Contents

Advantages and Disadvantages of VLANs
VLANs enable logical grouping of end-stations that are physically dispersed on the network
VLANs reduce the need to have routers deployed on the network to contain broadcast traffic
Confinement of broadcast domains on the network significantly reduces traffic
Port Limits
Performance
Access Ports and Trunk Ports
Trunking concepts
Frame Tagging
Security of VLAN
Address Resolution Protocol (ARP) attack
Double Tagging/Double Encapsulation VLAN Hopping Attack
Cisco Discovery Protocol (CDP) Attack
Multicast Brute-Force Attack
Sub-Interfaces
VTP Types
VTP Modes
Router-Switch Topology
Designing the lab
Configuration files
Testing the configuration and show commands
References

Advantages and Disadvantages of VLANs

VLANs provide many advantages, such as easier administration, reduced broadcast
traffic, and enforcement of security policies.

VLANs allow logical grouping of end devices that are physically dispersed on
the network.

With VLANs there is no need to deploy additional routers on the network to
contain broadcast traffic.

Confining broadcast domains on the network reduces traffic.

Port Limits

Each physical router interface can be configured for only one VLAN. On a
network with more VLANs than the router has physical interfaces, inter-VLAN
routing with a single router isn't possible this way. Sub-interfaces allow the
router to scale to accommodate more VLANs than it has physical interfaces.

Performance

With one physical interface per VLAN there is no contention for bandwidth on
the physical interfaces. With sub-interfaces, all VLANs share a single physical
link, so on a busy network this can cause a bottleneck for communication.

Access and Trunk Ports

Connecting physical interfaces for inter-VLAN routing requires that the switch
ports be configured as access ports. Sub-interfaces require the switch port to
be configured as a trunk port so that it can accept VLAN-tagged (ISL or 802.1Q)
traffic on the trunk link.

Trunking concepts

In the context of Ethernet VLANs, the term Ethernet trunking means carrying
multiple VLANs over a single network link through the use of a trunking
protocol. To allow many VLANs on a single link, frames from distinct VLANs must
be distinguishable. The most common method, IEEE 802.1Q, adds a tag to the
Ethernet frame, labeling it as belonging to a certain VLAN. Cisco also has a
proprietary trunking protocol called Inter-Switch Link (ISL), which
encapsulates the Ethernet frame in its own container that labels the frame as
belonging to a specific VLAN.

Frame Tagging

Frame tagging is used to identify the VLAN a frame belongs to on a network with
many VLANs. The VLAN ID is added to the frame when it reaches the switch from an
access port. That frame can then be forwarded out the trunk port. Each switch
can see which VLAN the frame belongs to and can forward it to the corresponding
VLAN access ports or to another VLAN trunk port.

Two trunking protocols are used today for frame tagging:

· Inter-Switch Link (ISL) – Cisco's proprietary VLAN tagging protocol.

· IEEE 802.1Q – the IEEE's VLAN tagging protocol. Since it is an open
standard, it can be used for tagging between switches from different vendors.

Security of VLAN

There are several tangible security vulnerabilities that can increase business
risk if they aren't properly understood and mitigated:

Address Resolution Protocol (ARP) attack

ARP was developed at a time when security wasn't such an issue. Consequently,
the protocol has the simple belief that everyone is friendly and responses can
be taken at face value. If a host broadcasts an ARP request to the network, it
expects only the relevant host to respond. Similarly, if a host announces its
presence by sending out a gratuitous ARP, other hosts expect that it is telling
the truth and believe what it broadcasts. This, of course, works well until a
malicious host appears. In Figure 2, a host starts broadcasting gratuitous ARP,
announcing itself as the holder of the IP address of the default gateway,
10.3.2.1. PCs, routers and other hosts may cache information gained from
gratuitous ARPs for future communications. As a result, anything from a
legitimate host will be routed through the malicious host as the default
gateway. The attacker then forwards the data to the real default gateway. This
allows the attacker to view traffic on the way out of the network, but incoming
traffic bypasses the attacker. The attacker then needs to broadcast the address
of the host they are targeting on the LAN to get the default gateway to send
the incoming packets to itself before forwarding them to the victim. Now it can
see all incoming and outgoing traffic. One consideration is that without VLANs
this attacker could affect the entire LAN, so VLANs do mitigate this sort of
attack. Another way of mitigating these 'Man in the Middle' attacks is to use
Private VLANs to force hosts to only talk to the default gateway, but this
isn't always practical.
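As an added example (not from the report), the following Python decodes ARP packets and implements the kind of check a monitoring host on the VLAN can apply to detect the gateway spoofing described above: the binding for the default gateway 10.3.2.1 is pinned, and any gratuitous ARP or reply that announces a different MAC for it raises an alert. The packet stream and the MAC addresses (from the 00:00:5e:00:53:xx documentation range) are constructed for the example.

```python
import struct
from typing import Dict, List, Optional

ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Encode a 28-byte Ethernet/IPv4 ARP packet in RFC 826 layout."""
    def mac(text: str) -> bytes:
        return bytes.fromhex(text.replace(":", ""))

    def ip(text: str) -> bytes:
        return bytes(int(octet) for octet in text.split("."))

    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))


def parse_arp(pkt: bytes) -> Dict[str, object]:
    """Decode an Ethernet/IPv4 ARP packet; rejects other hardware/protocol types."""
    if len(pkt) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": pkt[8:14].hex(":"), "sender_ip": ".".join(str(b) for b in pkt[14:18]),
            "target_mac": pkt[18:24].hex(":"), "target_ip": ".".join(str(b) for b in pkt[24:28])}


class ArpWatch:
    """Keeps IP-to-MAC bindings learned from ARP and alerts when one changes.

    Bindings given as `trusted` (the default gateway) are pinned and never
    overwritten; a conflicting announcement for one of them is rated HIGH.
    """

    def __init__(self, trusted: Dict[str, str]):
        self.trusted = {ip: mac.lower() for ip, mac in trusted.items()}
        self.learned: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, pkt: bytes) -> Optional[str]:
        arp = parse_arp(pkt)
        ip, mac = arp["sender_ip"], arp["sender_mac"].lower()
        expected = self.trusted.get(ip, self.learned.get(ip))
        if expected is None:
            self.learned[ip] = mac  # first sighting of this IP: learn it
            return None
        if expected == mac:
            return None
        if ip == arp["target_ip"]:
            kind = "gratuitous ARP"  # sender announces its own address
        else:
            kind = "ARP reply" if arp["op"] == ARP_REPLY else "ARP request"
        severity = "HIGH" if ip in self.trusted else "MEDIUM"
        alert = f"{severity}: {kind} claims {ip} is at {mac}, expected {expected}"
        self.alerts.append(alert)
        return alert


# Constructed sample stream: the real gateway 10.3.2.1, one ordinary host, then a
# second MAC announcing itself as the gateway, first gratuitously, then in a reply.
GATEWAY_IP, GATEWAY_MAC = "10.3.2.1", "00:00:5e:00:53:01"
HOST_MAC, ROGUE_MAC = "00:00:5e:00:53:50", "00:00:5e:00:53:99"
SAMPLE_STREAM = [
    build_arp(ARP_REQUEST, HOST_MAC, "10.3.2.50", "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, "10.3.2.50"),
    build_arp(ARP_REQUEST, ROGUE_MAC, GATEWAY_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP),
    build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, HOST_MAC, "10.3.2.50"),
]


def run_sample() -> List[str]:
    """Feed the sample stream through ArpWatch with the gateway binding pinned."""
    watch = ArpWatch({GATEWAY_IP: GATEWAY_MAC})
    for pkt in SAMPLE_STREAM:
        watch.observe(pkt)
    return watch.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Pinning the gateway binding is what makes the check useful: a watcher that only learns bindings would happily replace the real gateway MAC with the first spoofed one it sees. On real switches the same idea is enforced in hardware by Dynamic ARP Inspection; the script shows the logic behind it.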

Double Tagging/Double Encapsulation VLAN Hopping Attack

This is a development of switch spoofing, as many systems are now configured
correctly to prevent switch spoofing. The exploit this time is to build a
packet with two 802.1Q VLAN headers, as shown on the left of Figure 4. The
first router strips off the first header and sends it on to router 2. Router 2
strips the second header and sends the packet to the destination. This attack
sends packets in only one direction, but still gives the attacker access to
hosts that shouldn't be accessible. It only works if the trunk has the same
native VLAN as the attacker. To mitigate this attack, auto-trunking should be
disabled and a dedicated VLAN ID should be used as the native VLAN on all trunk
ports. Finally, avoid using VLAN 1.
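To make the tagging concrete, here is an added Python example (not part of the report) that encodes and decodes the 802.1Q tag stack described under Frame Tagging, and then models the two switches on the trunk path of the double-tagging attack above to show why the mitigation the report gives (a dedicated native VLAN on trunks instead of VLAN 1) keeps the frame in its own VLAN. The frames, the MAC addresses (from the 00:00:5e:00:53:xx documentation range) and the simplified switch behaviour (an access port accepts a tag equal to its own VLAN, a trunk sends its native VLAN untagged) are assumptions made for the model; ISL is not modelled.

```python
import struct
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, vids: List[int], ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return _mac(dst) + _mac(src) + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode the tag stack: MACs, VLAN IDs outer-to-inner, inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    vids: List[int] = []
    offset = 12
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype != TPID_8021Q:
            break
        if offset + 4 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vids.append(tci & 0x0FFF)  # VID is the low 12 bits; PCP and DEI sit above it
        offset += 4
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vids": vids, "ethertype": ethertype, "payload": frame[offset + 2:]}


def _strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def access_ingress(frame: bytes, access_vlan: int) -> Optional[Tuple[int, bytes]]:
    """Access-port model: untagged frames join the port's VLAN; a tag equal to the
    access VLAN is accepted and removed; a tag for any other VLAN is dropped."""
    vids = parse_frame(frame)["vids"]
    if not vids:
        return access_vlan, frame
    if vids[0] == access_vlan:
        return access_vlan, _strip_outer_tag(frame)
    return None


def trunk_egress(vlan: int, frame: bytes, native: int) -> bytes:
    """Trunk send model: the native VLAN leaves untagged, every other VLAN gets one tag."""
    if vlan == native:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def trunk_ingress(frame: bytes, native: int) -> Tuple[int, bytes]:
    """Trunk receive model: a tagged frame goes to its outer tag's VLAN (tag removed);
    an untagged frame goes to the native VLAN."""
    vids = parse_frame(frame)["vids"]
    if vids:
        return vids[0], _strip_outer_tag(frame)
    return native, frame


def deliver(frame: bytes, access_vlan: int, trunk_native: int) -> Optional[Tuple[int, List[int]]]:
    """Carry a frame from an access port on switch 1 over the trunk to switch 2 and
    report the VLAN it lands in plus any tag still left inside it."""
    hop = access_ingress(frame, access_vlan)
    if hop is None:
        return None
    vlan, frame = hop
    frame = trunk_egress(vlan, frame, trunk_native)
    vlan, frame = trunk_ingress(frame, trunk_native)
    return vlan, parse_frame(frame)["vids"]


# Constructed sample: a frame from a host on VLAN 1 carrying two tags, VLAN 1 outside
# and VLAN 20 inside, with an IPv4 EtherType and a placeholder payload.
SAMPLE_DOUBLE_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:aa",
                                   [1, 20], 0x0800, b"constructed payload")


def compare_native_vlan_choices(frame: bytes = SAMPLE_DOUBLE_TAGGED) -> Dict[str, object]:
    """Same frame, same access VLAN 1, two different trunk native-VLAN choices."""
    return {"native_vlan_1": deliver(frame, 1, 1),          # lands in VLAN 20: leaked
            "dedicated_native_999": deliver(frame, 1, 999)}  # stays in VLAN 1: contained


if __name__ == "__main__":
    print(parse_frame(SAMPLE_DOUBLE_TAGGED)["vids"])
    print(compare_native_vlan_choices())
```

With the trunk's native VLAN equal to the sender's VLAN, the first switch sends the frame untagged and the inner tag is what the second switch reads, so the frame lands in VLAN 20. With an unused native VLAN the first switch tags the frame with VLAN 1, the second switch removes only that tag, and the frame stays in VLAN 1 with the inner tag treated as payload.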

Cisco Discovery Protocol (CDP) Attack

CDP is a feature that allows Cisco devices to exchange information and
configure the network to work smoothly together. The information sent is
sensitive, such as IP addresses, router models, software versions and so on. It
is all sent in clear text, so any attacker sniffing the network can see this
information, and, as it is unauthenticated, it is possible to impersonate
another device. The best option is to disable CDP where possible. However, CDP
can be useful and, if it can be isolated by not allowing it on user ports, it
can help the network run more smoothly.

Multicast Brute-Force Attack

A multicast brute-force attack searches for failings in the switch software.
The attacker tries to exploit any potential vulnerability in the switch by
storming it with multicast frames. As with CAM overflow, the aim is to see
whether a switch receiving a large amount of layer 2 multicast traffic will
"misbehave". The switch should limit the traffic to its original VLAN, but if
the switch doesn't handle this correctly, frames might leak into other VLANs if
routing connects them. This type of attack is speculative, as it relies on the
switch mishandling multicast frames. The switch should contain all frames
within their appropriate broadcast domain, and an attack of this nature
shouldn't be possible. However, switches have failed to handle this form of
attack in the past, and hence it is another attack vector.

Sub-Interfaces

A sub-interface is a logical interface that uses the "parent" physical
interface to move data. If we had a router with only one physical interface
but needed it connected to two IP networks so that it could route between
them, we could create two logical sub-interfaces, assign each sub-interface an
IP address within its subnet, and route between them. When creating the
sub-interfaces on the router, we tell the router which VLAN to associate with
each sub-interface on the same line as the encapsulation command.

VTP Types

VLAN Trunk Protocol (VTP) reduces administration in a switched network. When
we configure a new VLAN on one VTP server, the VLAN is distributed to all
switches in the domain. This reduces the need to configure the same VLAN
everywhere. VTP is a Cisco-proprietary protocol.

VTP Modes

You can configure a switch to operate in any of these VTP modes:

· Server: In this mode, we can create, delete and modify VLANs and specify
further configuration parameters for the entire VTP domain. VTP servers
advertise their VLAN configuration to other devices in the same VTP domain and
synchronize their VLAN configuration with other switches based on
advertisements received over trunk links. The default mode is VTP server.

· Client: VTP clients act the same way as VTP servers, but we cannot create,
change or delete VLANs on a VTP client.

· Transparent: VTP transparent switches don't participate in VTP. A VTP
transparent switch doesn't advertise its VLAN configuration and doesn't
synchronize its VLAN configuration based on received advertisements.

Router-Switch Topology

Designing the lab

Diagram 1

Configuration files

These are the configs of all routers and switches in the topology:

Umabelh Router

!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Umabelh
!
interface Loopback0
 ip address 172.16.200.1 255.255.255.252
!
interface FastEthernet0/0
 ip address 172.16.4.1 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0
 ip address 172.16.100.2 255.255.255.252
 clock rate 9600
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 10
 network 172.16.100.0 0.0.0.3
 network 172.16.200.0 0.0.0.3
 network 172.16.4.0 0.0.0.255
 no auto-summary
!
ip classless
!
!
line con 0
line vty 0 4
 login
!
!
!
end

Alkuwair Router

!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Alkuwair
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.16.3.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0
 ip address 172.16.100.1 255.255.255.252
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 10
 network 172.16.1.0 0.0.0.255
 network 172.16.2.0 0.0.0.255
 network 172.16.3.0 0.0.0.255
 network 172.16.100.0 0.0.0.3
 no auto-summary
!
ip classless
!
line con 0
line vty 0 4
 login
!
!
!
end

Switch1

!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch1
!
!
!
vlan 10
 name Staff
!
vlan 20
 name Student
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/7
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/8
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface Vlan1
 ip address 172.16.1.2 255.255.255.0
!
ip default-gateway 172.16.1.1
!
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
end

Switch2

!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch2
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/7
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/8
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface Vlan1
 ip address 172.16.1.3 255.255.255.0
!
ip default-gateway 172.16.1.1
!
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
end
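
As an added check that is not part of the lab report, the following Python script audits excerpts of the switch and router configurations above against the mitigations listed under Security of VLAN: trunks should not negotiate (auto-trunking disabled), trunks should use a dedicated native VLAN rather than VLAN 1, user ports should carry port-security and have CDP turned off, and VLAN 1 should not be used for user traffic. The config excerpts are abridged copies of the lab's own Switch1, Switch2 and Alkuwair configs; the remediations named in the findings (`switchport nonegotiate`, `switchport trunk native vlan`, `no cdp enable`) are standard IOS interface commands that are not in the lab's configs.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (device, interface, problem found)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [sub-commands]}.

    A stanza starts at 'interface X' and takes the indented lines that follow;
    a '!' separator or any other top-level command closes it.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas


def audit_switch(name: str, config: str) -> List[Finding]:
    """Check every active physical switch port against the VLAN security mitigations."""
    findings: List[Finding] = []
    for iface, cmds in parse_interfaces(config).items():
        if not iface.startswith(("FastEthernet", "GigabitEthernet")):
            continue  # Vlan1 and other SVIs are not edge ports
        if "shutdown" in cmds:
            continue  # administratively down: nothing to negotiate or spoof
        if "switchport mode trunk" in cmds:
            if "switchport nonegotiate" not in cmds:
                findings.append((name, iface, "trunk still runs DTP: add switchport nonegotiate"))
            native = 1  # IOS default native VLAN
            for cmd in cmds:
                m = re.match(r"switchport trunk native vlan (\d+)$", cmd)
                if m:
                    native = int(m.group(1))
            if native == 1:
                findings.append((name, iface, "trunk native VLAN is 1: use a dedicated, unused VLAN ID"))
        elif "switchport mode access" in cmds:
            if "switchport port-security" not in cmds:
                findings.append((name, iface, "access port without port-security"))
            if "no cdp enable" not in cmds:
                findings.append((name, iface, "CDP still enabled on a user port"))
        else:
            findings.append((name, iface, "no switchport mode: DTP may negotiate a trunk; shut it or make it access"))
    return findings


def audit_router(name: str, config: str) -> List[Finding]:
    """Flag router sub-interfaces that route VLAN 1, the default/native VLAN."""
    findings: List[Finding] = []
    for iface, cmds in parse_interfaces(config).items():
        for cmd in cmds:
            m = re.match(r"encapsulation dot1[Qq] (\d+)", cmd)
            if m and int(m.group(1)) == 1:
                findings.append((name, iface, "sub-interface routes VLAN 1: move users off VLAN 1"))
    return findings


# Abridged excerpts of the lab's own Switch1, Switch2 and Alkuwair configs.
SWITCH1 = """\
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface Vlan1
 ip address 172.16.1.2 255.255.255.0
"""
SWITCH2 = """\
interface FastEthernet0/1
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
"""
ALKUWAIR = """\
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.16.3.1 255.255.255.0
"""


def audit_lab() -> List[Finding]:
    return (audit_switch("Switch1", SWITCH1) + audit_switch("Switch2", SWITCH2)
            + audit_router("Alkuwair", ALKUWAIR))


if __name__ == "__main__":
    for device, iface, problem in audit_lab():
        print(f"{device} {iface}: {problem}")
```

The finding that matters most for the double-tagging discussion is Switch2 FastEthernet0/1: it has no switchport mode at all, so it is left to DTP to decide whether it becomes the far end of Switch1's trunk, which is exactly the auto-trunking the report says to disable. The same script can be pointed at a full running-config saved from `show running-config`.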

Testing the configuration and show commands

These are snapshots from the devices after applying the previous configs,
using the appropriate show commands to verify that the configs are correct.

Umabelh Router

Serial interface
Loopback interface
Interfaces and their IPs
EIGRP routing protocol and assigned connected networks
The routing table

Alkuwair Router

Serial interface
EIGRP routing protocol and assigned connected networks
The routing protocol
Interfaces and sub-interfaces and their IPs

Switch1

VLANs and port assignments
Port security on port f0/1
Port security on port f0/5
Port security on all ports
Port security addresses
VTP status
Interface vlan 1
Disconnect a PC and connect another PC
Shut down the port for port security

Switch2

VTP status
Interface vlan 1

PC connectivity

Test the connection between all PCs and networks

References:

Frame tagging explained

https://en.wikipedia.org/wiki/Trunking

https://library.netapp.com/ecmdocs/ECMP1196907/html/GUID-C9DA920B-F414-4017-8DD1-D77D7FD3CC8C.html

https://www.cisco.com/c/en/us/support/docs/lan-switching/vtp/10558-21.html

https://www.computernetworkingnotes.com/ccna-study-guide/switchport-port-security-explained-with-examples.html

Ten top threats to VLAN security

 
