
What Device Is Required to Move Traffic Between Vlans

Chapter 4. VLANs and Trunking

The move from hubs (shared networks) to switched networks was a big improvement. Control over collisions, increased throughput, and the additional features offered by switches all provide ample incentive to upgrade infrastructure. But Layer 2 switched topologies are not without their difficulties. Extensive flat topologies can create congested broadcast domains and can involve compromises with security, redundancy, and load balancing. These issues can be mitigated through the use of virtual local area networks, or VLANs. This chapter describes the structure and operation of VLANs as standardized in IEEE 802.1Q. The discussion includes the trunking methods used for interconnecting devices on VLANs.

Problem: Big Broadcast Domains

With any single shared-media LAN segment, transmissions propagate through the entire segment. As traffic activity increases, more collisions occur and transmitting nodes must back off and wait before attempting the transmission again. While the collision is cleared, other nodes must also wait, further increasing congestion on the LAN segment.

The left side of Figure 4-1 depicts a small network in which PC 2 and PC 4 attempt transmissions at the same time. The frames propagate away from the computers, eventually colliding with each other somewhere in between the two nodes as shown on the right. The increased voltage and power then propagate away from the scene of the collision. Note that the collision does not continue past the switches on either end. These are the boundaries of the collision domain. This is one of the principal reasons for switches replacing hubs. Hubs (and access points) simply do not scale well as network traffic increases.

Figure 4-1. Before and after collision

The use of switches at Layer 2 eliminates much of the scaling problem because they filter out issues such as collisions. Instead, transmissions are now governed by the behavior of the switches and the broadcast domain. A broadcast domain defines the area over which a broadcast frame will propagate. For example, an ARP request issued by PC 3 results in a broadcast frame that propagates through the switches all the way to the routers as shown in Figure 4-2. A broadcast frame has the broadcast address (FF-FF-FF-FF-FF-FF) as the destination MAC.

Figure 4-2. Broadcast domain

With the improved performance and filtering resulting from the use of switches, there is a temptation to create large Layer 2 topologies and add lots of nodes, but this creates a large broadcast domain. The trouble is that all devices on a network (computers, printers, switching equipment, etc.) generate broadcast and multicast frames that traverse the entire broadcast domain, competing with data traffic for bandwidth. Much of this traffic is for management of the network and includes protocols for address resolution (ARP), dynamic host configuration (DHCP), spanning tree (STP), and an assortment of Windows tasks. Figure 4-3 illustrates the potential difficulty. Assume that PC1 has generated the following requests: ARP, Windows registration, and DHCP.

Figure 4-3. Broadcast frame growth

Because all of the requests use a broadcast frame, as they are received at Switch 1, the frames are forwarded in all directions. As the other switches in the topology follow suit, the frames traverse the entire network and are received at all other nodes and the routers.

As the number of network nodes increases, the amount of overhead also increases. Each switch might be connected to dozens of nodes, with each node generating the same several broadcast frames. If enough traffic is created, even a switched network can have poor performance. Deploying VLANs can help solve this problem by breaking up the broadcast domain and separating the traffic.

What Is a VLAN?

A virtual local area network (VLAN) is a logical grouping of ports which is independent of location. A single VLAN (and the nodes connected in a single VLAN) will behave in the same way as if it was a separate Layer 3 network. VLAN membership need not be limited to sequential ports or even ports on the same switch. Figure 4-4 depicts a very common deployment in which nodes are connected to a switch and the switch is connected to a router. Looking at the left side, the automatic assumption would be that all of the nodes are on the same IP network since they all connect to the same router interface.

Figure 4-4. Basic switch and VLAN topology

What is not obvious from the topology on the left is that by default, all of these nodes are actually part of the same VLAN. So, another way to think about this topology is based on the VLAN as shown on the right. For example, with Cisco devices the default VLAN is VLAN 1. This is also called the management VLAN. Its initial configuration includes all ports as members and this is reflected in the source address table or SAT. This table is often described as being used to forward frames to the proper Layer 2 port based on the destination MAC. With the introduction of VLANs, the source address table reflects the port-to-MAC-address mapping on a per-VLAN basis, resulting in more advanced forwarding decisions. Figure 4-5 displays the output from both the show mac-address-table and show vlan commands. All of the ports (Fa0/1 – Fa0/24) are in VLAN 1.

Figure 4-5. Switch SAT and VLAN output

Another common topology can be seen in Figure 4-6 in which two switches are separated by a router. In this case, a group of nodes is connected to each switch. The nodes on a particular switch share a common IP addressing scheme. There are two networks, 192.168.1.0 and 192.168.2.0.

Figure 4-6. Router, switch and VLANs

Note that both of the switches have the same VLAN since, in the absence of any configuration changes, switches from the same vendor will have the same numbering convention. Nonlocal network traffic must be sent to the router for forwarding. Routers will not forward Layer 2 unicast, multicast and broadcast frames. VLANs provide a very similar logical topology in that nodes within a VLAN share a common addressing scheme and nonlocal traffic (traffic destined for nodes on a different VLAN) must be sent to the router for forwarding. By creating an extra VLAN on one of the switches and removing the other, Figure 4-6 can now be redrawn as shown in Figure 4-7.

Figure 4-7. Single switch, multiple VLANs

A VLAN operates in the same way as a Layer 3 IP-based network. Thus, nodes on the 192.168.1.0 network must go to the router when trying to communicate with nodes on the 192.168.2.0 network even though all of the computers are connected to the same switch. In order to communicate between VLANs, routing functionality must be part of the topology. Layer 2 unicast, multicast and broadcast traffic will not cross VLAN boundaries; therefore traffic generated on VLAN 1 will not be seen by nodes on VLAN 2. But the switch is aware of the VLANs. The nodes and the router have no idea that VLANs are in use; they are "not VLAN-aware." With the addition of the routing decision, Layer 3 functionality can now be leveraged for additional security settings, trouble/traffic containment and load balancing.

The Effect of VLANs

Configuring a switch for multiple VLANs reduces the size of each broadcast domain. Therefore the amount of overhead traffic is lower, which reduces bandwidth contention with data traffic. Stated another way, a node in a particular VLAN has less broadcast traffic with which to contend. Since switch forwarding behavior is based on MAC addresses stored in the source address table, the following rules apply:

  • For known unicast destinations, the switch will forward the frame to the destination port only.

  • For unknown unicast destinations, the switch will forward the frame to all active ports except the originating port. This is called flooding.

  • For multicast and broadcast destinations, the switch will forward the frame to all active ports except the originating port.

However, the switch now has the additional requirement of considering the VLAN of the destination node. Referring to Figure 4-7, if PC1 were to issue an ARP request, instead of simply forwarding this frame to every port, the switch determines that the frame originated on VLAN 1. The effect is that only PC2 and the leftmost router interface (192.168.1.254) actually see the frame.

Aims and benefits from the 802.1Q standard:

  • VLANs are supported over all IEEE 802 LAN MAC protocols, over shared media LANs as well as point-to-point LANs.

  • VLANs facilitate easy administration of logical groups of stations that can communicate as if they were on the same LAN. They also facilitate easier administration of moves, adds, and changes in members of these groups.

  • Traffic between VLANs is restricted. Switches forward unicast, multicast, and broadcast traffic only on LAN segments that serve the VLAN to which the traffic belongs.

  • As far as possible, VLANs maintain compatibility with existing switches and end stations.

  • If all switch ports are configured to transmit and receive untagged frames (frames to/from non-VLAN-aware devices), switches will work in plug-and-play ISO/IEC 15802-3 style. End stations will be able to communicate throughout the Bridged LAN.

VLAN Ports Do Not Need to be Continuous

Since VLANs are logical groupings of nodes that are independent of location, it does not matter where the nodes connect. Figure 4-8 demonstrates this concept. The topology in Figure 4-7 has been redrawn with the IP addresses of network nodes changed. To help with clarity, in this example VLAN 1 is also red and VLAN 2 is blue. Ports 1, 4 and 5 are part of red VLAN 1 while ports 2, 3 and 6 are part of the blue VLAN 2.

It is often the case that network technicians do not wish to rewire the topology every time a new node is connected. So, a host may simply be connected to any available port and the port is then assigned to a particular VLAN. The critical idea is that the behavior is the same whether or not the ports are right next to each other. Thus, PC1 and PC4 can communicate directly with each other but must use the router to get to PC2 and PC3. Frames issued on red VLAN 1 will not be seen by nodes on blue VLAN 2.

Figure 4-8. Noncontinuous VLANs

Types of VLANs

There are two types of VLANs: static and dynamic. Both of these types can be used to cover small or large geographic areas. The type of VLAN that has been discussed thus far (a single switch divided into multiple VLANs) is called a static VLAN. Membership is largely determined by geographical location and to which port a particular node is connected. Most of the nodes in a particular VLAN are likely to be located in the same building, floor or set of offices. These VLANs can also be thought of as having local membership.

Figure 4-9 depicts an example of how nodes and VLANs might be arranged. PC1 and PC2 are physically located in the same part of the building and so are assigned to the same VLAN. The same is true for PC3 and PC4. It is likely that they serve users from the same department. This type of topology is configured manually by a network administrator who assigns ports on the switch to a particular VLAN. Again, the nodes and router do not have any knowledge about the VLANs.

Figure 4-9. Static VLAN, local membership

Most VLANs are configured with static membership. In topologies like those described above, nodes remain connected to the same port and so there is no need to change VLAN membership. The desktop computer is usually associated with an office desk or cubicle assigned to an employee and so there is little need to worry that the machine will move.

There are times when nodes do move around. There may be a need to access different resources. Ports may be used by different departments at different times, or differing levels of security may be required. Dynamic VLANs are more appropriate for these situations. Dynamic VLANs let nodes move around without altering VLAN membership. This means that as they plug into a particular port, the switch automatically configures the port for membership in the correct VLAN. A port that was configured for access in VLAN 1 for node A may now switch to VLAN 2 for node B. Consider the case in Figure 4-10. PC4, now a laptop, is moved from a port in VLAN 2 to a port in VLAN 1.

Figure 4-10. Moving from one VLAN to another

Case 1—DHCP

If DHCP has been deployed, when PC4 moves, it will simply obtain a new IP address on the new network, though this is not guaranteed. This may actually be the most common behavior for nodes connecting to a network on a particular VLAN. However, if services or security measures are in place and the organization's policy is to maintain separation between VLANs, then this configuration may pose a problem: access to the server. Once on the new network, PC4 may no longer be able to reach the right server or may require additional configuration to support the move.

Case 2—No DHCP

If the IP address of PC4 is statically configured, when it moves to the new location, its IP address will not match the network. It will no longer be able to reach the IP address of the gateway or the server. In this case, the node will not have any connectivity at all.

Solution: Dynamic VLANs

However, if the switch is smart enough to recognize that PC4 has now moved to a new port, it may be able to automatically repair the connection. Once PC4 connects to the new port, it will generate traffic. Upon receipt of a frame from PC4, the switch completes a database lookup to determine the VLAN membership and then assigns the port to the proper VLAN. Once this has occurred, PC4 will be able to communicate just as it did before the move. The new topology would look like the one shown in Figure 4-11. The node will not even have to change its IP address.

Figure 4-11. New dynamic VLAN topology

But how does the switch know? The most common method of assigning dynamic VLAN membership is via the MAC address. As soon as the node generates a single frame, the switch completes the MAC address query and then assigns the port. The nodes still do not have any knowledge that VLANs are used. VLAN membership can also be based on other criteria or tied to authentication schemes such as 802.1X.

VLANs Between Switches

So far, the VLANs discussed have been deployed on a single switch. The question arises: "What happens if multiple switches are part of the overall network fabric? How does it work?" The answers depend on the switch configurations. A default topology is shown in Figure 4-12 where two switches have just been powered up and several nodes connected. The default VLAN for both switches (if we assume Cisco devices) will be VLAN 1. This also means that the connections running between the switches will also be in VLAN 1. The router provides the egress point for all nodes.

Figure 4-12. Multiple switches, single VLAN

In this default topology, the nodes will not have any problem connecting to each other because the source address tables on the switches will show that they are all in the same VLAN. This will allow the unicast, multicast and broadcast traffic to flow freely. Note also that the nodes exist on the same IP network. The connection between the switches uses either a crossover cable or an uplink port.

Problems occur when new VLANs are created as shown in Figure 4-13. Since the VLANs create Layer 3 boundaries around the ports connected to the hosts, they are not able to communicate.

Figure 4-13. Problems with additional VLANs

Examining Figure 4-13, there are a couple of problems. First, the computers are all on the same IP network, despite being connected to different VLANs. Secondly, the router is isolated from all of the nodes because it is in VLAN 1. Lastly, the switches are interconnected via different VLANs. Each of these would create communication difficulties, but taken together, there is little or no communication between network elements.

It is often the case that a switch may be full or that nodes within the same administrative unit are geographically separated from each other. In these cases, a VLAN can be extended to neighboring switches through the use of a trunk line. Trunks will be discussed in greater detail later in this chapter, but for now it is sufficient to say that trunks connecting separate switches can, among other things, convey VLAN data between network devices. Figure 4-14 suggests several changes to repair the items noted in Figure 4-13.

Figure 4-14. Topology repaired with trunking

Repairs to the topology include:

  • PC1 and PC2 have been assigned to the 192.168.1.0 network and VLAN 2

  • PC3 and PC4 have been assigned to the 192.168.2.0 network and VLAN 3

  • The router interfaces are connected to VLANs 2 and 3.

  • The switches are interconnected via trunk lines.

Note that while the trunk ports appear to be in VLAN 1, they are not, as denoted by the letter T. Trunk ports do not have membership in any particular VLAN. Now that the VLANs persist across multiple switches, the nodes can be physically located anywhere and still be members of the same VLAN. When several switches are configured with VLANs and ports maintain their VLAN membership, the architecture is referred to as "end-to-end" and "static." It is not uncommon to have these switches located in different wiring closets, or even different buildings. Switches in the same closet can also be interconnected via trunk lines.

What is a Trunk?

Generally, there are two ways to look at a trunk line. In telephony, the term trunk refers to connections between offices or distribution facilities. These connections represent an increased number of lines or time division multiplexed connections as shown in Figure 4-15. Examples include 25-pair bundles or T carriers.

Figure 4-15. Telephone lines and trunks

For data networking, trunks have little to do with increasing the number of connections between switches. The primary use of a trunk line in a data network is to convey VLAN information. The trunk line shown in Figure 4-14 carries VLAN and quality of service data for the participating switches.

When a trunk line is installed, a trunking protocol is used to change the Ethernet frames as they travel across the trunk line. In Figure 4-14 the ports interconnecting the switches are trunk ports. This also means that there is more than one operational mode for switch ports. By default, all ports are called "access ports." This describes a port used by a computer or other end node to "access" the network. When a port is used to interconnect switches and convey VLAN information, the operation of the port is changed to a trunk. For example, on a Cisco switch the mode command would be used to make this change. Other vendors indicate that the port is now "tagged," meaning that a VLAN ID will now be inserted into the frames. The 802.1Q standard also includes a provision for "hybrid" ports that understand both tagged and untagged frames. To be clear, nodes and routers are often unaware of the VLANs and use standard Ethernet or "untagged" frames. Trunk lines providing VLAN or priority values will be using "tagged" frames. An example of a tagged frame can be seen in Figure 4-17.

So, on the trunk ports, a trunking protocol is run that allows the VLAN information to be included in each frame as it travels over the trunk line. For configuration, there are generally two steps: converting the port to trunk mode and determining the encapsulation (trunking protocol) to be used.

Using Figure 4-16 we'll go through an example of two nodes communicating over a trunk line. There are several steps to the process (in addition to host routing) so Figure 4-16 is labeled based on the steps listed.

Figure 4-16. Trunking traffic between switches

PC1 sends traffic to PC2 after processing its host routing table. These nodes are in the same VLAN but they are connected to different switches. The basic procedure:

  1. The Ethernet frame leaves PC1 and is received by Switch 1.

  2. The Switch 1 SAT indicates that the destination is on the other end of the trunk line.

  3. Switch 1 uses the trunking protocol to modify the Ethernet frame by adding the VLAN ID.

  4. The new frame leaves the trunk port on Switch 1 and is received by Switch 2.

  5. Switch 2 reads the VLAN ID and strips off the trunking protocol.

  6. The original frame is forwarded to the destination (port 4) based on the SAT of Switch 2.

The packet shown in Figure 4-17 provides detail on this modification. In this particular case, the trunking protocol that has been used is IEEE 802.1Q. This frame is an ICMP echo request from PC1 to PC2 and because it traverses the trunk line, the VLAN tag must be included so that Switch 2 knows how to properly forward the packet.

Figure 4-17. Ethernet frame with 802.1Q trunking

The Ethernet frame is intact but now has several additional fields such as the VLAN ID. In this example, the two computers communicating are on VLAN 2. The binary value of 0000 0000 0010 is shown. Note that the IP and ICMP headers have not been modified. However, because this is a change to the actual frame, the Cyclical Redundancy Check (CRC) at the end of the Ethernet frame must be recalculated. Trunking probably doesn't get as much attention as it should but, as soon as VLANs are configured on the switches, a trunking protocol must be used if the VLANs are to persist from one switch to another. Without a trunk, the nodes will probably all be on the same VLAN, which can lead to the problems noted earlier. Trunks and VLANs are a vital part of standard topologies.
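The forwarding rules from "The Effect of VLANs" and the six-step trunk procedure above can be exercised in a small model. The following is an added example, not code from the chapter or its author: a switch that keeps its source address table per VLAN, floods only within the VLAN, tags frames on trunk egress and strips the tag toward access ports, and treats the trunk's allowed-VLAN set as pruning. The port numbers, MAC addresses and VLAN ids are constructed to mirror Figures 4-7 and 4-16 (PC1 on Switch 1, PC2 on Switch 2 port 4, both in VLAN 1, trunk on port 24 of each switch).

```python
"""Model of a VLAN-aware switch: a source address table kept per VLAN,
flooding scoped to the VLAN, tags added on trunk egress and stripped on
access egress, and trunk pruning via an allowed-VLAN set.  Hypothetical
example code, not from the chapter; port numbers, MACs and VLAN ids are
constructed to mirror Figures 4-7 and 4-16."""
from __future__ import annotations
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac):
    """Multicast/broadcast destinations have the low bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 1


@dataclass
class Frame:
    dst: str
    src: str
    vid: int | None = None   # None = untagged, as sent by a non-VLAN-aware node


@dataclass
class Switch:
    name: str
    access: dict[int, int]                                         # access port -> its VLAN
    trunks: dict[int, set[int]] = field(default_factory=dict)      # trunk port -> unpruned VLANs
    sat: dict[tuple[int, str], int] = field(default_factory=dict)  # (vlan, mac) -> port

    def _ingress_vlan(self, port, frame):
        # Access ports classify by configuration; trunk ports read the tag.
        return self.access[port] if port in self.access else frame.vid

    def _member_ports(self, vlan):
        ports = [p for p, v in self.access.items() if v == vlan]
        return ports + [p for p, allowed in self.trunks.items() if vlan in allowed]

    def _egress(self, port, vlan, frame):
        # Strip the tag toward end nodes, carry it across trunks.
        vid = None if port in self.access else vlan
        return port, Frame(frame.dst, frame.src, vid)

    def receive(self, port, frame):
        """Return the (egress_port, frame) pairs emitted for one ingress frame."""
        vlan = self._ingress_vlan(port, frame)
        if vlan is None or (port in self.trunks and vlan not in self.trunks[port]):
            return []                                # untagged on a trunk, or pruned VLAN
        self.sat[(vlan, frame.src)] = port           # learn the source on this VLAN only
        known = self.sat.get((vlan, frame.dst))
        if not is_group(frame.dst) and known is not None:
            targets = [] if known == port else [known]                    # known unicast
        else:
            targets = [p for p in self._member_ports(vlan) if p != port]  # flood in VLAN
        return [self._egress(p, vlan, frame) for p in targets]


def run_walkthrough():
    """Replay the chapter's scenarios and return what each switch emits."""
    # Switch 1: PC1 (port 1), PC2-side ports and the router interface (port 5) in VLAN 1,
    # ports 3/4 in VLAN 2, port 6 in VLAN 3 (exists only here), trunk 24 carries VLANs 1-2.
    sw1 = Switch("Switch1", access={1: 1, 2: 1, 5: 1, 3: 2, 4: 2, 6: 3}, trunks={24: {1, 2}})
    sw2 = Switch("Switch2", access={1: 1, 3: 1, 4: 1, 2: 2}, trunks={24: {1, 2}})
    pc1, pc2, pc6 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:06"
    out = {}
    # PC1 broadcasts an ARP request: only VLAN 1 ports and the trunk (tagged) see it.
    out["arp_sw1"] = sw1.receive(1, Frame(BROADCAST, pc1))
    tagged = dict(out["arp_sw1"])[24]
    # Switch 2 reads the tag, strips it, and floods only its own VLAN 1 access ports.
    out["arp_sw2"] = sw2.receive(24, tagged)
    # PC2 (Switch 2 port 4) replies; the reply crosses the trunk so Switch 1 learns PC2 via port 24.
    for port, f in sw2.receive(4, Frame(pc1, pc2)):
        sw1.receive(port, f)                          # port 24 is the trunk on both switches
    # Steps 2-6: PC1 -> PC2 is a known unicast sent tagged over the trunk, delivered untagged on port 4.
    out["step3_tagged"] = sw1.receive(1, Frame(pc2, pc1))
    out["step6_untagged"] = sw2.receive(*out["step3_tagged"][0])
    # Pruning: VLAN 3 is not allowed on the trunk, so its broadcast never leaves Switch 1.
    out["pruned"] = sw1.receive(6, Frame(BROADCAST, pc6))
    return out


if __name__ == "__main__":
    for step, emitted in run_walkthrough().items():
        print(step, emitted)
```

The `(vlan, mac)` key on the source address table is the point of the model: the same MAC learned on two VLANs is two separate entries, and a lookup never returns a port in another VLAN, which is why the ARP from PC1 reaches only VLAN 1 ports.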

Trunking Protocol Standards

There are two trunking protocols used on modern communication networks: Inter-Switch Link (ISL) from Cisco and the nonproprietary IEEE 802.1Q. Of the two, IEEE 802.1Q is the industry standard. Even Cisco switches now use IEEE 802.1Q (dot1q) by default.

IEEE 802.1Q

The IEEE 802.1Q standard is actually entitled "IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks" and is primarily concerned with VLANs themselves. The trunking protocol or "tagging" of frames is discussed in later sections of 802.1Q. As a reminder, IEEE 802.1D is the standard for MAC Access Control Bridges upon which Layer 2 networks are constructed. Switch vendors adhere to both of these standards and then add enhancements such as management. The IEEE 802.1Q standard bases much of its language on documents such as the ISO/IEC 15802-3 standard for MAC bridges.

When using IEEE 802.1Q, a 4-byte header is inserted in between the Ethernet and IP headers. Per the 802.1D standard, it is inserted 12 bytes into the frame, immediately following the source MAC address. Therefore, the frame is actually changed. So, the Ethernet type, which indicates the kind of encapsulated data, must also change. As an example, IP packets have an Ethertype value of 0800 but when running over a trunk it is changed to 8100 as shown in Figure 4-18.

Figure 4-18. Ethertype for IEEE 802.1Q

The 802.1Q header is straightforward and includes the following fields:

  • The tag protocol identifier (2-byte TPID). The value of 8100 can be seen just before the highlighted hexadecimal.
  • The tag control information (2-byte TCI)

There are three ways that this information can be structured but those used in token ring and FDDI networks will not be covered here. The TCI includes the priority, Canonical Format Indicator and VLAN ID. The two-byte hexadecimal TCI from Figure 4-18 is 20 65.

Priority

Used in quality of service implementations, also called class of service. This is a three-bit field with values ranging from 000 (0) to 111 (7). The default value is 0, though vendors recommend higher values for certain types of traffic. For example, VoIP traffic is typically set to binary 101 (base 10: 5). Figure 4-18 depicts a slightly elevated priority of 2. Figure 4-19 depicts prioritized traffic from another network. In this case, the priority is set to 111 (7).

Canonical Format Indicator (CFI)

This single-bit field was used to indicate bit orders or flags for routing information associated with legacy protocols such as token ring and FDDI. Today, almost all switching is Ethernet. So, the field is almost never used and the value is typically 0.

VLAN ID

The final twelve bits are allocated for the VLAN ID for values ranging from 1 to 4095. The VLAN ID in binary is 1100101. This corresponds to VLAN 101 in base 10.

Figure 4-19. Tagged frame with priority field
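The frame modification shown in Figure 4-17 and the header layout just described (TPID, then a TCI of 3-bit priority, 1-bit CFI and 12-bit VLAN ID, inserted 12 bytes into the frame with the FCS recomputed) can be reproduced byte for byte. The following is an added example, not code from the chapter or its author; the MAC addresses and the payload standing in for the ICMP echo request are constructed. Decoding the chapter's TCI value 20 65 with this layout gives VID 101, matching the binary 1100101 quoted above; the FCS helper uses CRC-32 as implemented by `zlib`, which is the Ethernet polynomial, with the result sent least-significant byte first.

```python
"""Byte-level 802.1Q tagging: insert the 4-byte tag after the source MAC,
which moves the original Ethertype to offset 16 and puts 0x8100 at offset 12,
then recompute the FCS.  Hypothetical example code, not from the chapter;
MACs and payload are constructed."""
import struct
import zlib

TPID_8021Q = 0x8100      # Ethertype seen at offset 12 on a tagged frame
ETHERTYPE_IPV4 = 0x0800  # the original Ethertype, pushed to offset 16 by the tag


def mac(text):
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def fcs(body):
    """Ethernet FCS: CRC-32 (same polynomial and reflection as zlib.crc32),
    transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload):
    """Untagged frame as an end node sends it (minimum-size padding omitted)."""
    body = mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def pack_tci(priority, cfi, vid):
    """3-bit priority, 1-bit CFI and 12-bit VLAN ID packed into the 16-bit TCI."""
    if not (0 <= priority <= 7 and cfi in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("TCI field out of range")
    return (priority << 13) | (cfi << 12) | vid


def unpack_tci(tci):
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def tag_frame(frame, vid, priority=0, cfi=0):
    """Step 3 of the trunk procedure: insert TPID+TCI 12 bytes into the frame.
    The IP/ICMP bytes are untouched, but the FCS must be recalculated."""
    body = frame[:-4]
    tag = struct.pack("!HH", TPID_8021Q, pack_tci(priority, cfi, vid))
    new_body = body[:12] + tag + body[12:]
    return new_body + fcs(new_body)


def untag_frame(frame):
    """Step 5: strip the 4-byte tag; the recomputed FCS is the original one again."""
    body = frame[:-4]
    if struct.unpack("!H", body[12:14])[0] != TPID_8021Q:
        return frame
    new_body = body[:12] + body[16:]
    return new_body + fcs(new_body)


def parse_frame(frame):
    """Decode a frame as a VLAN-aware switch would: tag fields (vid is None
    when untagged), the inner Ethertype, the payload and an FCS check."""
    body, trailer = frame[:-4], frame[-4:]
    info = {"fcs_ok": fcs(body) == trailer, "priority": None, "cfi": None, "vid": None}
    (ethertype,) = struct.unpack("!H", body[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", body[14:18])
        info["priority"], info["cfi"], info["vid"] = unpack_tci(tci)
        payload = body[18:]
    else:
        payload = body[14:]
    info["ethertype"], info["payload"] = ethertype, payload
    return info


# Constructed stand-in for the ICMP echo request of Figure 4-17 (not real packet bytes).
PAYLOAD = b"constructed ICMP echo request from PC1 to PC2"
ORIGINAL = build_frame("00:11:22:33:44:02", "00:11:22:33:44:01", ETHERTYPE_IPV4, PAYLOAD)
TAGGED = tag_frame(ORIGINAL, vid=2)   # PC1 and PC2 are on VLAN 2, as in the chapter

if __name__ == "__main__":
    print("TCI 20 65 ->", unpack_tci(0x2065))            # (priority, CFI, VID 101)
    print("tagged Ethertype at offset 12:", TAGGED[12:14].hex())
    print("original Ethertype now at offset 16:", TAGGED[16:18].hex())
    print("FCS changed:", TAGGED[-4:] != ORIGINAL[-4:])
    print("untag restores original:", untag_frame(TAGGED) == ORIGINAL)
```

`parse_frame` is what a trunk port has to do on every frame: look at offset 12, and only if it reads 0x8100 treat the next two bytes as the TCI. A frame that arrives on a trunk without that TPID is an untagged frame from a non-VLAN-aware device, which is exactly the case the hybrid-port provision in 802.1Q exists for.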

Pruning

While a particular VLAN may extend well beyond a single switch and may be throughout much of a topology, it is not necessary to have it persist on every switch.

In Figure 4-21, VLANs 1 and 2 exist on both switches. But VLAN 3 (yellow) only exists on Switch 1. It doesn't make much sense to have the traffic for VLAN 3 forwarded to Switch 2. The benefits include a reduction in trunk line traffic and potential security improvement through this pruning capability, especially with static topologies. Switch 1 prunes VLAN 3 traffic (prevents passage) out its trunk port.

Figure 4-21. Pruning example

Vendors have different approaches to pruning; some allow all VLANs by default (Cisco), others deny all VLANs by default. Regardless of vendor, it is always a good idea to examine the trunking configuration and determine the best approach for tagged frames, untagged frames and pruning.

VLAN Design Considerations

VLANs create boundaries that can isolate nodes or traffic, so some thought should go into the design of a multi-VLAN topology. The general question to ask is "Who is talking to whom and what are they trying to get done?" The following list provides some guidelines.

Scaling considerations

How big is the network and how far does the traffic have to get?

Traffic patterns

Over what pathways do packets/frames travel?

Applications

Why is the traffic there? What are the hosts trying to do?

Network management

Is SNMP or some other management protocol running? How will you get to all of the nodes?

Group commonality

What do nodes have in common? Are there shared resources or traffic patterns?

IP addressing scheme

What does the IP address space look like? How many nodes will be in each VLAN?

Physical location

Do the nodes occupy the same office? Floor? Building?

Static versus Dynamic

Are the nodes moving around or are they stationary?

End-to-end versus Local VLANs

Are there nodes outside of a location that should be part of the same VLAN?

80/20 versus 20/80 traffic flow pattern

Is a majority of the flow internal or external? Is this pattern changing?

Common security requirements

Are these nodes servers? End nodes? Wireless? Do the nodes represent vital company resources? Are these public-facing machines?

Quality of service

Are there quality of service concerns?

In addition to these general questions, there are other good practices to follow that will help reduce exposure to security risk and protect vital network resources.

  • Wireless should be in its own VLAN. Since wireless is a shared medium, all broadcast and much of the multicast traffic coming from the switch will be shared as well. In addition, any flooded unicast traffic will be seen by all wireless nodes. Creating a VLAN for wireless nodes narrows the traffic that they can see. In addition, a potential attack via wireless will have a boundary to cross before reaching other portions of the network.

  • VoIP elements should also be in their own VLAN. This is as much for quality of service as it is for protection. Anytime real-time voice traffic has to compete for bandwidth, there is the potential for performance degradation. Security concerns are to some extent relieved by the VLANs as well. Tools such as Wireshark can not only capture but decode and play voice traffic, so it is important to keep voice traffic separated wherever possible.

  • Other important network devices such as servers or even users of sensitive data should be placed in their own VLANs. In addition to the reasons already stated, many vendors have features that allow the creation of VLAN-specific security and QoS policies.

Security Considerations

This chapter has discussed the need to isolate traffic. Organizations need not forward data to every single port because this is inefficient and represents a security risk due to potential eavesdroppers. There are several configuration items that should be part of any VLAN deployment checklist. One of the biggest challenges associated with deploying a network device is understanding default behavior. Switches and routers are no different, particularly as the number of features increases.

One of these items is the default configuration mode of the ports on the switch. Most switch ports will wind up connected to computers and so will act as access ports. What is not obvious is that on many devices, the default configuration is not access, but dynamic. This means that the port is willing to negotiate the mode of operation. If two switches are connected together, and one switch is configured with a trunk port, it is often the case that it will generate dynamic trunking protocol messages. Once received, this message may cause the second switch to convert its port to a trunk automatically. This is shown in Figure 4-22.

Figure 4-22. Dynamic port configuration security exposure

Initially this auto-configuration sounds convenient but what is to stop an attacker from generating the same message and converting a port in the same fashion? The attacker's port will then receive broadcast, multicast and flooded unicast traffic for all VLANs not pruned. In addition to allowing the attacker to learn more about the network, it also means that the attacker may be able to generate tagged frames that will be delivered over the entire network. Whenever possible, dynamic configuration should be turned off.

In addition to pruning for proper VLAN boundaries and the default configurations of the ports, it may be prudent to add a couple of additional configuration changes. Unused ports can be collected into a "dead-end VLAN" that is not routed and is pruned from the network. Anyone connecting to a port in this VLAN will be isolated. In addition, many vendors offer security enhancements to ports such as authorized MAC addresses and restricting the number of MAC addresses allowed. When invalid MAC addresses are seen on the port, the port will automatically be shut down or disabled.
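The checklist items in this section (port mode left at the negotiating default, trunks that carry every VLAN because nothing is pruned, unused ports not parked in a dead-end VLAN, and no limit on MAC addresses per port) can be checked mechanically against a switch's running configuration. The following is an added example, not code from the chapter, its author or any vendor: a small audit over a constructed sample config written in Cisco IOS interface syntax (`switchport mode`, `switchport nonegotiate`, `switchport trunk allowed vlan`, `switchport port-security`). The choice of VLAN 999 as the dead-end VLAN, the interface names and the exact set of checks are assumptions for the example.

```python
"""Audit switch interface configuration for the VLAN and trunking defaults
discussed under Security Considerations.  Hypothetical example code, not from
the chapter or any vendor; the sample config is constructed in Cisco IOS
interface syntax, and VLAN 999 as the dead-end VLAN is an assumption."""
import re

DEADEND_VLAN = 999   # assumed unrouted, pruned parking VLAN for unused ports

# Constructed sample: a pruned trunk, a hardened access port, a port left at
# its defaults, an unpruned trunk that still negotiates, and a parked unused port.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 2,3
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/3
 switchport access vlan 3
!
interface FastEthernet0/4
 switchport mode trunk
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 999
 shutdown
!
"""


def parse_interfaces(config):
    """Map interface name -> list of its indented configuration lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or a global line ends the interface block
    return interfaces


def audit_interface(lines):
    """Return findings for one interface; an empty list means nothing to flag."""
    findings = []

    def has(pattern):
        return any(re.fullmatch(pattern, line) for line in lines)

    mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)

    if "shutdown" in lines:         # disabled port: should be parked in the dead-end VLAN
        if not has(rf"switchport access vlan {DEADEND_VLAN}"):
            findings.append(f"disabled port not parked in dead-end VLAN {DEADEND_VLAN}")
        return findings
    if mode is None:
        findings.append("port mode not set: left at the dynamic (negotiating) default")
    if not has(r"switchport nonegotiate"):
        findings.append("trunk negotiation still enabled: an attached device could negotiate a trunk")
    if mode == "trunk":
        if not has(r"switchport trunk allowed vlan .+"):
            findings.append("trunk not pruned: every VLAN is carried by default")
    else:
        if not has(r"switchport access vlan \d+"):
            findings.append("access VLAN not set: port sits in default VLAN 1, the management VLAN")
        if not has(r"switchport port-security.*"):
            findings.append("no port-security: MAC addresses per port are not limited")
    return findings


def audit_config(config):
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Running the audit against the sample leaves FastEthernet0/1, 0/2 and 0/5 clean and flags 0/3 (no mode, negotiation on, no port-security) and 0/4 (negotiation on, unpruned trunk); the same parser can be pointed at a saved `show running-config` dump.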

Reading

  • IEEE 802.1Q standard is really entitled "IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks"
  • ISO/IEC 15802-3 ANSI/IEEE Std 802.1D Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Common specifications—Part 3: Media Access Control (MAC) Bridges

Summary

VLANs are a basic tool for creating network boundaries. While they can create challenges regarding the forwarding of traffic, they can be a powerful tool for handling security and quality of service concerns. This chapter discussed the operation of VLANs and the methods used for propagating VLANs throughout a larger topology. When deploying VLANs and trunks, there are several design considerations to take into account. One must address the basic question of "Who is talking to whom and why?" As topologies and the VLANs grow, so does the complexity. It is important to review the default operation and configuration of network elements in order to ensure that locally created configurations do not place the network at risk.

Review Questions

  1. Broadcast frames will continue to propagate until they reach a routed interface.

    1. TRUE

    2. FALSE

  2. Broadcast and multicast traffic will cross VLAN boundaries but unicast traffic will not.

    1. TRUE

    2. FALSE

  3. By default, all hosts are connected to the same VLAN.

    1. TRUE

    2. FALSE

  4. Hosts do not usually know to what VLAN they are connected.

    1. TRUE

    2. FALSE

  5. In a contemporary data network, the primary use of a trunk line is to convey VLAN information.

    1. TRUE

    2. FALSE

  6. While they are both part of a switch, the source address table and the VLANs are not integrated in any way.

    1. TRUE

    2. FALSE

  7. Which of the following is the industry standard trunking protocol?

    1. ISL

    2. IEEE 802.1

    3. VLANs

  8. Pruning is the practice of preventing unauthorized access to trunk lines.

    1. TRUE

    2. FALSE

  9. Dynamic port mode is a security risk because by default attackers can see all unpruned VLAN traffic.

    1. TRUE

    2. FALSE

  10. Services such as VoIP and wireless users should be placed in their own VLANs.

    1. TRUE

    2. FALSE

Review Answers

  1. TRUE

  2. FALSE

  3. True

  4. True

  5. TRUE

  6. FALSE

  7. B

  8. FALSE

  9. FALSE

  10. TRUE

Lab Activities

Activity 1—Setting Up Local VLANs

Materials: A VLAN capable switch and a router. Note: A home gateway may be used if it can be converted to a router to avoid confusion over the NAT operation.

Note: The goal of this particular activity is only to understand the basic configuration necessary for routing between VLANs without trunks, as shown in Figure 4-23.

Figure 4-23. Activity 1

  1. On the switch create a pair of VLANs.

  2. Add a host to each VLAN and determine the IP addressing scheme. As an example, one VLAN might use 192.168.1.0 and the other 192.168.2.0. Handy Cisco command: switchport access vlan X.

  3. Connect a router interface to each of the VLANs and assign the proper IP addressing. At this point, the nodes on different networks should be able to successfully PING each other.

Activity 2—VLANs and the SAT

Materials: A VLAN capable switch and a router.

  1. Once the topology from Activity 1 is complete, PING between all of the nodes and router interfaces.

  2. On the switch, examine the source address (MAC address) table. Handy Cisco command: show mac-address-table

  3. Compare this table to one in which all of the nodes are in the same VLAN.

  4. Using the information in the SAT and the routing table of the router, develop a step-by-step procedure for forwarding packets from one computer to the other.

Activity 3—What Can You See?

Materials: A VLAN capable switch, a router and Wireshark.

During this activity, the goal is to determine how far traffic in one VLAN will travel and whether it can be seen on another VLAN on the same switch.

  1. Start a capture on one of the network hosts in one of the VLANs.

  2. In the other VLAN, generate broadcast traffic by "PINGing" an unused IP address on the same network. This will cause an ARP request to be transmitted.

  3. From this same source host, generate unicast traffic by "PINGing" the router.

  4. It turns out that Windows-based computers periodically generate multicast traffic as they search for services.

  5. Did the capture node in the other VLAN see the unicast, multicast or broadcast traffic that was created by the source host? The answer should be "NO."

  6. As an additional experiment, change the IP address of the capture host so that it is on the same network as the source host. They should now be on the same network but in different VLANs. Attempt to PING between these two nodes. This attempt should fail because even though they are on the same network, the switch has separated them and the traffic is not allowed to cross the VLAN boundary.

Activity 4—Basic Trunking

Materials: A second VLAN capable switch, a trunk capable switch and a router.

  1. Connect another switch to the topology already constructed.

  2. On the new switch create the same VLANs.

  3. Move one host into each VLAN. If you have a shortage of computers, it is sufficient to place one in a VLAN on the first switch and a second in the other VLAN on the new switch, as shown in Figure 4-24.

    Figure 4-24. Activity 4

  4. On each switch, configure as trunks the ports used to interconnect the two switches. Handy Cisco commands: switchport mode trunk, switchport trunk encapsulation dot1q

  5. At this point, the network hosts should be able to PING each other.

  6. As an additional experiment, explore the capabilities of the switches and attempt to set up a host capable of capturing the traffic running over the trunk. This is typically done with a span, mirror or monitor port. The goal is to examine the IEEE 802.1Q tags used on the trunk. Handy Cisco command: monitor session.
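For step 6 of Activity 4, here is an added Python decoder (not from the book) for the IEEE 802.1Q tag on frames copied from the monitor port: the TPID 0x8100 followed by a 16-bit Tag Control Information field holding the 3-bit priority, the drop-eligible bit and the 12-bit VLAN ID. It also handles untagged frames, which is what the same traffic looks like after it leaves an access port; the frames are constructed in the script rather than captured.

```python
# Added example, not the book's code: decode 802.1Q-tagged Ethernet frames as
# seen on a trunk. The MAC addresses and VLAN numbers below are constructed.
import struct

TPID_8021Q = 0x8100                     # EtherType value that marks a tagged frame
BROADCAST = bytes.fromhex("ffffffffffff")

def parse_frame(frame):
    """Return a dict describing an Ethernet frame, with VLAN fields if tagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":"),
            "broadcast": dst == BROADCAST, "vlan": None, "pcp": None, "dei": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]   # Tag Control Information
        info["pcp"] = tci >> 13                       # 3-bit priority code point
        info["dei"] = (tci >> 12) & 1                 # drop eligible indicator
        info["vlan"] = tci & 0x0FFF                   # 12-bit VLAN identifier
        ethertype = struct.unpack("!H", frame[16:18])[0]  # the real EtherType follows
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info

def build_frame(dst, src, vlan=None, pcp=0, ethertype=0x0806, payload=b""):
    """Build a frame, inserting an 802.1Q tag when a VLAN is given (test input only)."""
    hdr = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed: the ARP broadcast from Activity 3 as it would cross the trunk in VLAN 10.
TAGGED_ARP = build_frame(BROADCAST, bytes.fromhex("0011223344aa"), vlan=10,
                         payload=b"\x00" * 28)
# Constructed: the same frame after the access port strips the tag.
UNTAGGED_ARP = build_frame(BROADCAST, bytes.fromhex("0011223344aa"), payload=b"\x00" * 28)
```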


Source: https://www.oreilly.com/library/view/packet-guide-to/9781449311315/ch04.html
