Sie sind auf Seite 1von 80

Chapter 3: VLANs

Routing & Switching

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

Chapter 3
3.1 VLAN Segmentation
3.2 VLAN Implementation
3.3 VLAN Security and Design
3.4 Summary

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

Chapter 3: Objectives
Explain the purpose of VLANs in a switched network.
Analyze how a switch forwards frames based on VLAN configuration
in a multi-switched environment.
Configure a switch port to be assigned to a VLAN based on
requirements.
Configure a trunk port on a LAN switch.
Configure Dynamic Trunk Protocol (DTP).
Troubleshoot VLAN and trunk configurations in a switched network.
Configure security features to mitigate attacks in a VLAN-segmented
environment.
Explain security best practices for a VLAN-segmented environment.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

3.1 VLAN Segmentation

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

Overview of VLANs

VLAN Definitions
A VLAN is a logical partition of a Layer 2 network.
Multiple partitions can be created, allowing for multiple VLANs to
co-exist.
Each VLAN is a broadcast domain, usually with its own IP network.
VLANs are mutually isolated and packets can only pass between
them via a router.
The partitioning of the Layer 2 network takes place inside a Layer
2 device, usually via a switch.
The hosts grouped within a VLAN are unaware of the VLANs
existence.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

Overview of VLANs

VLAN Definitions (cont.)

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

Overview of VLANs

Benefits of VLANs
Security
Cost reduction
Better performance
Shrink broadcast domains
Improved IT staff efficiency
Simpler project and application management

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

Overview of VLANs

Types of VLANs
Data VLAN
Default VLAN
Native VLAN
Management VLAN

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

Overview of VLANs

Types of VLANs (cont.)

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

Overview of VLANs

Voice VLANs
VoIP traffic is time-sensitive and requires:
Assured bandwidth to ensure voice quality.

Transmission priority over other types of network traffic.

Ability to be routed around congested areas on the network.

Delay of less than 150 ms across the network.

The voice VLAN feature enables access ports to carry IP voice traffic
from an IP phone.
The switch can connect to a Cisco 7960 IP phone and carry IP voice
traffic.
The sound quality of an IP phone call can deteriorate if the data is
unevenly sent; the switch supports quality of service (QoS).

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

10

Overview of VLANs

Voice VLANs (cont.)


The Cisco 7960 IP phone has two RJ-45 ports that each
support connections to external devices.
Network Port (10/100 SW) - Use this port to connect the
phone to the network. The phone can also obtain inline power
from the Cisco Catalyst switch over this connection.
Access Port (10/100 PC) - Use this port to connect a network
device, such as a computer, to the phone.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

11

Overview of VLANs

Voice VLANs (cont.)

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

12

VLANs in a Multi-Switched Environment

VLAN Trunks
A VLAN trunk carries more than one VLAN.
A VLAN trunk is usually established between switches so sameVLAN devices can communicate, even if physically connected to
different switches.
A VLAN trunk is not associated to any VLANs; neither is the trunk
ports used to establish the trunk link.
Cisco IOS supports IEEE802.1q, a popular VLAN trunk protocol.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

13

VLANs in a Multi-Switched Environment

VLAN Trunks (cont.)

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

14

VLANs in a Multi-Switched Environment

Controlling Broadcast Domains with VLANs


VLANs can be used to limit the reach of broadcast frames.
A VLAN is a broadcast domain of its own.
A broadcast frame sent by a device in a specific VLAN is forwarded
within that VLAN only.
VLANs help control the reach of broadcast frames and their impact
in the network.
Unicast and multicast frames are forwarded within the originating
VLAN.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

15

VLANs in a Multi-Switched Environment

Tagging Ethernet Frames for VLAN Identification


Frame tagging is the process of adding a VLAN identification
header to the frame.
It is used to properly transmit multiple VLAN frames through a trunk
link.
Switches tag frames to identify the VLAN to that they belong.
Different tagging protocols exist; IEEE 802.1Q is a vey popular
example.
The protocol defines the structure of the tagging header added to
the frame.
Switches add VLAN tags to the frames before placing them into
trunk links and remove the tags before forwarding frames through
nontrunk ports.
When properly tagged, the frames can transverse any number of
switches via trunk links and still be forwarded within the correct
VLAN at the destination.
Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

16

VLANs in a Multi-Switched Environment

Tagging Ethernet Frames for VLAN Identification

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

17

VLANs in a Multi-Switched Environment

Native VLANs and 802.1Q Tagging


Frames that belong to the native VLAN are not tagged.
Frames received untagged remain untagged and are placed in the
native VLAN when forwarded.
If there are no ports associated to the native VLAN and no other
trunk links, an untagged frame is dropped.
In Cisco switches, the native VLAN is VLAN 1, by default.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

18

VLANs in a Multi-Switched Environment

Voice VLAN Tagging

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

19

3.2 VLAN Implementations

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

20

VLAN Assignment

VLAN Ranges on Catalyst Switches


Cisco Catalyst 2960 and 3560 Series switches support over 4,000
VLANs.
VLANs are split into two categories:
Normal range VLANs

Presentation_ID

VLAN numbers from 1 to 1,005

Configurations stored in the vlan.dat (in the flash memory)

VTP can only learn and store normal range VLANs

Extended Range VLANs


VLAN numbers from 1,006 to 4,096

Configurations stored in the running configuration (NVRAM)

VTP does not learn extended range VLANs

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

21

VLAN Assignment

Creating a VLAN

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

22

VLAN Assignment

Assigning Ports to VLANs

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

23

VLAN Assignment

Assigning Ports to VLANs (cont.)

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

24

VLAN Assignment

Changing VLAN Port Membership

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

25

VLAN Assignment

Changing VLAN Port Membership (cont.)

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

26

VLAN Assignment

Deleting VLANs

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

27

VLAN Assignment

Verifying VLAN Information

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

28

VLAN Assignment

Verifying VLAN Information (cont.)

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

29

VLAN Assignment

Configuring IEEE 802.1q Trunk Links

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

30

VLAN Assignment

Resetting the Trunk To Default State

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

31

VLAN Assignment

Resetting the Trunk To Default State (cont.)

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

32

VLAN Assignment

Verifying Trunk Configuration

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

33

Dynamic Trunking Protocol

Introduction to DTP
Switch ports can be manually configured to form trunks.
Switch ports can also be configured to negotiate and establish a
trunk link with a connected peer.
The Dynamic Trunking Protocol (DTP) manages trunk negotiation.
DTP is a Cisco proprietary protocol and is enabled, by default, in
Cisco Catalyst 2960 and 3560 switches.
If the port on the neighbor switch is configured in a trunk mode that
supports DTP, it manages the negotiation.
The default DTP configuration for Cisco Catalyst 2960 and 3560
switches is dynamic auto.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

34

Dynamic Trunking Protocol

Negotiated Interface Modes


Cisco Catalyst 2960 and 3560 support the following trunk modes:
Switchport mode dynamic auto

Presentation_ID

Switchport mode dynamic desirable

Switchport mode trunk

Switchport nonegotiate

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

35

Dynamic Trunking Protocol

Negotiated Interface Modes


Access - Basically is for end devices, and hard set. If
you put a trunk on this, it wouldn't work.
Dynamic - Makes the interface actively attempt to
convert the link to a trunking link. The interface
becomes a trunk interface if the neighboring interface is
set to trunk, desirable, or auto mode.
Auto - same as dynamic, but doesn't actively attempt to
convert to a trunk.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

36

Troubleshooting VLANs and Trunks

IP Addressing Issues with VLAN


It is a common practice to associate a VLAN with an IP network.
Because different IP networks only communicate through a router,
all devices within a VLAN must be part of the same IP network to
communicate.
The figure displays that PC1 cannot communicate to the server
because it has a wrong IP address configured.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

37

Troubleshooting VLANs and Trunks

Missing VLANs
If all the IP addresses mismatches have been solved, but the
device still cannot connect, check if the VLAN exists in the switch.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

38

Troubleshooting VLANs and Trunks

Introduction to Troubleshooting Trunks

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

39

Troubleshooting VLANs and Trunks

Common Problems with Trunks


Trunking issues are usually associated with incorrect configurations.
The most common type of trunk configuration errors are:
1. Native VLAN mismatches
2. Trunk mode mismatches
3. Allowed VLANs on trunks
If a trunk problem is detected, the best practice guidelines
recommend to troubleshoot in the order shown above.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

40

Troubleshooting VLANs and Trunks

Trunk Mode Mismatches


If a port on a trunk link is configured with a trunk mode that is
incompatible with the neighboring trunk port, a trunk link fails to
form between the two switches.
Use the show interfaces trunk command to check the status of
the trunk ports on the switches.
To fix the problem, configure the interfaces with proper trunk modes.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

41

Troubleshooting VLANs and Trunks

Incorrect VLAN List


VLANs must be allowed in the trunk before their frames can be
transmitted across the link.
Use the switchport trunk allowed vlan command to specify which
VLANs are allowed in a trunk link.
Use the show interfaces trunk command to ensure the correct
VLANs are permitted in a trunk.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

42

VLAN Trunking
Protocol

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

43

VLAN Trunking Protocol (VTP)

VTP is a Cisco-proprietary protocol that automates the propagation of


VLAN information between switches via trunk links. This minimizes
misconfigurations and configuration inconsistencies.
VTP does not configure switch ports for VLAN membership.
Three types of VTP messages are sent via Layer 2 multicast on VLAN 1.
VTP domains define sets of interconnected switches sharing the same
VTP configuration.
Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

44

Role of VTP in a Converged Switched


Network
Reduces administration in a switched
network.
When you configure a new VLAN on one
VTP server, the VLAN is distributed
through all switches in the domain.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

45

VTP Operation

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

46

VTP Operation
A device that receives VTP summary advertisements checks various parameters
before incorporating the received VLAN information. First, the management domain
name and password in the advertisement must match those configured in the local
switch. Next, if the configuration revision number indicates that the message was
created after the configuration currently in use, the switch incorporates the
advertised VLAN information if the switch is a VTP server or client.
One of the most critical components of VTP is the configuration revision number.
Each time a VTP server modifies its VLAN information, it increments the
configuration revision number by 1. It then sends out a VTP advertisement with the
new configuration revision number. If the configuration revision number that is
advertised is higher than the number stored on the other switches in the VTP
domain, the rest of the switches in the domain overwrite their VLAN configurations
with the new information advertised.
Because a VTP-transparent switch does not participate in VTP, that switch does not
advertise its VLAN configuration or synchronize its VLAN database upon receipt of
a VTP advertisement.
The overwrite process means that if the VTP server deletes all VLANs and
advertises with a higher revision number, the client devices in the VTP domain also
delete their VLANs.
Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

47

VTP Versions
Three VTP versions: V1, V2, V3.
Versions are not interoperable (e.g., V2 supports token ring VLANs
but V1 does not).
Unrecognized Type-Length-Value (TLV) configuration changes are
propagated by V2 servers and clients and these unrecognized
TLVs can be stored in NVRAM.
V1 transparent switches inspect VTP messages for the domain
name and version and forward a message only if the version and
domain name match. V2 transparent switches forward VTP
messages in transparent mode without checking versions.
V2 performs VLAN consistency checks (VLAN names and values)
only when you enter new information through the CLI or via SNMP.
V2 does not perform checks when new information is obtained
from a VTP message or when information is read from NVRAM. If
the MD5 hash on a received VTP message is correct, V2 accepts
the VTP message information.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

48

VTP Authentication
VTP domains can be secured by using the VTP password
feature. It is important to make sure that all the switches in
the VTP domain have the same password and domain
name; otherwise, a switch will not become a member of
the VTP domain. Cisco switches use MD5 to encode
passwords in 16-byte words. These passwords propagate
inside VTP summary advertisements. In VTP, passwords
are case-sensitive and can be 8 to 64 characters in length.
The use of VTP authentication is a recommended
practice.
By default, a Catalyst switch does not have a VTP
password. The switch does not automatically set the
password parameter, unlike other parameters that are set
automatically when a VTP advertisement is received.
Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

49

VTP Concept

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

50

Benefits of VTP
VTP maintains VLAN configuration consistency by
managing the addition, deletion, and renaming of
VLANs across multiple Catalyst switches in a network.
VTP offers a number of benefits for network managers:
VLAN configuration consistency across the network
Accurate tracking and monitoring of VLANs
Dynamic reporting of added VLANs across a network

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

51

VTP Default Configuration

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

52

VTP Components
VTP domain: Consists of one or more interconnected switches.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

53

VTP Components
VTP advertisements:
VTP uses a hierarchy of advertisements, to distribute and
synchronize the VLAN configuration across a VTP domain.
Switches share information about VLANs using VTP advertisements

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

54

VTP Components
VTP modes:
A switch can be configured in one of three modes: server, client, or
transparent,

VTP server:
VTP servers advertise the VTP domain VLAN information to other VTP
enabled switches in the same VTP domain.
VTP servers store the VLAN information for the entire domain in NVRAM.
The server is where VLANs can be created, deleted, or renamed for the
domain.

VTP client:
VTP clients function similar to the way VTP servers do, but you cannot create, change,
or delete VLANs on a VTP client.

VTP transparent:
VTP transparent mode switches forward VTP advertisements to VTP clients and VTP
servers, but do not originate or otherwise process VTP advertisements.

VTP pruning:
VTP pruning increases available network bandwidth by restricting flooded traffic to trunk
links that the traffic must use to reach the destination devices.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

55

Mode

Description

VTP Modes
Cannot create, change, or delete VLANs on command-line interface

Client

(CLI).
Forwards advertisements to other switches.
Synchronizes VLAN configuration with latest information received from
other switches in the management domain.
Does not save VLAN configuration in nonvolatile RAM (NVRAM).
Server

Can create, modify, and delete VLANs.


Sends and forwards advertisements to other switches.
Synchronizes VLAN configuration with latest information received from
other switches in the management domain.
Saves VLAN configuration in NVRAM.

Transparent

Can create, modify, and delete VLANs only on the local switch.
Forwards VTP advertisements received from other switches in the same
management domain.
Does not synchronize its VLAN configuration with information received
from other switches in the management domain.
Saves VLAN configuration in NVRAM.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

56

VTP Domains

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

57

VTP Domains
VTP exchanges domain and VLAN information between
switches in the same VTP domain

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

58

VTP Modes
VTP modes play a role in enabling VTP to distribute
and synchronize domain and VLAN configuration
information in a network

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

59

VTP Server-to-Client Behavior

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

60

VTP Server-to-Transparent-to-Client Behavior

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

61

VTP Pruning

VTP pruning prevents flooded traffic from propagating to switches that do not
have members in specific VLANs.
VTP pruning uses VLAN advertisements to determine when a trunk connection
is flooding traffic needlessly. Switches 1 and 4 in the figure support ports
statically configured in the Red VLAN.
The broadcast traffic from Station A is not forwarded to Switches 3, 5, and 6
because traffic for the Red VLAN has been pruned on the links indicated on
Switches 2 and 4.
Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

62

VTP Pruning

VTP pruning prevents


unnecessary flooding of
broadcast information
from one VLAN across all
trunks in a VTP domain.
VTP pruning permits
switches to negotiate
which VLANs are
associated to ports at the
opposing end of trunks
and,
hence, prune the VLANs
that are not associated
with ports on the remote
switch.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

63

Configuring VTP
Step 1. Enter global configuration mode:
Switch# configure terminal

Step 2. Configure the VTP mode as server:


Switch(config)# vtp mode server

Step 3. Configure the domain name:


Switch(config)# vtp domain domain_name

Step 4. (Optional.) Enable VTP version 2:


Switch(config)# vtp version 2

Step 5. (Optional.) Specify a VTP password:


Switch(config)# vtp password password_string

Step 6. (Optional.) Enable VTP pruning in the management domain:


Switch(config)# vtp pruning

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

64

VTP Configuration Example


This example creates a VTP server with domain name
Modular_Form, password genus, and pruning enabled.

Switch# configure terminal


Switch(config)# vtp mode server
Setting device to VTP SERVER mode.
Switch(config)# vtp domain Modular_Form
Switch(config)# vtp password genus
Switch(config)# vtp pruning
Switch(config)# end

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

65

Verifying VTP Configuration (1)


The most useful command for verifying VTP configuration is
the show vtp status command. The output displayed
includes the VTP version, the VTP configuration revision
number, the number of VLANs supported locally, the VTP
operating mode, the VTP domain name, and the VTP
pruning mode.
Switch# show vtp status
VTP Version : 2
Configuration Revision : 247
Maximum VLANs supported locally : 1005
Number of existing VLANs : 33
VTP Operating Mode : Server
VTP Domain Name : Modular_Form
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 0.0.0.0 at 8-12-99 15:04:4
Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

66

Verifying VTP Configuration (2)


Use the show vtp counters command to display
statistics about VTP operation. If there are any problems
regarding the VTP operation, this command helps look for
VTP message type updates.
Switch# show vtp counters
VTP statistics:
Summary advertisements received : 7
Subset advertisements received : 5
Request advertisements received : 0
Summary advertisements transmitted : 997
Subset advertisements transmitted : 13
Request advertisements transmitted : 3
Number of config revision errors : 0
Number of config digest errors : 0
Number of V1 summary errors : 0
VTP pruning statistics:
Trunk Join Transmitted
device
------ ---------------Fa5/8
43071

Presentation_ID

Join Received

Summary advts received from non-pruning-capable

------------42766

----------------5

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

67

VTP Troubleshooting
Check that switches are interconnected by active trunk
links.
Check that the trunking protocol matches on opposite
ends of a trunk link.
Check VTP domain name (case-sensitive) and
password.
Check the VTP mode of the switches.
Check the VTP versions of the switches.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

68

VTP Troubleshooting
Common VTP configuration problems

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

69

VTP Configuration
Manage VLANs on a VTP enabled network

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

70

Summary
VTP is a Cisco proprietary protocol used to exchange
VLAN information across trunk links.
A switch can be in one of 3 VTP operating modes
Client
Cannot create, modify or delete VLAN
Server
Can create, modify & delete VLAN
Transparent
Can create, modify, & delete LOCAL VLAN
Forwards VTP advertisements.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

71

Summary
VTP pruning
Limits unnecessary dissemination of VLAN information.

Verify VTP configuration


Show VTP status
Show interfaces trunk

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

72

3.3 VLAN Security and


Design

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

73

Attacks on VLANs

Switch Spoofing Attack


There are a number of different types of VLAN attacks in modern
switched networks; VLAN hopping is one example.
The default configuration of the switch port is dynamic auto.
By configuring a host to act as a switch and form a trunk, an
attacker could gain access to any VLAN in the network.
Because the attacker is now able to access other VLANs, this is
called a VLAN hopping attack.
To prevent a basic switch spoofing attack, turn off trunking on all
ports, except the ones that specifically require trunking.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

74

Attacks on VLANs

Double-Tagging Attack
Double-tagging attack takes advantage of the way that hardware on
most switches de-encapsulate 802.1Q tags.
Most switches perform only one level of 802.1Q de-encapsulation,
allowing an attacker to embed a second, unauthorized attack header
in the frame.
After removing the first and legit 802.1Q header, the switch forwards
the frame to the VLAN specified in the unauthorized 802.1Q header.
The best approach to mitigating double-tagging attacks is to ensure
that the native VLAN of the trunk ports is different from the VLAN of
any user ports.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

75

Attacks on VLANs

Double-Tagging Attack (cont.)

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

76

Attacks on VLANs

PVLAN Edge
The Private VLAN (PVLAN) Edge
feature, also known as protected
ports, ensures that there is no
exchange of unicast, broadcast, or
multicast traffic between protected
ports on the switch.
Local relevancy only.
A protected port only exchanges
traffic with unprotected ports.
A protected port does not exchange
traffic with another protected port.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

77

Design Best Practices for VLANs

VLAN Design Guidelines


Move all ports from VLAN 1 and assign them to a not-in-use VLAN
Shut down all unused switch ports.
Separate management and user data traffic.
Change the management VLAN to a VLAN other than VLAN 1.
(The same goes to the native VLAN.)
Ensure that only devices in the management VLAN can connect to
the switches.
The switch should only accept SSH connections.
Disable autonegotiation on trunk ports.
Do not use the auto or desirable switch port modes.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

78

Chapter 3: Summary
This chapter:
Introduced VLANs and their types
Described the connection between VLANs and broadcast domains
Discussed IEEE 802.1Q frame tagging and how it enables
differentiation between Ethernet frames associated with distinct
VLANs as they traverse common trunk links.
Examined the configuration, verification, and troubleshooting of
VLANs and trunks using the Cisco IOS CLI and explored basic
security and design considerations.

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

79

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

80