Foundation Summary


The Foundation Summary is a collection of information that provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this information will hopefully be a convenient way to review the day before the exam.

  • VLAN Access Lists (VACLs) can control packets that are bridged, switched, or routed. VACLs are effective on packets that stay within a single VLAN.

    Table 18-2. VLAN ACL Configuration Commands

    Task                         Command Syntax
    ---------------------------  --------------
    Define a VACL                vlan access-map map-name [sequence-number]
    Define a matching condition  match {ip address {acl-number | acl-name}} | {ipx address {acl-number | acl-name}} | {mac address acl-name}
    Define an action             action {drop | forward [capture] | redirect interface type mod/num}
    Apply the VACL to VLANs      vlan filter map-name vlan-list vlan-list


  • Private VLANs provide special unidirectional relationships between entities on a single VLAN.

  • Private VLANs are implemented as primary and secondary VLANs.

  • Primary VLANs allow hosts to communicate with any other type of private (secondary) VLAN.

  • Secondary VLANs allow hosts to communicate with ports on a primary VLAN but not with other secondary VLANs.

  • Secondary VLANs are categorized as follows:

    - Isolated VLAN: Hosts can communicate only with the primary VLAN, not any other isolated port or secondary VLAN.

    - Community VLAN: Hosts can communicate with the primary VLAN and other hosts in the community VLAN but not with any other isolated or community VLAN.

  • Secondary VLANs must be associated with one primary VLAN.

  • You can configure switch ports using private VLANs, as follows:

    - Promiscuous: Usually connects to a router, firewall, or gateway device; this type of port can communicate with any other type of private VLAN.

    - Host: Usually connects to regular hosts; this type of port can communicate with a promiscuous port or ports on the same community VLAN.

    Table 18-3. Private VLAN Configuration Commands

    Task                                                       Command Syntax
    ---------------------------------------------------------  --------------
    Define a secondary VLAN                                    vlan vlan-id
                                                               private-vlan {isolated | community}
    Define a primary VLAN; associate it with secondary VLANs   vlan vlan-id
                                                               private-vlan primary
                                                               private-vlan association {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
    Associate ports with private VLANs                         switchport mode private-vlan {host | promiscuous}
    Associate nonpromiscuous ports with private VLANs          switchport private-vlan host-association primary-vlan-id secondary-vlan-id
    Associate promiscuous ports with private VLANs             switchport private-vlan mapping {primary-vlan-id} {secondary-vlan-list} | {add secondary-vlan-list} | {remove secondary-vlan-list}
    Associate secondary VLANs with a primary VLAN Layer 3 SVI  private-vlan mapping {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
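
The commands in Table 18-3 put together in the order they are applied, as an added example that is not from the book. The VLAN IDs (100, 10, 20) and the interface names are constructed assumptions; lines beginning with ! are comments.

```cisco
! Secondary VLANs are defined first (constructed VLAN IDs)
vlan 10
 private-vlan community
vlan 20
 private-vlan isolated
!
! Primary VLAN, associated with both secondary VLANs
vlan 100
 private-vlan primary
 private-vlan association 10,20
!
! Host port in community VLAN 10: reaches the promiscuous port
! and other ports in community VLAN 10
interface FastEthernet1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 10
!
! Host port in isolated VLAN 20: reaches only the promiscuous port
interface FastEthernet1/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 20
!
! Promiscuous port toward the router, firewall, or gateway:
! mapped to the primary VLAN and every secondary VLAN it must reach
interface FastEthernet2/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 10,20
!
! Layer 3 SVI for the primary VLAN, mapped to the secondary VLANs
interface Vlan100
 private-vlan mapping 10,20
```

A secondary VLAN left out of the promiscuous port mapping or the SVI mapping cannot reach that port or interface, so both lists should be checked against the association on the primary VLAN.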


  • Switch port monitoring can monitor or capture interesting traffic on a Catalyst switch.

  • Local SPAN copies frames from a source to a destination port on the local switch.

  • VLAN SPAN (VSPAN) copies frames from a source VLAN to a destination port on the local switch.

  • Remote SPAN (RSPAN) copies frames from a source on one switch to a destination on another switch. Frames are carried over a special RSPAN VLAN across intermediate switches and trunks.

Table 18-4. Local or VLAN SPAN Commands

Task                                   Command Syntax
-------------------------------------  --------------
Identify a SPAN session source         monitor session session source {interface type | vlan vlan-id} [rx | tx | both]
Identify a SPAN session destination    monitor session session destination {{interface type mod/num} | {vlan vlan-id} | {analysis-module slot-number} | {data-port port-number}}
Filter VLANs from a SPAN source trunk  monitor session session-number filter vlan vlan-range
Remove a SPAN session                  no monitor session {{range session-range} | local | all | session}


Table 18-5. RSPAN Commands

Task                                                                          Command Syntax
----------------------------------------------------------------------------  --------------
Define an RSPAN VLAN for transport (all switches from source to destination)  vlan vlan-id
                                                                              remote-span
Source switch: Identify the RSPAN source and destination                      monitor session session source {interface type mod/num | vlan vlan-id} [rx | tx | both]
                                                                              monitor session session destination remote vlan rspan-vlan-id
Destination switch: Identify the RSPAN source and destination                 monitor session session source remote vlan rspan-vlan-id
                                                                              monitor session session destination {interface type mod/num | vlan vlan-id}




CCNP Self-Study(c) CCNP BCMSN Exam Certification Guide
Year: 2003