Advantages and Disadvantages of VLANS. 2
VLANs allow logical
grouping of end-device that are physically isolated on network. 2
With VLANs there is
no need to have more routers deployed on the network to contain broadcast
broadcast domains on network reduces traffic. 2
Limits of ports. 2
Access and Trunk Ports. 2
Trunking concepts. 2
Frame Tagging. 2
Security of VLAN.. 3
Address Resolution Protocol (ARP) attack. 3
Double Tagging/Double Encapsulation VLAN Hopping Attack. 3
Cisco Discovery Protocol (CDP) Attack. 3
Multicast Brute-Force Attack. 4
VTP Types. 4
VTP Modes. 4
Router-Switch Topology. 4
Designing the lab. 4
Configuration files. 6
Testing the configuration and show commands. 16
Advantages and Disadvantages
VLANs provide many
advantages, such as easy administration, reduce broadcast traffic, and prosecution
of security policies.
VLANs allow logical grouping of end-device that
are physically isolated on network
With VLANs there is no need to have more
routers deployed on the network to contain broadcast traffic.
Quarantine of broadcast domains on network reduces
Limits of ports
Physical interfaces are configured to have 1 interface in VLAN. On
networks with more than 1 VLAN, using single router to achieve
routing isn’t possible.
Sub interfaces allow router to scale to house more VLANs than
the physical interfaces.
Because there is no contention for bandwidth on physical interfaces. In busy
network, this cause bottleneck for communication.
and Trunk Ports
Connecting physical interfaces for inter-VLAN routing needs that the
switch ports be configured as access ports.
sub interfaces need the switch port to be configured as trunk port so
that it can take VLAN tagged (ISL or 802.1Q) traffic on the trunk link.
the context of Ethernet VLANs use the term Ethernet trunking to mean carrying
multiple VLANs over single network link through the use of trunking protocol.
To allow for many VLANs on single link, frames from distinct VLANs must be recognized.
The most common method, IEEE 802.1Q adds tag to the Ethernet frame, labeling it
as belonging to certain VLAN. Cisco also has proprietary trunking protocol
called Inter-Switch Link which encapsulates Ethernet frame with its container,
which labels frame as belonging to specific VLAN.
Frame tagging is used to
identify the VLAN that the frame belongs to in network with many VLANs. The
VLAN ID is located on the frame when it reaches switch from access port. That
frame can then be forwarded out the trunk link port. Each switch can see what
VLAN the frame belongs to and can forward the frame to equivalent VLAN access
ports or to another VLAN trunk port.
protocols are used today for frame tagging:
Link (ISL) – Cisco’s exclusive VLAN tagging protocol.
802.1q – IEEE’s VLAN tagging protocol. Since it is open standard, it can be
used for tagging between switches from different brands.
are several tangible security vulnerabilities that can increase business risk
if they aren’t properly understood and mitigated:
Address Resolution Protocol (ARP) attack
ARP was developed at time when security wasn’t
such issue. Consequently, this protocol has simple belief that everyone
is friendly and responses can be taken at face value. If host broadcasts ARP
request to the network, it expects only the relevant host to respond.
Similarly, if host announces its presence by sending out gratuitous ARP, other
hosts expect that it is telling the truth and believe what it broadcasts. This,
of course, works well until malicious host appears. In Figure 2, host
starts broadcasting gratuitous ARP, announcing itself to hold the IP address of
the default gateway, 10.3.2.1. PCs, routers and other hosts may cache
information gained from gratuitous ARPs for future communications. As result,
anything from legitimate host will be routed through the malicious host as the
default gateway. The attacker then pushes the data to the real default
gateway. This will allow the attack to view traffic on the way out of the
network but incoming traffic will by-pass the attacker. The attacker now
needs to broadcast the address of the host they are trying to target on the LAN
to get the default gateway to send the incoming packets to itself before transmitting
them to the victim. Now it can see all the traffic incoming and outgoing.
one consideration is that without VLAN, this attacker could affect the
entire LAN, so VLANs do mitigate this sort of attack. Another way of
mitigating these ‘Man in the Middle’ attacks is to use Private VLANs to force
hosts to only talk to the default gateway but this isn’t always practical.
Double Tagging/Double Encapsulation VLAN Hopping Attack
This is development of Switch Spoofing, as many
systems are now configured correctly to prevent Switch Spoofing. The
exploit this time is to build packet with 2 802.1Q VLAN headers as shown on the
left of Figure 4. The first router strips off the first header and sends
it on to router 2. Router 2 strips the second header and send the packet
to the destination. This attack sends packet in only 1 direction, but still
gives the attacker access to hosts that shouldn’t be accessible. It only
works if the trunk has the same native VLAN as the attacker. To mitigate
this attack, auto-trunking should be disabled and dedicated VLAN ID should be
used for all trunk ports. Finally, avoid using VLAN 1.
Cisco Discovery Protocol (CDP) Attack
CDP is feature that allows Cisco devices to
exchange information and configure the network to work smoothly together.
The information being sent is sensitive, such as IP addresses, router models,
software versions and so on. It is all sent in clear text so any attacker
sniffing the network is able to see this information and, as it is
unauthenticated, it is possible to impersonate another device. The best option
is to disable CDP where possible. However, CDP can be useful and, if it
can be isolated by not allowing it on user ports, then it can help make the
network run more smoothly.
Multicast Brute-Force Attack
A multicast brute-force attack searches for
failings in the switch software. The attacker tries to exploit any
potential vulnerability in switch, by storming it with multicast frames.
As with CAM overflow, the aim is to see if switch receiving large amount of
layer 2 multicast traffic will “misbehave”. The switch should limit the
traffic to its original VLAN, but if the switch doesn’t handle this correctly,
frames might leak into other VLANs, if routing connects them. This type of
attack is pretty speculative as it looks for the switch to mishandle multicast
frames. The switch should contain all the frames within their appropriate
broadcast domain and attack of this nature shouldn’t be possible.
However, switches have failed to handle this form of attack in the past and
hence it is another attack vector.
sub-interface is logical interface that uses
the “parent” physical interface for moving the data.
If we had router with only 1 physical interface, but need to have the router
connected to 2 IP networks, so that it could do routing, we could create 2
logical sub interfaces, assign each sub interface IP address within each
subnet, and we can route between it.
Creating the sub interfaces on the routers, we tell the router which VLAN to
associate with that sub interface, in the same line as the encapsulate command
Trunk Protocol (VTP) reduces management in switched network. When we configure new
VLAN on 1 VTP server, the VLAN is spread through all switches in the domain.
This decreases the need to configure the same VLAN everywhere. VTP is Cisco-proprietary
You can configure switch to operate in any of
these VTP modes:
Server: In this
mode, we can create, delete and modify VLANs and specify further configuration
parameters, for the entire VTP domain. VTP servers advertise their VLAN
configuration to other devices in the same VTP domain and synchronize VLAN
configuration with other switches based on advertisements received from trunk
links. default mode is VTP server.
clients act the same way as VTP servers, but we cannot create, or change, or
delete VLANs on VTP client.
transparent switches don’t participate in VTP. VTP transparent switch doesn’t advertise
its VLAN configuration and doesn’t synchronize its VLAN configuration based on