Contents

VLANS Advantages and Disadvantages
Limits of ports
Access and Trunk Ports
Trunking concepts
Frame Tagging
Security in VLAN
Address Resolution Protocol (ARP) attack
Double Encapsulation / Double Tagging VLAN Hopping Attack
Cisco Discovery Protocol (CDP) Attack
Multicast Brute-Force Attack
VTP Types
Modes of VTP
Router-Switch Topology
Designing the lab
Configuration files
Testing the configuration and show commands
VLANS Advantages and Disadvantages

VLANs provide many advantages, such as easier administration, reduced broadcast traffic and enforcement of security policies.
VLANs allow logical grouping of end devices that are physically separated on the network.
With VLANs there is no need to deploy more routers on the network to contain broadcast traffic.
Confining broadcast domains on the network reduces traffic.
Limits of ports

A physical interface can be placed in only one VLAN. On a network with more than one VLAN, achieving routing between them through a single router interface isn't possible.
Sub-interfaces allow a router to scale to serve more VLANs than it has physical interfaces.
However, the sub-interfaces then contend for the bandwidth of the one physical interface; on a busy network this causes a bottleneck for communication.
Access and Trunk Ports

Connecting separate physical interfaces for inter-VLAN routing requires the switch ports to be configured as access ports.
Sub-interfaces need the switch port to be configured as a trunk port, so that it can carry VLAN-tagged (ISL or 802.1Q) traffic over the trunk link.
Trunking concepts

In the context of Ethernet VLANs, the term Ethernet trunking means carrying multiple VLANs over a single network link through the use of a trunking protocol.
To allow many VLANs on a single link, frames from distinct VLANs must be distinguishable. The most common method, IEEE 802.1Q, adds a tag to the Ethernet frame labelling it as belonging to a certain VLAN. Cisco also has a proprietary trunking protocol called Inter-Switch Link (ISL), which encapsulates the whole Ethernet frame in its own container that labels the frame as belonging to a specific VLAN.
Frame Tagging

Frame tagging is used to identify the VLAN a frame belongs to in a network with many VLANs. The VLAN ID is attached to the frame when it reaches the switch from an access port. The frame can then be forwarded out a trunk port. Each switch can see which VLAN the frame belongs to and can forward it to the corresponding VLAN's access ports or to another VLAN trunk port.
Two protocols are used today for frame tagging:
Inter-Switch Link (ISL) – Cisco's proprietary VLAN tagging protocol.
802.1Q – IEEE's VLAN tagging protocol. Since it is an open standard, it can be used for tagging between switches from different vendors.
Security in VLAN

There are several security vulnerabilities in VLANs.

Address Resolution Protocol (ARP) attack

If a host broadcasts an ARP request to the network, only the applicable host should reply. This lets an attacker observe traffic on its way out of the network: the attacker broadcasts the address of the device they are trying to attack on the LAN so that the gateway sends the packets to the attacker first, who then passes them on to the target. The attacker can thus see all inbound and outbound traffic. One observation is that without VLANs this attacker could affect the complete LAN; VLANs do alleviate this sort of attack. An additional way of mitigating this 'Man in the Middle' attack is to use Private VLANs to force hosts to communicate only with the gateway.
Double Encapsulation / Double Tagging VLAN Hopping Attack

This attack is used where switch spoofing is no longer possible because systems are now configured properly to avoid it. The attacker builds a packet with two 802.1Q VLAN headers. The first router strips off the first (outer) header and sends the packet on to the second router. The second router strips the second header and sends the packet to the end point. It works only if the trunk has the same native VLAN as the attacker's access VLAN. To avoid this attack, disable auto-trunking and use a dedicated VLAN ID as the native VLAN for all trunk ports.
Cisco Discovery Protocol (CDP) Attack

CDP is a feature that permits Cisco devices to exchange information and configure the network so that they work easily together. The information sent is sensitive, such as router models, IP addresses and software versions. It is all sent in plain text, so any attacker sniffing the network is able to collect this information, and it is possible to impersonate another host. Disable CDP to avoid this.
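As an added example (not one of this report's own configuration files), the switch-side settings the two sections above recommend, on a hypothetical Catalyst switch: a user-facing access port with auto-trunking (DTP) and CDP turned off, and an inter-switch trunk whose native VLAN is a dedicated, unused VLAN ID. Interface names and VLAN numbers are assumptions.

```cisco
! Added example: hardening an access port and a trunk port against
! VLAN hopping (switch spoofing / double tagging) and CDP leakage.
! Interface names and VLAN IDs are assumptions, not taken from the lab.

! VLAN 999 exists only to serve as the trunk native VLAN;
! no access port is ever placed in it.
vlan 999
 name NATIVE-UNUSED

! User-facing port: fixed access mode, so it can never become a trunk
! through DTP negotiation (the basis of switch spoofing).
interface FastEthernet0/1
 description user access port, VLAN 10
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable

! Inter-switch link: explicit trunk, DTP off, dedicated native VLAN and
! only the VLANs that are really needed. Because no host sits in
! VLAN 999, a frame whose outer tag matches the native VLAN cannot
! originate from an access port of this switch.
interface GigabitEthernet0/1
 description trunk to distribution switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30

! Tagging the native VLAN on all trunks removes the untagged path that
! double tagging relies on (available on many Catalyst platforms).
vlan dot1q tag native

! Turning CDP off globally stops the plaintext device advertisements
! described above on every interface, not just the one port.
no cdp run
```

"show interfaces trunk" afterwards should list VLAN 999 as the native VLAN on the trunk and no user port in trunking mode.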
Multicast Brute-Force Attack

A multicast brute-force attack hunts for faults in switch software. The attacker attempts to exploit any possible weakness in the switch by flooding it with multicast frames. As with CAM overflow, the goal is to see whether a switch receiving a huge amount of layer 2 multicast traffic will "disobey". The switch should limit the traffic to its own VLAN, but if the switch doesn't handle this properly, frames may leak into another VLAN if routing connects them. The switch should contain all frames within their proper broadcast domain, and an attack of this nature shouldn't be conceivable. However, switches have failed to handle this form of attack in the past, and hence it is an additional
A sub-interface is a logical interface that uses the "parent" physical interface for transmitting the information. It is useful if we have a router with only one physical interface (F0/0) but need to connect to two networks so that it can route between them: we create two logical sub-interfaces (F0/0.1 and F0/0.2), allocate each sub-interface an IP address within its own subnet, and can then route between them.
The router knows which VLAN to associate with each sub-interface because we give the VLAN ID in the same command as the encapsulation when we create the sub-interfaces on the router.
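The router-on-a-stick arrangement just described, as an added example rather than the report's own lab configuration: a router with one physical interface carrying two 802.1Q sub-interfaces, and the switch port facing it configured as a trunk as the Access and Trunk Ports section requires. Interface names, VLAN IDs and addresses are assumptions.

```cisco
! Added example (not from the report's configuration files): router on a
! stick with two dot1Q sub-interfaces on F0/0 and the matching switch
! trunk. Interface names, VLAN IDs and addresses are assumptions.

! --- Router ---
interface FastEthernet0/0
 description trunk to switch, carries VLAN 10 and VLAN 20
 no ip address
 no shutdown

! The VLAN ID is given in the encapsulation command itself; that is how
! the router ties each sub-interface to a VLAN. The sub-interface number
! (.1, .2) is just a label and need not equal the VLAN ID.
interface FastEthernet0/0.1
 description gateway for VLAN 10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0

interface FastEthernet0/0.2
 description gateway for VLAN 20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0

! --- Switch ---
vlan 10
 name SALES
vlan 20
 name ENGINEERING

! The port facing the router must be a trunk; an access port would drop
! the tagged frames sent by the sub-interfaces.
interface FastEthernet0/24
 description trunk to router F0/0
 switchport mode trunk
 switchport trunk allowed vlan 10,20

! Hosts sit on access ports, each in exactly one VLAN, and use the
! matching sub-interface address as their default gateway.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
```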
VLAN Trunk Protocol (VTP) reduces management overhead in a switched network. When we configure a new VLAN on one VTP server, the VLAN is propagated to all switches in the domain. This removes the need to configure the same VLAN everywhere. VTP is Cisco-proprietary.
Modes of VTP

Transparent: VTP transparent switches don't participate in VTP. A VTP transparent switch doesn't change its configuration based on received advertisements, and it doesn't advertise its own VLAN configuration.
Client: VTP clients act the same way as VTP servers, but we cannot create, change or delete VLANs on a VTP client.
Server: this mode allows us to create, delete and modify VLANs and specify additional configuration parameters for the whole VTP domain. VTP servers send their VLAN configuration to other devices in the same VTP domain and synchronise their VLAN configuration with other switches based on advertisements received over trunk links. The default mode is VTP server.
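The three modes side by side, as an added example that is not part of the report's lab files: one server, one client and one transparent switch in the same VTP domain, with the password that keeps a stray switch from rewriting the domain's VLAN list. Hostnames, domain name and password are assumptions.

```cisco
! Added example (not from the report's lab files): one VTP server, one
! client and one transparent switch in one domain. Hostnames, the
! domain name and the password are assumptions.

! --- SW1: server (the default mode). VLANs are created here and are
! advertised to the rest of the domain over trunk links.
hostname SW1
vtp domain LAB
vtp password LabVtpPass
vtp mode server
vlan 10
 name SALES
vlan 20
 name ENGINEERING

! --- SW2: client. It learns VLAN 10 and 20 from SW1; entering
! "vlan 30" here is rejected because clients cannot create VLANs.
hostname SW2
vtp domain LAB
vtp password LabVtpPass
vtp mode client

! --- SW3: transparent. It keeps its own local VLAN list, does not
! adopt SW1's advertisements and does not advertise its own VLANs.
hostname SW3
vtp domain LAB
vtp mode transparent
vlan 40
 name LOCAL-ONLY

! The switches must be joined by trunk ports for advertisements to
! flow. With the same password on SW1 and SW2, advertisements that
! carry a wrong or missing password are ignored, so a stray switch
! with a higher configuration revision cannot overwrite the domain's
! VLAN database. "show vtp status" shows the mode and revision number.
```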