Device Configuration Lecture 4

Uploaded by

Fitsum Erena

Lecture 4

VIRTUAL LOCAL AREA NETWORK


VLAN

BY Basha K | Faculty of Computing and Software Engineering


Outlines

◘Overview of VLANs
◘VLANs in a Multi-Switched Environment
◘VLAN Configuration
◘VLAN Trunks
◘Dynamic Trunking Protocol

2
Overview of VLANs
VLAN Definitions
♣ VLANs are logical connections with other similar devices.
♣ Placing devices into various VLANs has the following characteristics:
▫ Provides segmentation of the various groups of devices on the same switches
▫ Provides organization that is more manageable
▫ Broadcasts, multicasts and unicasts are isolated in the individual VLAN
▫ Each VLAN will have its own unique range of IP addressing
▫ Smaller broadcast domains
3
Benefits of a VLAN Design

Benefits of using VLANs are as follows:

Benefit: Description
Smaller Broadcast Domains: Dividing the LAN reduces the number of broadcast domains
Improved Security: Only users in the same VLAN can communicate together
Improved IT Efficiency: VLANs can group devices with similar requirements, e.g. faculty vs. students
Reduced Cost: One switch can support multiple groups or VLANs
Better Performance: Small broadcast domains reduce traffic, improving bandwidth
Simpler Management: Similar groups will need similar applications and other network resources
4
Overview of VLANs
Types of VLANs
Default VLAN
VLAN 1 is the following:
◘ The default VLAN
◘ The default Native VLAN
◘ The default Management VLAN
◘ Cannot be deleted or renamed

5
Types of VLANs ….
 Data VLAN
• Dedicated to user-generated traffic (email and web traffic).
• VLAN 1 is the default data VLAN because all interfaces are assigned to this VLAN.
 Native VLAN
• This is used for trunk links only.
• All frames are tagged on an 802.1Q trunk link except for those on the native VLAN.
 Management VLAN
• Used for SSH/Telnet VTY traffic and should not be carried with end user traffic.
• Typically, the VLAN that is the SVI (switch virtual interface) for the Layer 2 switch.

6
Types of VLANs …
 Voice VLAN
◘ A separate VLAN is required because voice traffic requires:
 Assured bandwidth
 High QoS priority
 Ability to avoid congestion
 Delay less than 150 ms from source to destination
 The entire network must be designed to support voice.

7
VLANs in a Multi-Switched Environment
Defining VLAN Trunks
◘A trunk is a point-to-point link between two network devices.
◘Cisco trunk functions:
◙ Allow more than one VLAN
◙ Extend the VLAN across the entire network
◙ By default, supports all VLANs
◙ Supports 802.1Q Trunking

8
VLANs in a Multi-Switched Environment
Networks without / with VLANs
Without VLANs, all devices connected to the switches will receive all unicast, multicast, and broadcast traffic.
With VLANs, unicast, multicast, and broadcast traffic is confined to a VLAN. Without a Layer 3 device to connect the VLANs, devices in different VLANs cannot communicate.

9
VLAN Identification with a Tag
• The IEEE 802.1Q header is 4 Bytes
• When the tag is created the FCS must be recalculated.
• When sent to end devices, this tag must be removed and the FCS recalculated back to its original number.

802.1Q VLAN Tag Field: Function
Type: 2-Byte field with hexadecimal 0x8100; this is referred to as Tag Protocol ID (TPID)
User Priority: 3-bit value that supports
Canonical Format Identifier (CFI): 1-bit value that can support token ring frames on Ethernet
VLAN ID (VID): 12-bit VLAN identifier that can support up to 4096 VLANs

10
Native VLANs and 802.1Q Tagging
◘ 802.1Q trunk basics:
►Tagging is typically done on all VLANs.
►The use of a native VLAN was designed for legacy use, like the hub in the example.
►Unless changed, VLAN 1 is the native VLAN.
►Both ends of a trunk link must be configured with the same native VLAN.
►Each trunk is configured separately, so it is possible to have different native VLANs on separate trunks.

11
Voice VLAN Tagging
The VoIP phone is a three port switch:
 The switch will use CDP to inform the phone of the Voice VLAN.
 The phone will tag its own traffic (Voice) and can set Class of Service (CoS).
 CoS is QoS for layer 2.
 The phone may or may not tag frames from the PC.

Traffic: Tagging Function
Voice VLAN: tagged with an appropriate Layer 2 class of service (CoS) priority value
Access VLAN: can also be tagged with a Layer 2 CoS priority value

12
VLAN Configuration
VLAN Ranges on Catalyst Switches

Catalyst switches 2960 and 3650 support over 4000 VLANs.

Normal Range VLAN 1 – 1005:
• Used in small to medium sized businesses
• 1002 – 1005 are reserved for legacy VLANs
• 1, 1002 – 1005 are auto created and cannot be deleted
• Stored in the vlan.dat file in flash
• VTP can synchronize between switches

Extended Range VLAN 1006 – 4095:
• Used by Service Providers
• Stored in Running-Config
• Supports fewer VLAN features
• Requires VTP configurations

13
VLAN Configuration…
VLAN Creation Commands
VLAN details are stored in the vlan.dat file; VLANs are created in global configuration mode.

Task: IOS Command
Enter global configuration mode: Switch# configure terminal
Create a VLAN with a valid ID number: Switch(config)# vlan vlan-id
Specify a unique name to identify the VLAN: Switch(config-vlan)# name vlan-name
Return to the privileged EXEC mode: Switch(config-vlan)# end


14
VLAN Configuration…
VLAN Port Assignment Example

• We can assign the VLAN to the port interface.
• Once the device is assigned the VLAN, then the end device will need the IP address information for that VLAN.
• Student PC receives 172.17.20.22

Prompt / Command
S1# configure terminal (or conf t)
S1(config)# interface fa0/18 (or int fa0/18)
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
S1(config-if)# end

15
VLAN Configuration…
Data and Voice VLAN Example
 Configuring of VLAN

16
VLAN Trunks
Trunk Configuration Commands

◘ Configure and verify VLAN trunks. Trunks are layer 2 and carry traffic for all VLANs.

Task: IOS Command
Enter global configuration mode: Switch# configure terminal
Enter interface configuration mode: Switch(config)# interface interface-id
Set the port to permanent trunking mode: Switch(config-if)# switchport mode trunk
Set the native VLAN to something other than VLAN 1: Switch(config-if)# switchport trunk native vlan vlan-id
Specify the list of VLANs to be allowed on the trunk link: Switch(config-if)# switchport trunk allowed vlan vlan-list
Return to the privileged EXEC mode: Switch(config-if)# end

17
VLAN Trunks…
Trunk Configuration Example
 The subnets associated with each VLAN are:
 VLAN 10 - Faculty/Staff - 172.17.10.0/24
 VLAN 20 - Students - 172.17.20.0/24
 VLAN 30 - Guests - 172.17.30.0/24
 VLAN 99 - Native - 172.17.99.0/24
F0/1 port on S1 is configured as a trunk port.
• This assumes a 2960 switch using 802.1Q tagging.
• Layer 3 switches require the encapsulation to be configured before the trunk mode.

Prompt / Command
S1(config)# interface fa0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# switchport trunk allowed vlan 10,20,30,99
S1(config-if)# end
18
Verify Trunk Configuration
Set the trunk mode and native VLAN (the default mode is dynamic auto).
Notice that the show int fa0/1 switchport command shows the port:
◘ Is set to trunk administratively
◘ Is set as trunk operationally (functioning)
◘ Encapsulation is dot1q
◘ Native VLAN set to VLAN 99
◘ All VLANs created on the switch will pass traffic on this trunk

19
Dynamic Trunking Protocol (DTP)
Introduction to DTP
 Dynamic Trunking Protocol (DTP) is a proprietary Cisco protocol.

 DTP characteristics are as follows:

♣ On by default on Catalyst 2960 and 2950 switches
♣ Dynamic auto is the default on the 2960 and 2950 switches
♣ May be turned off with the switchport nonegotiate command
♣ May be turned back on by setting the interface to dynamic auto
♣ Setting a switch port to static trunk (switchport mode trunk) or static access (switchport mode access) avoids negotiation issues.

20
Dynamic Trunking Protocol…
Negotiated Interface Modes
 The switchport mode command has additional options.

 Use the switchport nonegotiate interface configuration command to stop DTP negotiation.

Option: Description
access: Permanent access mode and negotiates to convert the neighboring link into an access link
dynamic auto: Will become a trunk interface if the neighboring interface is set to trunk or desirable mode
dynamic desirable: Actively seeks to become a trunk by negotiating with other auto or desirable interfaces
trunk: Permanent trunking mode and negotiates to convert the neighboring link into a trunk link
21
Dynamic Trunking Protocol…
Results of a DTP Configuration
 DTP configuration options are as follows:

Mode | Dynamic Auto | Dynamic Desirable | Trunk | Access
Dynamic Auto | Access | Trunk | Trunk | Access
Dynamic Desirable | Trunk | Trunk | Trunk | Access
Trunk | Trunk | Trunk | Trunk | Limited connectivity
Access | Access | Access | Limited connectivity | Access

22
Troubleshooting VLANs and Trunks
Addressing Issues with VLAN
 It is very common practice to associate a VLAN with an IP network
 Since different IP networks only communicate through a router, all devices within a VLAN must be part of the same IP network in order to communicate
 In the picture below, PC1 can’t communicate with the server because it has a wrong IP address configured

23
Troubleshooting VLANs and Trunks
Missing VLANs
 If all IP address mismatches have been solved but the device still can’t connect, check whether the VLAN exists on the switch

24
Troubleshooting VLANs and Trunks
 Introduction to Troubleshooting Trunks

25
Troubleshooting VLANs and Trunks
Common Problems With Trunks
 Trunking issues are usually associated with incorrect configurations.
 The most common types of trunk configuration errors are:
• Native VLAN mismatches
• Trunk mode mismatches
• Allowed VLANs on trunks
 If a trunk problem is detected, the best practice guidelines recommend troubleshooting in the order shown above.

26
Troubleshooting VLANs and Trunks
Trunk Mode Mismatches
 If a port on a trunk link is configured with a trunk mode that is incompatible with
the neighboring trunk port, a trunk link fails to form between the two switches
 Check the status of the trunk ports on the switches using the show interfaces
trunk command
 To fix the problem, configure the interfaces with proper trunk modes.

27
Troubleshooting VLANs and Trunks
Incorrect VLAN List
 VLANs must be allowed on the trunk before their frames can be transmitted across the link
 Use the switchport trunk allowed vlan id command to specify which VLANs are allowed on a trunk link
 To ensure the correct VLANs are permitted on a trunk, use the show interfaces trunk command

28
Attacks on VLANs
Switch Spoofing Attack
 There are a number of different types of VLAN attacks in modern switched networks.

 VLAN hopping is one of them.

 The default configuration of the switch port is dynamic auto.

 By configuring a host to act as a switch and form a trunk, an attacker could gain access to any VLAN in the network.
 Because the attacker is now able to access other VLANs, this is called a VLAN hopping attack.
 To prevent a basic switch spoofing attack, turn off trunking on all ports, except the ones that specifically require trunking.

29
Attacks on VLANs
Double-Tagging Attack
 The double-tagging attack takes advantage of the way that hardware on most switches de-encapsulates 802.1Q tags.
 Most switches perform only one level of 802.1Q de-encapsulation, allowing an attacker to embed a second, unauthorized 802.1Q header in the frame.
 After removing the first and legitimate 802.1Q header, the switch forwards the frame to the VLAN specified in the unauthorized 802.1Q header.
 The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports.
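The tag layout from the 802.1Q tag table (TPID 0x8100, 3-bit priority, 1-bit CFI, 12-bit VID) and the one-level de-encapsulation described above, worked through in Python as an added example that is not part of the lecture: it inserts a tag into a frame and recomputes the FCS as the slides require, peels a single tag the way a switch does, and applies a defender-side check that flags stacked tags. The MAC addresses and the sample frame are constructed for the example.

```python
import struct
import zlib

TPID = 0x8100   # Tag Protocol ID, the 2-byte "Type" field in the 802.1Q tag table

def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, tags=()) -> bytes:
    """Assemble a frame; each (pcp, cfi, vid) in `tags` becomes a 4-byte 802.1Q header after
    the source MAC, outermost first. The FCS is computed after tagging, as the slide requires."""
    hdr = dst + src
    for pcp, cfi, vid in tags:
        tci = (pcp << 13) | (cfi << 12) | (vid & 0xFFF)   # 3-bit priority, 1-bit CFI, 12-bit VID
        hdr += struct.pack("!HH", TPID, tci)
    body = hdr + struct.pack("!H", ethertype) + payload
    return body + fcs(body)

def parse_tags(frame: bytes):
    """Return ([(pcp, cfi, vid), ...] outermost first, ethertype, fcs_ok)."""
    fcs_ok = fcs(frame[:-4]) == frame[-4:]
    off, tags = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0xFFF))
        off += 4
    return tags, struct.unpack_from("!H", frame, off)[0], fcs_ok

def strip_outer_tag(frame: bytes) -> bytes:
    """One level of de-encapsulation, as a switch does before delivering to an end device:
    drop the 4 tag bytes after the MACs and recompute the FCS. An inner tag survives."""
    if not parse_tags(frame)[0]:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)

def ingress_check(frame: bytes) -> str:
    """Defender-side sanity rule for a received frame: the FCS must verify, and no ordinary
    host sends stacked tags, so a second 802.1Q header is the double-tagging pattern."""
    tags, _, fcs_ok = parse_tags(frame)
    if not fcs_ok:
        return "drop: bad FCS"
    if len(tags) > 1:
        return "alert: double-tagged frame"
    return "ok"

# Constructed sample (not from the slides): broadcast IPv4 frame from a made-up MAC, VLAN 20, priority 5.
SAMPLE = build_frame(b"\xff" * 6, bytes.fromhex("0200000000aa"), 0x0800, b"\x00" * 46, [(5, 0, 20)])
```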

30
Attacks on VLANs
Double-Tagging Attack

31
Design Best Practices For VLANs
VLAN Design Guideline
 Move all ports from VLAN 1 and assign them to a not-in-use VLAN

 Shut down all unused switch ports

 Separate management and user data traffic

 Change the management VLAN to a VLAN other than VLAN 1.

 The same goes for the native VLAN

 Make sure that only devices in the management VLAN can connect to the switches

 The switch should only accept SSH connections

 Disable auto negotiation on trunk ports

 Do not use the auto or desirable switch port modes
32
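An added example, not from the lecture, that turns the guidelines above (together with the trunk mode and native VLAN checks from the troubleshooting slides) into an audit of a switch configuration: the Python below parses a constructed running-config excerpt and reports trunks left on native VLAN 1 or still negotiating DTP, access ports left in VLAN 1, ports sitting at the dynamic auto default, and VTY lines that accept Telnet. The configuration text and interface names are made up for the example.

```python
# Constructed running-config excerpt (not from the slides): a hardened trunk, a bare trunk, a default port, a Telnet VTY.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/19
!
line vty 0 4
 transport input telnet ssh
!
"""

def parse_blocks(config):
    """Yield (header, [indented lines]) for each IOS config block; a '!' line ends a block."""
    header, lines = None, []
    for line in config.splitlines() + ["!"]:
        if line.startswith(" "):
            lines.append(line.strip())
        else:
            if header:
                yield header, lines
            header, lines = (None if line.startswith("!") else line), []

def audit(config):
    """Check ports and VTY lines against the slide's design guidelines; return findings."""
    findings = []
    for header, lines in parse_blocks(config):
        if header.startswith("interface") and "shutdown" not in lines:
            name = header.split()[1]
            # A port with no 'switchport mode' line is in the Catalyst default, dynamic auto.
            mode = next((cmd.split(None, 2)[2] for cmd in lines if cmd.startswith("switchport mode ")), "dynamic auto")
            if mode == "trunk":
                native = next((cmd.split()[-1] for cmd in lines if cmd.startswith("switchport trunk native vlan ")), "1")
                if native == "1":
                    findings.append(f"{name}: trunk uses native VLAN 1")
                if "switchport nonegotiate" not in lines:
                    findings.append(f"{name}: trunk still negotiates DTP")
            elif mode == "access":
                if not any(cmd.startswith("switchport access vlan ") for cmd in lines):
                    findings.append(f"{name}: access port left in VLAN 1")
            else:
                findings.append(f"{name}: {mode} mode lets DTP negotiate a trunk")
        elif header.startswith("line vty") and any(cmd.startswith("transport input") and "telnet" in cmd for cmd in lines):
            findings.append(f"{header}: accepts Telnet, should be SSH only")
    return findings
```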


The End!
Q?
