Contents
VLANS Advantages and Disadvantages
  VLANs allow logical grouping of end devices that are physically separated on the network
  With VLANs there is no need to deploy more routers on the network to contain broadcast traffic
  Isolating broadcast domains on the network reduces traffic
Limits of ports
Performance
Access and Trunk Ports
Trunking concepts
Frame Tagging
Security in VLAN
ARP attack
Double Encapsulation / Double Tagging VLAN Hopping Attack
Cisco Discovery Protocol (CDP) Attack
Multicast Brute-Force Attack
Sub-Interfaces
VTP Types
VTP Modes
Router-Switch Topology
Designing the lab
Configuration files
Testing the configuration and show commands

VLANS Advantages and Disadvantages
VLANs provide many advantages, such as easier administration, reduced broadcast traffic and enforcement of security policies.
· VLANs allow logical grouping of end devices that are physically separated on the network.
· With VLANs there is no need to deploy more routers on the network to contain broadcast traffic.
· Isolating broadcast domains on the network reduces traffic.
Limits of ports
Physical interfaces are configured with one interface per VLAN. On a network with more VLANs than the router has physical interfaces, inter-VLAN routing with a single router isn't possible. Sub-interfaces allow a router to scale to more VLANs than it has physical interfaces.

Performance
With one physical interface per VLAN there is no contention for bandwidth on the physical interfaces. With sub-interfaces all VLANs share one physical link, which in a busy network can cause a bottleneck for communication.

Access and Trunk Ports
Connecting physical interfaces for inter-VLAN routing requires that the switch ports be configured as access ports. Sub-interfaces need the switch port to be configured as a trunk port so that it can carry VLAN-tagged (ISL or 802.1Q) traffic on the trunk link.

Trunking concepts
In the context of Ethernet VLANs, the term Ethernet trunking means carrying multiple VLANs over a single network link through the use of a trunking protocol. To allow many VLANs on a single link, frames from distinct VLANs must be distinguishable. The most common method, IEEE 802.1Q, adds a tag to the Ethernet frame labelling it as belonging to a certain VLAN. Cisco also has a proprietary trunking protocol called Inter-Switch Link (ISL), which encapsulates the Ethernet frame in its own container that labels the frame as belonging to a specific VLAN.

Frame Tagging
Frame tagging is used to identify the VLAN a frame belongs to in a network with many VLANs. The VLAN ID is placed in the frame when it reaches the switch from an access port. The frame can then be forwarded out a trunk port. Each switch can see which VLAN the frame belongs to and can forward it to the corresponding VLAN access ports or to another VLAN trunk port. Two trunking protocols are used today for frame tagging:
· Inter-Switch Link (ISL): Cisco's proprietary VLAN tagging protocol.
· IEEE 802.1Q: the IEEE's VLAN tagging protocol. Since it is an open standard, it can be used for tagging between switches from different vendors.

Security in VLAN
There are several security vulnerabilities in VLANs.

ARP attack
If a host broadcasts an ARP request on the network, only the applicable host replies. This lets an attacker see traffic on its way out of the network.
The attacker broadcasts the address of the device they are targeting on the LAN so that the gateway sends the received packets to the attacker before they are passed on to the target; the attacker can then see all traffic received and outbound. One observation is that without VLANs this attacker could affect the complete LAN, so VLANs do alleviate this sort of attack. An additional way of mitigating this 'Man in the Middle' attack is to use private VLANs to force hosts to connect only to the gateway.

Double Encapsulation / Double Tagging VLAN Hopping Attack
This is a form of switch spoofing. Systems are now configured properly to avoid basic switch spoofing, so the attacker instead builds a packet with two 802.1Q VLAN headers. The first router strips off the first header and sends the packet on to the second router. Router 2 strips the second header and sends the packet to the end point. It works only if the trunk has the same native VLAN as the attacker. To avoid this attack, disable auto-trunking and use a dedicated VLAN ID for all trunk ports.

Cisco Discovery Protocol (CDP) Attack
CDP is a feature that lets Cisco devices exchange information and configure the network to work together easily. The information sent is sensitive: router models, IP addresses, software versions. It is all sent in plain text, so any attacker sniffing the network can obtain this information, and it becomes possible to impersonate another host. Disable CDP to avoid this.

Multicast Brute-Force Attack
A multicast brute-force attack hunts for faults in switch software. The attacker attempts to exploit any possible weakness in the switch by flooding it with multicast frames. As with a CAM overflow, the goal is to see whether a switch receiving a huge amount of layer 2 multicast traffic will "misbehave". The switch should limit the traffic to its own VLAN, but if the switch doesn't handle this properly, frames may leak into another VLAN if routing connects them. The switch should contain all frames within their proper broadcast domain, and an attack of this nature shouldn't be possible. However, switches have failed to handle this form of attack in the past, and hence it is an additional attack vector.

Sub-Interfaces
A sub-interface is a logical interface that uses the "parent" physical interface for moving the data.
If we had a router with only one physical interface but needed the router connected to two IP networks so that it could route between them, we could create two logical sub-interfaces, assign each sub-interface an IP address within its subnet, and route between them. When creating the sub-interfaces on the router, we tell the router which VLAN to associate with each sub-interface on the same line as the encapsulation command.

VTP Types
VLAN Trunk Protocol (VTP) reduces management effort in a switched network. When we configure a new VLAN on one VTP server, the VLAN is propagated to all switches in the domain. This removes the need to configure the same VLAN everywhere. VTP is a Cisco-proprietary protocol.

VTP Modes
You can configure a switch to operate in any of these VTP modes:
· Server: In this mode we can create, delete and modify VLANs and specify further configuration parameters for the entire VTP domain. VTP servers advertise their VLAN configuration to other devices in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. The default mode is VTP server.
· Client: VTP clients behave the same way as VTP servers, but we cannot create, change or delete VLANs on a VTP client.
· Transparent: VTP transparent switches don't participate in VTP.
A VTP transparent switch doesn't advertise its VLAN configuration and doesn't synchronize its VLAN configuration based on received advertisements.

Router-Switch Topology

Designing the lab
Diagram 1: router-switch topology of the lab.

Configuration files
These are the configurations of all routers and switches in the topology:

Umabelh Router
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Umabelh
!
interface Loopback0
 ip address 172.16.200.1 255.255.255.252
!
interface FastEthernet0/0
 ip address 18.104.22.168 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0
 ip address 172.16.100.2 255.255.255.252
 clock rate 9600
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 10
 network 172.16.100.0 0.0.0.3
 network 172.16.200.0 0.0.0.3
 network 172.16.4.0 0.0.0.255
 no auto-summary
!
ip classless
!
!
line con 0
line vty 0 4
 login
!
!
!
end

Alkuwair Router
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Alkuwair
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.16.3.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0
 ip address 172.16.100.1 255.255.255.252
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 10
 network 172.16.1.0 0.0.0.255
 network 172.16.2.0 0.0.0.255
 network 172.16.3.0 0.0.0.255
 network 172.16.100.0 0.0.0.3
 no auto-summary
!
ip classless
!
line con 0
line vty 0 4
 login
!
!
!
end

Switch1
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch1
!
!
!
vlan 10
 name Staff
!
vlan 20
 name Student
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/7
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/8
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface Vlan1
 ip address 172.16.1.2 255.255.255.0
!
ip default-gateway 172.16.1.1
!
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
end

Switch2
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch2
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/7
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/8
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface Vlan1
 ip address 172.16.1.3 255.255.255.0
!
ip default-gateway 172.16.1.1
!
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
end

Testing the configuration and show commands
Below are the captions of the screenshots taken from the devices after applying the configuration above, each with the show command used to confirm the configuration is correct.

Umabelh Router:
· Serial interface
· Loopback interface
· Interfaces and their IPs
· EIGRP routing protocol and the connected networks assigned to it
· The routing table

Alkuwair Router:
· Serial interface
· EIGRP routing protocol and the connected networks assigned to it
· The routing protocol
· Interfaces and sub-interfaces and their IPs

Switch1:
· VLANs and port assignment
· Port security on port f0/1
· Port security on port f0/5
· Port security on all ports
· Port security addresses
· VTP status
· Interface vlan 1
· Disconnect a PC and connect another PC
· Port shut down by port security

Switch2:
· VTP status
· Interface vlan 1

PC connectivity:
· Test the connection between all PCs and networks
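To turn the hardening advice from the Security in VLAN section (disable auto-trunking, use a dedicated native VLAN ID on trunks, disable CDP, enable port security on access ports) into a repeatable check, here is an added Python audit script. It is not part of the lab; it parses IOS running-config text into interface blocks and reports the gaps. SAMPLE_CONFIG is a constructed excerpt modelled on the Switch1 config above, and the remediation commands it names are standard IOS switchport commands.

```python
# Added audit (not part of the lab): parse IOS running-config text and report the
# VLAN hardening gaps discussed above. SAMPLE_CONFIG is a constructed excerpt.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
!
"""

def parse_config(text):
    # Return (global commands, {interface name: [sub-commands]}); "!" ends a block.
    global_cmds, interfaces, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces

def audit(text):
    """List gaps: CDP on, DTP on trunks, native VLAN 1, access ports without port-security."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    if "no cdp run" not in global_cmds:
        findings.append("global: CDP is enabled; add 'no cdp run'")
    for name, cmds in interfaces.items():
        if "switchport mode trunk" in cmds:
            if "switchport nonegotiate" not in cmds:
                findings.append(f"{name}: trunk still negotiates DTP; add 'switchport nonegotiate'")
            native = [c.split()[-1] for c in cmds if c.startswith("switchport trunk native vlan ")]
            if native[:1] in ([], ["1"]):
                findings.append(f"{name}: native VLAN is 1; use a dedicated unused VLAN ID")
        elif "switchport mode access" in cmds:
            if "switchport port-security" not in cmds:
                findings.append(f"{name}: access port without port-security")
        elif "shutdown" not in cmds and not any(c.startswith("ip address") for c in cmds):
            findings.append(f"{name}: unused port left up in default dynamic mode; shut it down")
    return findings
```

Run against the sample, `audit(SAMPLE_CONFIG)` reports the trunk on f0/1 (DTP and native VLAN 1), the access port f0/3 without port security and the unconfigured f0/4, while f0/5 passes.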
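As an added example, not part of the lab report, the following Python decodes the 802.1Q tag stack described under Frame Tagging and flags a frame whose tag count does not fit the port it arrived on, which is how a capture from an access port can be checked for the double-tagged frames the VLAN hopping section describes. The sample frames, the source MAC and the "untagged on access, one tag on trunk" policy are assumptions constructed for the demo.

```python
# Added example: decode the 802.1Q tag stack of an Ethernet frame and flag
# frames whose tag count does not fit the port they arrived on.
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q customer tag and 802.1ad service tag

def parse_tags(frame: bytes):
    """Return (vlan_ids outer->inner, ethertype, payload) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vlans = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            break
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits are the VID; PCP and DEI sit above
        offset += 4
    return vlans, ethertype, frame[offset + 2:]

def check_frame(frame: bytes, port_mode: str) -> str:
    """Apply this lab's policy: access ports carry untagged frames only and
    trunks carry exactly one tag (the lab does not use QinQ)."""
    vlans, _, _ = parse_tags(frame)
    if len(vlans) >= 2:
        return "double-tagged (%s): possible VLAN hopping" % "/".join(map(str, vlans))
    if port_mode == "access" and vlans:
        return "tagged frame (VLAN %d) on access port" % vlans[0]
    return "ok"

# Constructed sample frames: broadcast ARP requests from a made-up MAC 02:00:00:00:00:01.
HDR = bytes.fromhex("ffffffffffff" "020000000001")            # dst, src
ARP = bytes.fromhex("0806") + bytes(28)                        # EtherType + dummy ARP body
UNTAGGED = HDR + ARP
SINGLE_VLAN10 = HDR + bytes.fromhex("8100000a") + ARP          # TCI 0x000A -> VID 10
DOUBLE_1_THEN_20 = HDR + bytes.fromhex("81000001" "81000014") + ARP  # VID 1 outer, VID 20 inner
```

A native VLAN 1 outer tag around a VLAN 20 inner tag, as in DOUBLE_1_THEN_20, is exactly the shape the double tagging section warns about, and a frame like it seen on an access port is worth an alert.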