WIA1005 Chapter 9 Revision

VLANs
- Segment networks based on 
  - department
  - functions
  - project
  - application
- Usage
  - security
  - performance
  - cost reduction
  - simplify management

- Types of VLAN
  - Data VLAN 
    - VLAN ID 2-1001
  - Voice VLAN
    - delay <150 ms
  - Default VLAN 
    - VLAN ID 1, 1002-1005  
    - cannot be deleted
    - default SVI (interface VLAN 1)
  - Management VLAN
    - VLAN used for switch management traffic
  - Native VLAN
    - carries untagged frames on an 802.1Q trunk

- VLAN Trunking Protocol (VTP)
  - propagates VLAN creation, deletion and renaming to multiple switches
  - modes: server / client / transparent
  - switches must share the same VTP domain name
  - switches must share the same VTP password

- Switchport
  - Access Mode
    - connects to an end device; carries 1 data VLAN and 1 voice VLAN
  - Trunk Mode
    - link carries more than 1 VLAN (802.1Q tagged)
    - Dynamic Trunking Protocol (DTP)
      - negotiates trunking; a trunk forms for auto + desirable or desirable + desirable port pairs

VLAN Configuration
- create the VLANs
- configure the ports that connect to end devices as access mode
- assign a VLAN to each access port

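The three steps above as a Cisco IOS configuration, together with the VTP settings from the trunking section. This is an added example, not part of the course notes: the switch name S1, the VLAN numbers (10 staff data, 20 voice, 99 management), the port range and the addresses are all assumed.

```cisco
! Added example (hypothetical switch S1; VLAN IDs, names and addresses are constructed)
! VTP: other switches in the same domain with the same password learn these VLANs
S1(config)# vtp domain WIA1005
S1(config)# vtp password VTP-PASSWORD-PLACEHOLDER
S1(config)# vtp mode server
! Step 1: create the VLANs (normal range 2-1001)
S1(config)# vlan 10
S1(config-vlan)# name STAFF
S1(config-vlan)# vlan 20
S1(config-vlan)# name VOICE
S1(config-vlan)# vlan 99
S1(config-vlan)# name MGMT
S1(config-vlan)# exit
! Step 2 + 3: ports facing end devices are access ports, 1 data VLAN + 1 voice VLAN
S1(config)# interface range fastethernet 0/1 - 12
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# switchport voice vlan 20
S1(config-if-range)# exit
! Management SVI on the management VLAN rather than the default VLAN 1
S1(config)# interface vlan 99
S1(config-if)# ip address 192.168.99.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# end
! Verification: VLANs exist and the port shows "static access" with the right VLANs
S1# show vlan brief
S1# show interfaces fastethernet 0/1 switchport
S1# show vtp status
```

`show vlan brief` should list VLANs 10, 20 and 99 with Fa0/1-12 under VLAN 10; the voice VLAN appears in the per-interface `switchport` output, not in the brief VLAN table.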
inter-VLAN routing
- forwarding traffic from one VLAN to another VLAN

Methods
- Multiple physical interfaces
  - each router interface connects to a switch port in access mode
  - each of those ports is in a different VLAN
  - not scalable
- Router-on-a-stick
  - single physical interface with multiple sub-interfaces
  - 802.1Q encapsulation on each sub-interface (trunk link to the switch)
- Multilayer switches
  - sdm prefer lanbase-routing (switch must be reloaded for the template to apply)
  - ip routing enabled
  - configure multiple SVI
  - configure routed port
    - no switchport

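Router-on-a-stick and the multilayer-switch alternative as Cisco IOS configuration. Added example, not from the course notes: device names R1, S1 and MLS1, the interface numbers and all IP addresses are assumed, and the VLAN numbers follow the earlier example (10 and 20).

```cisco
! Added example (hypothetical R1 / S1 / MLS1; interfaces and addresses are constructed)
! --- Router-on-a-stick ---
! Switch side: the single link to the router is an 802.1Q trunk limited to the VLANs in use
S1(config)# interface gigabitethernet 0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk allowed vlan 10,20,99
S1(config-if)# exit
! Router side: one physical interface, one sub-interface per VLAN
R1(config)# interface gigabitethernet 0/0
R1(config-if)# no shutdown
R1(config-if)# interface gigabitethernet 0/0.10
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address 192.168.10.1 255.255.255.0
R1(config-subif)# interface gigabitethernet 0/0.20
R1(config-subif)# encapsulation dot1q 20
R1(config-subif)# ip address 192.168.20.1 255.255.255.0
R1(config-subif)# end
R1# show ip interface brief
! --- Multilayer switch alternative ---
! Routing template, then enable IP routing (reload after sdm prefer)
MLS1(config)# sdm prefer lanbase-routing
MLS1(config)# ip routing
! One SVI per VLAN acts as that VLAN's default gateway
MLS1(config)# interface vlan 10
MLS1(config-if)# ip address 192.168.10.1 255.255.255.0
MLS1(config-if)# no shutdown
MLS1(config-if)# interface vlan 20
MLS1(config-if)# ip address 192.168.20.1 255.255.255.0
MLS1(config-if)# no shutdown
! Routed port toward an upstream router: no switchport turns it into a Layer 3 port
MLS1(config-if)# interface gigabitethernet 0/1
MLS1(config-if)# no switchport
MLS1(config-if)# ip address 10.0.0.2 255.255.255.252
MLS1(config-if)# no shutdown
MLS1(config-if)# end
MLS1# show ip route
```

On MLS1, `show ip route` lists 192.168.10.0/24 and 192.168.20.0/24 as directly connected via Vlan10 and Vlan20 once at least one access port in each VLAN is up; an SVI stays down until its VLAN has an active port.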
VLAN Hopping Attack
- traffic from one VLAN reaches another VLAN without passing through a router
- a port facing an end device negotiates into a trunk (via DTP)
  - the host can then reach every VLAN on the switch

VLAN Double Tagging Attack
- attacker is in the native VLAN of the trunk

Prevention
- disable trunking on all access ports (force access mode)
- disable automatic trunk negotiation (DTP)
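The two prevention points as Cisco IOS configuration, plus one standard extra step that the notes do not list but that addresses the double-tagging case directly: moving the native VLAN of the trunk to an otherwise unused VLAN. Added example, not from the course notes; S1, the port numbers and VLAN 999 are assumed.

```cisco
! Added example (hypothetical switch S1; port numbers and VLAN 999 are constructed)
! Access ports: fixed access mode and DTP off, so an end device can never negotiate a trunk
S1(config)# interface range fastethernet 0/1 - 12
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport nonegotiate
S1(config-if-range)# exit
! Trunk: explicit trunk mode with DTP off, only the needed VLANs allowed
! Native VLAN moved to an unused VLAN (extra step not in the notes; blocks the
! double-tagging case because no access port sits in the native VLAN)
S1(config)# vlan 999
S1(config-vlan)# name NATIVE_UNUSED
S1(config-vlan)# exit
S1(config)# interface gigabitethernet 0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport nonegotiate
S1(config-if)# switchport trunk native vlan 999
S1(config-if)# switchport trunk allowed vlan 10,20,99
S1(config-if)# end
! Verification: access port must show "static access" and "Negotiation of Trunking: Off"
S1# show interfaces fastethernet 0/1 switchport
S1# show dtp interface fastethernet 0/1
! Trunk must show native VLAN 999 and the restricted allowed list
S1# show interfaces gigabitethernet 0/1 trunk
```

The check that matters is the `switchport` output of every port that faces an end device: if Administrative Mode is still "dynamic auto" or "dynamic desirable", the port can be talked into a trunk, and the prevention has not been applied to it.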