Chapter 1: Virtual LAN Concepts "notes"

VLAN - a broadcast domain. By using VLANs, the ports of one switch can be separated into many broadcast domains instead of just one.

Reasons for Virtual LANs

  • to create flexibility by separating groups by department, or physical location.
  • create smaller LANs reducing the size of the broadcast domain
  • reduce overhead of STP 
  • enforce better security 
  • separate traffic types, such as VoIP and data

Trunking - injects a header into each frame, "tagging" the frame with its VLAN ID so that other switches can correctly forward frames to the right VLANs.

Trunking Protocols

ISL - old Cisco proprietary trunking protocol. ISL fully encapsulates each original Ethernet frame in an ISL header and trailer. The original Ethernet frame inside the ISL header and trailer remains unchanged. The VLAN ID is carried inside the ISL header.

IEEE 802.1Q - the standard protocol for trunking. 802.1Q uses a different header method than ISL: it does not encapsulate the original frame in another Ethernet header and trailer. Instead it inserts an extra 4-byte VLAN header (the tag) into the original frame's Ethernet header. Unlike ISL, the 802.1Q frame still carries the original source and destination MAC addresses. 802.1Q also recalculates the FCS (frame check sequence) because 4 bytes were added to the header.

Both ISL and 802.1Q support 4096 VLAN values minus two reserved values (0 and 4095).
VLAN IDs 1-1005 are considered to be normal range
VLAN IDs higher than 1005 are considered extended range VLANs

ISL and 802.1Q support Spanning Tree Protocol (STP) 

Native VLAN - used by 802.1Q; by default the native VLAN is VLAN 1. When a switch forwards a frame on the native VLAN it does not insert the VLAN tag into the header, and when a switch receives a frame with no VLAN tag it treats the frame as belonging to the native VLAN, which is VLAN 1 by default.
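As an added worked example (not part of the original notes), the Python below builds an untagged Ethernet frame, inserts the 4-byte 802.1Q tag where a trunk port would, recomputes the FCS, and then parses a received frame the way a trunk port does, assigning untagged frames to the native VLAN. The MAC addresses, EtherType and payload are constructed sample values; the byte layout (TPID 0x8100 followed by the 16-bit TCI, tag placed after the source MAC, CRC-32 FCS) is the real 802.1Q/Ethernet format.

```python
import struct
import zlib

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
DEFAULT_NATIVE_VLAN = 1      # Cisco default native VLAN
RESERVED_VLANS = {0, 4095}   # the two reserved IDs out of the 4096-value space


def is_valid_vlan_id(vlan_id: int) -> bool:
    """Usable VLAN IDs are 1-4094; 0 and 4095 are reserved."""
    return 0 <= vlan_id <= 4095 and vlan_id not in RESERVED_VLANS


def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an untagged Ethernet frame and append its FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """What a trunk port does on egress: insert the 4-byte 802.1Q tag between the
    source MAC and the EtherType, keep both MACs as they were, and recompute the FCS."""
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("bad FCS on input frame")
    if not is_valid_vlan_id(vlan_id):
        raise ValueError(f"VLAN {vlan_id} is reserved or out of range")
    tci = (pcp << 13) | (vlan_id & 0x0FFF)        # 3-bit PCP, 1-bit DEI (0), 12-bit VID
    tagged_body = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged_body + fcs(tagged_body)           # 4 bytes were added, so the FCS changes


def parse_frame(frame: bytes, native_vlan: int = DEFAULT_NATIVE_VLAN) -> dict:
    """What a trunk port does on ingress: verify the FCS, read the VLAN ID from the tag
    if one is present, otherwise treat the untagged frame as belonging to the native VLAN."""
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("bad FCS")
    dst, src = body[0:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", body[14:16])[0]
        vlan_id, tagged = tci & 0x0FFF, True
        ethertype = struct.unpack("!H", body[16:18])[0]
        payload = body[18:]
    else:
        vlan_id, tagged = native_vlan, False
        payload = body[14:]
    return {"dst": dst, "src": src, "vlan": vlan_id, "tagged": tagged,
            "ethertype": ethertype, "payload": payload}


if __name__ == "__main__":
    # Constructed sample: broadcast destination, made-up source MAC, IPv4 EtherType.
    untagged = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455"),
                           0x0800, b"\x45\x00\x00\x14" + b"\x00" * 16)
    tagged = tag_frame(untagged, 2)
    print("untagged ->", parse_frame(untagged))   # lands in the native VLAN (1)
    print("tagged   ->", parse_frame(tagged))     # carries VLAN 2 explicitly
```

The parse step is the one worth remembering from a security standpoint: anything arriving untagged on a trunk is silently placed in the native VLAN, which is why the native VLAN should not be one that carries user data.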

Each VLAN needs its own subnet associated with it because it is a different network and a different broadcast domain. Broadcast domains are separated by routers, so traffic must pass through a router in order to reach other networks or other VLANs.

VLAN Trunking Protocol (VTP) - communicates VLAN information dynamically across switches

Modes of VTP
  • Server - controls config, able to make vlan changes, and send updates
  • Client - only able to receive updates and forward updates
  • Transparent - standalone switch can send, receive, and make changes, but does not affect other switches.

VTP cannot be disabled; to effectively disable VTP, place all switches into transparent mode.

VTP configuration revision number update process
  1. vlan change is made
  2. revision number incremented upwards
  3. triggered update
  4. vtp update message out all trunk interfaces with revision number
  5. if the update's revision number is higher than the revision number on the receiving switch, the switch updates its VLAN information.

Requirements of VTP between two switches

  1. the links must be operating as a vlan trunk 
  2. the switches must have a matching case-sensitive VTP domain name
  3. if configured, both must have a matching VTP case-sensitive password

Switches running in server mode or client mode store VLAN configuration information (the VLAN database) in a file called vlan.dat located in flash memory. This information is not stored in the running or the startup config and can only be viewed with show commands.

The process of storing the file in flash allows the servers and clients to update dynamically and store new configurations automatically. 

VTP version 1 vs. version 2 - version 1 requires that the VTP domain and password match; if they do not, the VTP update is discarded. This caused other switches to not receive VTP updates. Version 2 of VTP allows transparent mode switches to ignore the domain name and password and forward the update on to the client/server mode switches connected to them.

VTP Pruning - a dynamic method of preventing unnecessary vlan broadcasts to switches that do not need that information. Some switches do not need to learn of all vlan data because they do not have certain vlans attached to them, vtp pruning prevents those switches from getting broadcasts containing vlan information the switch does not need. VTP pruning is a dynamic method, but the same can be configured with an allowed vlan list manually.

Configure a VLAN
sw#configure terminal
sw(config)#vlan 2
sw(config-vlan)#name Duffneys-vlan
sw(config-vlan)#exit
sw(config)#interface range fastethernet 0/13 - 14
sw(config-if-range)#switchport access vlan 2

Confirm VLAN
sw#show running-config
sw#show vlan brief

Trunking configuration involves two important choices

  • the type of trunking: IEEE 802.1Q, ISL, or negotiate
  • the administrative mode: whether to trunk, not trunk, or negotiate

Cisco switches can either negotiate or be configured with the type of trunking to use (ISL or 802.1Q). By default, a Cisco switch negotiates the type of trunking using the Dynamic Trunking Protocol (DTP). When negotiating, if both switches support both ISL and 802.1Q, they choose ISL. Most switches today don't support ISL and use dot1q encapsulation; dot1q is short for 802.1Q.

The administrative mode of a switch port refers to whether or not trunking should be enabled on the interface. To configure the administrative mode of a switch port, the switchport mode command is used.

Switchport modes
  • access - prevents trunking
  • trunk - always uses trunking
  • dynamic desirable - initiates and responds to negotiation messages
  • dynamic auto - passively waits to receive trunk negotiation messages

Controlling which VLANs can be supported on a trunk

The allowed VLAN list feature provides a way to control which VLANs can cross a given trunk port. The available forms of the command are:

switchport trunk allowed vlan {add | all | except | remove } vlan-list

An example of except:

sw1(config)# switchport trunk allowed vlan except 200-300

would allow VLANs 1-199 and 301-4094 on the trunk.
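As an added example (not from the original notes), the Python below models how the four keywords of switchport trunk allowed vlan change a trunk's allowed set, parses IOS-style VLAN lists such as 200-300 or 10,20-22, and renders the result back in the compact 1-199,301-4094 form. The starting set of 1-4094 reflects the reserved values 0 and 4095 mentioned earlier; the "except" keyword is taken as all VLANs minus the list, independent of the current set, which is how the example above reads.

```python
ALL_VLANS = frozenset(range(1, 4095))   # 1-4094; 0 and 4095 are reserved


def parse_vlan_list(text: str) -> set:
    """Parse an IOS-style vlan-list such as '1,10-20,300' into a set of VLAN IDs."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"range {part} runs backwards")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    out_of_range = sorted(v for v in vlans if v not in ALL_VLANS)
    if out_of_range:
        raise ValueError(f"VLAN IDs out of range: {out_of_range}")
    return vlans


def apply_allowed_vlan(current: set, keyword: str, vlan_list: str = "") -> set:
    """Apply one 'switchport trunk allowed vlan {add|all|except|remove} vlan-list'
    command to the trunk's current allowed set and return the new set."""
    if keyword == "all":
        return set(ALL_VLANS)
    requested = parse_vlan_list(vlan_list)
    if keyword == "add":
        return current | requested
    if keyword == "remove":
        return current - requested
    if keyword == "except":
        return set(ALL_VLANS) - requested   # replaces the list, not relative to it
    raise ValueError(f"unknown keyword {keyword!r}")


def format_vlan_list(vlans: set) -> str:
    """Collapse a set of IDs back into the compact form shown by 'show interfaces trunk'."""
    ranges = []
    for v in sorted(vlans):
        if ranges and ranges[-1][1] == v - 1:
            ranges[-1][1] = v            # extend the current run
        else:
            ranges.append([v, v])        # start a new run
    return ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)


if __name__ == "__main__":
    allowed = set(ALL_VLANS)                               # trunk default: all VLANs
    allowed = apply_allowed_vlan(allowed, "except", "200-300")
    print(format_vlan_list(allowed))                       # 1-199,301-4094
    allowed = apply_allowed_vlan(allowed, "remove", "1-199")
    print(format_vlan_list(allowed))                       # 301-4094
```

Tracking the allowed set this way is also a useful audit check: a trunk whose allowed list still contains VLANs that are not meant to cross it is the static counterpart of what VTP pruning fixes dynamically.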

The VLAN used for VoIP is called the voice VLAN.

The VLAN used for data is called the access VLAN or data VLAN.

Voice and Data VLAN configuration

Device | VLAN type               | Command
phone  | voice or auxiliary VLAN | switchport voice vlan vlan-id
pc     | data or access VLAN     | switchport access vlan vlan-id

Securing vlans and trunking

  • administratively disable the unused interface
  • prevent trunking from being negotiated when the port is enabled by using switchport nonegotiate or switchport mode access
  • assign the port to an unused vlan sometimes called a parking lot vlan  

The VTP default configuration leaves a security hole that can be used for a DoS attack. If a switch does not have a VTP domain configured, it will sync with a switch that does have a VTP domain configured; once that change takes place, the switch with the highest VLAN database revision number overwrites the VLAN database of the other switch, allowing an attacker to erase all VLAN data and put all traffic into one broadcast domain. Avoid this by configuring switches that should not take part in a VTP domain as transparent switches, which ignore the VTP domain change.
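As an added example (not from the original notes), the Python below is a small model of the VTP behaviour described in the revision-number process, the two matching requirements, the version 1 vs. 2 difference, and the default-configuration hole above. It is a simulation, not a VTP implementation: switch names, the LAB domain, the password and the VLAN databases are constructed, and the "higher-revision update" stands in for whatever source it comes from (a reconnected old switch or the attack the notes describe). The point it demonstrates is the defence: the same switch that loses its vlan.dat at defaults keeps it in transparent mode.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class VtpUpdate:
    """The fields of a VTP advertisement that matter for the revision-number process."""
    domain: str
    password: Optional[str]
    revision: int
    vlans: Dict[int, str]          # VLAN ID -> name, the advertised vlan.dat contents


@dataclass
class Switch:
    name: str
    mode: str                      # "server", "client" or "transparent"
    domain: Optional[str] = None   # None models a switch with no VTP domain configured
    password: Optional[str] = None
    version: int = 2
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})

    def change_vlan(self, vlan_id: int, name: str) -> Optional[VtpUpdate]:
        """Steps 1-4: a VLAN change on a server bumps the revision and triggers an update.
        A transparent switch changes only its local vlan.dat; a client cannot change VLANs."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot modify VLANs")
        self.vlans[vlan_id] = name
        if self.mode == "transparent":
            return None
        self.revision += 1
        return VtpUpdate(self.domain, self.password, self.revision, dict(self.vlans))

    def receive(self, update: VtpUpdate) -> str:
        """Step 5 plus the matching requirements: decide what an incoming update does."""
        if self.mode == "transparent":
            return "ignored (transparent)"
        if self.domain is None:
            # Default configuration: a switch with no domain adopts the first one it hears.
            self.domain = update.domain
        if update.domain != self.domain:            # case-sensitive compare
            return "discarded (domain mismatch)"
        if update.password != self.password:        # case-sensitive compare
            return "discarded (password mismatch)"
        if update.revision > self.revision:
            self.vlans = dict(update.vlans)         # vlan.dat is overwritten wholesale
            self.revision = update.revision
            return "overwrote vlan.dat"
        return "ignored (revision not higher)"

    def relays(self, update: VtpUpdate) -> bool:
        """Does a transparent switch pass the update out its other trunks?
        Version 1 needs matching domain and password; version 2 relays regardless."""
        if self.mode != "transparent":
            return False
        return self.version >= 2 or (
            update.domain == self.domain and update.password == self.password)


def scenario() -> dict:
    """Constructed scenario: a normal server-to-client sync, then the default-config
    hole, then the same switch protected by transparent mode."""
    server = Switch("SW1", "server", domain="LAB", password="Secr3t")
    client = Switch("SW2", "client", domain="LAB", password="Secr3t")
    sync = client.receive(server.change_vlan(2, "Duffneys-vlan"))

    # SW3 was left at defaults (no domain, server mode) with VLANs 2 and 3 in vlan.dat.
    local_db = {1: "default", 2: "Duffneys-vlan", 3: "voice"}
    unmanaged = Switch("SW3", "server", revision=3, vlans=dict(local_db))
    # It hears an update for a domain with no password, a higher revision, and only VLAN 1.
    higher_rev = VtpUpdate(domain="LAB", password=None, revision=10, vlans={1: "default"})
    hole = unmanaged.receive(higher_rev)

    # The same switch configured transparent keeps its VLANs.
    hardened = Switch("SW4", "transparent", revision=3, vlans=dict(local_db))
    fix = hardened.receive(higher_rev)
    return {"sync": sync, "client_vlans": client.vlans,
            "hole": hole, "unmanaged_vlans": unmanaged.vlans,
            "fix": fix, "hardened_vlans": hardened.vlans}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Note that in the model the unmanaged switch loses VLANs 2 and 3 purely because it had no domain and no password; a domain password would already turn the higher-revision update into "discarded (password mismatch)", and transparent mode removes the switch from the sync altogether.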
