Network & Security Engineering
  • My Training Course
  • Network Engineering
    • CompTIA Network+
      • OSI Model: Layers 1-7 (Functions & Devices)
      • TCP/IP Model: Layers & Protocols
      • Encapsulation & De-encapsulation Process in Networking
      • Star, Mesh, Bus, Ring, Hybrid
      • LAN, WAN, WLAN, MAN, CAN, PAN
      • IPv4 Addressing & Classes
      • CIDR Notation & Subnet Masks
      • Private vs. Public IPs
      • Common TCP & UDP Ports
      • Twisted Pair (CAT5e, CAT6, CAT7, etc.)
      • Fiber Optic Cables
      • Ethernet Frame Structure
      • Switches
      • Router
      • Traceroute Test
      • Setting Up a Wireless Network in Cisco Packet Tracer
    • CCNA
      • Cisco Systems History
      • Cisco Certification Roadmap
      • Cisco Router Port Naming
      • Configuring Hostname, Passwords, and Banners in GNS3
      • Setting Router Clocks in Cisco Devices
      • Assigning IP Addresses to Interfaces
      • How to Back Up and Restore Router Configurations with TFTP
      • SSH Configuration on a Cisco Router
      • Configuring Static Routes on Routers
      • Configuring RIP v2 and Verifying Routes
      • Configuring EIGRP
      • Implementing Single-Area OSPF
      • Implementing Multiple OSPF Areas
      • Troubleshooting with show ip route
      • Configuring Standard ACLs in Cisco Routers
      • Getting Internet in GNS3 using a Cisco Router
      • Securing Remote Management and Disabling Unnecessary Services
      • Setting up a DHCP Server on a Cisco Router
      • Creating VLANs and Assigning Ports
      • Blackhole VLAN
      • Configuring 802.1Q Trunking
      • Configuring SSH on a Cisco Switch
      • Configuring Router-on-a-stick (ROAS) for VLANs
      • Setting up Syslog for Network Monitoring
      • Serial Point-to-Point Overview
      • Point-to-Multipoint OSPF in Metro Ethernet WAN Network
      • Frame Relay Configuration
    • CCNP
      • OSPF Single Area Configuration
      • OSPF Multi-Area Configuration
    • GNS3
      • About GNS3
      • GNS3 Architecture
      • Windows Installation
      • Linux Installation
      • Cisco IOS images for Dynamips
      • Add Router IOS Image in GNS3
      • Add a Virtual Machine in GNS3
      • Upgrade The GNS3 VM
      • L2 Switching Simulation
      • L3 switching Simulation
      • Lab 01 : Connect 2 PCs
      • Lab 02 : Configuring Ethernet and Serial Interfaces
      • Lab 03 : Basic switch setup
      • Lab 04 : Basic router setup
      • Lab 05 : Connect Router to Cloud in GNS3
      • Lab 06 : Router Remote Access via Telnet
      • Lab 07 : Configure Static Route in GNS3
      • Lab 08 : Syslog Server for Cisco Router in GNS3
      • Lab 09 : DHCP configuration in GNS3
      • Lab 10 : PPP Configuration
      • Lab 11 : Configuring Switch Security Features
    • MTCNA
      • Module 1 : Introduction
        • History
        • Cisco vs. MikroTik
        • Training Programs
        • MikroTik RouterOS
        • MikroTik RouterBOARD
        • Product Categories
        • Product Naming
        • First Time Access
        • Winbox
        • Default Configuration
        • Neighbor Discovery
        • Command Line Interface
        • Router Identity
        • Upgrading RouterOS
        • Package Management
        • Users and Services
        • Reset Configuration
        • RouterOS Licensing
      • Module 2 : DHCP
        • Overview of DHCP
        • DHCP Client
        • DHCP Server
        • RouterOS ARP table
      • Module 3 : Bridging
        • OSI Model
        • Overview of Bridging
      • Module 4 : Routing
        • IP Addressing
        • Routing Concepts
        • Static routing
      • Module 5 : Wireless
        • Basics of Radio Waves
        • Wireless Agencies
        • 802.11a/b/g/n/ac Concepts
        • Setup a simple wireless link
        • Link Budget Calculation
        • Wireless Network Topologies
        • 2.4 GHz Band
        • 5 GHz Band
      • Module 6 : Firewall
        • Firewall Principles
        • Firewall (Input Chain)
      • Module 7 : QoS
        • Quality of Service
  • Network Administrator
    • Linux Commands
      • The ls command
      • The cd command
      • The cat command
      • The head command
      • The tail command
      • The pwd command
      • The touch Command
      • The cal Command
      • The uname command
      • The mkdir command
      • The gzip command
      • The who command
      • The man command
      • The passwd command
      • The w command
      • The whoami command
      • The cp command
    • Windows Server 2012
      • Windows Server 2012 - Home
      • Installation
      • Server Roles
      • PowerShell
      • Windows Firewall
      • Remote Desktop Management
      • Resource Monitor
      • Active Directory
      • Group Policy Overview
      • DC Accounts
      • DHCP Role
      • DNS Role
      • Primary Zones
      • Manage Records
      • IIS Overview
      • IIS Security
      • Sharing of Files
      • Print Server
    • VMware Workstation
      • Install VMware Workstation on Windows
      • Customize Network Settings in VMware Workstation
      • Install VMware Tools on Windows and Windows Server VMs
      • Configure Autologin for a Windows VM on VMware Workstation
      • Lab 01 - Install Windows 7 on a VMware Workstation
      • Lab 02 - Install CentOS 8 on a VMware Workstation
      • Lab 03 - Install Kali Linux on VMware Workstation
      • Lab 04 - Install The Mikrotik CHR On VMware Workstation​
      • Lab 05 - Install Ubuntu in VMware Workstation
      • Lab 06 - Installing GNS3 VM on VMware Workstation
      • Lab 07 - Install Windows Server 2012 R2 on VMWare Workstation
      • Lab 08 - Install Windows 10 in VMware Workstation
    • LPIC-1
      • 101.1 Determine and configure hardware settings
  • Security Engineering
    • Practical Packet Analysis
      • Network Traffic Analysis with Wireshark in GNS3
      • Echo Requests and Responses
      • Dynamic Host Configuration Protocol
      • Cisco Discovery Protocol
      • Routing Information Protocol
    • PRTG Network Monitoring
      • Overview of PRTG Network Monitor
      • Internet Uptime/Availability Monitoring
      • Configuring SNMP v2 on Cisco Devices
    • Classical Ciphers
      • Caesar Cipher
      • Atbash Cipher
      • Vigenère Cipher
      • Affine Cipher
      • Hill Cipher
      • Rail Fence Cipher
      • Scytale Cipher
      • Bacon's Cipher
      • Beaufort Cipher
      • ROT13
      • Gronsfeld Cipher
  • Web Development
    • HTML
      • What is HTML?
      • Basic HTML Structure
      • Headings and Paragraphs
      • Text Formatting Tags
      • Working with Links
      • Adding Images to a Webpage
      • Embedding Videos and Audio
      • Creating Lists
      • Building Tables
      • HTML Forms
Powered by GitBook
On this page
  • Step 1: Understanding Blackhole VLAN
  • Step 2: Practical Scenario
  • Step 3: Lab Configuration on Cisco Switch
  • Step 4: Assign Unused Ports to Blackhole VLAN
  • Step 5: Ensure VLAN 999 is Not Routed
  • Step 6: Verify and Test Configuration
  • Step 7: Summary
  • Keywords
  1. Network Engineering
  2. CCNA

Blackhole VLAN

Nerd Cafe

A Blackhole VLAN is a security measure used in network environments to isolate unused switch ports and prevent unauthorized access or malicious attacks. This VLAN ensures that no traffic from those ports reaches the rest of the network.

Step 1: Understanding Blackhole VLAN

What is a Blackhole VLAN?

  • A VLAN (Virtual LAN) used to isolate unused switch ports.

  • Prevents unauthorized devices from connecting and accessing network resources.

  • Configured on access ports to drop all traffic.

  • No Layer 3 (IP) interface is assigned to this VLAN.

Step 2: Practical Scenario

Company Network Setup:

  • A company has a Layer 2 switch with several unused ports.

  • Some employees try to plug in personal devices into those ports.

  • The network administrator wants to ensure that any unauthorized connection is blocked using a Blackhole VLAN.

Step 3: Lab Configuration on Cisco Switch

Step 3.1: Create the Blackhole VLAN

  • Connect to the switch via CLI (Command Line Interface).

  • Enter privileged EXEC mode:

Switch>enable 
Switch#

  • Enter global configuration mode:

Switch#configure terminal 
Switch(config)#

  • Create a VLAN (e.g., VLAN 999 as Blackhole VLAN):

Switch(config)#vlan 999
Switch(config-vlan)#name Blackhole_VLAN

Step 4: Assign Unused Ports to Blackhole VLAN

  • Identify unused switch ports (e.g., FastEthernet 0/3 to 0/24).

  • Assign these ports to VLAN 999:

Switch(config)#interface range fastEthernet 0/3-24
Switch(config-if-range)#switchport mode access 
Switch(config-if-range)#switchport access vlan 999
Switch(config-if-range)#shutdown

  • This ensures that no traffic from these ports can access the network.

  • Shutting down the ports adds an extra layer of security.

Step 5: Ensure VLAN 999 is Not Routed

  • Verify VLAN 999 does not have an SVI (Switched Virtual Interface):

Switch#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
 
FastEthernet0/1        unassigned      YES manual up                    up
 
FastEthernet0/2        unassigned      YES manual up                    up
 
FastEthernet0/3        unassigned      YES manual administratively down down
 
FastEthernet0/4        unassigned      YES manual administratively down down
 
FastEthernet0/5        unassigned      YES manual administratively down down
 
FastEthernet0/6        unassigned      YES manual administratively down down
 
FastEthernet0/7        unassigned      YES manual administratively down down
 
FastEthernet0/8        unassigned      YES manual administratively down down
 
FastEthernet0/9        unassigned      YES manual administratively down down
 
FastEthernet0/10       unassigned      YES manual administratively down down
 
FastEthernet0/11       unassigned      YES manual administratively down down
 
FastEthernet0/12       unassigned      YES manual administratively down down
 
FastEthernet0/13       unassigned      YES manual administratively down down
 
FastEthernet0/14       unassigned      YES manual administratively down down
 
FastEthernet0/15       unassigned      YES manual administratively down down
 
FastEthernet0/16       unassigned      YES manual administratively down down
 
FastEthernet0/17       unassigned      YES manual administratively down down
 
FastEthernet0/18       unassigned      YES manual administratively down down
 
FastEthernet0/19       unassigned      YES manual administratively down down
 
FastEthernet0/20       unassigned      YES manual administratively down down
 
FastEthernet0/21       unassigned      YES manual administratively down down
 
FastEthernet0/22       unassigned      YES manual administratively down down
 
FastEthernet0/23       unassigned      YES manual administratively down down
 
FastEthernet0/24       unassigned      YES manual administratively down down
 
Vlan1                  unassigned      YES manual administratively down down
Switch#

  • If an SVI exists for VLAN 999, remove it:

Switch(config)#interface vlan 999
Switch(config-if)#no ip address 
Switch(config-if)#shutdown 
Switch(config-if)#exit
Switch(config)#

Step 6: Verify and Test Configuration

Verify VLAN Assignment

Check VLAN 999 and assigned ports:

Switch#show vlan brief 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2
999  Blackhole_VLAN                   active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active    
Switch#

Test Port Behavior

  1. Plug a PC into one of the blackholed ports (Fa0/10).

  2. Assign a static IP to the PC (e.g., 192.168.1.10).

  3. Try pinging other network devices – it should fail.

Step 7: Summary

  • Blackhole VLANs secure unused ports by isolating them.

  • Assigning unused ports to VLAN 999 ensures no traffic passes.

  • Shutting down ports adds extra protection.

  • No Layer 3 routing prevents communication in the blackhole VLAN.

Keywords

Blackhole VLAN, VLAN security, unused ports, Cisco switch, VLAN 999, network isolation, access ports, unauthorized access, Layer 2 security, switch configuration, port shutdown, BPDU Guard, spanning tree, VLAN assignment, port security, network protection, CLI commands, switchport mode access, show vlan brief, VLAN best practices, سیسکو

PreviousCreating VLANs and Assigning PortsNextConfiguring 802.1Q Trunking

Last updated 1 month ago