Chapter 3: Implementing - PowerPoint Presentation

Uploaded On 2024-02-09

Presentation Transcript

1. Chapter 3: Implementing VLAN Security
Routing And Switching

2. Chapter 3
3.1 VLAN Segmentation
3.2 VLAN Implementation
3.3 VLAN Security and Design
3.4 Summary

3. Chapter 3: Objectives
- Explain the purpose of VLANs in a switched network
- Analyze how a switch forwards frames based on VLAN configuration in a multi-switched environment
- Configure a switch port to be assigned to a VLAN based on requirements
- Configure a trunk port on a LAN switch
- Configure Dynamic Trunking Protocol (DTP)
- Troubleshoot VLAN and trunk configurations in a switched network
- Configure security features to mitigate attacks in a VLAN-segmented environment
- Explain security best practices for a VLAN-segmented environment

4. Overview Of VLANs: VLAN Definitions
- A VLAN (virtual LAN) is a logical partition of a layer 2 network
- Multiple partitions can be created, allowing multiple VLANs to co-exist
- Each VLAN is a broadcast domain, usually with its own IP network
- VLANs are mutually isolated and packets can only pass between them through a router
- The partitioning of the layer 2 network takes place inside a layer 2 device, usually a switch
- The hosts grouped within a VLAN are unaware of the VLAN's existence

5. Overview Of VLANs: VLAN Definitions

6. Overview Of VLANs: Benefits of VLANs
- Security
- Cost reduction
- Better performance
- Shrink broadcast domains
- Improved IT staff efficiency
- Simpler project and application management

7. Overview Of VLANs: Types of VLANs
- Data VLAN
- Default VLAN
- Native VLAN
- Management VLAN

8. Overview Of VLANs: Types of VLANs

9. Overview Of VLANs: Voice VLANs
- VoIP traffic is time-sensitive and requires:
  - Assured bandwidth to ensure voice quality
  - Transmission priority over other types of network traffic
  - Ability to be routed around congested areas on the network
  - Delay of less than 150 ms across the network
- The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone
- The switch can connect to a Cisco 7960 IP Phone and carry IP voice traffic
- Because the sound quality of an IP phone call can deteriorate if the data is sent unevenly, the switch supports quality of service (QoS)

10. Overview Of VLANs: Voice VLANs
- The Cisco 7960 IP Phone contains an integrated three-port 10/100 switch:
  - Port 1 connects to the switch
  - Port 2 is an internal 10/100 interface that carries the IP phone traffic
  - Port 3 (access port) connects to a PC or other device

11. VLANs in a Multi-Switched Environment: VLAN Trunks
- A VLAN trunk carries more than one VLAN
- Usually established between switches so that same-VLAN devices can communicate even if physically connected to different switches
- A VLAN trunk is not associated with any VLAN, and neither are the trunk ports used to establish the trunk link
- Cisco IOS supports IEEE 802.1Q, a popular VLAN trunk protocol

12. VLANs in a Multi-Switched Environment: VLAN Trunks

13. VLANs in a Multi-Switched Environment: Controlling Broadcast Domains with VLANs
- VLANs can be used to limit the reach of broadcast frames
- A VLAN is a broadcast domain of its own
- Therefore, a broadcast frame sent by a device in a specific VLAN is forwarded within that VLAN only
- This helps control the reach of broadcast frames and their impact on the network
- Unicast and multicast frames are forwarded within the originating VLAN as well

14. VLANs in a Multi-Switched Environment: Tagging Ethernet Frames for VLAN Identification
- Frame tagging is used to properly transmit multiple VLAN frames through a trunk link
- Switches tag frames to identify the VLAN they belong to. Different tagging protocols exist, with IEEE 802.1Q being a very popular one
- The protocol defines the structure of the tagging header added to the frame
- Switches add VLAN tags to frames before placing them onto trunk links and remove the tags before forwarding frames through non-trunk ports
- Once properly tagged, frames can traverse any number of switches via trunk links and still be forwarded within the correct VLAN at the destination

15. VLANs in a Multi-Switched Environment: Tagging Ethernet Frames for VLAN Identification

16. VLANs in a Multi-Switched Environment: Native VLANs and 802.1Q Tagging
- A frame that belongs to the native VLAN will not be tagged
- A frame that is received untagged will remain untagged and be placed in the native VLAN when forwarded
- If there are no ports associated with the native VLAN and no other trunk links, an untagged frame will be dropped
- In Cisco switches, the native VLAN is VLAN 1 by default
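As an added example (not part of the slide deck), the following Python model of the 802.1Q tagging and native-VLAN rules from slides 14 and 16 parses a tag, inserts or omits it at trunk egress, and shows how a native VLAN mismatch between the two ends of a trunk silently moves a frame into the wrong VLAN, the first trunk problem slide 36 lists. The frame bytes are constructed placeholders, not a capture.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q-tagged frame

# Constructed untagged Ethernet frame: broadcast dst, a made-up src MAC,
# EtherType 0x0800 (IPv4) and a placeholder payload (not a real packet capture).
UNTAGGED_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0011223344aa")
                  + b"\x08\x00" + b"payload-bytes")

def parse_frame(frame):
    """Return (dst, src, vlan_id or None, rest), where rest starts at the EtherType
    that follows the tag, so the frame minus its tag is dst + src + rest."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return dst, src, tci & 0x0FFF, frame[16:]  # VID is the low 12 bits of the TCI
    return dst, src, None, frame[12:]

def trunk_egress(frame, vlan, native_vlan):
    """Switch sending an untagged frame out a trunk: the native VLAN stays untagged,
    every other VLAN gets a tag inserted after the source MAC (slide 16)."""
    if vlan == native_vlan:
        return frame
    tag = struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)  # PCP=0, DEI=0, VID=vlan
    return frame[:12] + tag + frame[12:]

def trunk_ingress(frame, native_vlan):
    """Switch receiving on a trunk: a tagged frame goes to the VID in its tag,
    an untagged frame goes to this port's native VLAN; the tag is removed."""
    dst, src, vid, rest = parse_frame(frame)
    return (native_vlan if vid is None else vid), dst + src + rest

def forward_across_trunk(frame, vlan, native_tx, native_rx):
    """Carry a frame from a VLAN on switch A to switch B over one trunk and report
    which VLAN switch B places it in. When native_tx != native_rx (a native VLAN
    mismatch), a native-VLAN frame leaves untagged and lands in B's native VLAN."""
    return trunk_ingress(trunk_egress(frame, vlan, native_tx), native_rx)
```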

17. VLANs in a Multi-Switched Environment: Voice VLAN Tagging

18. VLAN Assignment: VLAN Ranges On Catalyst Switches
- The Catalyst 2960 and 3560 Series switches support over 4,000 VLANs
- These VLANs are split into 2 categories:
  - Normal Range VLANs
    - VLAN numbers from 1 through 1005
    - Configurations stored in vlan.dat (in flash)
    - VTP can only learn and store normal range VLANs
  - Extended Range VLANs
    - VLAN numbers from 1006 through 4096
    - Configurations stored in the running-config (in NVRAM)
    - VTP does not learn extended range VLANs

19. VLAN Assignment: Creating a VLAN

20. VLAN Assignment: Assigning Ports To VLANs

21. VLAN Assignment: Assigning Ports To VLANs

22. VLAN Assignment: Changing VLAN Port Membership

23. VLAN Assignment: Changing VLAN Port Membership

24. VLAN Assignment: Deleting VLANs

25. VLAN Assignment: Verifying VLAN Information

26. VLAN Assignment: Verifying VLAN Information

27. VLAN Assignment: Configuring IEEE 802.1Q Trunk Links

28. VLAN Assignment: Resetting the Trunk To Default State

29. VLAN Assignment: Resetting the Trunk To Default State

30. VLAN Assignment: Verifying Trunk Configuration

31. Dynamic Trunking Protocol: Introduction to DTP
- Switch ports can be manually configured to form trunks
- Switch ports can also be configured to negotiate and establish a trunk link with a connected peer
- Dynamic Trunking Protocol (DTP) is a protocol to manage trunk negotiation
- DTP is a Cisco proprietary protocol and is enabled by default in Cisco Catalyst 2960 and 3560 switches
- If the port on the neighbor switch is configured in a trunk mode that supports DTP, it manages the negotiation
- The default DTP configuration for Cisco Catalyst 2960 and 3560 switches is dynamic auto

32. Dynamic Trunking Protocol: Negotiated Interface Modes
- Cisco Catalyst 2960 and 3560 switches support the following trunk modes:
  - switchport mode dynamic auto
  - switchport mode dynamic desirable
  - switchport mode trunk
  - switchport nonegotiate

33. Troubleshooting VLANs and Trunks: Addressing Issues with VLANs
- It is very common practice to associate a VLAN with an IP network
- Since different IP networks only communicate through a router, all devices within a VLAN must be part of the same IP network in order to communicate
- In the picture below, PC1 can't communicate with the server because it has a wrong IP address configured

34. Troubleshooting VLANs and Trunks: Missing VLANs
- If all IP address mismatches have been resolved but the device still can't connect, check whether the VLAN exists in the switch

35. Troubleshooting VLANs and Trunks: Introduction to Troubleshooting Trunks

36. Troubleshooting VLANs and Trunks: Common Problems With Trunks
- Trunking issues are usually associated with incorrect configurations. The most common types of trunk configuration errors are:
  - Native VLAN mismatches
  - Trunk mode mismatches
  - Allowed VLANs on trunks
- If a trunk problem is detected, the best practice guidelines recommend troubleshooting in the order shown above

37. Troubleshooting VLANs and Trunks: Trunk Mode Mismatches
- If a port on a trunk link is configured with a trunk mode that is incompatible with the neighboring trunk port, a trunk link fails to form between the two switches
- Check the status of the trunk ports on the switches using the show interfaces trunk command
- To fix the problem, configure the interfaces with the proper trunk modes

38. Troubleshooting VLANs and Trunks: Incorrect VLAN List
- VLANs must be allowed on the trunk before their frames can be transmitted across the link
- Use the switchport trunk allowed vlan command to specify which VLANs are allowed on a trunk link
- To ensure the correct VLANs are permitted on a trunk, use the show interfaces trunk command

39. Attacks on VLANs: Switch Spoofing Attack
- There are a number of different types of VLAN attacks in modern switched networks. VLAN hopping is one of them
- The default configuration of a switch port is dynamic auto
- By configuring a host to act as a switch and form a trunk, an attacker could gain access to any VLAN in the network
- Because the attacker is now able to access other VLANs, this is called a VLAN hopping attack
- To prevent a basic switch spoofing attack, turn off trunking on all ports except the ones that specifically require trunking

40. Attacks on VLANs: Double-Tagging Attack
- The double-tagging attack takes advantage of the way that hardware on most switches de-encapsulates 802.1Q tags
- Most switches perform only one level of 802.1Q de-encapsulation, allowing an attacker to embed a second, unauthorized 802.1Q header in the frame
- After removing the first and legitimate 802.1Q header, the switch forwards the frame to the VLAN specified in the unauthorized 802.1Q header
- The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports

41. Attacks on VLANs: Double-Tagging Attack

42. Attacks on VLANs: PVLAN Edge
- The Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between protected ports on the switch
- Local relevance only: the restriction applies between ports of the same switch
- A protected port only exchanges traffic with unprotected ports
- A protected port will not exchange traffic with another protected port

43. Design Best Practices For VLANs: VLAN Design Guidelines
- Move all ports out of VLAN 1 and assign them to an unused VLAN
- Shut down all unused switch ports
- Separate management and user data traffic
- Change the management VLAN to a VLAN other than VLAN 1. The same goes for the native VLAN
- Make sure that only devices in the management VLAN can connect to the switches
- The switch should only accept SSH connections
- Disable autonegotiation on trunk ports
- Do not use the auto or desirable switch port modes
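An added example, not from the slides: a Python audit of a constructed `show interfaces trunk` sample that flags the trunk conditions slides 31 to 43 warn about (DTP modes auto/desirable, native VLAN 1, a native VLAN shared with a user VLAN, an unrestricted allowed-VLAN list). The table layout is Cisco IOS's; the port names, VLAN numbers and USER_VLANS are assumed sample values.

```python
# Constructed sample of Cisco IOS `show interfaces trunk` output (not from a real device):
# Fa0/1 still negotiates via DTP on native VLAN 1; Gi0/1 is pinned to trunk mode with a dedicated native VLAN.
SHOW_INTERFACES_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       auto             802.1q         trunking      1
Gi0/1       on               802.1q         trunking      999

Port        Vlans allowed on trunk
Fa0/1       1-4094
Gi0/1       10,20,99
"""

USER_VLANS = {1, 10, 20}  # assumed: VLANs of user-facing access ports (e.g. from `show vlan brief`)

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-4094' or '10,20,99' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(text):
    """Read the mode/native table and the allowed-VLAN table into {port: {mode, native, allowed}}."""
    trunks, section = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":  # table header: decide which table follows
            section = "allowed" if "allowed on trunk" in line else "mode" if "Mode" in line else None
            continue
        if section == "mode":
            trunks[fields[0]] = {"mode": fields[1], "native": int(fields[4]), "allowed": set()}
        elif section == "allowed" and fields[0] in trunks:
            trunks[fields[0]]["allowed"] = expand_vlan_list(fields[1])
    return trunks

def audit_trunks(text, user_vlans):
    """Flag the trunk weaknesses the chapter warns about; returns {port: [findings]}."""
    findings = {}
    for port, t in parse_trunks(text).items():
        issues = []
        if t["mode"] in ("auto", "desirable"):
            issues.append("DTP still negotiating (mode %s): use switchport mode trunk and switchport nonegotiate" % t["mode"])
        if t["native"] == 1:
            issues.append("native VLAN is the default VLAN 1")
        if t["native"] in user_vlans:
            issues.append("native VLAN %d is also a user VLAN (double-tagging exposure)" % t["native"])
        if len(t["allowed"]) == 4094:
            issues.append("every VLAN allowed on the trunk; restrict with switchport trunk allowed vlan")
        findings[port] = issues
    return findings
```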

44. Chapter 3: Summary
- This chapter introduced VLANs and their types
- It also covered the connection between VLANs and broadcast domains
- The chapter also covered IEEE 802.1Q frame tagging and how it enables differentiation between Ethernet frames associated with distinct VLANs as they traverse common trunk links
- This chapter also examined the configuration, verification, and troubleshooting of VLANs and trunks using the Cisco IOS CLI and explored basic security and design considerations in the context of VLANs
