Contents

Advantages and Disadvantages of VLANs
VLANs enable logical grouping of end-stations that are physically dispersed on a network
VLANs reduce the need to have routers deployed on a network to contain broadcast traffic
Confinement of broadcast domains on a network significantly reduces traffic
Port Limits
Performance
Access Ports and Trunk Ports
Trunking concepts
Frame Tagging
Security of VLAN
Address Resolution Protocol (ARP) attack
Double Tagging/Double Encapsulation VLAN Hopping Attack
Cisco Discovery Protocol (CDP) Attack
Multicast Brute-Force Attack
Sub-Interfaces
VTP Types
VTP Modes
Router-Switch Topology
Designing the lab
Configuration files
Testing the configuration and show commands

Advantages and Disadvantages of VLANs

VLANs provide a number of advantages, such as ease of administration, confinement of broadcast domains, reduced broadcast traffic, and enforcement of security policies.
VLANs enable logical grouping of end-stations that are physically dispersed on a network

When users on a VLAN move to a new physical location but continue to perform the same job function, the end-stations of those users do not need to be reconfigured. Similarly, if users change their job functions, they need not physically move: changing the VLAN membership of their end-stations to that of the new team makes the end-stations local to the resources of the new team.

VLANs reduce the need to have routers deployed on a network to contain broadcast traffic

Flooding of a frame is limited to the switch ports that belong to the VLAN in which it was received.

Confinement of broadcast domains on a network significantly reduces traffic

By confining the broadcast domains, end-stations on a VLAN are prevented from listening to or receiving broadcasts not intended for them. Moreover, if no router (or other Layer 3 device) is connected between the VLANs, the end-stations of one VLAN cannot communicate with the end-stations of the other VLANs. This separation is only as strong as the switch's enforcement of it, which is exactly what the attacks described under Security of VLAN try to break.
Port Limits

With one physical interface per VLAN, a router needs a physical interface for every VLAN it routes between. On networks with many VLANs, a single router does not have enough physical interfaces to perform inter-VLAN routing this way. Sub-interfaces allow a router to scale to accommodate more VLANs than its physical interfaces permit.

Performance

Because there is no contention for bandwidth on physical interfaces, physical interfaces give better performance for inter-VLAN routing. When sub-interfaces are used for inter-VLAN routing, all the traffic being routed competes for bandwidth on the single physical interface. On a busy network, this could cause a bottleneck for communication.

Access Ports and Trunk Ports

Connecting physical interfaces for inter-VLAN routing requires that the switch ports be configured as access ports. Sub-interfaces require the switch port to be configured as a trunk port so that it can accept VLAN-tagged (ISL or 802.1Q) traffic on the trunk link.

Trunking concepts

In the context of Ethernet VLANs, the term Ethernet trunking means carrying multiple VLANs through a single network link through the use of a trunking protocol. To allow multiple VLANs on one link, frames from individual VLANs must be identified. The most common and preferred method, IEEE 802.1Q, adds a tag to the Ethernet frame, labeling it as belonging to a certain VLAN. Since 802.1Q is an open standard, it is the only option in an environment with multiple-vendor equipment. Cisco also has a proprietary trunking protocol called Inter-Switch Link (ISL), which encapsulates the Ethernet frame in its own container that labels the frame as belonging to a specific VLAN. 3Com used a proprietary Virtual LAN Trunking (VLT) before 802.1Q was defined.

Frame Tagging

Frame tagging is used to identify the VLAN that a frame belongs to in a network with multiple VLANs. The VLAN ID is placed on the frame when it reaches a switch from an access port that is a member of a VLAN. That frame can then be forwarded out the trunk link port. Each switch can see which VLAN the frame belongs to and can forward the frame to the corresponding VLAN access ports or to another VLAN trunk port. One exception matters for security: on an 802.1Q trunk, frames belonging to the trunk's native VLAN are sent untagged, and an untagged frame arriving on a trunk is placed in the native VLAN.

Two trunking protocols are usually used today for frame tagging:
· Inter-Switch Link (ISL) – Cisco's proprietary VLAN tagging protocol.
· IEEE 802.1Q – the IEEE's VLAN tagging protocol.
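As an added illustration (example code, not part of the original report), the following Python builds and parses 802.1Q-tagged frames and models the three switch decisions that the Double Tagging attack in the Security of VLAN section depends on: an access port accepting a frame tagged with its own VLAN, a trunk sending native-VLAN frames untagged, and the next switch classifying a frame by the first tag it finds. The MAC addresses, payload and VLAN numbers are constructed for the demonstration; the 4-byte tag layout is the real IEEE 802.1Q format. The switch model is deliberately reduced to the native-VLAN rule and is not a full forwarding engine.

```python
"""802.1Q frame tagging and the double-tagging VLAN hopping case.

Added example, not code from the original report. MAC addresses, payload
and VLAN numbers are constructed for the demonstration; the 4-byte tag
layout (TPID 0x8100, then PCP/DEI/VID) is the real IEEE 802.1Q format.
"""
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
ETH_P_IP = 0x0800

# Constructed sample addresses and payload (assumptions, not from the report)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200c0ffee01")
PAYLOAD = b"hello"


def build_frame(dst, src, ethertype, payload, vlans=()):
    """Ethernet frame with zero or more 802.1Q tags, outermost tag first."""
    hdr = dst + src
    for vid in vlans:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); priority bits left at 0
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (vlan_ids_outer_to_inner, ethertype, payload)."""
    off, vlans = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype != TPID_8021Q:
            return vlans, etype, frame[off + 2:]
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlans.append(tci & 0x0FFF)
        off += 4


def strip_outer_tag(frame):
    """Remove the 4-byte tag that follows the source MAC."""
    return frame[:12] + frame[16:]


def access_ingress(frame, access_vlan):
    """Classify a frame received on an access port.

    Untagged frames belong to the port's VLAN. A tag equal to the port's own
    VLAN is accepted and removed; this permissiveness is what double tagging
    abuses. Any other tag is rejected (None)."""
    vlans, _, _ = parse_tags(frame)
    if not vlans:
        return access_vlan, frame
    if vlans[0] == access_vlan:
        return access_vlan, strip_outer_tag(frame)
    return None


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Put a frame on an 802.1Q trunk: tagged with its VLAN, except that
    native-VLAN frames go untagged unless the trunk tags the native VLAN."""
    if vlan == native_vlan and not tag_native:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Classify a frame arriving on a trunk: first tag if present, else native."""
    vlans, _, _ = parse_tags(frame)
    if vlans:
        return vlans[0], strip_outer_tag(frame)
    return native_vlan, frame


def double_tag_hop(attacker_vlan, target_vlan, native_vlan, tag_native=False):
    """Send the attacker's double-tagged frame through two switches and return
    the VLAN the second switch delivers it into (None if switch 1 rejects it)."""
    crafted = build_frame(DST, SRC, ETH_P_IP, PAYLOAD,
                          vlans=(attacker_vlan, target_vlan))
    accepted = access_ingress(crafted, attacker_vlan)          # switch 1, access port
    if accepted is None:
        return None
    vlan, frame = accepted
    on_wire = trunk_egress(vlan, frame, native_vlan, tag_native)  # switch 1 -> trunk
    delivered_vlan, _ = trunk_ingress(on_wire, native_vlan)       # switch 2, trunk
    return delivered_vlan


if __name__ == "__main__":
    print("native 1, attacker in VLAN 1 ->", double_tag_hop(1, 20, native_vlan=1))
    print("native 99 (dedicated)        ->", double_tag_hop(1, 20, native_vlan=99))
    print("native 1 but tagged on trunk ->", double_tag_hop(1, 20, 1, tag_native=True))
```

Running it delivers the frame into VLAN 20 in the first case (attacker's access VLAN equals the trunk's native VLAN, so switch 1 strips the outer tag and switch 2 honours the inner one) and into VLAN 1 in the other two, which is why the mitigation advice is a dedicated native VLAN or tagging the native VLAN on trunks.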
Security of VLAN

There are several tangible security vulnerabilities that can increase business risk if they are not properly understood and mitigated.

Address Resolution Protocol (ARP) attack

ARP was developed at a time when security was not such an issue. Consequently, the protocol assumes that everyone is friendly and that responses can be taken at face value. If a host broadcasts an ARP request to the network, it expects only the relevant host to respond. Similarly, if a host announces its presence by sending out a gratuitous ARP, other hosts expect that it is telling the truth and believe what it broadcasts. This, of course, works well until a malicious host appears. In Figure 2, a host starts broadcasting a gratuitous ARP, announcing itself as holding the IP address of the default gateway, 10.3.2.1. PCs, routers and other hosts may cache information gained from gratuitous ARPs for future communications. As a result, traffic from a legitimate host will be sent to the malicious host as if it were the default gateway. The attacker then forwards the data on to the real default gateway. This allows the attacker to view traffic on the way out of the network, but incoming traffic still bypasses the attacker. To capture that direction too, the attacker broadcasts a second gratuitous ARP claiming the IP address of the host it is targeting, so that the default gateway sends the incoming packets to the attacker, which then relays them to the victim. Now the attacker can see all the traffic, incoming and outgoing. One consideration is that ARP is not forwarded between VLANs: without VLANs this attacker could affect the entire LAN, so VLANs limit the attack to the attacker's own broadcast domain rather than preventing it. Another way of mitigating these 'Man in the Middle' attacks is to use Private VLANs to force hosts to only talk to the default gateway, but this is not always practical.
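The two-step gateway takeover described above can be detected from the ARP traffic itself, because both steps require the attacker to claim an IP address that is already bound to a different MAC. The following Python is an added example, not part of the original report: it builds ARP packets in the real ARP-over-Ethernet layout, then runs a small watcher that pins the gateway binding, learns other bindings on first sight the way a host's ARP cache would, and reports any later conflicting claim. The gateway address 10.3.2.1 is taken from the text; the MAC addresses and the victim 10.3.2.50 are constructed for the demonstration.

```python
"""Detecting the gratuitous-ARP gateway takeover described above.

Added example, not code from the original report. ARP packets use the real
ARP-over-Ethernet layout (RFC 826); MAC addresses and the 10.3.2.50 victim
are constructed for the demonstration, 10.3.2.1 is the gateway from the text.
"""
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

# Constructed addresses (assumptions, not from the report)
GATEWAY_MAC = "02:00:00:00:00:01"
VICTIM_MAC = "02:00:00:00:00:50"
ATTACKER_MAC = "02:00:00:00:00:66"
BCAST = "ff:ff:ff:ff:ff:ff"


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_arp(op, sha, spa, tha, tpa):
    """28-byte ARP packet: hardware type 1 (Ethernet), protocol 0x0800 (IPv4)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac(sha), IPv4Address(spa).packed,
                       mac(tha), IPv4Address(tpa).packed)


def parse_arp(pkt):
    """Decode an ARP packet into a dict of printable fields."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"op": op, "sha": fmt(sha), "spa": str(IPv4Address(spa)),
            "tha": fmt(tha), "tpa": str(IPv4Address(tpa))}


def is_gratuitous(a):
    """A host announcing itself: sender and target IP are the same."""
    return a["spa"] == a["tpa"]


class ArpWatcher:
    """Track IP->MAC bindings seen on one VLAN and flag conflicting claims.

    `static` holds bindings that must never change (the default gateway);
    everything else is learned on first sight, like an ARP cache, and a
    later claim of the same IP by a different MAC is reported."""

    def __init__(self, static):
        self.static = dict(static)
        self.learned = {}
        self.alerts = []

    def observe(self, pkt):
        a = parse_arp(pkt)
        ip, new_mac = a["spa"], a["sha"]
        known = self.static.get(ip) or self.learned.get(ip)
        if known is None:
            self.learned[ip] = new_mac
        elif known != new_mac:
            kind = "gateway" if ip in self.static else "host"
            note = " (gratuitous)" if is_gratuitous(a) else ""
            self.alerts.append(f"{kind} {ip} claimed by {new_mac}, expected {known}{note}")
        return a


def run_demo():
    """Replay the attack sequence from the text and return the watcher."""
    w = ArpWatcher(static={"10.3.2.1": GATEWAY_MAC})
    traffic = [
        build_arp(ARP_REPLY, GATEWAY_MAC, "10.3.2.1", BCAST, "10.3.2.1"),        # real gateway announces itself
        build_arp(ARP_REPLY, VICTIM_MAC, "10.3.2.50", GATEWAY_MAC, "10.3.2.1"),  # victim answers the gateway
        build_arp(ARP_REPLY, ATTACKER_MAC, "10.3.2.1", BCAST, "10.3.2.1"),       # step 1: attacker claims gateway
        build_arp(ARP_REPLY, ATTACKER_MAC, "10.3.2.50", BCAST, "10.3.2.50"),     # step 2: attacker claims victim
    ]
    for pkt in traffic:
        w.observe(pkt)
    return w


if __name__ == "__main__":
    for line in run_demo().alerts:
        print("ALERT:", line)
```

The watcher raises exactly two alerts, one per direction the attacker hijacks. Note that it only ever sees ARP on the VLAN it is attached to, which is the same scoping that keeps the attack itself inside one VLAN.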
Double Tagging/Double Encapsulation VLAN Hopping Attack

This is a development of Switch Spoofing, as many systems are now configured correctly to prevent Switch Spoofing. The exploit this time is to build a frame with two 802.1Q VLAN headers, as shown on the left of Figure 4: an outer tag for the attacker's own VLAN and an inner tag for the target VLAN. The first switch strips off the outer header, because frames of the native VLAN are sent untagged over the trunk, and forwards the frame to the second switch with the inner header still in place. The second switch reads that remaining header and delivers the frame into the target VLAN. This attack sends a frame in only one direction, since no reply can find its way back, but it still gives the attacker access to hosts that should not be accessible. It only works if the trunk has the same native VLAN as the attacker's access port. To mitigate this attack, auto-trunking should be disabled on user-facing ports and a dedicated, otherwise unused VLAN ID should be used as the native VLAN for all trunk ports. Finally, avoid using VLAN 1, which is the default native VLAN and the default VLAN of every port.

Cisco Discovery Protocol (CDP) Attack

CDP is a feature that allows Cisco devices to exchange information and configure the network to work smoothly together. The information being sent is sensitive, such as IP addresses, router models, software versions and so on. It is all sent in clear text, so any attacker sniffing the network is able to see this information and, as it is unauthenticated, it is possible to impersonate another device. The best option is to disable CDP where possible. However, CDP can be useful and, if it can be isolated by not allowing it on user ports, it can help make the network run more smoothly.

Multicast Brute-Force Attack

A multicast brute-force attack searches for failings in the switch software. The attacker tries to exploit any potential vulnerability in a switch by storming it with multicast frames. As with CAM overflow, the aim is to see whether a switch receiving a large amount of Layer 2 multicast traffic will "misbehave". The switch should limit the traffic to its original VLAN, but if the switch does not handle this correctly, frames might leak into other VLANs. This type of attack is fairly speculative, as it relies on the switch mishandling multicast frames. The switch should contain all frames within their appropriate broadcast domain, and an attack of this nature should not be possible. However, switches have failed to handle this form of attack in the past, and hence it remains another attack vector.

Sub-Interfaces

A sub-interface is a logical interface that uses the "parent" physical interface for actually moving the data. If we had a router with only one physical interface but needed the router connected to two IP networks so that it could route between them, we could create two logical sub-interfaces, assign each sub-interface an IP address within each subnet, and then route between them. When we create the sub-interfaces on the router, we tell the router which VLAN to associate with each sub-interface on the same line as the encapsulation command (encapsulation dot1Q followed by the VLAN ID), as in the Alkuwair router configuration below.

VTP Types

VLAN Trunk Protocol (VTP) reduces administration in a switched network. When you configure a new VLAN on one VTP server, the VLAN is distributed through all switches in the domain. This reduces the need to configure the same VLAN everywhere. VTP is a Cisco-proprietary protocol that is available on most of the Cisco Catalyst series products.

VTP Modes

You can configure a switch to operate in any one of these VTP modes:
· Server – In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters, such as VTP version and VTP pruning, for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. VTP server is the default mode.
· Client – VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.
· Transparent – VTP transparent switches do not participate in VTP.
A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements, but transparent switches do forward VTP advertisements that they receive out their trunk ports in VTP Version 2. A practical caution: VTP servers and clients accept the VLAN database from whichever advertisement carries the highest configuration revision number, so a switch added to the domain with a stale but higher revision can overwrite the VLANs on every other switch; transparent mode avoids this.

Router-Switch Topology

A hub is a networking device that allows one to connect multiple PCs to a single network; it repeats every frame it receives out of all its other ports, so all attached devices share one collision domain. Hubs may be based on Ethernet, FireWire, or USB connections. In the context of a network, a switch is a networking device that connects network segments and forwards each frame only to the port on which the destination MAC address was learned.

Designing the lab

Diagram 1 (network diagram of the lab; the image is not reproduced in this text).

Configuration files

These are the configurations of all routers and switches in the topology.

Umabelh Router

!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Umabelh
!
interface Loopback0
 ip address 172.16.200.1 255.255.255.252
!
interface FastEthernet0/0
 ip address 184.108.40.206 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0
 ip address 172.16.100.2 255.255.255.252
 clock rate 9600
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 10
 network 172.16.100.0 0.0.0.3
 network 172.16.200.0 0.0.0.3
 network 172.16.4.0 0.0.0.255
 no auto-summary
!
ip classless
!
line con 0
line vty 0 4
 login
!
end

Alkuwair Router

!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Alkuwair
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.16.3.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0
 ip address 172.16.100.1 255.255.255.252
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 10
 network 172.16.1.0 0.0.0.255
 network 172.16.2.0 0.0.0.255
 network 172.16.3.0 0.0.0.255
 network 172.16.100.0 0.0.0.3
 no auto-summary
!
ip classless
!
line con 0
line vty 0 4
 login
!
end

Switch1

!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch1
!
vlan 10
 name Staff
!
vlan 20
 name Student
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/7
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/8
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
! interfaces FastEthernet0/9 to FastEthernet0/24: no configuration applied (defaults)
!
interface Vlan1
 ip address 172.16.1.2 255.255.255.0
!
ip default-gateway 172.16.1.1
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
end

Switch2

!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch2
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/7
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/8
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
! interfaces FastEthernet0/9 to FastEthernet0/24: each configured with shutdown
!
interface Vlan1
 ip address 172.16.1.3 255.255.255.0
!
ip default-gateway 172.16.1.1
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
end

Observations on the lab configuration

Measured against the mitigations listed under Security of VLAN, the lab configuration leaves several of them unapplied. The trunk to the Alkuwair router uses VLAN 1 as its native VLAN (encapsulation dot1Q 1 native) and both switches carry their management address on interface Vlan1, so the "dedicated native VLAN" and "avoid VLAN 1" advice from the Double Tagging section is not followed. Switch2 has no port explicitly configured as a trunk, so any trunk between the two switches is negotiated by DTP rather than configured, which is the auto-trunking the same section says to disable; Switch1 also leaves FastEthernet0/4 and 0/9 to 0/24 enabled in their default switchport mode, whereas Switch2 shuts its unused ports down. Switch2 also defines no VLANs 10 and 20 itself; on a Catalyst in VTP server mode, switchport access vlan creates a missing VLAN locally, so the access ports work, but the Staff and Student names exist only on Switch1 unless VTP propagates them, and neither switch sets a VTP domain name. On the positive side, switchport port-security with sticky addresses uses the defaults of one allowed MAC address and the shutdown violation mode, so connecting a second PC to one of these ports puts the port into err-disabled state, which is what the "shutdown the port for port security" test below exercises. Finally, the vty lines have login but no password set and no service password-encryption is in effect, so remote management is effectively disabled rather than secured.

Testing the configuration and show commands

The following screenshots were taken from the devices after applying the configuration above, using the appropriate show command on each device to verify its configuration. Only the screenshot captions survive in this text:

Umabelh Router: serial interface; loopback interface; interfaces and their IP addresses; EIGRP routing protocol with the connected networks assigned; the routing table.
Alkuwair Router: serial interface; EIGRP routing protocol with the connected networks assigned; the routing protocol; interfaces and sub-interfaces with their IP addresses.
Switch1: VLANs and port assignments; port security on port f0/1; port security on port f0/5; port security on all ports; port security addresses; VTP status; interface Vlan1; disconnecting a PC and connecting another PC; the port shut down by port security.
Switch2: VTP status; interface Vlan1; PC connectivity; testing the connection between all PCs and networks.