Simplest form of PRIVATE--VLAN

    Private-Vlans :-

 Private-vlan is an important security related concept.


Private-vlan --

|
|
|---Primary Vlan - There will be one primary for every secondary vlan. All secondary                                                       vlan  can communicate  with the primary vlan.
|
|---Secondary Vlan - Every Secondary vlan will communicate with only primary vlan.                                                    No two secondary vlan will communicate with each other.                                   
                      


                                   Types of secondary vlans 
                                                  |
                                                  |
                                             /        \
                                         /               \
              Community Vlan               Isolated Vlan
All pc's with in community vlan      All pc's with in isolated vlan 
will communicate each other.             will not communicate with each other    
       

Private Vlan's Configuration with every command explanation :-

# Vtp mode transparent ( Private-vlan will work only in this mode of vtp )

# vlan 10

# private-vlan community  à making vlan 10 as community vlan

# exit

# vlan 20

# private-vlan isolated à making vlan 20 as isolated vlan

# exit

# vlan 100

# private-vlan primary à making vlan 100 as primary

# private-vlan association 10,20 à associating 10,20 ( secondary vlan           

# exit                                                                                to primary )

# int range f 0/1 -2

# switchport mode private-vlan host à making the port access mode

# sw private-vlan host-association 100 10 à putting the port into specific vlan , first the primary and                                                                                   then the secondary vlan

#exit 

# int range f 0/3-4

# switchport mode private-vlan host

# sw private-vlan host-association 100 20

# exit

# int f 0/5 à interface where router/ server is connected

# switchport mode private-vlan promiscuous à making port as trunk

# switchport private-vlan mapping  100 10,20 à which vlan’s to be allowed from promiscuous port ,                                                                                 ( first primary then secondary )

# exit

To verify

#show vlan private-vlan

Primary Secondary Type              Ports

-------      --------        ---------           -----------------------------------------

100        10                community    fa 0/5, fa0/1, fa 0/2       

100        20                isolate            fa0/5, fa0/3, fa 0/4

   

  

FTP and DNS

   What are the modes of FTP? 

A)  File Transfer Protocol, we use ftp in the process of transferring file from one device to the other.

On any system we can simply install FTP server software and it starts working like a FTP server. In terms of networking we use it for downloading or uploading the ios images from the routers mostly ( Not a very prominent use of ftp ).  Very effective between the transfer of files between the Server and Client. 

   There are two types of FTP.

Passive FTP: - In passive mode, the client establishes both channels (Data and control). In that case, the server tells the client which port should be used for the data channel.

Active FTP: - In active mode, the client establishes the control channel but the server establishes the data channel.

   What are the ports of DNS?


  Domain Name Server.

  DNS server is normally user to convert the IP-ADDRESS into NAME, and vice versa. 
 
    DNS use Port TCP & UDP 53.

  UDP/53 is used when a host or a router wants to resolve a domain name to an IP address (or vice versa).

  TCP/53 is used between two DNS servers when they want to sync or share their databases. Or If the size of the response message is more than 512 bytes, a TCP connection is used.

An example of DNS Lookups

IP - SEC

IP- Sec is the most used tunnel in creating the VPn site-to-site tunnel.

IKE - ( Internet Key Exchange Protocol )

  

Internet key Exchange 

• It automates the negotiations process of the S.A.
• Dead Peer Detection : Hello Timer 10 Sec.

In Which two major protocols are involved - 1) Isakmp 2) DH - Group

ISAKMP -  ( Internet Security Association and Key Management Protocol )

• This protocol is used for the exchange of the POLICY and Transform Set's, S.A related to the IpSec tunnel formation.

DH-GROUP - ( Deffie Hellman Algorithum )

Used for the Exchange of the PASSWORD'S between two devices to establish  a  shared secret  over an unsecured communication like isakmp for IPSEC.

DH consists of the following options:

• D-H Group 1 — 768-bit DH Group.
• D-H Group 2 — 1024-bit DH Group. This group provides more security than group 1, but requires more processing time.
• D-H Group 5 — 1536-bit DH Group. This group provides more security than group 2, but requires more processing time.

Hashing -

A process of date integrity with out the process of encryption. It makes sure that the date is not tampered till it is delivered to the destination by generating and verifying the HMAC values.

Which supports two types of protocols : MD5 and SHA.

Encryption -

A process of converting simple clear text into ----> cypher text ( which is not understandable by humans )

Used for the protection of the data.

Algorithms used are DES, 3DES, AES

Des -

3DES-

AES - 

ESP -  ( Encapsulation Security Payload )

Esp supports Encryption, Hashing, Authentication, Encapsulation and Optional Anti replay

AH - ( Authentication Header )

Ah supports Hashing, Authentication, Encapsulation and Optional Anti replay.

The only difference between ESP and AH is encryption process.

Two basic modes 1) Tunnel Mode 2) Transport Mode

Tunnel mode is used between TWO sites , where the encapsulation will take place ( adding a new header )

Transport mode is used with in the site, where there is no encapsulation.