Performance = productivity.
Performance = separation of large broadcast domains into smaller ones.
The role of the router is not to provide end access; that is where the Layer 2 switch and the purpose of VLANs come in.
1. VLAN Segmentation
1.1 VLAN Definition:
Within a switched internetwork, VLANs provide segmentation and organizational flexibility. VLANs are based on logical connections instead of physical connections. VLANs enable the implementation of access and security policies according to specific groupings of users. Each switch port can be assigned to only one VLAN (with the exception of a port connected to an IP phone or to another switch).
1.2 Benefits of VLANs
· Improved Security: sensitive data is kept in a separate group.
· Reduced Cost: fewer nodes per segment and efficient use of existing bandwidth and uplinks.
· Better Performance: smaller broadcast domains reduce unnecessary traffic and boost performance.
· Smaller Broadcast Domains.
· IT Efficiency: VLANs make it easier to manage the network and to identify the function of a VLAN.
· Management Efficiency: VLANs aggregate users and network devices to support business or geographic requirements.
Each VLAN in a switched network corresponds
to an IP network; therefore, VLAN design must take into consideration the
implementation of a hierarchical network-addressing scheme.
Example: VLAN 33, 172.17.33.0/24
1.3 Types of VLANs (defined by the traffic class or specific function they serve)
· Data VLAN: configured to carry user-generated traffic; it is common practice to separate voice and management traffic from user data. Also called a user VLAN.
· Default VLAN: in the default configuration all switch ports become part of the default VLAN, VLAN 1.
· Native VLAN: assigned to an 802.1Q trunk port. The trunk carries tagged traffic; untagged traffic goes to the native VLAN, VLAN 1 by default.
· Management VLAN: to create the management VLAN, the switch virtual interface (SVI) of that VLAN is assigned an IP address and subnet mask, allowing the switch to be managed via HTTP, Telnet, SSH, or SNMP. VLAN 1 is the default and a bad choice. On 15.x versions of Cisco IOS for Catalyst 2960 Series switches, it is possible to have more than one active SVI. More than one management VLAN increases exposure to network attacks.
1.4 Voice VLAN
A separate VLAN is needed to support Voice over IP (VoIP). VoIP traffic requires:
· Assured bandwidth to ensure voice quality
· Transmission priority over other types of network traffic
· Ability to be routed around congested areas on the network
· Delay of less than 150 ms across the network
2. VLANs in a Multi-Switched Environment
2.1 VLAN Trunks
A VLAN trunk, or trunk, is a point-to-point link between two network devices that carries more than one VLAN. A VLAN trunk extends VLANs across an entire network.
Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces.
A VLAN trunk does not belong to a specific VLAN.
VLAN trunk <---> any other device that is equipped with an appropriate 802.1Q-capable NIC.
2.2 Tagging Ethernet Frames for VLAN Identification
Catalyst 2960 Series switches are Layer 2 devices. They use the Ethernet frame header information to forward packets. They do not have routing tables.
A VLAN tag is inserted into the standard Ethernet frame when the frame is placed on a trunk.
This process, called tagging, is accomplished by using the IEEE 802.1Q header, specified in the IEEE 802.1Q standard. The 802.1Q header includes a 4-byte tag inserted within the original Ethernet frame header, specifying the VLAN to which the frame belongs.
VLAN Tag Field Details: the VLAN tag field consists of a Type field, a Priority field, a Canonical Format Identifier field, and a VLAN ID field:
Type - A 2-byte value called the tag protocol ID (TPID). For Ethernet, it is set to hexadecimal 0x8100.
User priority - A 3-bit value that supports level of service implementation.
Canonical Format Identifier (CFI) - A 1-bit identifier that enables Token Ring frames to be carried across Ethernet links.
VLAN ID (VID) - A 12-bit VLAN identification number that supports up to 4096 VLAN IDs.
After the switch inserts the Type and tag control information fields, it recalculates the FCS value and inserts the new FCS into the frame.
2.3 Native VLANs and 802.1Q Tagging
Tagged frames on the native VLAN: the switch drops the frame.
Untagged frames on the native VLAN: the switch forwards them on the native VLAN. If there is no device and no trunk port on the native VLAN, the switch drops the frame.
2.4 Voice VLAN Tagging
The same interface carries two VLAN tags (data + voice); the voice tag is used to prioritize voice over data.
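As an added worked example (not code from the original notes), the following Python script builds a tagged frame the way section 2.2 describes: it inserts the 4-byte 802.1Q tag (TPID 0x8100, 3-bit priority, CFI, 12-bit VID) after the source MAC and recomputes the FCS, parses the tag fields back out (walking every stacked tag, so a double-tagged frame is reported as two tags), and models the trunk ingress rules of section 2.3 (untagged frames land on the native VLAN; frames tagged with the native VLAN ID or with a VLAN outside the allowed list are dropped). The frame bytes, MAC addresses, VLAN IDs 33/99/150 and the PCP value 5 on the voice frame are constructed sample values; the FCS is computed as a plain CRC-32, which is what Ethernet uses.

```python
"""Build, parse and filter IEEE 802.1Q-tagged Ethernet frames.

Added example for sections 2.2-2.4 of the notes; all frame data is constructed.
"""
import struct
import zlib
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

TPID_8021Q = 0x8100   # Tag Protocol ID that marks the 4-byte 802.1Q tag


@dataclass
class Tag:
    pcp: int   # 3-bit user priority (voice is commonly sent with PCP 5)
    cfi: int   # 1-bit Canonical Format Identifier
    vid: int   # 12-bit VLAN ID


def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed untagged frame (dst, src, Type, payload) with a valid FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def add_tag(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Insert an 802.1Q tag between the source MAC and the Type field, then redo the FCS."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or cfi not in (0, 1):
        raise ValueError("tag fields out of range")
    body = frame[:-4]                        # drop the old FCS
    tci = (pcp << 13) | (cfi << 12) | vid    # 16-bit Tag Control Information
    tag = struct.pack("!HH", TPID_8021Q, tci)
    tagged = body[:12] + tag + body[12:]     # offset 12 = right after src MAC
    return tagged + fcs(tagged)


def parse_tags(frame: bytes) -> Tuple[List[Tag], int, bool]:
    """Return (stacked tags outermost first, inner EtherType, fcs_ok).

    The loop continues while the EtherType is 0x8100, so a frame carrying two
    tags (the double-tagging case) yields two Tag entries for a monitor to flag.
    """
    fcs_ok = frame[-4:] == fcs(frame[:-4])
    tags: List[Tag] = []
    off = 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    while ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append(Tag(pcp=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF))
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return tags, ethertype, fcs_ok


def trunk_ingress(frame: bytes, native_vlan: int, allowed: Set[int]) -> Tuple[str, Optional[int]]:
    """Model the 802.1Q trunk ingress rules from section 2.3.

    Untagged frames are placed on the native VLAN (if it is allowed on the trunk);
    a frame tagged with the native VLAN ID is dropped; a VID not in the allowed
    list is dropped; otherwise the frame is forwarded on the tagged VLAN.
    """
    tags, _, fcs_ok = parse_tags(frame)
    if not fcs_ok:
        return "drop (bad FCS)", None
    if not tags:
        if native_vlan not in allowed:
            return "drop (native VLAN not allowed on trunk)", None
        return "forward", native_vlan
    vid = tags[0].vid
    if vid == native_vlan:
        return "drop (tagged with native VLAN)", None
    if vid not in allowed:
        return "drop (VLAN not allowed)", None
    return "forward", vid


# Constructed sample frames: broadcast from a host, 46-byte padded IPv4 payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
UNTAGGED = make_frame(DST, SRC, 0x0800, b"\x45" + b"\x00" * 45)
DATA_VID33 = add_tag(UNTAGGED, vid=33)            # data VLAN, default priority
VOICE_VID150 = add_tag(UNTAGGED, vid=150, pcp=5)  # voice VLAN, elevated priority

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("data", DATA_VID33), ("voice", VOICE_VID150)):
        print(name, len(f), parse_tags(f), trunk_ingress(f, native_vlan=99, allowed={33, 99, 150}))
```

Running the script shows the tagged frames are exactly 4 bytes longer than the untagged one, that the voice frame carries PCP 5 in the same tag as its VLAN ID (which is how the voice VLAN gets its priority in section 2.4), and that a frame tagged with the native VLAN is dropped while the untagged one is placed on it.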
3. VLAN Implementation
3.1 VLAN Range on Catalyst Switches
Catalyst 2960 and 3560 Series switches support over 4,000 VLANs.
Normal range VLANs on these switches are numbered 1 to 1,005 and extended range VLANs are numbered 1006 to 4094.
Normal Range VLANs
· Used in small- and medium-sized business and enterprise networks.
· Identified by a VLAN ID between 1 and 1005.
· IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
· IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
· Configurations are stored within a VLAN database file, called vlan.dat. The vlan.dat file is located in the flash memory of the switch.
· The VLAN Trunking Protocol (VTP), which helps manage VLAN configurations between switches, can only learn and store normal range VLANs.
Extended Range VLANs
· Enable service providers to extend their infrastructure to a greater number of customers. Some global enterprises could be large enough to need extended range VLAN IDs.
· Are identified by a VLAN ID between 1006 and 4094.
· Configurations are not written to the vlan.dat file.
· Support fewer VLAN features than normal range VLANs.
· Are, by default, saved in the running configuration file.
· VTP does not learn extended range VLANs.
4096 is the upper boundary for the number of VLANs available on Catalyst switches (12-bit VLAN ID).
3.2 Creating and Deleting VLANs
S1# configure terminal
S1(config)# vlan 33
S1(config-vlan)# name vlan-unique-name
S1(config-vlan)# end
Verify:
S1# show vlan brief
S1# show vlan name vlan-unique-name
S1# show interfaces switchport
3.3 Assigning Ports to VLANs
S1# configure terminal
S1(config)# interface fastethernet0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 33
S1(config-if)# end
Use the interface range command to configure several interfaces at once.
Remove the VLAN assignment from a port (the port returns to the default VLAN):
S1(config-if)# no switchport access vlan
Delete a VLAN (from global configuration mode):
S1(config)# no vlan 33
S1# delete flash:vlan.dat (and reload) to return to factory defaults
Caution: Before deleting a VLAN, be sure to first reassign all member ports to a different VLAN. Any ports that are not moved to an active VLAN are unable to communicate with other hosts after the VLAN is deleted and until they are assigned to an active VLAN.
Note: For a Catalyst switch, the erase startup-config command must accompany the delete vlan.dat command prior to reload to restore the switch to its factory default condition.
4. VLAN Trunks
4.1 Configuring IEEE 802.1Q Trunk Links
A VLAN trunk is an OSI Layer 2 link between two switches that carries traffic for all VLANs (unless the allowed VLAN list is restricted manually or dynamically).
Remove a VLAN from the allowed VLAN list:
S1(config-if)# switchport trunk allowed vlan remove XX
If the native VLAN is not allowed on the trunk link, the trunk will not allow any data traffic for the native VLAN.
5. Dynamic Trunking Protocol
5.1 Introduction to DTP (S1# show dtp, S1# show dtp interface xx)
Ethernet trunk interfaces support different trunking modes. An interface can be set to trunking or nontrunking, or to negotiate trunking with the neighbor interface. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which operates on a point-to-point basis only, between network devices.
DTP is a Cisco proprietary protocol that is automatically enabled on Catalyst 2960 and Catalyst 3560 Series switches. Switches from other vendors do not support DTP. DTP manages trunk negotiation only if the port on the neighbor switch is configured in a trunk mode that supports DTP.
Caution: Some internetworking devices might forward DTP frames improperly, which can cause misconfigurations. To avoid this, turn off DTP on interfaces on a Cisco switch connected to devices that do not support DTP.
Trunk with DTP (Cisco) <-----> non-Cisco device that does not support DTP: DTP frames have to be disabled:
S1(config-if)# switchport mode trunk
S1(config-if)# switchport nonegotiate
Combinations and result:
Summary of negotiated interface modes:
- switchport mode access
- switchport mode dynamic auto (default)
- switchport mode dynamic desirable
- switchport mode trunk
- switchport nonegotiate
5.2 Resetting the Trunk to Default State
Verify:
S1# show interfaces f0/1 switchport
6. Troubleshooting VLANs and Trunks
- Addressing issues: hosts with addresses in different subnets on the same VLAN will not communicate.
- Missing VLANs:
VLAN deleted:
- Trunk:
VLAN leaking: an access port accepting VLANs other than the VLAN to which it is assigned.
Indicating a native VLAN mismatch:
CDP displays a notification of a native VLAN mismatch on a trunk link.
Most common errors:
- Native VLAN mismatches: a different native VLAN on each side. Result: a security risk and unintended results.
- Trunk mode mismatches: trunk on <--> trunk off. Causes loss of network traffic and connectivity.
- Allowed VLANs on trunks: causes unexpected traffic or no traffic at all.
- Trunk mode mismatches:
S1# show interfaces trunk
Administrative Mode must be the correct one (example: trunk).
- Incorrect VLAN list. The allowed VLANs on the trunk must match on both ends:
switchport trunk allowed vlan xx,yy,native <--> switchport trunk allowed vlan xx,yy,native
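Added example for the checks in this section (not part of the original notes): a Python script that parses the show interfaces trunk output from both ends of a link and reports native VLAN mismatches, trunk mode mismatches, DTP-negotiated modes, allowed-list differences, and a native VLAN missing from the allowed list. The two outputs are constructed sample text following the IOS column layout (Mode, Encapsulation, Status, Native vlan, then the allowed VLAN list per port); the port name, VLAN IDs and the mismatches themselves are made up for the demonstration.

```python
"""Compare `show interfaces trunk` output from the two ends of a trunk link.

Added example for the troubleshooting section; the show output is constructed.
"""
from typing import Dict, List, Set

# Constructed sample output from switch S1 (local end of the Fa0/1 link).
S1_SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       on               802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,20,99

Port        Vlans allowed and active in management domain
Fa0/1       10,20,99
"""

# Constructed sample output from switch S2 (remote end), deliberately misconfigured.
S2_SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       auto             802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       10,30,99

Port        Vlans allowed and active in management domain
Fa0/1       10,30,99
"""


def expand_vlan_list(text: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1-5,10,20-22' into a set of IDs."""
    vlans: Set[int] = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(output: str) -> Dict[str, dict]:
    """Return {port: {mode, encapsulation, status, native, allowed}}."""
    ports: Dict[str, dict] = {}
    section = None
    for line in output.splitlines():
        if line.startswith("Port"):
            # Each table in the output starts with its own 'Port ...' header row.
            if "Native vlan" in line:
                section = "header"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = "other"
            continue
        fields = line.split()
        if section == "header" and len(fields) == 5:
            port, mode, encap, status, native = fields
            ports[port] = {"mode": mode, "encapsulation": encap, "status": status,
                           "native": int(native), "allowed": set()}
        elif section == "allowed" and len(fields) == 2 and fields[0] in ports:
            ports[fields[0]]["allowed"] = expand_vlan_list(fields[1])
    return ports


def check_trunk(local: dict, remote: dict) -> List[str]:
    """Apply the section 6 checks to the two ends of one link."""
    findings: List[str] = []
    if local["native"] != remote["native"]:
        findings.append(f"native VLAN mismatch: {local['native']} vs {remote['native']} "
                        "(CDP reports this; security risk and unintended forwarding)")
    if (local["status"] == "trunking") != (remote["status"] == "trunking"):
        findings.append("trunk mode mismatch: one side trunking, the other not")
    for end, info in (("local", local), ("remote", remote)):
        if info["mode"] in ("auto", "desirable"):
            findings.append(f"{end}: trunk negotiated by DTP ({info['mode']}); "
                            "use 'switchport mode trunk' plus 'switchport nonegotiate'")
        if info["native"] not in info["allowed"]:
            findings.append(f"{end}: native VLAN {info['native']} not in allowed list; "
                            "untagged traffic will be dropped")
    if local["allowed"] != remote["allowed"]:
        only_local = sorted(local["allowed"] - remote["allowed"])
        only_remote = sorted(remote["allowed"] - local["allowed"])
        findings.append(f"allowed VLAN list mismatch: only local {only_local}, only remote {only_remote}")
    return findings


def audit(local_output: str, remote_output: str, port: str) -> List[str]:
    """Parse both outputs and compare the given port."""
    return check_trunk(parse_show_trunk(local_output)[port], parse_show_trunk(remote_output)[port])


if __name__ == "__main__":
    for finding in audit(S1_SHOW_TRUNK, S2_SHOW_TRUNK, "Fa0/1"):
        print(finding)
```

On the sample the script reports four problems: the native VLAN mismatch (99 vs 1), S2 still negotiating with DTP (auto), S2's native VLAN 1 missing from its own allowed list, and VLAN 20 allowed only on S1 while VLAN 30 is allowed only on S2. Comparing S1's output against itself yields no findings, which is the state to aim for after fixing the remote side.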
7. VLAN Security and Design
7.1 Attacks on VLANs
VLAN hopping (spoofing): takes advantage of an incorrectly configured trunk port. By default, trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches. To protect against this attack, all unnecessary ports have to be shut down.
Double-Tagging Attack: another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. It takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame.
- Allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify.
- Works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.
PVLAN Edge: some applications require that no traffic be forwarded at Layer 2 between ports on the same switch, so that one neighbor does not see the traffic generated by another. The Private VLAN Edge feature, also known as protected port, ensures that there is no exchange of unicast, broadcast or multicast traffic between these ports.
PVLAN Edge feature characteristics:
· A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port, except for control traffic. Data traffic cannot be forwarded between protected ports at Layer 2.
· Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
· Protected ports must be manually configured.
Configure:
S1(config-if)# switchport protected
Verification:
S1# show interfaces interface-id switchport
7.2 Design Best Practices for VLANs
- It is a security best practice to configure all the ports on all switches to be associated with VLANs other than VLAN 1.
- Shut down unused switch ports to prevent unauthorized access.
- Separate management and user data traffic. The management VLAN, which is VLAN 1 by default, should be changed to a separate, distinct VLAN.
- Use encrypted SSH sessions for remote management.
- As a port security best practice, do not use the dynamic auto or dynamic desirable switch port modes.
- If user PCs and IP phones are on the same VLAN, each tries to use the available bandwidth without considering the other device. To avoid this conflict, it is good practice to use separate VLANs for IP telephony and data traffic.
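As an added example (not from the notes), the script below audits a running-config excerpt against the practices listed above: access ports left in VLAN 1 and not shut down, ports in the default dynamic auto or in dynamic desirable mode, trunks with native VLAN 1 or without switchport nonegotiate, a management SVI on Vlan1, and vty lines that still accept Telnet. The configuration text is a constructed sample; when a command is absent the audit assumes the IOS defaults stated in these notes (dynamic auto mode, access VLAN 1, native VLAN 1).

```python
"""Audit a Catalyst running-config excerpt against the VLAN design practices.

Added example, not code from the original notes. The configuration below is a
constructed sample; assumed defaults when a command is absent follow the notes:
switchport mode dynamic auto, access VLAN 1, trunk native VLAN 1.
"""
from typing import Dict, List

SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 33
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 33
 shutdown
!
interface GigabitEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface Vlan1
 ip address 172.17.1.2 255.255.255.0
!
line vty 0 15
 transport input telnet ssh
!
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their 'interface ...' / 'line ...' header."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None            # '!' separates configuration sections
            continue
        if not line.startswith(" "):
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def _value(lines: List[str], prefix: str, default: int) -> int:
    """Trailing number of the first sub-command starting with prefix, else default."""
    for line in lines:
        if line.startswith(prefix):
            return int(line.split()[-1])
    return default


def audit_config(config: str) -> List[str]:
    """Apply the section 7.2 checks; one finding string per violation."""
    findings: List[str] = []
    for header, lines in parse_blocks(config).items():
        if header.startswith("interface Vlan"):
            if header == "interface Vlan1" and any(l.startswith("ip address") for l in lines):
                findings.append("Vlan1: management SVI on default VLAN 1; use a separate management VLAN")
        elif header.startswith("interface "):
            name = header.split(None, 1)[1]
            if "shutdown" in lines:
                continue              # a shut-down port is the desired state for unused ports
            mode = "dynamic auto"     # Catalyst default when no switchport mode is configured
            for line in lines:
                if line.startswith("switchport mode "):
                    mode = line[len("switchport mode "):]
            if mode.startswith("dynamic"):
                findings.append(f"{name}: DTP mode '{mode}' in use; set a static access or trunk mode")
            if mode == "trunk":
                if _value(lines, "switchport trunk native vlan ", 1) == 1:
                    findings.append(f"{name}: trunk native VLAN is 1; move it to an unused VLAN")
                if "switchport nonegotiate" not in lines:
                    findings.append(f"{name}: trunk without 'switchport nonegotiate'")
            elif _value(lines, "switchport access vlan ", 1) == 1:
                findings.append(f"{name}: port in VLAN 1 and not shut down; assign another VLAN or shut it down")
        elif header.startswith("line vty"):
            for line in lines:
                if line.startswith("transport input") and "telnet" in line.split():
                    findings.append(f"{header}: Telnet permitted; use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample the audit raises eight findings: two each for FastEthernet0/2 (dynamic desirable, VLAN 1), FastEthernet0/3 (default dynamic auto, VLAN 1) and GigabitEthernet0/2 (native VLAN 1, no nonegotiate), plus the SVI on Vlan1 and the Telnet transport. FastEthernet0/4 is shut down and GigabitEthernet0/1 follows every practice, so neither appears.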








