Thursday, June 12, 2014

CCNA v5.0 module 2, Chapter 3 - VLANs

Performance = productivity
Performance = separation of large broadcast domains into smaller ones.
The role of the router is not to provide end-station access; that is where the Layer 2 switch and VLANs come in.

1.   VLAN Segmentation
1.1  Vlan Definition:
Within a switched internetwork, VLANs provide segmentation and organizational flexibility.
VLANs are based on logical connections, instead of physical connections.
VLANs enable the implementation of access and security policies according to specific groupings of users. Each switch port can be assigned to only one VLAN (with the exception of a port connected to an IP phone or to another switch).

1.2  Benefits of VLANs
·      Improved security: sensitive data is kept in a separate group.
·      Reduced cost: fewer nodes and more efficient use of existing bandwidth and uplinks.
·      Better performance: smaller broadcast domains reduce unnecessary traffic and boost performance.
·      Smaller broadcast domains
·      IT efficiency: VLANs make it easier to manage the network and to identify the function of each VLAN.
·      Management efficiency: VLANs aggregate users and network devices to support business or geographic requirements.

Each VLAN in a switched network corresponds to an IP network; therefore, VLAN design must take into consideration the implementation of a hierarchical network-addressing scheme.
Example: VLAN 33, 172.17.33.0/24

1.3  Types of VLANs (defined by traffic class or the specific function they serve)
·      Data VLAN: configured to carry user-generated traffic; it is common practice to keep voice and management traffic out of it. Also called a user VLAN.
·      Default VLAN: all switch ports belong to the default VLAN in the default configuration (VLAN 1).
·      Native VLAN: assigned to an 802.1Q trunk port. The trunk carries tagged traffic for the other VLANs; untagged traffic is placed on the native VLAN, which is VLAN 1 by default.
·      Management VLAN: to create the management VLAN, the switch virtual interface (SVI) of that VLAN is assigned an IP address and subnet mask, allowing the switch to be managed via HTTP, Telnet, SSH, or SNMP. VLAN 1 is a bad choice for this. On 15.x versions of Cisco IOS for Catalyst 2960 Series switches, it is possible to have more than one active SVI; having more than one management VLAN increases exposure to network attacks.

1.4  Voice VLAN
A separate VLAN is needed to support Voice over IP (VoIP). VoIP traffic requires:  
·      Assured bandwidth to ensure voice quality  
·      Transmission priority over other types of network traffic  
·      Ability to be routed around congested areas on the network     
·      Delay of less than 150 ms across the network

2.     VLANs in a Multi-Switched Environment
2.1  VLAN Trunks
A VLAN trunk, or trunk, is a point-to-point link between two network devices that carries more than one VLAN. A VLAN trunk extends VLANs across an entire network.
Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces.
A VLAN trunk does not belong to a specific VLAN.
VLAN trunk <---> any other device equipped with an appropriate 802.1Q-capable NIC


2.2  Tagging Ethernet Frames for VLAN Identification
Catalyst 2960 Series switches are Layer 2 devices. They use the Ethernet frame header information to forward packets. They do not have routing tables.
A VLAN tag is inserted into the standard Ethernet frame when the frame is placed on a trunk.

This process, called tagging, is accomplished by using the IEEE 802.1Q header, specified in the IEEE 802.1Q standard. The 802.1Q header includes a 4-byte tag inserted within the original Ethernet frame header, specifying the VLAN to which the frame belongs.

VLAN tag field details: the VLAN tag field consists of a Type field, a Priority field, a Canonical Format Identifier field, and a VLAN ID field:
·      Type - A 2-byte value called the tag protocol ID (TPID). For Ethernet, it is set to hexadecimal 0x8100.
·      User priority - A 3-bit value that supports level-of-service implementation.
·      Canonical Format Identifier (CFI) - A 1-bit identifier that enables Token Ring frames to be carried across Ethernet links.
·      VLAN ID (VID) - A 12-bit VLAN identification number that supports up to 4096 VLAN IDs.

After the switch inserts the Type and tag control information fields, it recalculates the FCS values and inserts the new FCS into the frame.
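As an added illustration (not part of the original notes), the tag insertion, field parsing and FCS recalculation described above, written in Python; the MAC addresses and payload are constructed sample values:

```python
# Added example: build, tag, parse and untag an 802.1Q frame, recomputing the
# FCS after each change the way a switch does.
import struct
import zlib

TPID_8021Q = 0x8100  # tag protocol ID for Ethernet, as given in the notes

def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over dst..payload, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame: dst MAC, src MAC, EtherType, payload, FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)

def tag_frame(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Insert the 4-byte tag after the source MAC and recompute the FCS."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and cfi in (0, 1)):
        raise ValueError("invalid tag field")
    tci = (pcp << 13) | (cfi << 12) | vid      # 3-bit priority, 1-bit CFI, 12-bit VID
    tag = struct.pack("!HH", TPID_8021Q, tci)
    body = frame[:12] + tag + frame[12:-4]     # the old FCS is discarded
    return body + fcs(body)

def parse_tag(frame: bytes):
    """Return (pcp, cfi, vid, ethertype, payload) for a tagged frame, None if untagged.
    The FCS is checked first so a corrupted tag is rejected rather than trusted."""
    if fcs(frame[:-4]) != frame[-4:]:
        raise ValueError("bad FCS")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    ethertype = struct.unpack("!H", frame[16:18])[0]
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF, ethertype, frame[18:-4]

def untag_frame(frame: bytes) -> bytes:
    """Strip the tag, as the switch does before sending the frame out an access port."""
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)

# Constructed sample: broadcast to a locally administered MAC, IPv4 EtherType, 46-byte payload
SAMPLE = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0800, b"\x00" * 46)
TAGGED = tag_frame(SAMPLE, vid=33, pcp=5)   # VLAN 33, as in the example above
```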

2.3  Native VLANs and 802.1Q Tagging
Tagged frames on the native VLAN: the switch drops the frame.
Untagged frames on the native VLAN: the switch forwards them to the native VLAN. If there is no device and no trunk port on the native VLAN, the switch drops the frame.

2.4  Voice VLAN tagging
The same interface carries two VLAN tags (data + voice); the tag is used to prioritize voice over data.

3.     VLAN Implementation
3.1  Vlan Range on Catalyst Switch
Catalyst 2960 and 3560 Series switches support over 4,000 VLANs.
Normal range VLANs on these switches are numbered 1 to 1,005 and extended range VLANs are numbered 1006 to 4094.

Normal Range VLANs     
·      Used in small- and medium-sized business and enterprise networks.     
·      Identified by a VLAN ID between 1 and 1005.     
·      IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.     
·      IDs 1 and 1002 to 1005 are automatically created and cannot be removed.     
·      Configurations are stored within a VLAN database file, called vlan.dat. The vlan.dat file is located in the flash memory of the switch.     
·      The VLAN Trunking Protocol (VTP), which helps manage VLAN configurations between switches, can only learn and store normal range VLANs. 
Extended Range VLANs     
·      Enable service providers to extend their infrastructure to a greater number of customers. Some global enterprises could be large enough to need extended range VLAN IDs.     
·      Are identified by a VLAN ID between 1006 and 4094.     
·      Configurations are not written to the vlan.dat file.     
·      Support fewer VLAN features than normal range VLANs.     
·      Are, by default, saved in the running configuration file.     
·      VTP does not learn extended range VLANs.
4096 is the upper boundary for the number of VLANs available on Catalyst switches (12-bit VLAN ID).

3.2  Creating and deleting VLANs
S1#conf term
S1(config)#vlan 33
S1(config-vlan)#name vlan-unique-name
S1(config-vlan)#end
Verify:
S1#show vlan brief
S1#show vlan name vlan-unique-name
S1#show interfaces switchport

3.3  Assigning ports to VLANs
S1#conf term
S1(config)#interface fastethernet0/1
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 33
S1(config-if)#end
Use the interface range command to configure several interfaces at once.
Return a port to the default VLAN:
S1(config-if)#no switchport access vlan
Delete a VLAN:
S1(config)#no vlan 33
S1#delete flash:vlan.dat   (then reload) restores the factory default VLAN database

 Caution: Before deleting a VLAN, be sure to first reassign all member ports to a different VLAN. Any ports that are not moved to an active VLAN are unable to communicate with other hosts after the VLAN is deleted and until they are assigned to an active VLAN.

Note: For a Catalyst switch, the erase startup-config command must accompany the delete vlan.dat command prior to reload to restore the switch to its factory default condition.

4. VLAN Trunks
4.1 Configuring IEEE 802.1Q Trunk Links
A VLAN trunk is an OSI Layer 2 link between two switches that carries traffic for all VLANs (unless the allowed VLAN list is restricted manually or dynamically).


Remove a VLAN from the allowed VLAN list:
switchport trunk allowed vlan remove XX

If the native VLAN is not allowed on the trunk link, the trunk will not allow any data traffic for the native VLAN.

5. Dynamic Trunking Protocol
5.1 Introduction to DTP  -  S1#show dtp  /  S1#show dtp interface xx
Ethernet trunk interfaces support different trunking modes. An interface can be set to trunking or nontrunking, or to negotiate trunking with the neighbor interface. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which operates on a point-to-point basis only, between network devices. 
DTP is a Cisco proprietary protocol that is automatically enabled on Catalyst 2960 and Catalyst 3560 Series switches. Switches from other vendors do not support DTP. DTP manages trunk negotiation only if the port on the neighbor switch is configured in a trunk mode that supports DTP. 

Caution: Some internetworking devices might forward DTP frames improperly, which can cause misconfigurations. To avoid this, turn off DTP on interfaces on a Cisco switch connected to devices that do not support DTP.

Cisco trunk with DTP <-----> non-Cisco device that does not support DTP: DTP frames must be disabled:
S1(config-if)#switchport mode trunk
S1(config-if)#switchport nonegotiate

Combinations and result:

Summary of negotiated interface modes:
-       switchport mode access
-       switchport mode dynamic auto  (default)
-       switchport mode dynamic desirable
-       switchport mode trunk
-       switchport nonegotiate


5.2 Resetting the trunk to default state

Verify:
S1#show interfaces f0/1 switchport

6. Troubleshooting VLANs and Trunks
- Addressing issues: hosts with addresses in different subnets on the same VLAN will not communicate.
- Missing VLANs:

 VLAN deleted:

- Trunk:
VLAN leaking: an access port accepting VLANs other than the one to which it is assigned.

Indicating a native VLAN mismatch:

CDP displays a notification of a native VLAN mismatch on a trunk link.

Most common errors:
- Native VLAN mismatches: a different native VLAN on each side. Result: a security risk and unintended results.
- Trunk mode mismatches: trunk on <--> trunk off. Causes loss of network connectivity.
- Allowed VLANs on trunks: causes unexpected traffic or no traffic at all.

- Trunk mode mismatches
S1#show interfaces trunk
Administrative Mode: (must be the correct one, for example: trunk)

- Incorrect VLAN list
The allowed VLANs on the trunk must match on both ends:
switchport trunk allowed vlan xx,yy,native  <--> switchport trunk allowed vlan xx,yy,native
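As an added example (not from the original notes), a small audit that reads the two ends of a trunk and reports the native VLAN mismatch, allowed-list mismatch, native VLAN missing from the allowed list and native VLAN left at the default described in this section. The switch outputs are constructed samples in the style of "show interfaces trunk", and the parser only reads the first trunk port listed.

```python
# Added example: compare both ends of a trunk from "show interfaces trunk" output.
def expand_vlan_list(spec):
    """'1-5,10,20-22' -> {1, 2, 3, 4, 5, 10, 20, 21, 22}"""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_show_trunk(text):
    """Read port, native VLAN and allowed VLAN set for the first trunk port listed."""
    lines = [l for l in text.splitlines() if l.strip()]
    port, _mode, _encap, _status, native = lines[1].split()[:5]
    allowed = set()
    for i, line in enumerate(lines):
        if "Vlans allowed on trunk" in line:
            allowed = expand_vlan_list(lines[i + 1].split()[1])
    return {"port": port, "native": int(native), "allowed": allowed}

def audit_trunk(a, b):
    """Findings for: native VLAN mismatch, allowed-list mismatch, native VLAN not
    allowed (no data passes for it) and native VLAN still the default VLAN 1."""
    findings = []
    if a["native"] != b["native"]:
        findings.append("native VLAN mismatch: %d vs %d" % (a["native"], b["native"]))
    if a["allowed"] != b["allowed"]:
        one_side_only = sorted(a["allowed"] ^ b["allowed"])
        findings.append("allowed VLAN lists differ, VLANs on one side only: %s" % one_side_only)
    for side in (a, b):
        if side["native"] not in side["allowed"]:
            findings.append("%s: native VLAN %d is not in the allowed list" % (side["port"], side["native"]))
        if side["native"] == 1:
            findings.append("%s: native VLAN is still the default VLAN 1" % side["port"])
    return findings

# Constructed sample output, one per switch, in the style of "show interfaces trunk"
S1_OUTPUT = """
Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       on               802.1q         trunking      99
Port        Vlans allowed on trunk
Fa0/1       10,20,99
"""
S2_OUTPUT = """
Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       on               802.1q         trunking      1
Port        Vlans allowed on trunk
Fa0/1       10,20,30,99
"""

if __name__ == "__main__":
    for finding in audit_trunk(parse_show_trunk(S1_OUTPUT), parse_show_trunk(S2_OUTPUT)):
        print(finding)
```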

7.     VLAN Security and Design
7.1 Attacks on VLANs
VLAN hopping (spoofing): takes advantage of an incorrectly configured trunk port. By default, trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches. To protect against this attack, all unused ports should be shut down.
Double-tagging attack: another type of VLAN hopping attack is the double-tagging (or double-encapsulated) attack. It takes advantage of the way the hardware on most switches operates: most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame.
- Allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify.
- Works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.


PVLAN Edge: some applications require that no traffic be forwarded at Layer 2 between ports on the same switch, so that one neighbor does not see the traffic generated by another. The Private VLAN Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast or multicast traffic between these ports.

 PVLAN Edge feature characteristics:
·      A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port, except for control traffic. Data traffic cannot be forwarded between protected ports at Layer 2.
·      Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
·      Protected ports must be manually configured.

Configure:
S1(config-if)#switchport protected

Verify:
S1#show interfaces interface-id switchport


7.2 Design Best Practices for VLANs

-       It is a security best practice to configure all the ports on all switches to be associated with VLANs other than VLAN 1.
-       Shut down unused switch ports to prevent unauthorized access.
-       Separate management and user data traffic. The management VLAN, which is VLAN 1 by default, should be changed to a separate, distinct VLAN.
-       Use encrypted SSH sessions for remote management.
-       As a port security best practice, do not use the dynamic auto or dynamic desirable switch port modes.
-       If user PCs and IP phones are on the same VLAN, each tries to use the available bandwidth without considering the other device. To avoid this conflict, it is good practice to use separate VLANs for IP telephony and data traffic.
