VLAN:- (Virtual LANs) are logical groupings of devices in the same broadcast domain, with each VLAN treated as its own subnet or broadcast domain. This means that frames broadcast onto the network are switched only between the ports within the same VLAN. In other words, a VLAN is a virtual LAN, i.e. something that exists virtually rather than physically: "VLAN is the method of breaking a single switch to act as multiple switches". If I create multiple VLANs (vlan-1 and vlan-2) and assign some ports to each (say ports 1 to 5 in vlan-1 and ports 6 to 10 in vlan-2), then the users connected within vlan-1 can communicate with each other but not with the users connected to vlan-2.
Depending on the range of VLAN IDs, they are classified as:-
- Normal VLAN
- Extended VLAN
- Voice VLAN
- VLAN 1 is the default VLAN and can't be renamed.
- VLANs 2-1001 can be created and are basically used for Ethernet networks.
- VLANs 1002-1005 are reserved for FDDI / Token Ring etc. networks.
- The default range of VLANs is 1024 (Cisco Catalyst switches supported only up to 1024 VLANs).
- ISL used a 10-bit VLAN ID (up to 1024 VLANs).
- 802.1Q includes a 12-bit VLAN ID field (up to 4096 VLANs).
- Cisco refers to the VLANs between 1025 and 4096 as extended-range VLANs.
Restrictions:-1
- VTP cannot be used for VLAN management (VTP must be configured as transparent or off).
- i.e. the extended VLAN range will not work if the VTP mode is anything other than transparent or off. If we try to create an extended VLAN in server mode, we get the message shown below:
Sw1(config)# vtp mode server
Sw1(config)#vlan 3500
Sw1(config)#exit
% fail to create vlan 3500
Extended vlan(s) not allowed in current VTP mode
%failed to commit extended VLANs changes.
So if we are using extended VLANs, we have to put VTP in either transparent mode or off mode. If we create an extended VLAN in transparent mode, we are able to create the VLAN without any problem:
Sw1(config)# vtp mode transparent
Sw1(config)#vlan 3500
Sw1(config-vlan)#name management
Sw1(config-vlan)#exit
The result can be seen with:
Sw1# show vlan
Restrictions:-2
- The STP extended system ID feature has to be enabled; by default it is enabled and can't be disabled.
- The extended system ID is the combination of priority + VLAN information, i.e. when STP selects the root bridge it takes the priority value and adds the VLAN number, and this combination is called the extended system ID.
It can be verified by:
SW1# show spanning-tree summary
Switch is in pvst mode
Root bridge for:
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short
It can't be removed by the command:
SW1(config)# no spanning-tree extend system-id    ! can't be removed, an error message is shown
So the overall conclusion for extended VLANs is to have:
- VTP in either transparent mode or off mode
- a system that supports the extended system ID
Switch>en
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 20                        ! new VLAN with VLAN ID 20
Switch(config-vlan)#name Data                 ! Data is the name of the created VLAN 20
Switch(config-vlan)#vlan 30
Switch(config-vlan)#name Voice                ! Voice is the name of VLAN 30
Assigning ports to VLANs:
Switch(config-vlan)#in fa 0/3
Switch(config-if)#switchport mode access      ! by default all ports are in dynamic mode
Switch(config-if)#switchport access vlan 20   ! assigning port fa 0/3 to VLAN 20
Similarly:
Switch(config-if)#interface fa 0/4
Switch(config-if)#switchport mode access
Switch(config-if)#switchport voice vlan 30
and:
Switch(config-if)#in fa 0/5
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
For this scenario, if we have an IP phone connected in our network that sends voice traffic to the switch, the switch has to be configured with a separate VLAN, called the voice VLAN, which carries only the voice traffic.
Voice vlan :-
- The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone.
- A switch can connect to an IP phone to carry its voice traffic.
- A Cisco IP phone contains an integrated three-port 10/100 switch:
- one port is like an access port connected to the switch,
- another is connected to the computer system,
- the switch port connected to the IP phone can be part of both VLANs (data/voice VLAN),
- which allows traffic to flow PC - phone - switch.
Default vlan configuration:-
- The voice VLAN feature is disabled by default.
- The voice VLAN can be configured on a switch's access port.
- The voice VLAN should be present and active on the switch for the IP phone to correctly communicate over the voice VLAN.
- The PortFast feature is enabled automatically when the voice VLAN is configured.
Voice vlan configuration:-
- In our scenario we take three switch ports:
- one for a dedicated data port,
- one for a dedicated voice port,
- and one for both the data and voice VLAN.
- Create VLAN 20 for Data and VLAN 30 for Voice.
- Assign the port connected to the PC to the data VLAN and the port connected to the IP phone to the voice VLAN.
Switch>en
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 20
Switch(config-vlan)#name Data
Switch(config-vlan)#vlan 30
Switch(config-vlan)#name Voice
Switch(config-vlan)#in fa 0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#interface fa 0/4
Switch(config-if)#switchport mode access
Switch(config-if)#switchport voice vlan 30
Switch(config-if)#in fa 0/5
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport voice vlan 30
Note:- this is the basic configuration required on the switch; router configuration is also needed.
Native VLAN:-
- If a frame is received on a dot1q link that does not carry a VLAN tag, it is assumed to belong to the native VLAN.
- The default native VLAN is VLAN 1.
By default the connection between switches is formed with the 802.1q (dot1q) or ISL trunking protocol, so:
- when traffic from VLAN 10 is transferred to another switch via the trunk link,
- a tag is added before the frame is sent onto the trunk link, which is called the frame tagging process;
- between switch and switch this method ensures that we know which frame belongs to which VLAN, and hence the frame is forwarded to the ports belonging to that VLAN.
- But if a switch receives a frame from a hub, which doesn't understand the concept of VLANs, the frame arrives without a tag.
- So if a switch receives a frame without a tag, it is assumed to belong to the native VLAN and is forwarded to the ports belonging to the native VLAN.
Native vlan configuration:-
- The best way to configure the native VLAN is to create a dedicated VLAN, assign it as the native VLAN, and ensure that no port is placed in that VLAN.
- So if any attacker wants to use a VLAN hopping attack, they will reach a VLAN with no ports and no hosts.
Configuration:
Sw(config)#vlan 111
Sw(config)#in fa 0/0
Sw(config-if)#switchport trunk encapsulation dot1q
Sw(config-if)#switchport mode trunk
Sw(config-if)#switchport trunk native vlan 111
Verification:
Sw# show int trunk
Port    Mode    Encapsulation   Status     Native vlan
Fa0/0   on      802.1q          trunking   111
Note:- for Cisco switches the native VLAN ID must match on both ends of the trunk.
Sw# show int fa 0/0 switchport .............. gives the complete information about port fa 0/0
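As an added example that is not part of the original post, the Python below models the VLAN ID ranges and the VTP restriction from the sections above, and parses a constructed 802.1Q frame the way a trunk port would, assigning untagged (or VID 0 priority-tagged) frames to the native VLAN. It assumes the 802.1Q limits (VID 0 and 4095 are reserved, so 4094 is the highest usable ID) and treats every ID above 1005 as extended range; the MAC addresses and frames are constructed for the demonstration.

```python
import struct
ETHERTYPE_8021Q = 0x8100  # TPID that marks a dot1q-tagged frame

def classify_vlan(vid):
    """Place a VLAN ID into the ranges the post lists (Cisco conventions)."""
    if vid == 1:
        return "default"          # VLAN 1: default VLAN, cannot be renamed
    if 2 <= vid <= 1001:
        return "normal"           # normal range, used for Ethernet
    if 1002 <= vid <= 1005:
        return "reserved"         # reserved for FDDI / Token Ring
    if 1006 <= vid <= 4094:
        return "extended"         # extended range, needs the 12-bit 802.1Q ID
    return "invalid"              # 0 and 4095 are reserved by 802.1Q itself

def fits_isl(vid):
    """ISL carries only a 10-bit VLAN ID, so IDs of 1024 and above cannot use ISL."""
    return 0 < vid < 1024

def can_create_vlan(vid, vtp_mode):
    """VTP restriction from the post: extended VLANs need VTP transparent or off."""
    kind = classify_vlan(vid)
    if kind == "normal":
        return True
    if kind == "extended":
        return vtp_mode in ("transparent", "off")
    return False

def vlan_of_frame(frame, native_vlan=1):
    """Return (vlan_id, tagged) for a frame received on a dot1q trunk port;
    untagged (or VID 0 priority-tagged) frames fall into the native VLAN."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return native_vlan, False
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF            # low 12 bits = VLAN ID, top 4 bits = PCP/DEI
    if vid == 0:
        return native_vlan, False
    return vid, True

def build_frame(vid=None, payload=b"\x00" * 20):
    """Constructed minimal frame with hypothetical MACs and an optional dot1q tag."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200deadbeef")
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", 0x0800) + payload
```

With native VLAN 111 configured as in the section above, an untagged frame lands in VLAN 111, where no access port lives, which is the point of the dedicated native VLAN.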