ITE PC v4.0 Chapter 1


Chapter 3: VLANs
Switched Networks
Presentation_ID 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Chapter 3
3.1 VLAN Segmentation
3.2 VLAN Implementation
3.3 VLAN Security and Design
3.4 Summary

Objectives
- VLANs in a converged network
- Trunking VLANs in a converged network
- Configuration of VLANs on switches
- Troubleshooting misconfigurations in VLANs

3.1 VLAN Segmentation

Introduction to VLANs
It is useful to be able to group computers arbitrarily, in other ways than just by where someone sits and where they are plugged in. We can imagine that one group of computers consists of those connected to the same switch. That would be, for example, one floor where people who belong together sit, such as management, development, or the finance department ... But what if all the developers sit on the ground floor and one of them had to be seated on the first floor?

VLANs
VLANs logically segment switched networks based on an organization's functions, project teams, or applications as opposed to a physical or geographical basis.

Broadcast Domains
This is the classic arrangement without VLANs. Each department has its own switch, which serves all of its computers as one broadcast domain. Each department (i.e., each switch) has its own network with a different address. A router separates and connects the individual networks.

Example: 3 Broadcast Domains, 3 VLANs
The same requirements in the same company, but solved with VLANs. Everyone shares one common switch. The groups are separated from each other by VLANs. Communication between the VLANs is handled by a router.

Example: 3 Broadcast Domains, 3 VLANs
Network layer: forwarding by IP addresses. Data link layer: by MAC addresses. Physical layer: connectors, cables, ... There are three networks here with different addresses. The computers are logically grouped this way ... regardless of how they are physically wired to the switches.

VLANs in a Converged Network: Broadcast domains without VLANs
In a network without VLANs, all computers form one large broadcast domain, because they are all in one network: 172.17.40.0/24. Broadcasts propagate to every computer in the whole network.

Even if the PCs did not all belong to one network, as here (on the left the network 192.168.1.x, on the right the network 192.168.2.x): when the top-left PC wants to ping the bottom-left one for the first time (i.e., within its own network), everyone receives the ARP broadcast, including the PCs on the right.

VLANs in a Converged Network: Broadcast domains with VLANs
If the network is divided into VLANs, each broadcast propagates only within its own VLAN. In the network in the figure, communication between the VLANs is not yet solved: there is no router.

Here a router has been added. Communication can be intra-VLAN (within a VLAN) or inter-VLAN (between VLANs). When communicating within a VLAN, the ARP request (the request to discover the unknown MAC address belonging to a known IP address) is broadcast only within that one VLAN.

When communicating between VLANs, e.g., from VLAN 10 to VLAN 20, the router answers the ARP request with the MAC address of its own port, which is the default gateway for the sending PC. The PC therefore sends the frame to the default gateway, i.e., the router. When the router then receives a packet whose destination IP address lies in VLAN 20, it sends an ARP request into VLAN 20 and learns the MAC address of the destination computer. It then sends a frame to that MAC address with the packet encapsulated inside.

SVI = Switch Virtual Interface. It works similarly with a switch that can switch at Layer 3, i.e., by IP addresses.

VLANs in a Converged Network: Types of VLANs
- Data
- Default
- Native
- Management
- Voice

Data VLAN
A data VLAN is configured only to carry data generated by users. Voice data and data for network control and management are not placed in it. It is sometimes also called a user VLAN.

Default VLAN
The default VLAN is the one to which all ports that have not been assigned elsewhere belong.

On Cisco switches the default VLAN is always VLAN 1, and this cannot be changed. VLAN 1 cannot be renamed or deleted.

Native VLAN
The native VLAN is the one to which the trunk interfaces belong (in the figure F0/1, F0/3, F0/5). These are the interfaces over which the traffic of all VLANs runs. In the figure the native VLAN is number 99. Frames coming from the individual VLANs receive tags on entering the network (they are tagged); by these tags they are then sorted into the correct VLANs on leaving it. 802.1Q is the protocol that governs this tagging. If a frame enters the network untagged, it is placed in the native VLAN. Devices connected to the native VLAN (e.g., the PC at the top left) generate untagged frames.

Management VLAN
The management VLAN is any VLAN to which we have assigned an IP address, thereby giving it the ability to manage the switch. Through this IP address we can control the switch remotely using HTTP, Telnet, SSH, or SNMP.

After the switch is first powered on, the management VLAN is VLAN 1. For security reasons it is advisable to change this.

The special role of VLAN 1
Out of the box, VLAN 1 is the data VLAN, the default VLAN, and the management VLAN, and all ports belong to it. It cannot be deleted, it cannot be renamed, it always remains the default VLAN, and Layer 2 control traffic (e.g., CDP, STP) runs over it; this cannot be changed.

VLAN configuration example (see the previous figures)
Function                  Out-of-the-box                                              After configuration
Data VLAN                 VLAN 1                                                      VLAN 20, VLAN 30
Native VLAN               none, because the switch treats all interfaces alike        VLAN 99
                          (there are no trunk interfaces)
Management VLAN           VLAN 1                                                      VLAN 99
Default VLAN              VLAN 1                                                      VLAN 1
Layer 2 control traffic   VLAN 1                                                      VLAN 1

VLAN summary
VLAN              Properties
Data VLAN         Carries the data generated by users.
Default VLAN      All ports that we have not reassigned elsewhere belong to it. It is always VLAN 1.
Native VLAN       The trunk interfaces belong to it.
Management VLAN   Has an IP address.

Overview of VLANs: Voice VLANs
VoIP traffic is time-sensitive and requires:
- Assured bandwidth to ensure voice quality.
- Transmission priority over other types of network traffic.
- Ability to be routed around congested areas on the network.
- Delay of less than 150 ms across the network.
The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. The switch can connect to a Cisco 7960 IP phone and carry IP voice traffic. The sound quality of an IP phone call can deteriorate if the data is unevenly sent; the switch supports quality of service (QoS).

VLANs in a Converged Network: VLAN port membership modes (voice and data)
Voice VLAN: the port is configured to support an IP phone. First we must create one VLAN for voice and one for data. The network must be configured so that it carries voice traffic with priority. When an IP phone is first connected to a port in voice mode, the switch provides the phone with its VLAN ID and configuration. The IP phone then tags its frames with this assigned ID, and the network carries the voice frames over the voice VLAN.

Overview of VLANs: Voice VLANs (cont.)
The Cisco 7960 IP phone has two RJ-45 ports that each support connections to external devices.
- Network Port (10/100 SW): use this port to connect the phone to the network. The phone can also obtain inline power from the Cisco Catalyst switch over this connection.
- Access Port (10/100 PC): use this port to connect a network device, such as a computer, to the phone.

Trunking VLANs

Without trunks: for each VLAN there would have to be one physical link between the switches and one port on each switch, because ordinary ports in access mode can be assigned to only one VLAN. With every additional VLAN, each switch would lose at least one more port, which must be reserved for it. (The black link is for the management and native VLAN 99.)

Trunking VLANs
With trunks: one shared link, the trunk, suffices for all VLANs.

Trunking VLANs: How a trunk works
When a PC in one of the data VLANs sends a frame, the switch marks the frame with a tag called the VLAN ID. With this tag the frame travels across the trunks between switches, and from the tag the switches recognize which VLAN the frame belongs to. When the frame then leaves the last switch on its path, to enter one of the data VLANs and reach the destination PC, that last switch removes the tag from the frame so that the destination PC is not confused by it.

VLANs in a Multi-Switched Environment: Tagging Ethernet Frames for VLAN Identification
Frame tagging is the process of adding a VLAN identification header to the frame. It is used to transmit multiple VLAN frames through a trunk link. Switches tag frames to identify the VLAN to which they belong. The protocol defines the structure of the tagging header added to the frame. Switches add VLAN tags to the frames before placing them into trunk links and remove the tags before forwarding frames through nontrunk ports. When properly tagged, the frames can traverse any number of switches via trunk links and still be forwarded within the correct VLAN at the destination.

VLANs in a Multi-Switched Environment: Native VLANs and 802.1Q Tagging
Frames that belong to the native VLAN are not tagged. Frames received untagged remain untagged and are placed in the native VLAN when forwarded. If there are no ports associated with the native VLAN and no other trunk links, an untagged frame is dropped.
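The tagging and native-VLAN rules described above, worked through in code. This is an added example and not part of the Cisco deck: a small Python parser for 802.1Q tags, a classifier that applies the rules to frames arriving on a trunk (an untagged frame goes to the native VLAN, a single tag selects its VLAN if that VLAN is allowed), and the matching egress step that leaves native-VLAN frames untagged. The sample frames, the native VLAN 99 and the allowed-VLAN set are constructed to match the figure; the rule that a frame carrying more than one tag is reported rather than forwarded is my addition for a monitoring check, not a statement about what switch hardware does.

```python
"""Added example: parse IEEE 802.1Q tags and apply the trunk/native-VLAN rules."""
import struct

TPID_8021Q = 0x8100        # EtherType value announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

def parse_tags(frame: bytes):
    """Return (vids, ethertype): the VLAN ID of every 802.1Q tag found, outermost
    first, and the EtherType of the payload that follows the last tag."""
    offset, vids = 12, []                      # 12 = destination MAC + source MAC
    while offset + 2 <= len(frame):
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return vids, ethertype
        if offset + 4 > len(frame):
            break
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)              # low 12 bits of the TCI are the VLAN ID
        offset += 4
    raise ValueError("truncated frame")

def build_frame(vids, payload=b"\x00" * 46):
    """Constructed sample frame: broadcast dst, fixed src, one tag per VID, IPv4 payload."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("0011223344aa")
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload

def classify_ingress(frame, native_vlan, allowed):
    """Apply the rules from the text to a frame arriving on a trunk: untagged goes to
    the native VLAN, one tag selects that VLAN if it is allowed. A frame with more
    than one tag is reported for dropping (monitoring rule added here, not switch
    behaviour). Returns (vlan_id or None, reason)."""
    vids, _ = parse_tags(frame)
    if not vids:
        if native_vlan in allowed:
            return native_vlan, "untagged: placed in native VLAN"
        return None, "untagged and native VLAN not carried here: dropped"
    if len(vids) > 1:
        return None, f"double-tagged {vids}: dropped and logged"
    if vids[0] not in allowed:
        return None, f"VLAN {vids[0]} not allowed on this trunk: dropped"
    return vids[0], f"tagged: forwarded in VLAN {vids[0]}"

def egress_to_trunk(frame, vlan_id, native_vlan):
    """Send a frame from an access VLAN onto a trunk: native VLAN frames go untagged,
    every other VLAN gets one 802.1Q tag inserted after the MAC addresses."""
    if parse_tags(frame)[0]:
        raise ValueError("frame is already tagged")
    if vlan_id == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan_id) + frame[12:]

if __name__ == "__main__":
    native, allowed = 99, {10, 20, 30, 99}     # assumed trunk settings, as in the figure
    for vids in ([], [10], [40], [99, 10]):
        print(vids, "->", classify_ingress(build_frame(vids), native, allowed))
```

Run as a script it classifies an untagged frame, a VLAN 10 frame, a VLAN 40 frame (not allowed) and a double-tagged frame. The same parse_tags function can be pointed at frames captured on a trunk to confirm that only the expected VLAN IDs, and never stacked tags, appear there.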

In Cisco switches, by default, the native VLAN is VLAN 1.

VLANs in a Multi-Switched Environment: Voice VLAN Tagging

3.2 VLAN Implementations

VLAN Assignment: VLAN Ranges on Catalyst Switches
Cisco switches support over 4,000 VLANs. VLANs are split into two categories:
- Normal range VLANs: VLAN numbers from 1 to 1,005. Configurations are stored in vlan.dat (in flash memory). VTP can only learn and store normal range VLANs.
- Extended range VLANs: VLAN numbers from 1,006 to 4,096. Configurations are stored in the running configuration (NVRAM). VTP does not learn extended range VLANs.

Configuring VLANs: Configuring trunks and VLANs
1. Create VLANs
2. Assign ports
3. Verify VLANs
4. Enable the trunk
5. Verify the trunk

Configuring VLANs: IOS commands to create a VLAN
VLAN Assignment: Assigning Ports to VLANs
VLAN Assignment: Changing VLAN Port Membership
VLAN Assignment: Changing VLAN Port Membership (cont.)
VLAN Assignment: Deleting VLANs
VLAN Assignment: Verifying VLAN Information
VLAN Assignment: Verifying VLAN Information (cont.)

Configuring VLANs: IOS commands used to create a trunk
Create the trunk. Choose which VLAN will be native (i.e., it will serve the trunk and untagged frames will travel over it); if this command is not entered at all, the native VLAN will be VLAN 1. Choose which VLANs will be allowed on this trunk; if this command is not entered at all, all VLANs will be allowed. That will work, but it will not be secure.

VLAN Assignment: Resetting the Trunk To Default State
VLAN Assignment: Resetting the Trunk To Default State (cont.)
VLAN Assignment: Verifying Trunk Configuration

Dynamic Trunking Protocol

Introduction to DTP
Switch ports can be manually configured to form trunks. Switch ports can also be configured to negotiate and establish a trunk link with a connected peer. The Dynamic Trunking Protocol (DTP) manages trunk negotiation. DTP is a Cisco proprietary protocol. If the port on the neighbor switch is configured in a trunk mode that supports DTP, it manages the negotiation. The default DTP configuration for Cisco switches is dynamic auto.

Trunking VLANs: Switch port trunking modes
DTP = Dynamic Trunking Protocol, Cisco proprietary, so other vendors' switches do not support it. Both ends periodically send DTP frames, called advertisements.
- Trunk: the port is in an unconditional (always on) trunking state. It periodically sends its DTP advertisements but stays in trunking mode.
- Dynamic auto: the port goes into the trunking state only if the remote port is configured to be trunk or desirable. It periodically sends its DTP advertisements and switches to trunking mode if the other side is a trunk or is willing to become one; otherwise it stays in access mode.

Trunking VLANs: Switch port trunking modes
What happens when both sides support DTP and each is set differently: "I don't mind" (dynamic auto), "I want to be a trunk" (dynamic desirable), "I am a trunk", "I am access". If we set one side hard to access and the other hard to trunk, traffic will pass (apparently in access mode), but it is not healthy, so this is not recommended.

Troubleshooting: Problems with VLANs and trunks
This is how it is wired, and this is what we want. Why doesn't it work? See the next slide.

Troubleshooting: Problems with VLANs and trunks
Here it reports a mismatch, so something does not match: native VLAN 100 on S3 and 99 on S1. This is the cause: on S3 the native VLAN is 100 instead of VLAN 99. Solution:

Troubleshooting: Troubleshooting procedure to fix a problem
This is how it is wired, and this is what we want. Why doesn't it work? See the next slide.

Troubleshooting: Troubleshooting procedure to fix a problem
S1 and S3: both are indifferent (dynamic auto), so they settle into access mode, not trunk.

Troubleshooting: Troubleshooting procedure to fix a problem
Solution: force trunk mode on both, or at least on one of them.

Troubleshooting: Problems with VLANs and trunks
- On one port the native VLAN is set to 99, on another to 100.
- On one port trunk mode is enabled, on the opposite port it is disabled.
- VLANs and IP addresses do not match.
- We did not list all the networks we want to allow on this trunk (command switchport trunk allowed vlan add ...).

3.3 VLAN Security and Design

Attacks on VLANs: Switch Spoofing Attack
There are a number of different types of VLAN attacks in modern switched networks; VLAN hopping is one example. The default configuration of the switch port is dynamic auto. By configuring a host to act as a switch and form a trunk, an attacker could gain access to any VLAN in the network. Because the attacker is now able to access other VLANs, this is called a VLAN hopping attack. To prevent a basic switch spoofing attack, turn off trunking on all ports, except the ones that specifically require trunking.

Attacks on VLANs: Double-Tagging Attack
A double-tagging attack takes advantage of the way that hardware on most switches de-encapsulates 802.1Q tags. Most switches perform only one level of 802.1Q de-encapsulation, allowing an attacker to embed a second, unauthorized attack header in the frame. After removing the first and legitimate 802.1Q header, the switch forwards the frame to the VLAN specified in the unauthorized 802.1Q header. The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports.

Attacks on VLANs: Double-Tagging Attack (cont.)

Attacks on VLANs

PVLAN Edge
The Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between protected ports on the switch. It has local relevance only. A protected port only exchanges traffic with unprotected ports. A protected port does not exchange traffic with another protected port.

Design Best Practices for VLANs: VLAN Design Guidelines
- Move all ports from VLAN 1 and assign them to a not-in-use VLAN.
- Shut down all unused switch ports.
- Separate management and user data traffic.
- Change the management VLAN to a VLAN other than VLAN 1. (The same goes for the native VLAN.)
- Ensure that only devices in the management VLAN can connect to the switches.
- The switch should only accept SSH connections.
- Disable autonegotiation on trunk ports.
- Do not use the auto or desirable switch port modes.

Chapter 3: Summary
This chapter:

- Introduced VLANs and their types.
- Described the connection between VLANs and broadcast domains.
- Discussed IEEE 802.1Q frame tagging and how it enables differentiation between Ethernet frames associated with distinct VLANs as they traverse common trunk links.
- Examined the configuration, verification, and troubleshooting of VLANs and trunks using the Cisco IOS CLI and explored basic security and design considerations.
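The trunk troubleshooting list in 3.2 and the design guidelines in 3.3, turned into a check that can be run against configuration text. This is an added example and not Cisco's tooling: a Python parser for the interface stanzas of an IOS-style running configuration, a model of which mode each end of a link settles on under DTP, a per-link check for the mismatches named on the troubleshooting slides (no trunk formed, trunk on one end only, native VLAN mismatch, allowed-VLAN lists that differ), and a per-switch audit against the design guidelines (no dynamic auto/desirable ports, native and management VLAN not 1, trunks pruned and set to nonegotiate). The two configurations, the switch names S1 and S3, the interface names and the addresses are constructed for the demo; the DTP outcomes follow the mode descriptions above, with the added assumption, from Cisco's documented behaviour of switchport nonegotiate, that a port which sends no DTP frames leaves a dynamic peer in access mode.

```python
"""Added example: audit trunk links and VLAN hygiene in IOS-style config text."""
import re

# Constructed sample, not a real network: S1 Gi0/1 is cabled to S3 Gi0/1. S1 keeps
# the dynamic auto default, prunes nothing and is managed over VLAN 1; S3 is
# hardened, but its native VLAN was typed as 100 (the mismatch from the slides).
CONFIGS = {"S1": """\
interface GigabitEthernet0/1
 switchport trunk native vlan 99
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
""", "S3": """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,20,30,99
 switchport nonegotiate
!
interface Vlan99
 ip address 192.0.2.30 255.255.255.0
"""}
DYNAMIC = ("dynamic auto", "dynamic desirable")
# Cisco out-of-the-box values for a port: dynamic auto, native VLAN 1, every VLAN allowed
DEFAULTS = {"mode": "dynamic auto", "native": 1, "allowed": "all", "noneg": False, "ip": None}

def expand_vlans(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}"""
    return {v for part in spec.split(",")
            for v in range(int(part.split("-")[0]), int(part.split("-")[-1]) + 1)}

def parse_interfaces(config):
    """Interface name -> settings, read from the 'interface ...' stanzas."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        m, cmd = re.match(r"interface (\S+)", raw), raw.split()
        if m:
            cur = ifaces[m.group(1)] = dict(DEFAULTS)
        elif not raw.startswith(" ") or cur is None:
            cur = None                                     # '!' or another top-level line
        elif cmd[:2] == ["switchport", "mode"]:
            cur["mode"] = " ".join(cmd[2:])
        elif cmd[:4] == ["switchport", "trunk", "native", "vlan"]:
            cur["native"] = int(cmd[4])
        elif cmd[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            cur["allowed"] = expand_vlans(cmd[4])          # 'add'/'remove' forms not handled
        elif cmd == ["switchport", "nonegotiate"]:
            cur["noneg"] = True
        elif cmd[:2] == ["ip", "address"]:
            cur["ip"] = cmd[2]
    return ifaces

def negotiate(a, b):
    """Mode each end settles on under DTP; a nonegotiate port sends no DTP, so its dynamic peer stays access."""
    def settle(me, peer, peer_talks):
        if me["mode"] not in DYNAMIC:
            return me["mode"]
        if not peer_talks or peer["mode"] == "access":
            return "access"
        if me["mode"] == "dynamic desirable":              # trunks with trunk, desirable or auto
            return "trunk"
        return "trunk" if peer["mode"] in ("trunk", "dynamic desirable") else "access"
    return settle(a, b, not b["noneg"]), settle(b, a, not a["noneg"])

def check_link(a, b):
    """Findings for one inter-switch link, following the troubleshooting list."""
    modes, out = negotiate(a, b), []
    if modes == ("access", "access"):
        out.append("no trunk formed: force 'switchport mode trunk' on at least one end")
    elif modes[0] != modes[1]:
        out.append(f"trunk on one end only: {modes[0]} vs {modes[1]}")
    if a["native"] != b["native"]:
        out.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    if a["allowed"] != b["allowed"]:
        out.append("allowed VLAN lists differ: fix with 'switchport trunk allowed vlan add ...'")
    return modes, out

def audit_switch(ifaces):
    """Findings against the design guidelines: no DTP, trunks pruned, native and management VLAN not 1."""
    out = []
    for name, i in ifaces.items():
        if name.startswith("Vlan"):
            if name == "Vlan1" and i["ip"]:
                out.append("management SVI on VLAN 1: move it to a dedicated VLAN")
        elif i["mode"] in DYNAMIC:
            out.append(f"{name}: DTP left on ({i['mode']}); set mode access or trunk")
        elif i["mode"] == "trunk":
            if i["native"] == 1:
                out.append(f"{name}: native VLAN is still 1")
            if i["allowed"] == "all":
                out.append(f"{name}: every VLAN allowed; prune with 'switchport trunk allowed vlan'")
            if not i["noneg"]:
                out.append(f"{name}: add 'switchport nonegotiate'")
    return out

if __name__ == "__main__":
    parsed = {sw: parse_interfaces(cfg) for sw, cfg in CONFIGS.items()}
    print(check_link(parsed["S1"]["GigabitEthernet0/1"], parsed["S3"]["GigabitEthernet0/1"]))
    print({sw: audit_switch(ifs) for sw, ifs in parsed.items()})
```

Run as a script it prints the link findings for the sample (trunk on one end only, native VLAN 99 versus 100, and differing allowed lists) followed by the audit per switch: S1 is reported for the dynamic auto port and for the management SVI on VLAN 1, S3 comes back clean. The parser deliberately covers only the commands the chapter discusses; the 'add' and 'remove' forms of switchport trunk allowed vlan are left out.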
