This chapter covers the following topics that you need to master for the CCNP BCMSN exam:
Traditionally, traffic has been filtered only at router boundaries, where packets naturally are inspected before forwarding. The same is true within Catalyst switches, because access lists can be applied as part of multilayer switching. Catalysts also can filter packets even when those packets stay within the same VLAN; VLAN access control lists, or VACLs, provide this capability.

Catalyst switches also have the capability to logically divide a single VLAN into multiple partitions. Each partition can be isolated from the others while all of them share a common IP subnet and a common gateway address. Private VLANs make it possible to offer a single VLAN to many disparate customers or organizations without any interaction between them.

VLAN trunks commonly are used on links between switches to carry data from multiple VLANs. If the switches are all under the same administrative control, it is easy to become complacent about the security of the trunks. A few known attacks can be used to gain access to the VLANs that are carried over trunk links. Therefore, network administrators should be aware of the steps that can be taken to prevent such attacks.

Finally, switch ports must be monitored at times for troubleshooting purposes. Catalyst switches can mirror switch ports or VLANs onto other ports so that a network-analysis device can capture or "listen in" on interesting traffic within the switch. The Switch Port Analysis (SPAN) feature can mirror ports on the same switch or across a switched network to a remote switch.
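As an added illustration that is not part of the chapter text, the following Cisco IOS configuration shows the kind of trunk hardening the chapter alludes to: trunking is set explicitly rather than negotiated, the carried VLANs are restricted, and an unused native VLAN is chosen; interface names and VLAN numbers are assumed.

```cisco
! Added example, not from the chapter text. Interface names and VLAN
! numbers are assumed for illustration.
!
! Trunk to another switch: set the mode explicitly, disable DTP
! negotiation so the port cannot be talked into (or out of) trunking,
! restrict the VLANs carried, and use an otherwise unused native VLAN so
! untagged frames cannot land in a production VLAN.
interface GigabitEthernet0/1
 description Uplink to distribution switch
 switchport trunk encapsulation dot1q   ! omit on 802.1Q-only platforms
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
!
! End-user access port: pin it to a single VLAN and refuse DTP so it
! can never become a trunk.
interface FastEthernet0/10
 description User port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Verification: the trunk should report mode "on", native VLAN 999 and
! only the allowed VLANs; the user port should report operational mode
! "static access" with negotiation of trunking "Off".
! show interfaces GigabitEthernet0/1 trunk
! show interfaces FastEthernet0/10 switchport
```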