© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public. VLANs.

Presentation transcript:

Slide 1: VLANs

Slide 2: Some requirements of LANs (figure: Separate Broadcast Domains)
- Need to split up broadcast domains to make good use of bandwidth.
- People in the same department may need to be grouped together.
- Security: restrict access by certain users to some areas of the LAN.

Slide 3: Some requirements of LANs (figure: Separate Broadcast Domains)
- Provide a way for different areas of the LAN to communicate with each other.
- Each LAN must have a separate port on the backbone layer three device (router).

Slide 4: Solution using routers. BUT:
- Routers are expensive.
- Routers are slower than switches.
- Subnets are restricted to limited physical areas.
- Subnets are inflexible.

Slide 5: Another Solution: Using VLANs in Switches
- VLAN membership can be by function/port and not by location.
- VLANs are managed by switches.

Slide 6: Solution using VLANs (figure: Separate Broadcast Domains)
- VLANs provide segmentation based on broadcast domains.
- VLANs logically segment switched networks based on the functions, project teams, or applications of the organization, not by physical location.
- Communication among VLANs still requires a router, BUT only one physical connection will handle all routing.

Slide 7: Defining VLANs
- A VLAN allows the creation of groups of logically networked devices, and lets those devices act as if they are on their own independent network.
- Each VLAN is a separate broadcast domain: broadcast traffic is controlled.
- Each VLAN is a separate IP subnet.
- To communicate among VLANs, you must use a router (MUCH more later).

Slide 8: VLANs: One Physical Link
- A better design still creates the 3 separate broadcast domains but only requires 1 switch.
- The router provides broadcast filtering over a single link.

Slide 9: Benefits of VLANs
- Security
- Cost reduction
- Higher performance
- Broadcast storm mitigation
- Improved IT staff efficiency and management

Slide 10: VLAN Numbers
- VLAN information is stored in the VLAN database: vlan.dat in the flash memory of the switch.

Slide 11: VLAN Port Membership Modes (figure only)

Slide 12: Static VLAN (Port-centric)
- Benefit of CLI mode: if a port is put on a VLAN and the VLAN does not exist, then the VLAN is created. So, if VLAN 20 did not exist before, then it does now.

Slide 13: Dynamic VLAN
- Not widely used.
- Uses a VLAN Membership Policy Server (VMPS).
- Assigns a device to a VLAN based on its MAC address.
- Connect the device, and the server assigns the VLAN.
- Useful if you want to move devices around.

Slide 14: Types of VLAN
- Data or user VLAN
- Voice VLAN
- Management VLAN
- Native VLAN
- Default VLAN

Slide 15: Data VLAN
- Carries files, e-mails, shared application traffic, most user traffic.
- Separate VLAN for each group of users.

Slide 16: Voice VLAN
Voice VLANs HAVE SPECIAL requirements:
- Assured bandwidth to ensure voice quality.
- Transmission priority over other types of network traffic.
- Ability to be routed around congested areas on the network.
- Delay of less than 150 milliseconds (ms) across the network.

Slide 17: Voice VLAN (figure: Connections)
- VLAN 150 is designed to carry voice traffic.

Slide 18: Voice VLAN (figure: Data VLAN / Voice VLAN)
- Ensures that voice traffic is identified as priority traffic.

Slide 19: Voice VLAN: A Cisco IP Phone is a switch
- Port 1 connects to the switch or VoIP device.
- Port 2 is an internal 10/100 interface that carries the phone traffic.
- Port 3 connects to a PC or other device.

Slide 20: Voice VLAN: A Cisco IP Phone is a switch
- Switch S3 is configured to carry voice traffic on VLAN 150 and data traffic on VLAN 20.
- Sending: the phone tags voice traffic with VLAN 150 and sends data traffic untagged. The switch will tag the data traffic for VLAN 20.
- Receiving: the phone acts on voice traffic and removes the tag for data traffic destined for the PC.
- MORE on the tagging process later.

Slide 21: Voice VLAN: A Cisco IP Phone is a switch
- The link to the switch acts as a trunk link to carry both voice and data traffic.
- CDP is used to communicate between the switch and the phone.

Slide 22: Voice VLANs: Sample Configuration (figure only)

Slide 23: Default VLAN
- VLAN 1 on Cisco switches.
- Carries CDP and STP (Spanning Tree Protocol) traffic.
- Initially all ports are in this VLAN.
- Do not use it for data, voice or management traffic, for security reasons.
- Cannot rename or delete VLAN 1.

Slide 24: Default VLAN (figure: switch)

Slide 25: Management and Native VLAN
- Management VLAN: has the switch IP address.
- Used for telnet/SSH or web access for management purposes.
- Better not to use VLAN 1, for security reasons.

Slide 26: VLAN Trunks
- What problem does it solve? (figure: four separate /24 networks)

Slide 27: Tag to identify VLAN
- The tag is added to the frame when it goes on to the trunk.
- The tag is removed when it leaves the trunk.

Slide 28: Frame tagging IEEE 802.1Q
- Normal frame: Dest Add | Source Add | Type/Len | Data | FCS
- Tagged frame: Dest Add | Source Add | Tag | Type/Len | Data | FCS
- Add 4-byte tag, recalculate FCS.
- Tag fields: Tag protocol ID 0x8100 | Priority | CFI (for token ring) | VLAN ID

Slide 29: Native VLAN and 802.1Q Trunking
- Tagged frames on the native VLAN:
- Control traffic sent on the native VLAN should be untagged.
- The switch will drop tagged frames received on the native VLAN.
- Devices from other vendors that support tagged frames on the native VLAN include IP phones, servers, routers, and non-Cisco switches.

Slide 30: Configure trunk port
- By default the native VLAN is 1.
- Configure the trunk to default to native VLAN 1.
- Configure the trunk for native VLAN 99.
(commands shown in figure)

Slide 31: Verification of Trunk Port (figure only)

Slide 32: Trunking Operation
- PC1 and PC3 send a broadcast.
- S2 receives the frames and tags them with the VLAN ID.
- The tagged frames are sent across the trunk links between S2 and S1, and between S1 and S3.
- S3 strips the tags and forwards to the destination.

Slide 33: Introduction to DTP
- Switch ports can be manually configured to form trunks.
- Switch ports can also be configured to negotiate and establish a trunk link with a connected peer.
- The Dynamic Trunking Protocol (DTP) manages trunk negotiation.
- DTP is a Cisco proprietary protocol and is enabled by default in Cisco Catalyst 2960 and 3560 switches.
- If the port on the neighbor switch is configured in a trunk mode that supports DTP, it manages the negotiation.
- The default DTP configuration for Cisco Catalyst 2960 and 3560 switches is dynamic auto.

Slide 34: Negotiated Interface Modes
- Cisco Catalyst 2960 and 3560 support the following trunk modes:
  switchport mode dynamic auto
  switchport mode dynamic desirable
  switchport mode trunk
  switchport nonegotiate

Slide 35: Trunking Modes (figure: Access Mode / Trunk Mode)

Slides 36 to 39: Controlling Broadcast Domains with VLANs: Intra-VLAN Communications (figure sequence only)

Slide 40: Layer 3 Switch Forwarding
- Layer 3 Switch: a Layer 3 switch has the ability to route transmissions between VLANs. The procedure is the same as described for inter-VLAN communication using a separate router.
- Switch Virtual Interface (SVI): a logical interface (SVI) is configured for each VLAN configured on the switch.

Slide 41: Layer 3 Switch Forwarding (figure)
- Layer 3 Switch: contains the SVI 20 information, NOT SVI 10. SVI 10 knows about SVI 20 (the location of VLAN 20).

Slide 42: Configure VLANs on the Switches in a Converged Network Topology
- The steps to configure trunks and VLANs (figure only)

Slide 43: Creating and Naming VLANs
- For verification, use the command: S1# show vlan brief

Slide 44: Configure a VLAN; Verify VLAN configuration (figure only)

Slide 45: Show commands (figure only)

Slide 46: Show commands output
- S1# show vlan name student
- S1# show vlan summary

Slide 47: Assign switchport (figure only)

Slide 48: Verification of port memberships
- S1# show vlan brief

Slide 49: Verification of port memberships
- S1# show interfaces fa0/18 switchport

Slide 50: Managing VLANs
- Remove VLAN 20 from switchport fa0/18.
- Verification.

Slide 51: Managing VLANs: Reassignment
- Reassigning VLAN 20 to port fa0/11.
- Verification.

Slide 52: Managing VLANs: Deleting VLANs
- SW1(config)# no vlan 20
  SW1(config)# end
- VLAN 20 is deleted.
- Any ports still on VLAN 20 will be inactive. They need to be reassigned.
- SW1# delete flash:vlan.dat
- Erasing the startup configuration does not get rid of VLANs because they are saved in a separate file.
- The switch goes back to the default with all ports in VLAN 1.
- You cannot delete VLAN 1.

Slide 53: Deleting VLANs (figure: before deletion / after deletion)

Slide 54: Configure Trunk Ports (figure only)

Slide 55: Configuring Trunk Ports (figure only)

Slide 56: Verification
- Verification: native trunk (figure)

Slide 57: Managing Trunks
- Reset example (figure)
- Remove example (figure)

Slide 58: VLAN Security and Design

Slide 59: Attacks on VLANs: Switch Spoofing Attack
- There are a number of different types of VLAN attacks in modern switched networks; VLAN hopping is one example.
- The default configuration of the switch port is dynamic auto.
- By configuring a host to act as a switch and form a trunk, an attacker could gain access to any VLAN in the network.
- Because the attacker is now able to access other VLANs, this is called a VLAN hopping attack.
- To prevent a basic switch spoofing attack, turn off trunking on all ports except the ones that specifically require trunking, and disable DTP.

Slide 60: Attacks on VLANs: Double-Tagging Attack
- A double-tagging attack takes advantage of the way that hardware on most switches de-encapsulates 802.1Q tags.
- Most switches perform only one level of 802.1Q de-encapsulation, allowing an attacker to embed a second, unauthorized 802.1Q header in the frame.
- After removing the first, legitimate 802.1Q header, the switch forwards the frame to the VLAN specified in the unauthorized 802.1Q header.
- The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports.

Slide 61: Attacks on VLANs: Double-Tagging Attack (cont.) (figure only)
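The 802.1Q tag layout from slide 28 and the de-encapsulation behaviour from slide 60, as an added Python example that is not part of the slide deck: it builds constructed tagged frames, walks every stacked tag instead of stopping after one, strips a single tag the way a trunk egress does, and labels a trunk-ingress frame whose outer tag equals the trunk's native VLAN. Function names, the frame contents and the labels are the example's own.

```python
import struct
import zlib

TPID_8021Q = 0x8100  # Tag Protocol ID (slide 28)


def ethernet_fcs(body):
    """FCS = CRC-32 over the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload, vlan_ids=(), pcp=0):
    """Constructed test input: one 4-byte 802.1Q tag per VLAN ID (outer tag
    first) inserted after the source MAC, FCS recalculated (slide 28)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
                    for vid in vlan_ids)
    body = dst + src + tags + struct.pack("!H", ethertype) + payload
    return body + ethernet_fcs(body)


def parse_frame(frame):
    """Walk every stacked tag; slide 60's point is that most switch hardware
    de-encapsulates only the first one."""
    if len(frame) < 18:  # 14-byte header + 4-byte FCS at minimum
        raise ValueError("runt frame")
    body, trailer = frame[:-4], frame[-4:]
    tags, off = [], 12  # tags start right after dst + src MAC
    while (len(body) >= off + 4
           and struct.unpack("!H", body[off:off + 2])[0] == TPID_8021Q):
        tci = struct.unpack("!H", body[off + 2:off + 4])[0]
        # TCI layout (slide 28): 3-bit priority, 1-bit CFI, 12-bit VLAN ID
        tags.append({"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {
        "dst": body[:6], "src": body[6:12], "tags": tags,
        "ethertype": struct.unpack("!H", body[off:off + 2])[0],
        "payload": body[off + 2:],
        "fcs_ok": trailer == ethernet_fcs(body),
    }


def strip_outer_tag(frame):
    """What a trunk egress does (slide 27): remove one tag, recompute the FCS."""
    body = frame[:-4]
    if struct.unpack("!H", body[12:14])[0] != TPID_8021Q:
        return frame
    body = body[:12] + body[16:]
    return body + ethernet_fcs(body)


def classify_trunk_ingress(frame, native_vlan):
    """Label a frame seen on a trunk. Two stacked tags whose outer tag equals
    the trunk's native VLAN is the pattern slide 60 describes: one
    de-encapsulation removes the native tag and exposes the inner one. A native
    VLAN that no user port belongs to (slide 60's mitigation) removes that case."""
    tags = parse_frame(frame)["tags"]
    if not tags:
        return "untagged"
    if len(tags) == 1:
        return "tagged"
    if tags[0]["vid"] == native_vlan:
        return "double-tagged-native-outer"
    return "double-tagged"
```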

Slide 62: Attacks on VLANs: PVLAN Edge
- The Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between protected ports on the switch.
- Local relevance only: the protection applies within a single switch.
- A protected port only exchanges traffic with unprotected ports.
- A protected port does not exchange traffic with another protected port.

Slide 63: Design Best Practices for VLANs: VLAN Design Guidelines
- Move all ports from VLAN 1 and assign them to a not-in-use VLAN.
- Shut down all unused switch ports.
- Separate management and user data traffic.
- Change the management VLAN to a VLAN other than VLAN 1. (The same goes for the native VLAN.)
- Ensure that only devices in the management VLAN can connect to the switches.
- The switch should only accept SSH connections.
- Disable autonegotiation on trunk ports.
- Do not use the auto or desirable switch port modes.
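An added Python example (not Cisco code and not part of the slides) that checks a constructed IOS-style running-config excerpt against the guidelines on slides 59 and 63: ports left negotiating with DTP (the dynamic auto default from slide 33), trunks that still send DTP or use native VLAN 1, non-trunk ports left in VLAN 1, and vty lines that accept telnet. The config text, function names and finding messages are the example's own.

```python
# Constructed running-config excerpt (not from the slides) mixing compliant and non-compliant ports.
SAMPLE_CONFIG = """\
interface FastEthernet0/2
 switchport mode dynamic auto
!
interface FastEthernet0/3
 switchport mode dynamic desirable
 switchport access vlan 1
!
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface GigabitEthernet0/2
 shutdown
!
line vty 0 4
 transport input telnet ssh
!
"""

def parse_blocks(config):
    """Group indented sub-commands under their 'interface X' / 'line vty' line."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        elif not line.startswith("!") and line.strip():
            current = line.strip()
            blocks[current] = []
    return blocks

def last_arg(cmds, prefix, default):
    """Argument of the last command starting with prefix, else the IOS default."""
    vals = [c[len(prefix):].strip() for c in cmds if c.startswith(prefix)]
    return vals[-1] if vals else default

def audit(config):
    """Return (block, finding) pairs for the slide 59/63 guidelines."""
    findings = []
    for name, cmds in parse_blocks(config).items():
        if name.startswith("interface "):
            if "shutdown" in cmds:
                continue  # unused port shut down: compliant (slide 63)
            # Catalyst 2960/3560 ports default to dynamic auto (slide 33)
            mode = last_arg(cmds, "switchport mode", "dynamic auto")
            if mode.startswith("dynamic"):
                findings.append((name, f"DTP negotiation enabled ({mode})"))
            if mode == "trunk":
                if "switchport nonegotiate" not in cmds:
                    findings.append((name, "trunk still sends DTP frames"))
                if last_arg(cmds, "switchport trunk native vlan", "1") == "1":
                    findings.append((name, "native VLAN is 1"))
            elif last_arg(cmds, "switchport access vlan", "1") == "1":
                findings.append((name, "port is in VLAN 1"))
        elif name.startswith("line vty"):
            transport = last_arg(cmds, "transport input", "all")
            if transport == "all" or "telnet" in transport.split():
                findings.append((name, "management access is not SSH-only"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` to list the seven findings in the sample; a port that is shut down produces none.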

Slide 64: Common Software or Hardware Misconfigurations Associated with VLANs

Slide 65: Native VLAN Mismatch (figure only)

Slide 66: Native VLAN Mismatch: Solution
- Output from Switch 3 (figure)
- Output from Computer PC4 (figure)

Slide 67: Trunk Mode Mismatch
- Outputs from Switch 1 (figure)
- Outputs from Switch 3 (figure)

Slide 68: Trunk Mode Mismatch: Solution
- Output from Switch 1 (figure)
- Output from Switch 3 (figure)
- Output from Computer PC4 (figure)

Slide 69: Incorrect VLAN List
- Output from Switch 3 (figure)
- Output from Switch 1 (figure)

Slide 70: Incorrect VLAN List: Solution
- Outputs from Switch 1 (figure)
- Output from Computer PC5 (figure)

Slide 71: VLANs and IP Subnets (figure only)

Slide 72: VLANs and IP Subnets: Solution (figure only)