's go ahead and configure Gig0/2. So what I'm going to do, I'm going to say interface Gig0/2, switchport protected. The last interface that I want to do is interface Gig0/3, switchport protected. Perfect.

Let's go ahead and make sure that HR1, HR2 and HR3 cannot reach each other. From HR1 I'm just going to hit the up arrow and I'm going to ping PC2. Uh oh, we have a timeout; looks like there's no reachability between HR1 and HR2. That's exactly what we want. Let me try PC3, or HR3. All right, I cannot reach HR3 as well. Let me try reaching my default gateway, that is what I am supposed to reach. Perfect, I get a response from my default gateway. So very easily we made sure that HR1, HR2 and HR3 cannot reach each other but they can reach their default gateway. We've met the objective.

Let's do a verification command to make sure that the switchport protected feature is turned on. What you can do is show interface Gig0/0, or let's do Gig0/1 in this case, switchport. You're getting a lot of information about the actual interface, and what we care about here is that the protected status says true. So if we want to kind of limit some of this output, because it is a lot, what you can do is show interface Gig0/1 switchport | include protected, or pro. There we go, the protected state is true. Let's do the same thing for Gig0/2: Gig0/2 protected is true. Let's do the same thing for 3, perfect, protected is true. Let's try Gig0/0; remember that's our uplink to our default gateway and we didn't configure switchport protected, so it should be an unprotected port. Let's verify. Perfect, protected is false. We didn't configure switchport protected on Gig0/0 and that's exactly what we want.

Alright, just for funsies, I want to show you why you want to be careful what interface you configure as protected. Remember Gig0/0 on Switch 1 is the uplink to our default gateway. You don't want to configure switchport protected there; if not, nothing is going to be able to communicate on the switch between the protected ports. Let me show you. So let me get back into the switch, I'm going to go to config t and I'm going to say interface Gig0/0, again that's our uplink to our default gateway, and I'm going to say switchport protected. Now that we've configured switchport protected, are HR1, HR2 and HR3 gonna be able to ping the default gateway? Let's find out. I can now no longer ping my default gateway. Let's try from HR2: HR2 cannot ping its default gateway. Let's try from HR3: HR3 can also not ping its default gateway. That is because we accidentally configured the uplink as switchport protected. You don't want to do this, so let's go ahead and remove it: no switchport protected. And let's run our pings again. Perfect, I have a response from HR3 to the default gateway. Let's try HR2, perfect, that's looking good, and let's try from HR1 again, that's looking great. So you want to be careful and, you know, plan what interfaces you don't want to talk to each other and what interfaces need to. So that's a really cool and easy way to make sure that these hosts on the same switch in the same VLAN are isolated from each other.

Okay, so that's it for configuring protected ports on Cisco switches. That was pretty easy, right? We saw how to get it configured with the switchport protected command under interface configuration mode, as well as how to verify using show interface switchport. I hope you found this video helpful and learned something. If you did, don't forget to like the video, comment and subscribe. That's all for now. Thanks everyone, have a great day and lab on.
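As an added example that is not part of the video or its lab files: a small Python audit that parses a constructed IOS-style running-config (the interface names, descriptions and VLAN are assumptions modelled on the lab) and flags the two mistakes the video walks through, a host port left without `switchport protected` and an uplink that was given it by accident.

```python
"""Audit a Cisco IOS running-config for protected-port (private VLAN edge) intent."""
import re

# Constructed sample running-config modelled on the lab; not captured from a real switch.
# Gig0/3 is deliberately left unprotected so the audit has something to report.
RUNNING_CONFIG = """\
!
interface GigabitEthernet0/0
 description Uplink to R1 (default gateway 10.10.10.254)
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/1
 description HR1
 switchport access vlan 10
 switchport protected
!
interface GigabitEthernet0/2
 description HR2
 switchport access vlan 10
 switchport protected
!
interface GigabitEthernet0/3
 description HR3
 switchport access vlan 10
!
"""

def parse_interfaces(config):
    """Return {interface name: set of its indented config lines}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = set()
        elif current and line.startswith(" "):
            ifaces[current].add(line.strip())
        elif line.strip() == "!":
            current = None  # stanza terminator
    return ifaces

def audit_protected_ports(config, host_ports, uplink_ports):
    """Findings: host ports missing 'switchport protected' (they can still reach the other
    hosts in the VLAN) and uplinks carrying it (protected hosts lose their gateway)."""
    ifaces = parse_interfaces(config)
    findings = []
    for name in host_ports:
        if "switchport protected" not in ifaces.get(name, set()):
            findings.append(f"{name}: host port is unprotected; it can still reach other hosts in the VLAN")
    for name in uplink_ports:
        if "switchport protected" in ifaces.get(name, set()):
            findings.append(f"{name}: uplink is protected; protected hosts will lose their gateway")
    return findings
```

The check is per switch only, matching the video's caveat: protected ports on different switches joined by a trunk still talk to each other, so each switch's config has to be audited on its own.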
Info
Channel: Network Engineer Pro
Views: 191
Keywords: switch port isolation in the same vlan, protect ports training, Private VLAN Edge, how to use protected ports, cisco routing and switching tutorial, implementing protected ports, Private VLAN Edge training, PVLAN edge tutorial, Cisco, CCNA, CCNP, Cisco protected port, what is cisco catalyst switch, cisco protected port example, cisco protected port trunk, protected port on cisco catalyst switch, cisco protected port vs private vlan, protected port in cisco, ccna, ccnp, ccie, PVLAN edg
Id: 8CwAJOUHaUY
Length: 13min 24sec (804 seconds)
Published: Sun Oct 03 2021