VLANs: Back to Layer 2 of the OSI Model PDF
Document Details
Uploaded by Deleted User
EFREI
Yaovi Soglo
Tags
Summary
This document discusses VLANs and their importance in modern networks. It covers topics such as configuration, inter-VLAN routing, and security best practices. It also explores different types of VLANs, such as Data VLANs and Voice VLANs.
Full Transcript
VLANs: back to Layer 2 of the OSI model Yaovi SOGLO [email protected] Learning outcomes Understanding the role of VLANs in network segmentation Differentiate between VLANs Configuring VLANs on a switch Implement inter-VLAN routing Apply best security practices for VL...
VLANs: back to Layer 2 of the OSI model Yaovi SOGLO [email protected] Learning outcomes Understanding the role of VLANs in network segmentation Differentiate between VLANs Configuring VLANs on a switch Implement inter-VLAN routing Apply best security practices for VLANs 2 VLANs 3 Introduction Objectives and benefits : Network isolation: Separate workgroups or departments within Definition: A VLAN (Virtual Local Area an organization, increasing data security and confidentiality. Network) is a logical network created within Traffic optimization: Limits the range of broadcasts, improving a physical network. It enables a network to performance and reducing network congestion. be segmented into several isolated parts, Flexibility and simplified management: Facilitates user management by logically grouping resources and enabling even if they use the same physical centralized administration. infrastructure. 4 VLANs in the OSI Model VLANs segment the network at Layer 2 to isolate and manage local traffic. Layer 3 intervenes to enable communication between these logical segments via inter-VLAN routing. Layer 2: The Data Link Layer VLANs operate mainly at Layer 2 (Data Link) of the OSI model. They use MAC addresses to segment the network into several independent broadcast domains, creating logical sub-networks within the physical network. Layer 3: The Network Layer Although VLANs are created at Layer 2, inter-VLAN routing (communication between VLANs) requires a Layer 3 device (router or Layer 3 switch). Inter-VLAN routing enables VLANs to communicate with each other via IP addresses, facilitating interconnection between network segments. 5 VLAN types Voice VLANs: VoIP (Voice over IP) Data VLANs: These are the most common, and communications are sensitive to latency and are used to isolate data generated by different require high quality of service (QoS). By assigning user groups or departments. For example, you VoIP traffic to a specific VLAN, it is possible to could create one VLAN for marketing department prioritize this traffic and ensure better call quality. users and another for IT department users. There are several types of VLAN: Management VLAN: A management VLAN is used Native VLAN: Native VLAN is used to manage to administer network equipment such as untagged traffic, i.e. frames that are not tagged to switches and routers. This allows management a specific VLAN. By default, all unconfigured ports traffic to be separated from the rest of the user are assigned to the native VLAN. In most traffic, guaranteeing greater security and better implementations, this role is held by VLAN 1. management. 6 Switches L2 and L3: Roles in VLANs Layer 2 (L2) switch : Main function: connects devices within the same VLAN and manages the segmentation of broadcast domains. How it works : Works at Layer 2 (Data Link) and uses MAC addresses to transmit data between ports. Segment the network into VLANs, isolating each VLAN's traffic without the need for routing. Limitation: Does not allow direct communication between VLANs without the intervention of a router or L3 switch. Layer 3 switch (L3) : Main function: In addition to VLAN segmentation, the L3 switch enables inter-VLAN routing. How it works : Works at Layer 3 (Network) and uses IP addresses to enable communication between VLANs. Performs routing functions without the need for an external router, optimizing network speed and efficiency. Benefit: Integrated into a single device, the L3 switch combines routing and switching for more efficient VLAN management. 7 CISCO switches At Cisco, several switch ranges support VLANs. Here are the most common models, classified according to their use: Cisco Catalyst 2960, 3560, 3650, 3850: Entry-level and intermediate models, widely used for enterprise VLAN segmentation. Cisco Catalyst 9300, 9400, 9500: Modular, high- performance switch ranges that enable VLAN segmentation and inter-VLAN routing, ideal for enterprise networks. Cisco Catalyst 6500, 6800, 9600: top-level switches for large networks requiring advanced VLAN functionality, high availability and enhanced security. 8 Other switches Many switch models from other major network brands support VLANs. Here are a few popular examples from HP, Juniper and Netgear: Entry-level: Aruba 2530 Series, Juniper EX Series (EX2200, EX2300, EX3400), Netgear ProSAFE Smart Managed (GS728, GS752). Mid-level switches: Aruba 2930F and 2930M Series, Juniper QFX Series (QFX5100, QFX5200), Netgear M4300 Series. High-performance switches: Aruba 3810 and 5400R Series, Juniper MX Series, Netgear M4500 Series. 9 Basic VLAN configurations Creating, viewing and assigning ports 10 Basic VLAN configuration Access global 1 configuration mode To create VLANs on a Cisco switch 2 Create VLANs 3 Assigning ports to specific VLANs Controls Objective Other commands: show vlan Displaying vlans and port assignments no vlan Displaying vlans and port assignments 11 Trunk mode Trunk mode is used to transport traffic from several VLANs between two network devices, usually between two switches or between a switch and a router. How it works: A port configured in Trunk mode allows frames from several VLANs to pass through. Each frame is tagged to indicate its VLAN of origin, except for the native VLAN. Benefit: Essential for linking several VLANs between different switches and enabling them to communicate across the network. Connecting switches without trunk mode Connecting switches in trunk mode 12 Trunk mode Trunk mode is required to transport multiple VLANs between switches and ensure network continuity. configuration To configure Trunk mode, the command is: switchport mode trunk switchport trunk allowed vlan 13 VLANs Protocols associated with VLANs 14 Protocols associated with VLANs ▪ There's more to VLANs than simply configuring them on a switch. To simplify VLAN management in a complex network environment, several protocols facilitate the configuration, management and automatic negotiation of VLANs between switches. ▪ The main protocols used are VTP (VLAN Trunking Protocol) and DTP (Dynamic Trunking Protocol). 15 VTP (VLAN Trunking Protocol) Purpose: to manage and propagate VLANs across multiple switches on the same network, reducing the need for manual configuration on each switch. Operation: When a VLAN is created or deleted on a switch, the VTP server propagates this change to the other VTP client switches. VTP modes : Server: Creates, modifies and deletes VLANs. Propagation to clients. Client: Cannot create or modify VLANs, but receives information from servers. Transparent: The switch can create and delete VLANs locally, but does not propagate the information to other switches. Advantages : Disadvantages : Centralized VLAN management on multiple Server mode can be risky if misconfigured. switches. Can cause inconsistencies if VLANs are incorrectly Reduces configuration errors. propagated. 16 In this example, the switch is configured to belong to the "MyDomain" Example of VTP VTP domain and is set up as a VTP server, capable of managing VLANs. The use of a VTP password ("MyPassword") secures VTP announcements configuration against unauthorized modification. Here's an example of how to configure a VTP server: 17 DTP (Dynamic Trunking Protocol) Purpose: Automatically negotiates the formation of trunks between two switches. Operation: Allows ports to decide whether they should be in Access or Trunk mode, depending on link configuration and negotiation. DTP modes : Dynamic Auto: The port is waiting for a trunk request. Dynamic Desirable: The port actively initiates trunk negotiation. Access: The port does not allow trunking, it is in access mode. Trunk: The port is forced into trunk mode without negotiation. Advantages : Disadvantages : Automatic negotiation, reducing the need for Can lead to unwanted trunk connections if manual trunk configuration. misconfigured. Suitable for dynamic networks where connections may change frequently. 18 Example of DTP In this example, GigabitEthernet port 0/1 is configured in trunk mode, the native VLAN is set configuration to 999, and DTP negotiation is disabled with the nonegotiate command. 19 VTP/DTP Features VTP DTP Goal Centralized VLAN management across Automatic negotiation of trunks multiple switches between two switches Modes Server, Client, Transparent Dynamic Auto, Dynamic Desirable, Access, Trunk Configuration Reduce VLAN configuration manually Configuring trunk negotiation Benefits Centralized management, fewer errors Easy to set up, dynamic link adaptation Disadvantages Risk of incorrect VLAN propagation Can cause unwanted trunks if incorrectly configured 20 VLANs Routing between VLANs 21 VLANs can be used to segment a network into several Routing independent logical networks. However, to enable these VLANs between VLANs to communicate with each other, an inter-VLAN routing mechanism is required. Inter-VLAN routing allows data to pass between different VLANs via a router or Layer 3 switch. There are two main ways of implementing inter-VLA routing: Router on a Stick (ROAS) Switch Virtual Interface (SVI) 22 Router on a Stick (ROAS) Router on a Stick is a method where a router with a single physical interface is used to route traffic between several VLANs. This physical interface is divided into several sub-interfaces, each associated with a specific VLAN. The switch uses a trunk to transport traffic from several VLANs to the router. The router routes between the various VLANs using these sub- interfaces. Advantages : Disadvantages : Easy-to-implement solution. The router can become a bottleneck if traffic Ideal for small networks with a limited between VLANs is heavy, as all traffic number of VLANs. between VLANs must pass through this single interface. 23 Router on a Stick (ROAS) 24 ▪ Switch Virtual Interface (SVI) is a more modern Switch Virtual Interface (SVI) method based on Layer 3 switches (switches capable of performing routing functions). ▪ With this approach, inter-VLAN routing is performed directly by the switch, without the need for an external router. ▪ How it works : A Layer 3 (or multi-level) switch is used for routing between VLANs. For each VLAN, a virtual interface (SVI) is ▪ Advantages : created. Each SVI acts as a gateway for the No need for an external router. devices in the VLAN. High-performance, scalable solution for The Layer 3 switch routes traffic between large networks. VLANs via SVIs. Routing is performed locally by the switch, reducing potential bottlenecks. 25 On a level 3 switch: (In this example, two virtual interfaces (VLAN Switch Virtual 10 and VLAN 20) are created on the switch, each with an IP address serving as a gateway for hosts in the corresponding Interface (SVI) VLAN. The switch then routes traffic between the VLANs internally). 26 VLAN security 27 Main VLAN threats VLAN security is an essential element in the design of a segmented network. They are vulnerable to: ▪ VLAN Hopping: An attack technique in which an attacker gains access to an unauthorized VLAN by taking advantage of loopholes in the configuration of trunks or native VLANs. ▪ Attacks on trunks: Exploit loopholes in trunk configurations, for example, to access unauthorized VLANs. ▪ Double-tagging attacks: an attack technique in which a frame with two VLAN tags is injected into the network, enabling the attacker to jump from one VLAN to another. 28 Best practices for securing VLANs Configuring native VLANs to prevent VLAN hopping attacks change the default native VLAN (VLAN 1) by setting it to an inactive or isolated VLAN, usually an empty VLAN: this limits the possibilities of exploiting untagged frames. Use of separate VLANs for different types of traffic Segmentation of networks into distinct VLANs can be used to isolate different types of traffic. This separation limits user access to certain parts of the network and improves bandwidth and performance management. Disabling unused ports Unused switch ports should be disabled or placed in a quarantine VLAN that has no access to the network. This prevents attackers from connecting to inactive ports and exploiting the network. Using ACLs (Access Control Lists) Access Control Lists (ACLs) filter traffic between VLANs, limiting communications to authorized flows only. Port Security Port Security limits the number of MAC addresses that can be dynamically learned on a VLAN access port. Securing the VTP protocol We recommend configuring switches in transparent mode, unless VTP synchronization is absolutely necessary. 29 30 Conclusion ▪ We explore the world of VLANs and their crucial importance in segmenting and organizing modern networks. By implementing VLANs, network administrators can isolate user groups, improve security and optimize bandwidth utilization, while simplifying network management. ▪ VLANs are a fundamental element in corporate networks, enabling more efficient management and greater flexibility. Understanding VLANs, port modes and associated management protocols prepares you to design robust, scalable networks capable of meeting the needs of organizations. ▪ With the skills acquired in this module, you are now able to configure and optimize a local network using VLANs, taking into account best practices and security considerations. 31 Thank you for your attention!
