Contents

Advantages and Disadvantages of VLANs
VLANs enable logical grouping of end-stations that are physically dispersed on a network
VLANs reduce the need to have routers deployed on a network to contain broadcast traffic
Confinement of broadcast domains on a network significantly reduces traffic
Port Limits
Performance
Access Ports and Trunk Ports
Trunking concepts
Frame Tagging
Security of VLAN
Address Resolution Protocol (ARP) attack
Double Tagging/Double Encapsulation VLAN Hopping Attack
Cisco Discovery Protocol (CDP) Attack
Multicast Brute-Force Attack
Sub-Interfaces
VTP Types
VTP Modes
Router-Switch Topology
Designing the lab
Configuration files
Testing the configuration and show commands

Advantages and Disadvantages of VLANs

VLANs provide a
number of advantages, such as ease of administration, confinement of broadcast
domains, reduced broadcast traffic, and enforcement of security policies.

VLANs enable logical grouping of end-stations
that are physically dispersed on a network.

When users on a
VLAN move to a new physical location but continue to perform the same job
function, the end-stations of those users do not need to be reconfigured.
Similarly, if users change their job functions, they need not physically move:
changing the VLAN membership of the end-stations to that of the new team makes
the users’ end-stations local to the resources of the new team.

VLANs reduce the need to have routers deployed
on a network to contain broadcast traffic.

Flooding of a
packet is limited to the switch ports that belong to a VLAN.

Confinement of broadcast domains on a network
significantly reduces traffic.

By confining
the broadcast domains, end-stations on a VLAN are prevented from listening to
or receiving broadcasts not intended for them. Moreover, if a router is not
connected between the VLANs, the end-stations of a VLAN cannot communicate with
the end-stations of the other VLANs.

Port Limits

Using physical interfaces for inter-VLAN routing requires one physical interface per VLAN. On networks with many VLANs, a single router cannot perform all inter-VLAN routing this way. Sub-interfaces allow a router to scale to more VLANs than its physical interfaces permit.

Performance

Because there is no contention for bandwidth on physical interfaces, physical interfaces have better performance for inter-VLAN routing. When sub-interfaces are used for inter-VLAN routing, the traffic being routed competes for bandwidth on the single physical interface. On a busy network, this could cause a bottleneck for communication.

Access Ports and Trunk Ports

Connecting physical interfaces for inter-VLAN routing requires that the switch ports be configured as access ports. Sub-interfaces require the switch port to be configured as a trunk port so that it can accept VLAN-tagged (ISL or 802.1Q) traffic on the trunk link.

Trunking concepts

In the context of Ethernet VLANs, the term Ethernet trunking means carrying multiple VLANs through a single network link through the use of a trunking protocol. To allow for multiple VLANs on one link, frames from individual VLANs must be identified. The most common and preferred method, IEEE 802.1Q, adds a tag to the Ethernet frame, labeling it as belonging to a certain VLAN. Since 802.1Q is an open standard, it is the only option in an environment with multiple-vendor equipment. Cisco also has a proprietary trunking protocol called Inter-Switch Link (ISL), which encapsulates the Ethernet frame in its own container that labels the frame as belonging to a specific VLAN. 3Com used proprietary Virtual LAN Trunking (VLT) before 802.1Q was defined.

Frame Tagging

Frame tagging is used to identify the VLAN that the frame belongs to in a network with multiple VLANs. The VLAN ID is placed on the frame when it reaches a switch from an access port, which is a member of a VLAN. That frame can then be forwarded out the trunk link port. Each switch can see what VLAN the frame belongs to and can forward the frame to the corresponding VLAN access ports or to another VLAN trunk port.

Two trunking protocols are usually used today for frame tagging:

· Inter-Switch Link (ISL) – Cisco’s proprietary VLAN tagging protocol.

· IEEE 802.1Q – IEEE’s VLAN tagging protocol. Since it is an open standard, it can be used for tagging between switches from different vendors.

Security of VLAN

There are several tangible security vulnerabilities in VLAN deployments that can increase business risk if they are not properly understood and mitigated:

Address Resolution Protocol (ARP) attack

ARP was developed at a time when security was not such an issue. Consequently, the protocol simply assumes that everyone is friendly and that responses can be taken at face value. If a host broadcasts an ARP request to the network, it expects only the relevant host to respond. Similarly, if a host announces its presence by sending out a gratuitous ARP, other hosts expect that it is telling the truth and believe what it broadcasts. This, of course, works well until a malicious host appears. In Figure 2, a host starts broadcasting a gratuitous ARP, announcing itself as the holder of the IP address of the default gateway, 10.3.2.1. PCs, routers and other hosts may cache information gained from gratuitous ARPs for future communications. As a result, anything from a legitimate host will be routed through the malicious host as the default gateway. The attacker then pushes the data on to the real default gateway. This allows the attacker to view traffic on the way out of the network, but incoming traffic bypasses the attacker. To see incoming traffic as well, the attacker also needs to broadcast the address of the targeted host on the LAN so that the default gateway sends the incoming packets to the attacker before they are transmitted to the victim. Now the attacker can see all the incoming and outgoing traffic. One consideration is that without VLANs this attacker could affect the entire LAN, so VLANs do mitigate this sort of attack. Another way of mitigating these ‘Man in the Middle’ attacks is to use Private VLANs to force hosts to talk only to the default gateway, but this is not always practical.
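
The gratuitous-ARP poisoning described above can be detected on the wire by tracking which MAC claims each IP address and alerting when the default gateway's binding changes. The following Python is an added example and not part of the original report: the 10.3.2.1 gateway is the address from the page's Figure 2, the MAC addresses are constructed test values, and the parse_arp, ArpWatch and build_arp names are assumptions of this example.

```python
import struct

ARP_REPLY = 2


def parse_arp(pkt: bytes) -> dict:
    """Parse a 28-byte Ethernet/IPv4 ARP packet (the bytes after the Ethernet header)."""
    if len(pkt) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = pkt[8:14], pkt[14:18], pkt[18:24], pkt[24:28]
    return {"op": op,
            "sender_mac": sha.hex(":"), "sender_ip": ".".join(map(str, spa)),
            "target_mac": tha.hex(":"), "target_ip": ".".join(map(str, tpa)),
            # a gratuitous ARP announces the sender's own address: sender IP == target IP
            "gratuitous": spa == tpa}


class ArpWatch:
    """Learn IP -> MAC bindings from ARP replies/announcements and flag changes.
    Addresses in `protected` (the default gateway here) are pinned to the first MAC
    seen; a later claim from another MAC is the poisoning pattern described above."""

    def __init__(self, protected_ips):
        self.table = {}
        self.protected = set(protected_ips)

    def observe(self, pkt: bytes) -> list:
        """Feed one ARP packet; return a list of alert strings (usually empty)."""
        arp = parse_arp(pkt)
        if arp["op"] != ARP_REPLY and not arp["gratuitous"]:
            return []  # plain "who has X?" requests assert nothing
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        old = self.table.get(ip)
        if old is None or old == mac:
            self.table[ip] = mac
            return []
        if ip not in self.protected:
            self.table[ip] = mac  # ordinary hosts may legitimately move
        return ["%s: %s moved from %s to %s%s" % (
            "HIGH" if ip in self.protected else "LOW", ip, old, mac,
            " (gratuitous)" if arp["gratuitous"] else "")]


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct an ARP packet for testing (constructed data, not a capture)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
```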

Double Tagging/Double Encapsulation VLAN Hopping Attack

This is a development of switch spoofing, as many systems are now configured correctly to prevent switch spoofing. The exploit this time is to build a packet with two 802.1Q VLAN headers, as shown on the left of Figure 4. The first router strips off the first header and sends it on to router 2. Router 2 strips the second header and sends the packet to the destination. This attack sends a packet in only one direction, but still gives the attacker access to hosts that should not be accessible. It only works if the trunk has the same native VLAN as the attacker. To mitigate this attack, auto-trunking should be disabled and a dedicated VLAN ID should be used for all trunk ports. Finally, avoid using VLAN 1.
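
Both the frame-tagging description and the double-tagging attack above come down to how the 802.1Q tag stack is laid out in the frame. The following Python is an added example, not code from the original report: it walks the stacked tags and reports the patterns a monitoring port should never see from an end-station (a tagged frame on an access port, two stacked tags, an outer tag equal to the trunk's native VLAN). The frames are constructed test data and the parse_frame, check_ingress and build_frame names are assumptions of this example.

```python
import struct

TPID_8021Q = 0x8100   # standard 802.1Q tag
TPID_8021AD = 0x88A8  # 802.1ad "QinQ" outer tag, parsed the same way


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet header and walk every stacked VLAN tag that follows it.

    Returns the MACs, the VLAN IDs outer-to-inner, the final EtherType and the
    offset at which the payload starts.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, offset, vlans = frame[0:6], frame[6:12], 12, []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": vlans,
            "ethertype": ethertype, "payload_offset": offset + 2}


def check_ingress(frame: bytes, port_mode: str, native_vlan: int = 1) -> list:
    """Findings for a frame arriving on a switch port ('access' or 'trunk').

    Mirrors the mitigations above: an end-station on an access port has no
    reason to send tagged frames, two stacked tags are the double-tagging
    pattern, and an outer tag equal to the trunk's native VLAN is the case in
    which the first switch strips it and forwards the inner tag onwards.
    """
    vlans = parse_frame(frame)["vlans"]
    findings = []
    if port_mode == "access" and vlans:
        findings.append("tagged frame on access port")
    if len(vlans) >= 2:
        findings.append("double-tagged frame (VLAN hopping pattern)")
    if vlans and vlans[0] == native_vlan:
        findings.append("outer tag equals native VLAN %d" % native_vlan)
    return findings


def build_frame(vlans, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Construct a test frame with the given tag stack (constructed data)."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("00112233aabb")
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid)  # PCP and DEI bits left at 0
    return hdr + struct.pack("!H", ethertype) + payload
```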

Cisco Discovery Protocol (CDP) Attack

CDP is a feature that allows Cisco devices to exchange information and configure the network to work smoothly together. The information being sent is sensitive, such as IP addresses, router models, software versions and so on. It is all sent in clear text, so any attacker sniffing the network is able to see this information and, as it is unauthenticated, it is possible to impersonate another device. The best option is to disable CDP where possible. However, CDP can be useful and, if it can be isolated by not allowing it on user ports, then it can help make the network run more smoothly.

Multicast Brute-Force Attack

A multicast brute-force attack searches for failings in the switch software. The attacker tries to exploit any potential vulnerability in a switch by storming it with multicast frames. As with CAM overflow, the aim is to see if a switch receiving a large amount of layer 2 multicast traffic will “misbehave”. The switch should limit the traffic to its original VLAN, but if the switch does not handle this correctly, frames might leak into other VLANs if routing connects them. This type of attack is pretty speculative, as it looks for the switch to mishandle multicast frames. The switch should contain all the frames within their appropriate broadcast domain and an attack of this nature should not be possible. However, switches have failed to handle this form of attack in the past and hence it is another attack vector.

Sub-Interfaces

A sub-interface is a logical interface that uses its “parent” physical interface to actually move the data. If we had a router with only one physical interface but needed it connected to two IP networks so that it could route between them, we could create two logical sub-interfaces, assign each sub-interface an IP address within its subnet, and then route between them. When we create the sub-interfaces on the router, we tell the router which VLAN to associate with each sub-interface on the same line as the encapsulation command.

VTP Types

VLAN
Trunk Protocol (VTP) reduces administration in a switched network. When you
configure a new VLAN on one VTP server, the VLAN is distributed through all
switches in the domain. This reduces the need to configure the same VLAN
everywhere. VTP is a Cisco-proprietary protocol that is available on most of
the Cisco Catalyst series products.

VTP Modes

You can configure a switch to operate in any one of these VTP modes:

· Server—In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters, such as VTP version and VTP pruning, for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. VTP server is the default mode.

· Client—VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.

· Transparent—VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements, but transparent switches do forward VTP advertisements that they receive out their trunk ports in VTP Version 2.

Router-Switch Topology

A hub is a networking device that allows one to connect multiple PCs to a single network. Hubs may be based on Ethernet, Firewire, or USB connections. A switch is a control unit that turns the flow of electricity on or off in a circuit. It may also be used to route information patterns in streaming electronic data sent over networks. In the context of a network, a switch is a computer networking device that connects network segments.

Designing the lab

Diagram 1

Configuration files

These are the configs of all routers and switches in the topology:

Umabelh Router

!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Umabelh
!
interface Loopback0
 ip address 172.16.200.1 255.255.255.252
!
interface FastEthernet0/0
 ip address 172.16.4.1 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0
 ip address 172.16.100.2 255.255.255.252
 clock rate 9600
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 10
 network 172.16.100.0 0.0.0.3
 network 172.16.200.0 0.0.0.3
 network 172.16.4.0 0.0.0.255
 no auto-summary
!
ip classless
!
!
line con 0
line vty 0 4
 login
!
!
!
end

Alkuwair Router

!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Alkuwair
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.16.3.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0
 ip address 172.16.100.1 255.255.255.252
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 10
 network 172.16.1.0 0.0.0.255
 network 172.16.2.0 0.0.0.255
 network 172.16.3.0 0.0.0.255
 network 172.16.100.0 0.0.0.3
 no auto-summary
!
ip classless
!
line con 0
line vty 0 4
 login
!
!
!
end

Switch1

!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch1
!
!
!
vlan 10
 name Staff
!
vlan 20
 name Student
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/7
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/8
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface Vlan1
 ip address 172.16.1.2 255.255.255.0
!
ip default-gateway 172.16.1.1
!
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
end

Switch2

!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch2
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/7
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/8
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface Vlan1
 ip address 172.16.1.3 255.255.255.0
!
ip default-gateway 172.16.1.1
!
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
end
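
The mitigations listed in the security section (a dedicated native VLAN rather than VLAN 1 on trunks, auto-trunking disabled, CDP kept off user ports, port-security on access ports, unused ports shut down) can be checked mechanically against switch configs like the ones above. The following Python is an added example and not part of the lab: SAMPLE_CONFIG is a constructed excerpt in the style of the Switch1 config, and the parse_interfaces and audit_switch names are assumptions of this example.

```python
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 no cdp enable
!
"""  # constructed excerpt in the style of the Switch1 config above

def parse_interfaces(config: str) -> dict:
    stanzas, current = {}, None  # {interface name: [its indented sub-commands]}
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any top-level command ends the stanza
    return stanzas

def audit_switch(config: str) -> dict:
    """Map each switchport to the mitigations from the security section it lacks."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if not name.startswith(("FastEthernet", "GigabitEthernet")):
            continue  # SVIs and loopbacks are not switchports
        issues = findings.setdefault(name, [])
        if "switchport mode trunk" in cmds:
            native = next((int(c.split()[-1]) for c in cmds
                           if c.startswith("switchport trunk native vlan ")), 1)
            if native == 1:
                issues.append("trunk native VLAN is 1; use a dedicated unused VLAN")
            if "switchport nonegotiate" not in cmds:
                issues.append("auto-trunking (DTP) not disabled")
        elif "switchport mode access" in cmds:
            if "switchport port-security" not in cmds:
                issues.append("port-security not enabled")
            if "no cdp enable" not in cmds:
                issues.append("CDP still enabled on a user port")
        elif "shutdown" not in cmds:
            issues.append("no mode set and not shut down (DTP may negotiate a trunk)")
    return {port: bad for port, bad in findings.items() if bad}
```

Run against a full running-config the same way; ports that pass every check are left out of the result.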

Testing the configuration and show commands

These are snapshots from the devices after applying the previous configs, with the appropriate show commands run to verify that the configuration is correct.

Umabelh Router

Serial interface
Loopback interface
Interfaces and their IPs:
EIGRP routing protocol and assigned connected networks:
The routing table:

Alkuwair Router

Serial interface
EIGRP routing protocol and assigned connected networks
The routing protocol
Interfaces and sub-interfaces and their IPs:

Switch1

VLANs and port assignments
Port security on port f0/1
Port security on port f0/5
Port security on all ports
Port security address
VTP status
Interface vlan 1
Disconnect a PC and connect another PC
Shutdown of the port by port security

Switch2

VTP status
Interface vlan 1

PC connectivity

Test the connection between all PCs and networks
