Using SPAN feature
The Switch Port Analyzer (SPAN) feature can be configured so that a copy of the traffic destined for another port is also sent out the SPAN destination port, allowing an attached IDS sensor to capture a copy of that traffic, as illustrated below:
monitor session 1 source interface gigabitethernet0/2
monitor session 1 destination interface gigabitethernet0/3
Cisco Catalyst switches also support the Remote SPAN (RSPAN) feature, which allows the SPAN destination port to be configured on a different switch.
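The following is an added example of the RSPAN setup described above; it is not configuration from the original page. It assumes VLAN 900 is reserved as the RSPAN VLAN, that GigabitEthernet0/2 on the source switch is the monitored port, that GigabitEthernet0/3 on the destination switch connects to the IDS sensor, and that VLAN 900 is allowed on the trunk between the two switches.

```cisco
! ---- Source switch: mirror gi0/2 into the RSPAN VLAN ----
vlan 900
 remote-span                                   ! marks VLAN 900 as the RSPAN transport VLAN (assumed ID)
!
monitor session 1 source interface GigabitEthernet0/2
monitor session 1 destination remote vlan 900

! ---- Destination switch: pull the RSPAN VLAN out to the sensor port ----
vlan 900
 remote-span                                   ! the same RSPAN VLAN must be declared on every switch in the path
!
monitor session 1 source remote vlan 900
monitor session 1 destination interface GigabitEthernet0/3
```

Verify each side with "show monitor session 1". The RSPAN VLAN carries only mirrored frames and learns no MAC addresses, so keep it dedicated to this purpose and make sure trunks between the switches actually carry it, otherwise the sensor sees nothing.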
VLAN Access Control List (VACL)
We can filter inter-VLAN traffic with a VLAN access control list (VACL). Here is a configuration example:
access-list 100 permit tcp any host 10.1.1.1 eq 80 (permits HTTP to host 10.1.1.1; all other traffic falls through to the access map's implicit deny and is dropped)
vlan access-map ALLOWHTTP 10 (for sequence number 10, the action is to forward traffic matching the ACL above)
 match ip address 100
 action forward
vlan filter ALLOWHTTP vlan-list 5-10 (the VACL is applied to VLANs 5 through 10)
Isolating traffic within a VLAN using Private VLAN
Another way to provide traffic control within a VLAN is the use of private VLANs (PVLANs). A PVLAN domain has a single primary VLAN. Additionally, the PVLAN domain contains secondary VLANs that provide isolation between ports in the domain. PVLAN ports fall into one of three categories:
- Promiscuous ports: can communicate with all other PVLAN ports.
- Isolated ports: can communicate only with promiscuous ports.
- Community ports: can communicate with other ports in their community and also with promiscuous ports.
vtp mode transparent (required: private VLANs can only be configured while VTP is in transparent mode, so be careful)
 private-vlan community (entered in VLAN configuration mode for the secondary VLAN, declaring it a community VLAN)
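The following is an added, complete PVLAN configuration illustrating all three port types described above; it is not configuration from the original page. The VLAN numbers (200 primary, 201 isolated, 202 community) and interface names are assumptions chosen for the example.

```cisco
vtp mode transparent                            ! required before any private-vlan command is accepted
!
vlan 200
 private-vlan primary                           ! the single primary VLAN of the domain (assumed ID)
 private-vlan association 201,202               ! bind both secondary VLANs to it
!
vlan 201
 private-vlan isolated                          ! isolated ports: reach promiscuous ports only
!
vlan 202
 private-vlan community                         ! community ports: reach each other and promiscuous ports
!
interface GigabitEthernet0/1
 description uplink to default gateway (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202    ! promiscuous port may talk to every secondary VLAN
!
interface GigabitEthernet0/2
 description isolated host, e.g. a web server that must not see its neighbours
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
interface GigabitEthernet0/3
 description community host A
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
interface GigabitEthernet0/4
 description community host B
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
```

Check the result with "show vlan private-vlan" and "show interfaces switchport". One caveat worth planning for: the isolation is a Layer 2 property only, so two isolated hosts can still reach each other by routing through the gateway behind the promiscuous port. If that is not wanted, add an ACL on the gateway's interface that denies traffic sourced from the PVLAN subnet and destined to the same subnet.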