
Chapter 4. VLANs and Trunking

The move from hubs (shared networks) to switched networks was a large improvement. Control over collisions, increased throughput, and the additional features offered by switches all provide ample incentive to upgrade infrastructure. But Layer 2 switched topologies are not without their difficulties. Extensive flat topologies can create congested broadcast domains and can involve compromises with security, redundancy, and load balancing. These issues can be mitigated through the use of virtual local area networks, or VLANs. This chapter describes the structure and operation of VLANs as standardized in IEEE 802.1Q. The discussion includes the trunking methods used for interconnecting devices on VLANs.

Problem: Big Broadcast Domains

With any single shared-media LAN segment, transmissions propagate through the entire segment. As traffic activity increases, more collisions occur and transmitting nodes must back off and wait before attempting the transmission again. While the collision is cleared, other nodes must also wait, further increasing congestion on the LAN segment.

The left side of Figure 4-1 depicts a small network in which PC 2 and PC 4 attempt transmissions at the same time. The frames propagate away from the computers, eventually colliding with each other somewhere between the two nodes as shown on the right. The increased voltage and power then propagate away from the scene of the collision. Note that the collision does not continue past the switches on either end. These are the boundaries of the collision domain. This is one of the primary reasons for switches replacing hubs. Hubs (and access points) simply do not scale well as network traffic increases.

Figure 4-1. Before and after collision

The use of switches at Layer 2 eliminates much of the scaling problem because they filter out problems such as collisions. Instead, transmissions are now governed by the behavior of the switches and the broadcast domain. A broadcast domain defines the area over which a broadcast frame will propagate. For example, an ARP request issued by PC 3 results in a broadcast frame that propagates through the switches all the way to the routers as shown in Figure 4-2. A broadcast frame has the broadcast address (FF-FF-FF-FF-FF-FF) as the destination MAC.

Figure 4-2. Broadcast domain

With the improved performance and filtering resulting from the use of switches, there is a temptation to create big Layer 2 topologies and add lots of nodes, but this creates a large broadcast domain. The problem is that all devices on a network (computers, printers, switching equipment, etc.) generate broadcast and multicast frames that traverse the entire broadcast domain, competing with data traffic for bandwidth. Much of this traffic is for management of the network and includes protocols for address resolution (ARP), dynamic host configuration (DHCP), spanning tree (STP), and an array of Windows tasks. Figure 4-3 illustrates the potential difficulty. Assume that PC1 has generated the following requests: ARP, Windows registration, and DHCP.

Figure 4-3. Broadcast frame growth

Because all of the requests use a broadcast frame, as they are received at Switch 1, the frames are forwarded in all directions. As the other switches in the topology follow suit, the frames traverse the entire network and are received at all other nodes and the routers.

As the number of network nodes increases, the amount of overhead also increases. Each switch might be connected to dozens of nodes, with each node generating several broadcast frames. If enough traffic is created, even a switched network can have poor performance. Deploying VLANs can help solve this problem by breaking up the broadcast domain and separating the traffic.

What Is a VLAN?

A virtual local area network (VLAN) is a logical group of ports which is independent of location. A single VLAN (and the nodes connected in a single VLAN) will behave in the same way as if it were a separate Layer 3 network. VLAN membership need not be limited to sequential ports or even ports on the same switch. Figure 4-4 depicts a very common deployment in which nodes are connected to a switch and the switch is connected to a router. Looking at the left side, the automatic assumption would be that all of the nodes are on the same IP network since they all connect to the same router interface.

Figure 4-4. Basic switch and VLAN topology

What is not obvious from the topology on the left is that by default, all of these nodes are actually part of the same VLAN. So, another way to think about this topology is based on the VLAN as shown on the right. For example, with Cisco devices the default VLAN is VLAN 1. This is also called the management VLAN. Its initial configuration includes all ports as members and this is reflected in the source address table or SAT. This table is often described as being used to forward frames to the proper Layer 2 port based on the destination MAC. With the introduction of VLANs, the source address table reflects the port to MAC address mapping on a per-VLAN basis, resulting in more advanced forwarding decisions. Figure 4-5 displays the output from both the show mac-address-table and show vlan commands. All of the ports (Fa0/1 – Fa0/24) are in VLAN 1.

Figure 4-5. Switch SAT and VLAN output

Another common topology can be seen in Figure 4-6 in which two switches are separated by a router. In this case, a group of nodes is connected to each switch. The nodes on a particular switch share a common IP addressing scheme. There are two networks, 192.168.1.0 and 192.168.2.0.

Figure 4-6. Router, switch and VLANs

Note that both of the switches have the same VLAN since, in the absence of any configuration changes, switches from the same vendor will have the same numbering convention. Nonlocal network traffic must be sent to the router for forwarding. Routers do not forward Layer 2 frames: unicast, multicast and broadcast frames stop at the router interface. VLANs provide a very similar logical topology in that nodes within a VLAN share a common addressing scheme and nonlocal traffic (traffic destined for nodes on a different VLAN) must be sent to the router for forwarding. By creating an extra VLAN on one of the switches and removing the other switch, Figure 4-6 can be redrawn as shown in Figure 4-7.

Figure 4-7. Single switch, multiple VLANs

A VLAN operates in the same fashion as a Layer 3 IP-based network. Thus, nodes on the 192.168.1.0 network must go to the router when trying to communicate with nodes on the 192.168.2.0 network even though all of the computers are connected to the same switch. In order to communicate between VLANs, routing functionality must be part of the topology. Layer 2 unicast, multicast and broadcast traffic will not cross VLAN boundaries, therefore traffic generated on VLAN 1 will not be seen by nodes on VLAN 2. Only the switch is aware of the VLANs. The nodes and the router have no idea that VLANs are in use; they are "not VLAN-aware." With the addition of the routing decision, Layer 3 functionality can now be leveraged for additional security settings, problem/traffic containment and load balancing.

The Effect of VLANs

Configuring a switch for multiple VLANs reduces the size of each broadcast domain. Therefore the amount of overhead traffic is lower, which reduces bandwidth competition with data traffic. Stated another way, a node in a particular VLAN has less broadcast traffic with which to contend. Since switch forwarding behavior is based on MAC addresses stored in the source address table, the following rules apply:

  • For known unicast destinations, the switch forwards the frame to the destination port only.

  • For unknown unicast destinations, the switch forwards the frame to all active ports except the originating port. This is called flooding.

  • For multicast and broadcast destinations, the switch will forward the frame to all active ports except the originating port.

However, the switch now has the additional requirement of considering the VLAN of the incoming frame. Each of the three rules above is applied within that VLAN: a known unicast is forwarded only to a port whose SAT entry was learned in the same VLAN, and flooding, multicast and broadcast reach only the other active ports that belong to it. Referring to Figure 4-7, if PC1 were to issue an ARP request, instead of just forwarding this frame to every port, the switch determines that the frame originated on VLAN 1. The result is that only PC2 and the leftmost router interface (192.168.1.254) actually see the frame.
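The forwarding rules above, applied per VLAN, as an added example (this is illustrative code written for this page, not a switch implementation from the chapter). It models a learning switch whose source address table is keyed by (VLAN, MAC) and runs the Figure 4-7 scenario: the port numbers, the assignment of ports 5 and 6 to the two router interfaces, and the MAC addresses are constructed for the example.

```python
"""Added example, not from the chapter: a VLAN-aware learning switch.

Applies the three forwarding rules inside the VLAN of the ingress port.
Port layout follows Figure 4-7: ports 1-2 and router interface
192.168.1.254 (port 5) in VLAN 1, ports 3-4 and 192.168.2.254 (port 6)
in VLAN 2. MAC addresses and port numbers are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str = ""


class VlanSwitch:
    def __init__(self, access_vlan: dict[int, int]):
        self.access_vlan = dict(access_vlan)          # port -> statically assigned VLAN
        self.sat: dict[tuple[int, str], int] = {}     # (vlan, mac) -> port: per-VLAN SAT

    def receive(self, in_port: int, frame: Frame) -> set[int]:
        """Return the set of ports the frame is forwarded out of."""
        vlan = self.access_vlan[in_port]
        self.sat[(vlan, frame.src)] = in_port         # learn the source MAC in this VLAN only
        others = {p for p, v in self.access_vlan.items() if v == vlan and p != in_port}
        if is_group_address(frame.dst):
            return others                             # broadcast/multicast: other ports in the VLAN
        out = self.sat.get((vlan, frame.dst))
        if out is None:
            return others                             # unknown unicast: flood within the VLAN
        return set() if out == in_port else {out}    # known unicast: destination port only


def demo() -> dict[str, set[int]]:
    sw = VlanSwitch({1: 1, 2: 1, 5: 1, 3: 2, 4: 2, 6: 2})
    pc1, pc2, pc3 = "00:aa:00:00:00:01", "00:aa:00:00:00:02", "00:aa:00:00:00:03"
    return {
        # ARP request from PC1 reaches only PC2 (port 2) and the VLAN 1 router interface (port 5)
        "arp_from_pc1": sw.receive(1, Frame(pc1, BROADCAST, "who-has 192.168.1.254")),
        # PC2 replying to PC1: PC1's MAC was learned in VLAN 1, so only port 1 receives it
        "pc2_to_pc1": sw.receive(2, Frame(pc2, pc1)),
        # PC3 (VLAN 2) addressing PC1's MAC: there is no entry for it in VLAN 2, so the
        # frame floods inside VLAN 2 (ports 4 and 6) and never reaches PC1
        "pc3_to_pc1": sw.receive(3, Frame(pc3, pc1)),
    }
```

The third case is the one to keep in mind when reading a MAC table: an entry for a given address tells you nothing about what a host in another VLAN can reach, because the lookup itself is scoped by VLAN.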

Aims and benefits of the 802.1Q standard:

  • VLANs are supported over all IEEE 802 LAN MAC protocols, over shared media LANs as well as point-to-point LANs.

  • VLANs facilitate easy administration of logical groups of stations that can communicate as if they were on the same LAN. They also facilitate easier administration of moves, adds, and changes in members of these groups.

  • Traffic between VLANs is restricted. Switches forward unicast, multicast, and broadcast traffic only on LAN segments that serve the VLAN to which the traffic belongs.

  • As far as possible, VLANs maintain compatibility with existing switches and end stations.

  • If all switch ports are configured to transmit and receive untagged frames (frames to/from non-VLAN-aware devices), switches will work in plug-and-play ISO/IEC 15802-3 mode. End stations will be able to communicate throughout the Bridged LAN.

VLAN Ports Do Not Need to be Continuous

Since VLANs are logical groupings of nodes that are independent of location, it does not matter where the nodes connect. Figure 4-8 demonstrates this concept. The topology in Figure 4-7 has been redrawn with the IP addresses of network nodes changed. To help with clarity, in this example VLAN 1 is also red and VLAN 2 is blue. Ports 1, 4 and 5 are part of red VLAN 1 while ports 2, 3 and 6 are part of the blue VLAN 2.

It is often the case that network technicians do not wish to rewire the topology every time that a new node is connected. So, a host may simply be connected to any available port and the port is then assigned to a particular VLAN. The critical idea is that the behavior is the same whether or not the ports are right next to each other. Thus, PC1 and PC4 can communicate directly with each other but must use the router to get to PC2 and PC3. Frames issued on red VLAN 1 will not be seen by nodes on blue VLAN 2.

Figure 4-8. Noncontinuous VLANs

Types of VLANs

There are two types of VLANs: static and dynamic. Both of these types can be used to cover small or large geographic areas. The type of VLAN that has been discussed thus far (a single switch divided into multiple VLANs) is called a static VLAN. Membership is largely determined by geographical location and by the port to which a particular node is connected. Most of the nodes in a particular VLAN are likely to be located in the same building, floor or set of offices. These VLANs can also be thought of as having local membership.

Figure 4-9 depicts an example of how nodes and VLANs might be arranged. PC1 and PC2 are physically located in the same part of the building and so are assigned to the same VLAN. The same is true for PC3 and PC4. It is likely that they serve users from the same department. This type of topology is configured manually by a network administrator who assigns ports on the switch to a particular VLAN. Again, the nodes and router do not have any knowledge about the VLANs.

Figure 4-9. Static VLAN, local membership

Most VLANs are configured with static membership. In topologies like those described above, nodes remain connected to the same port so there is no need to modify VLAN membership. The desktop computer is commonly associated with an office desk or cubicle assigned to an employee, so there is little need to worry that the machine will move.

There are times when nodes do move around. There may be a need to access different resources. Ports may be used by different departments at different times, or differing levels of security may be required. Dynamic VLANs are more appropriate for these situations. Dynamic VLANs allow nodes to move around without altering VLAN membership. This means that as they plug into a particular port, the switch automatically configures the port for membership in the right VLAN. A port that was configured for access in VLAN 1 for node A may now switch to VLAN 2 for node B. Consider the example in Figure 4-10. PC4, now a laptop, is moved from a port in VLAN 2 to a port in VLAN 1.

Figure 4-10. Moving from one VLAN to another

Case 1—DHCP

If DHCP has been deployed, when PC4 moves, it will simply obtain a new IP address on the new network, though this is not guaranteed. This may actually be the most common behavior for nodes connecting to a network on a particular VLAN. However, if services or security measures are in place and the organization's policy is to maintain separation between VLANs, then this configuration may pose a problem: access to the server. Once on the new network, PC4 may no longer be able to reach the right server or may require additional configuration to support the move.

Case 2—No DHCP

If the IP address of PC4 is statically configured, when it moves to the new location, its IP address will not match the network. It will no longer be able to reach the IP address of the gateway or the server. In this case, the node will not have any connectivity at all.

Solution: Dynamic VLANs

However, if the switch is smart enough to recognize that PC4 has now moved to a new port, it may be able to automatically repair the connection. Once PC4 connects to the new port, it will generate traffic. Upon receipt of a frame from PC4, the switch completes a database lookup to determine the VLAN membership and then assigns the port to the proper VLAN. Once this has occurred, PC4 will be able to communicate just as it did before the move. The new topology would look like the one shown in Figure 4-11. The node will not even have to change its IP address.

Figure 4-11. New dynamic VLAN topology

But how does the switch know? The most common method of assigning dynamic VLAN membership is via the MAC address. As soon as the node generates a single frame, the switch completes the MAC address query and then assigns the port. The nodes still do not have any knowledge that VLANs are used. VLAN membership can also be based on other criteria or tied to authentication schemes such as 802.1X. Keep in mind that a MAC address is trivially changed by the host, so MAC-based assignment is a convenience, not an authentication control; where VLAN membership carries a security meaning, the assignment should come from 802.1X authentication rather than from the source address alone.

VLANs Between Switches

So far, the VLANs discussed have been deployed on a single switch. The question arises: "What happens if multiple switches are part of the overall network fabric? How does it work?" The answers depend on the switch configurations. A default topology is shown in Figure 4-12 where two switches have just been powered up and several nodes connected. The default VLAN for both switches (if we assume Cisco devices) will be VLAN 1. This also means that the connections running between the switches will also be in VLAN 1. The router provides the egress point for all nodes.

Figure 4-12. Multiple switches, single VLAN

In this default topology, the nodes will not have any trouble connecting to each other because the source address tables on the switches will show that they are all in the same VLAN. This will allow the unicast, multicast and broadcast traffic to flow freely. Note also that the nodes exist on the same IP network. The connection between the switches uses either a crossover cable or an uplink port.

Problems occur when new VLANs are created as shown in Figure 4-13. Since the VLANs create boundaries around the ports connected to the hosts, equivalent to placing them on separate Layer 3 networks, the hosts are not able to communicate.

Figure 4-13. Problems with additional VLANs

Examining Figure 4-13, there are a couple of problems. First, the computers are all on the same IP network, despite being connected to different VLANs. Secondly, the router is isolated from all of the nodes because it is in VLAN 1. Lastly, the switches are interconnected via different VLANs. Each of these would create communication difficulties, but taken together, there is little or no communication between network elements.

It is often the case that a switch may be full or that nodes within the same administrative unit are geographically separated from each other. In these cases, a VLAN can be extended to neighboring switches through the use of a trunk line. Trunks will be discussed in greater detail later in this chapter, but for now it is sufficient to say that trunks connecting separate switches can, among other things, convey VLAN information between network devices. Figure 4-14 suggests several changes to repair the items noted in Figure 4-13.

Figure 4-14. Topology repaired with trunking

Repairs to the topology include:

  • PC1 and PC2 have been assigned to the 192.168.1.0 network and VLAN 2

  • PC3 and PC4 have been assigned to the 192.168.2.0 network and VLAN 3

  • The router interfaces are connected to VLANs 2 and 3.

  • The switches are interconnected via trunk lines.

Note that while the trunk ports appear to be in VLAN 1, they are not, as denoted by the letter T. Trunk ports do not have membership in any particular VLAN. Now that the VLANs persist across multiple switches, the nodes can be physically located anywhere and still be members of the same VLAN. When several switches are configured with VLANs and ports maintain their VLAN membership, the architecture is referred to as "end-to-end" and "static." It is not uncommon to have these switches located in different wiring closets, or even different buildings. Switches in the same closet can also be interconnected via trunk lines.

What is a Trunk?

Generally, there are two ways to look at a trunk line. In telephony, the term trunk refers to connections between offices or distribution facilities. These connections represent an increased number of lines or time-division multiplexed connections as shown in Figure 4-15. Examples include 25-pair bundles or T carriers.

Figure 4-15. Telephone lines and trunks

For data networking, trunks have little to do with increasing the number of connections between switches. The primary use of a trunk line in a data network is to convey VLAN information. The trunk line shown in Figure 4-14 carries VLAN and quality of service information for the participating switches.

When a trunk line is installed, a trunking protocol is used to modify the Ethernet frames as they travel across the trunk line. In Figure 4-14 the ports interconnecting the switches are trunk ports. This also means that there is more than one operational mode for switch ports. By default, all ports are called "access ports." This describes a port used by a computer or other end node to "access" the network. When a port is used to interconnect switches and convey VLAN information, the operation of the port is changed to a trunk. For example, on a Cisco switch the switchport mode command would be used to make this change. Other vendors indicate that the port is now "tagged," meaning that a VLAN ID will now be inserted into the frames. The 802.1Q standard also includes a provision for "hybrid" ports that understand both tagged and untagged frames. To be clear, nodes and routers are often unaware of the VLANs and use standard Ethernet or "untagged" frames. Trunk lines carrying VLAN or priority values will be using "tagged" frames. An example of a tagged frame can be seen in Figure 4-17.

So, on the trunk ports, a trunking protocol is run that allows the VLAN information to be included in each frame as it travels over the trunk line. For configuration, there are generally two steps: converting the port to trunk mode and determining the encapsulation (trunking protocol) to be used.

Using Figure 4-16 we'll go through an example of two nodes communicating over a trunk line. There are several steps to the process (in addition to host routing), so Figure 4-16 is labeled based on the steps listed.

Figure 4-16. Trunking traffic between switches

PC1 sends traffic to PC2 after processing its host routing table. These nodes are in the same VLAN but they are connected to different switches. The basic procedure:

  1. The Ethernet frame leaves PC1 and is received by Switch 1.

  2. The Switch 1 SAT indicates that the destination is on the other end of the trunk line.

  3. Switch 1 uses the trunking protocol to modify the Ethernet frame by adding the VLAN ID.

  4. The new frame leaves the trunk port on Switch 1 and is received by Switch 2.

  5. Switch 2 reads the VLAN ID and strips off the trunking protocol.

  6. The original frame is forwarded to the destination (port 4) based on the SAT of Switch 2.

The packet shown in Figure 4-17 provides detail on this modification. In this particular example, the trunking protocol that has been used is IEEE 802.1Q. This frame is an ICMP echo request from PC1 to PC2 and because it traverses the trunk line, the VLAN tag must be included so that Switch 2 knows how to properly forward the packet.

Figure 4-17. Ethernet frame with 802.1Q trunking

The Ethernet frame is intact but now has several additional fields such as the VLAN ID. In this case, the two computers communicating are on VLAN 2. The binary value of 0000 0000 0010 is shown. Note that the IP and ICMP headers have not been modified. However, because this is a change to the actual frame, the Cyclic Redundancy Check (CRC) at the end of the Ethernet frame must be recalculated. Trunking probably doesn't get as much attention as it should but, as soon as VLANs are configured on the switches, a trunking protocol must be used if the VLANs are to persist from one switch to another. Without a trunk, the nodes will probably all be on the same VLAN, which can lead to the problems noted earlier. Trunks and VLANs are a vital part of standard topologies.

Trunking Protocol Standards

There are two trunking protocols used on modern communication networks: Inter-Switch Link (ISL) from Cisco and the nonproprietary IEEE 802.1Q. Of the two, IEEE 802.1Q is the industry standard. Even Cisco switches now use IEEE 802.1Q (dot1q) by default, and ISL is a legacy encapsulation that many current Cisco platforms no longer support at all.

IEEE 802.1Q

The IEEE 802.1Q standard is actually entitled "IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks" and is primarily concerned with VLANs themselves. The trunking protocol or "tagging" of frames is discussed in later sections of 802.1Q. As a reminder, IEEE 802.1D is the standard for Media Access Control (MAC) Bridges upon which Layer 2 networks are constructed. Switch vendors adhere to both of these standards and then add enhancements such as management. The IEEE 802.1Q standard bases much of its language on documents such as the ISO/IEC 15802-3 standard for MAC bridges.

When using IEEE 802.1Q, a 4-byte tag is inserted between the Ethernet and IP headers. Per the 802.1Q standard, it is inserted 12 bytes into the frame, immediately following the source MAC address. Therefore, the frame is actually changed. The first two bytes of the tag occupy the position where the EtherType normally sits, so the value found at that offset changes as well. As an example, IP packets have an EtherType value of 0800, but on a trunk the value at that position is 8100 (the tag protocol identifier) and the original 0800 follows the tag, as shown in Figure 4-18.

Figure 4-18. Ethertype for IEEE 802.1Q

The 802.1Q header is straightforward and includes the following fields:

  • The tag protocol identifier (2-byte TPID). The value of 8100 can be seen just before the highlighted hexadecimal.
  • The tag control information (2-byte TCI)

There are three ways that this information can be structured, but those used in Token Ring and FDDI networks will not be covered here. The TCI includes the priority, Canonical Format Indicator and VLAN ID. The two-byte hexadecimal TCI from Figure 4-18 is 20 65.

Priority

Used in quality of service implementations, also called class of service. This is a three-bit field with values ranging from 000 (0) to 111 (7). The default value is 0 though vendors recommend higher values for certain types of traffic. For example, VoIP traffic is typically set to binary 101 (base 10: 5). Figure 4-18 depicts a slightly elevated priority of 1: the top three bits of the TCI 0x2065 are 001. Figure 4-19 depicts prioritized traffic from another network. In this case, the priority is set to 111 (7).

Canonical Format Indicator (CFI)

This single-bit field was used to indicate bit ordering or flags for routing information associated with legacy protocols such as Token Ring and FDDI. Today, nearly all switching is Ethernet. So, the field is almost never used and the value is typically 0. Current revisions of 802.1Q have redefined this bit as the Drop Eligible Indicator (DEI), but in ordinary Ethernet traffic it is still 0.

VLAN ID

The last twelve bits are allocated for the VLAN ID. Twelve bits give 4096 values, but 0 (a priority-only tag with no VLAN) and 4095 are reserved, so usable IDs range from 1 to 4094. The VLAN ID in Figure 4-18 in binary is 0000 0110 0101 (1100101 without the leading zeros). This corresponds to VLAN 101 in base 10.

Figure 4-19. Tagged frame with priority field

Pruning

While a particular VLAN may extend well beyond a single switch and may exist throughout much of a topology, it is not necessary to have it persist on every switch.

In Figure 4-21, VLANs 1 and 2 exist on both switches. But VLAN 3 (yellow) only exists on Switch 1. It doesn't make much sense to have the traffic for VLAN 3 forwarded to Switch 2. The benefits include a reduction in trunk line traffic and a potential security improvement through this pruning capability, especially with static topologies. Switch 1 prunes VLAN 3 traffic (prevents passage) out its trunk port.

Figure 4-21. Pruning example

Vendors take different approaches to pruning; some permit all VLANs by default (Cisco), others deny all VLANs by default. On Cisco switches the manually configured allowed list on the trunk (switchport trunk allowed vlan) is the setting to check; VTP pruning is a separate, dynamic mechanism and not a substitute for it. Regardless of vendor, it is always a good idea to examine the trunking configuration and determine the best approach for tagged frames, untagged frames and pruning.

VLAN Design Considerations

VLANs create boundaries that can isolate nodes or traffic, so some thought should go into the design of a multi-VLAN topology. The general question to ask is "Who is talking to whom and what are they trying to get done?" The following list provides some guidelines.

Scaling considerations

How big is the network and how far does the traffic have to go?

Traffic patterns

Over what pathways do packets/frames travel?

Applications

Why is the traffic there? What are the hosts trying to do?

Network management

Is SNMP or another management protocol running? How will you get to all of the nodes?

Group commonality

What do nodes have in common? Are there shared resources or traffic patterns?

IP addressing scheme

What does the IP address space look like? How many nodes will be in each VLAN?

Physical location

Do the nodes occupy the same office? Floor? Building?

Static versus Dynamic

Are the nodes moving around or are they stationary?

End-to-end versus Local VLANs

Are there nodes outside of a location that should be part of the same VLAN?

80/20 versus 20/80 traffic flow pattern

Is a majority of the flow internal or external? Is this pattern changing?

Common security requirements

Are these nodes servers? End nodes? Wireless? Do the nodes represent vital company resources? Are these public-facing machines?

Quality of service

Are there quality of service concerns?

In addition to these general questions, there are other good practices to follow that will help reduce exposure to security risk and protect vital network resources.

  • Wireless should be in its own VLAN. Since wireless is a shared medium, all broadcast and much of the multicast traffic coming from the switch will be shared as well. In addition, any flooded unicast traffic will be seen by all wireless nodes. Creating a VLAN for wireless nodes narrows the traffic that they can see. In addition, a potential attack via wireless will have a boundary to cross before reaching other portions of the network.

  • VoIP elements should also be in their own VLAN. This is as much for quality of service as it is for protection. Anytime real-time voice traffic has to compete for bandwidth, there is the potential for performance degradation. Security concerns are to some extent relieved by the VLANs as well. Tools such as Wireshark can not only capture but decode and play voice traffic, so it is important to keep voice traffic separated wherever possible.

  • Other important network devices such as servers, or even users of sensitive data, should be placed in their own VLANs. In addition to the reasons already stated, many vendors have features that allow the creation of VLAN-specific security and QoS policies.

Security Considerations

This chapter has discussed the need to isolate traffic. Organizations need not forward data to every single port because this is inefficient and represents a security risk due to potential eavesdroppers. There are several configuration items that should be part of any VLAN deployment checklist. One of the biggest challenges associated with deploying a network device is understanding default behavior. Switches and routers are no different, particularly as the number of features increases.

One of these items is the default configuration mode of the ports on the switch. Most switch ports will wind up connected to computers and so will act as access ports. What is not obvious is that on many devices, the default configuration is not access, but dynamic. This means that the port is willing to negotiate its mode of operation. If two switches are connected together, and one switch is configured with a trunk port, it is often the case that it will generate Dynamic Trunking Protocol (DTP) messages. Once received, this message may cause the second switch to convert its port to a trunk automatically. This is shown in Figure 4-22.

Figure 4-22. Dynamic port configuration security exposure

Initially this auto-configuration sounds convenient, but what is to stop an attacker from generating the same message and converting a port in the same fashion? The attacker's port will then receive broadcast, multicast and flooded unicast traffic for all VLANs not pruned. In addition to allowing the attacker to learn more about the network, it also means that the attacker may be able to generate tagged frames that will be delivered over the entire network. Whenever possible, dynamic configuration should be turned off. On Cisco switches that means setting every port explicitly to access or trunk mode (switchport mode access or switchport mode trunk) and suppressing DTP on the trunks with switchport nonegotiate.

In addition to pruning for proper VLAN boundaries and the default configurations of the ports, it may be prudent to add a couple of additional configuration changes. Unused ports can be collected into a "dead-end VLAN" that is not routed and is pruned from the network, and administratively shut down until needed. Anyone connecting to a port in this VLAN will be isolated. In addition, many vendors offer security enhancements to ports such as authorized MAC addresses and restricting the number of MAC addresses allowed. When invalid MAC addresses are seen on the port, the port will automatically be shut down or disabled.
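The checklist items in this section (ports left negotiable, trunks still running DTP, trunks with no allowed-VLAN list, unused ports not parked in a dead-end VLAN, access ports left in VLAN 1, no port-security), run as a static review over a constructed Cisco IOS-style interface configuration. This is an added example written for this page, not a tool from the chapter: the interface names, descriptions, the "UNUSED" convention and the choice of 999 as the dead-end VLAN are assumptions for the example, while the switchport commands themselves are standard IOS syntax. It reads configuration text only and does not talk to a switch.

```python
"""Added example, not from the chapter: audit switch port defaults in an IOS-style config."""
from __future__ import annotations
import re

DEADEND_VLAN = 999   # assumption: the unrouted, pruned VLAN used to park unused ports

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description user desk 101
 switchport mode access
 switchport access vlan 10
 switchport port-security maximum 2
!
interface FastEthernet0/2
 description user desk 102
 switchport access vlan 10
!
interface FastEthernet0/3
 description UNUSED
!
interface FastEthernet0/4
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
"""   # constructed sample


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS-style config into {interface name: [stripped command lines]}."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith("!"):
            current = None
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
    return interfaces


def audit_interface(lines: list[str]) -> list[str]:
    findings: list[str] = []
    mode, description, access_vlan = None, "", 1     # VLAN 1 is the IOS default when unset
    for line in lines:
        if line.startswith("switchport mode "):
            mode = line.split()[2]                    # access | trunk | dynamic
        elif line.startswith("description "):
            description = line[len("description "):]
        elif (m := re.fullmatch(r"switchport access vlan (\d+)", line)):
            access_vlan = int(m.group(1))
    shut = "shutdown" in lines
    if mode is None or mode == "dynamic":
        findings.append("mode not fixed: DTP can negotiate this port into a trunk")
    if mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append("trunk still runs DTP: add switchport nonegotiate")
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append("trunk carries all VLANs: prune with switchport trunk allowed vlan")
        return findings
    if "UNUSED" in description.upper():
        if access_vlan != DEADEND_VLAN or not shut:
            findings.append(f"unused port not shut down in dead-end VLAN {DEADEND_VLAN}")
        return findings
    if access_vlan == 1:
        findings.append("access port left in default VLAN 1")
    if not shut and not any(l.startswith("switchport port-security") for l in lines):
        findings.append("no port-security: MAC addresses per port are not limited")
    return findings


def audit_config(config: str) -> dict[str, list[str]]:
    """Return {interface: findings}; an empty list means the port passed every check."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}
```

The "mode not fixed" finding fires for FastEthernet0/2 even though it has an access VLAN assigned, because an access VLAN on a port whose mode was never set does not stop DTP from negotiating it into a trunk; that is exactly the exposure Figure 4-22 shows.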

Reading

  • IEEE 802.1Q standard, entitled "IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks"
  • ISO/IEC 15802-3 ANSI/IEEE Std 802.1D Information technology—Telecommunications and information exchange between systems—Local and metropolitan surface area networks—Common specifications—Part 3: Media Access Control (MAC) Bridges

Summary

VLANs are a basic tool for creating network boundaries. While they can create challenges regarding the forwarding of traffic, they can be a powerful tool for handling security and quality of service concerns. This chapter discussed the operation of VLANs and the methods used for propagating VLANs throughout a larger topology. When deploying VLANs and trunks, there are several design considerations to take into account. One must address the basic questions of "Who is talking to whom and why?" As topologies and the VLANs grow, so does the complexity. It is important to review the default operation and configuration of network elements in order to ensure that locally created configurations do not place the network at risk.

Review Questions

  1. Broadcast frames will proceed to propagate until they reach a routed interface.

    1. TRUE

    2. FALSE

  2. Broadcast and multicast traffic will cross VLAN boundaries but unicast traffic will not.

    1. TRUE

    2. False

  3. By default, all hosts are connected to the same VLAN.

    1. TRUE

    2. FALSE

  4. Hosts do not usually know to what VLAN they are connected.

    1. TRUE

    2. FALSE

  5. In a contemporary data network, the primary use of a trunk line is to convey VLAN information.

    1. TRUE

    2. FALSE

  6. While they are both part of a switch, the source address table and the VLANs are not integrated in any way.

    1. TRUE

    2. FALSE

  7. Which of the following is the industry standard trunking protocol?

    1. ISL

    2. IEEE 802.1

    3. VLANs

  8. Pruning is the practice of preventing unauthorized access to trunk lines.

    1. TRUE

    2. FALSE

  9. Dynamic port mode is a security hazard because by default attackers can see all unpruned VLAN traffic.

    1. TRUE

    2. FALSE

  10. Services such as VoIP and wireless users should be placed in their own VLANs.

    1. TRUE

    2. FALSE

Review Answers

  1. TRUE

  2. FALSE

  3. TRUE

  4. TRUE

  5. TRUE

  6. FALSE

  7. B

  8. FALSE

  9. FALSE

  10. TRUE

Lab Activities

Activity 1—Setting Up Local VLANs

Materials: A VLAN capable switch and a router. Note: A home gateway may be used if it can be converted to a router to avoid confusion over the NAT operation.

Note: The goal of this particular activity is just to understand the basic configuration necessary for routing between VLANs without trunks, as shown in Figure 4-23.

Figure 4-23. Activity 1

  1. On the switch create a pair of VLANs.

  2. Add a host to each VLAN and determine the IP addressing scheme. As an example, one VLAN might use 192.168.1.0 and the other 192.168.2.0. Handy Cisco command: switchport access vlan X.

  3. Connect a router interface to each of the VLANs and assign the proper IP addressing. At this point, the nodes on different networks should be able to successfully PING each other.

Activity 2—VLANs and the SAT

Materials: A VLAN capable switch and a router.

  1. Once the topology from Activity 1 is complete, PING between all of the nodes and router interfaces.

  2. On the switch, examine the source address (MAC address) table. Handy Cisco command: show mac-address-table

  3. Compare this table to one in which all of the nodes are in the same VLAN.

  4. Using the data in the SAT and the routing table of the router, develop a step by step procedure for forwarding packets from one computer to the other.

Activity 3—What Can You See?

Materials: A VLAN capable switch, a router and Wireshark.

During this activity, the goal is to determine how far traffic in one VLAN will travel and if it can be seen on another VLAN on the same switch.

  1. Start a capture on one of the network hosts in one of the VLANs.

  2. In the other VLAN, generate broadcast traffic by "PINGing" an unused IP address on the same network. This will cause an ARP request to be transmitted.

  3. From this same source host, generate unicast traffic by "PINGing" the router.

  4. It turns out that Windows-based computers periodically generate multicast traffic as they search for services.

  5. Did the capture node in the other VLAN see the unicast, multicast or broadcast traffic that was created by the source host? The answer should be "NO."

  6. As an additional experiment, change the IP address of the capture host so that it is on the same network as the source host. They should now be on the same network but in different VLANs. Try to PING between these two nodes. This attempt should fail because even though they are on the same network, the switch has separated them and the traffic is not allowed to cross the VLAN boundary.

Activity 4—Basic Trunking

Materials: A second VLAN capable switch, a trunk capable switch and a router.

  1. Connect another switch to the topology already constructed.

  2. On the new switch create the same VLANs.

  3. Move one host into each VLAN. If you have a shortage of computers, it is sufficient to place one in a VLAN on the first switch and a second in the other VLAN on the new switch, as shown in Figure 4-24.

    Figure 4-24. Activity 4
  4. On each switch, configure as trunks the ports used to interconnect the two switches. Handy Cisco commands: switchport mode trunk, switchport trunk encapsulation dot1q

  5. At this point, the network hosts should be able to PING each other.

  6. As an additional experiment, explore the capabilities of the switches and try to set up a host capable of capturing the traffic running over the trunk. This is typically done with a span, mirror or monitor port. The goal is to examine the IEEE 802.1Q tags used on the trunk. Handy Cisco command: monitor session.
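To know what to look for in that trunk capture, it helps to decode the tag by hand. The following Python decoder is an added example, not part of the book's lab: it takes a constructed 802.1Q-tagged ARP frame as it would appear on the trunk, pulls out the TPID, priority and VLAN ID, and treats untagged and priority-tagged (VID 0) frames as belonging to an assumed native VLAN.

```python
import struct

# Constructed sample frame (made up for this example): a broadcast ARP request
# carrying an 802.1Q tag for VLAN 10, as a mirror port on the trunk would show it.
TAGGED = (bytes.fromhex("ffffffffffff")    # destination MAC: broadcast
          + bytes.fromhex("0011223344aa")  # source MAC (constructed value)
          + bytes.fromhex("8100")          # TPID 0x8100: an 802.1Q tag follows
          + bytes.fromhex("000a")          # TCI: PCP 0, DEI 0, VID 10
          + bytes.fromhex("0806")          # real EtherType: ARP
          + bytes(28))                     # ARP body, zeroed for the sample
UNTAGGED = TAGGED[:12] + TAGGED[16:]       # same frame as seen on an access port

def parse_frame(frame, native_vlan=1):
    """Decode MACs, the 802.1Q tag (if present) and EtherType of one Ethernet frame.

    native_vlan is the assumed VLAN that untagged frames on the trunk belong to.
    """
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "pcp": None, "dei": None, "vlan": native_vlan}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload_at = 14
    if ethertype == 0x8100:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        info["tagged"] = True
        info["pcp"] = tci >> 13            # 3-bit priority code point
        info["dei"] = (tci >> 12) & 1      # drop eligible indicator
        vid = tci & 0x0FFF                 # 12-bit VLAN identifier
        if vid == 0:
            vid = native_vlan              # VID 0 = priority tag only, no VLAN
        info["vlan"] = vid
        (ethertype,) = struct.unpack("!H", frame[16:18])
        payload_at = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[payload_at:]
    return info
```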


Source: https://www.oreilly.com/library/view/packet-guide-to/9781449311315/ch04.html
