9. VLAN & INTER-VLAN

VLAN

VLANs

  • Segment networks based on

    • department

    • functions

    • project

    • application

  • Usage (benefits)

    • security

    • performance

    • cost reduction

    • simplify management

  • Type of VLAN

    • Data VLAN

      • VLAN ID 2-1001

    • Voice VLAN

      • delay <150 ms

    • Default VLAN

      • VLAN ID 1, 1002-1005

      • cannot be deleted

      • used for SVI

    • Management VLAN

      • VLAN used for network management

    • Native VLAN

      • carries untagged frames on a trunk link

  • VLAN Trunking Protocol (VTP)

    • create and manage VLANs across multiple switches

    • modes: server / client / transparent

    • same VTP domain name

    • same VTP password

  • Switchport

    • Access Mode

      • connects to an end device; carries 1 data VLAN and 1 voice VLAN

    • Trunk Mode

      • link carries more than one VLAN

      • Dynamic Trunking Protocol (DTP)

        • negotiates trunking; a trunk forms for auto-desirable and desirable-desirable port pairs

VLAN Configuration

  • create the VLAN

  • configure ports connected to end devices as access mode

  • assign the VLAN to the specific port

Inter-VLAN Routing

  • forwarding traffic from one VLAN to another VLAN

Methods

  • Multiple physical interfaces

    • switch ports in access mode

    • each port in a different VLAN

    • not scalable

  • Router-on-a-stick

    • single physical interface with multiple sub-interfaces

    • enable 802.1Q encapsulation on each sub-interface (one per VLAN)

  • Multilayer switches

    • sdm prefer lanbase-routing

    • enable ip routing

    • configure multiple SVI

    • configure routed port

      • no switchport

VLAN Hopping Attack

  • allows traffic from one VLAN to be seen by another VLAN

  • trunk link negotiated to an end device

    • the end device can access all VLANs on the switch

VLAN Double Tagging Attack

  • attacker is on the native VLAN of the trunk

Prevention

  • disable trunking on all access ports (set them to access mode)

  • disable auto trunking (DTP negotiation)
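As an added example (not part of these notes), a small Python audit of an IOS-style running-config that flags the exposures behind both attacks above: ports whose mode is not pinned or that still send DTP, and trunks left on native VLAN 1. The interface names and config text are constructed for the example.

```python
# Constructed sample running-config (not from a real device): a hardened access
# port, a port left in DTP dynamic mode, and a trunk on the default native VLAN 1.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each 'interface X' stanza to its switchport lines."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None and line.startswith("switchport"):
            interfaces[current].append(line)
    return interfaces

def audit_vlan_hopping(config: str) -> dict[str, list[str]]:
    """Return {interface: findings}; ports with no findings are omitted."""
    findings: dict[str, list[str]] = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        modes = [l for l in lines if l.startswith("switchport mode ")]
        mode = modes[-1].split()[2] if modes else None  # access / trunk / dynamic
        if mode is None or mode == "dynamic":
            issues.append("mode not pinned to access or trunk: DTP may negotiate a trunk")
        if "switchport nonegotiate" not in lines:
            issues.append("DTP frames still sent: add 'switchport nonegotiate'")
        if mode == "trunk":
            native = [l for l in lines if l.startswith("switchport trunk native vlan ")]
            if not native or native[-1].split()[-1] == "1":
                issues.append("native VLAN is 1: move the native VLAN to an unused VLAN")
        if issues:
            findings[name] = issues
    return findings
```

Run it against `show running-config` output saved to a file; an empty result means every port is pinned, DTP is off, and no trunk rides the default native VLAN.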
