
VLAN Advantages and Disadvantages

VLANs provide many advantages, such as easier administration, reduced broadcast traffic and enforcement of security policies.

VLANs allow logical grouping of end devices that are physically separated on the network. With VLANs there is no need to deploy more routers on the network to contain broadcast traffic. Confining broadcast domains on the network reduces traffic.

Port limits: with physical interfaces, each interface is configured to sit in one VLAN. On networks with more than one VLAN, using a single router to achieve inter-VLAN routing is not possible this way. Sub-interfaces allow a router to scale to accommodate more VLANs than it has physical interfaces.


Performance: with one physical interface per VLAN there is no contention for bandwidth. When several VLANs share a single physical link, a busy network can turn that link into a bottleneck for communication.

Access and Trunk Ports: connecting physical interfaces for inter-VLAN routing requires that the switch ports be configured as access ports. Sub-interfaces need the switch port to be configured as a trunk port so that it can carry VLAN-tagged (ISL or 802.1Q) traffic on the trunk link.

Trunking Concepts

In the context of Ethernet VLANs, the term Ethernet trunking means carrying multiple VLANs over a single network link through the use of a trunking protocol. To allow many VLANs on a single link, frames from distinct VLANs must be distinguishable. The most common method, IEEE 802.1Q, adds a tag to the Ethernet frame labeling it as belonging to a certain VLAN. Cisco also has a proprietary trunking protocol called Inter-Switch Link (ISL), which encapsulates the Ethernet frame in its own container that labels the frame as belonging to a specific VLAN.

Frame Tagging

Frame tagging is used to identify the VLAN that a frame belongs to in a network with many VLANs. The VLAN ID is placed on the frame when it reaches the switch from an access port. That frame can then be forwarded out a trunk port. Each switch can see which VLAN the frame belongs to and can forward it to the corresponding VLAN access ports or to another VLAN trunk port. Two trunking protocols are used today for frame tagging:

· Inter-Switch Link (ISL): Cisco's proprietary VLAN tagging protocol.
· IEEE 802.1Q: the IEEE's VLAN tagging protocol. Since it is an open standard, it can be used for tagging between switches from different vendors.

Security in VLANs

There are several security vulnerabilities in VLANs.

ARP attack: if a host broadcasts an ARP request to the network, only the applicable host should reply. This lets an attacker see traffic on its way out of the network: the attacker broadcasts the address of the device they are attacking on the LAN so that the gateway sends packets meant for the target to the attacker first, who then passes them on to the target. In this way the attacker can see all traffic received and outbound. One observation is that without VLANs this attacker could affect the complete LAN; VLANs do mitigate this sort of attack. An additional way of defending against these man-in-the-middle attacks is to use private VLANs to force hosts to connect only to the gateway.

Double Encapsulation / Double Tagging VLAN Hopping Attack: systems are now configured properly to avoid switch spoofing, so this attack instead builds a packet with two 802.1Q VLAN headers. The first router strips off the first header and sends the packet on to the second router. The second router strips the second header and sends the packet to the end point.
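To make the frame-tagging and double-tagging sections concrete, here is an added example (not code from the original essay) that builds and parses 802.1Q-tagged Ethernet frames, flags the double-tag pattern from a defender's point of view, and models a router with two VLAN sub-interfaces that routes between them. The MAC addresses, IP subnets, VLAN IDs and the native VLAN are constructed sample values.

```python
"""802.1Q frame tagging and router-on-a-stick sub-interfaces, modelled in Python.

Added example (not code from the original essay). The MAC addresses, IP
subnets, VLAN IDs and the native VLAN below are constructed sample values.
"""
import ipaddress
import struct

TPID_8021Q = 0x8100      # IEEE 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst_mac, src_mac, vlan_ids, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with zero, one or two 802.1Q tags (outer tag first)."""
    frame = _mac(dst_mac) + _mac(src_mac)
    for vid in vlan_ids:
        # tag = TPID + TCI; TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits), PCP/DEI left 0
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (vlan_ids outer->inner, ethertype, payload) for a frame."""
    offset = 12                                  # skip destination + source MAC
    vlans = []
    while struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlans.append(tci & 0x0FFF)
        offset += 4
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    return vlans, ethertype, frame[offset + 2:]


def double_tag_alert(frame, native_vlan):
    """Defender-side check for the double-tagging pattern: two tags, and the outer
    tag equals the trunk's native VLAN (so the first device strips it and the inner
    tag would carry the frame into another VLAN). Returns a message or None."""
    vlans, _, _ = parse_tags(frame)
    if len(vlans) >= 2 and vlans[0] == native_vlan:
        return f"double-tagged frame: outer VLAN {vlans[0]} is native, inner VLAN {vlans[1]}"
    return None


def ipv4_header(src_ip, dst_ip):
    """Minimal 20-byte IPv4 header (checksum left 0; enough for the routing demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 0, 0,
                       ipaddress.ip_address(src_ip).packed,
                       ipaddress.ip_address(dst_ip).packed)


class RouterOnAStick:
    """One physical interface; each sub-interface is bound to one VLAN and one subnet,
    the way 'encapsulation dot1Q <vlan>' plus an IP address does on a router."""

    def __init__(self, subinterfaces):
        # {vlan_id: "subnet/prefix"}
        self.subifs = {vid: ipaddress.ip_network(net) for vid, net in subinterfaces.items()}

    def route(self, frame):
        """Return the egress VLAN for a frame, or None if it must be dropped."""
        vlans, ethertype, payload = parse_tags(frame)
        # accept exactly one tag matching a sub-interface: untagged, double-tagged
        # or unknown-VLAN frames are dropped rather than guessed at
        if len(vlans) != 1 or vlans[0] not in self.subifs or ethertype != ETHERTYPE_IPV4:
            return None
        dst_ip = ipaddress.ip_address(payload[16:20])     # IPv4 destination address
        for vid, net in self.subifs.items():
            if dst_ip in net:
                return vid
        return None


def demo():
    router = RouterOnAStick({10: "192.168.10.0/24", 20: "192.168.20.0/24"})
    pkt = ipv4_header("192.168.10.5", "192.168.20.7")
    normal = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", [10], pkt)
    doubled = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", [1, 20], pkt)
    return {
        "tags": parse_tags(normal)[0],
        "egress_vlan": router.route(normal),
        "alert": double_tag_alert(doubled, native_vlan=1),
        "double_tag_routed": router.route(doubled),
    }


if __name__ == "__main__":
    print(demo())
```

The router accepts only singly tagged frames for a VLAN it has a sub-interface on; a double-tagged frame is dropped by the router and reported by the check, which is the behaviour a defender wants when the native VLAN has not been moved off the trunk.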

The attack works only if the trunk has the same native VLAN as the attacker. To prevent it, disable auto-trunking and use a dedicated VLAN ID for all trunk ports.

Cisco Discovery Protocol (CDP) Attack: CDP is a feature that permits Cisco devices to exchange information and configure the network to work together easily. The information sent is sensitive, such as router models, IP addresses and software versions. It is all sent in plain text, so any attacker sniffing the network is able to obtain this information, and it is possible to impersonate another host. Disable CDP to avoid this.

Multicast Brute-Force Attack: a multicast brute-force attack hunts for faults in switch software. The attacker attempts to exploit any possible weakness in the switch by flooding it with multicast frames. As with CAM overflow, the goal is to see whether a switch receiving a huge amount of Layer 2 multicast traffic will "misbehave". The switch should limit the traffic to its own VLAN, but if the switch does not handle this properly, frames may leak into another VLAN if routing connects them. The switch should contain all frames within their proper broadcast domain, and an attack of this nature should not be possible. However, switches have failed to handle this form of attack in the past, and hence it is an additional attack vector.

Sub-Interfaces

A sub-interface is a logical interface that uses the "parent" physical interface for moving the data. If we had a router with only one physical interface but needed the router connected to two IP networks so that it could route between them, we could create two logical sub-interfaces, assign each sub-interface an IP address within its subnet, and route between them. When creating the sub-interfaces on the router, we tell the router which VLAN to associate with each sub-interface on the same line as the encapsulation command.

VTP Types

VLAN Trunk Protocol (VTP) reduces management in a switched network. When we configure a new VLAN on one VTP server, the VLAN is spread through all switches in the domain. This decreases the need to configure the same VLAN everywhere. VTP is a Cisco-proprietary protocol.

VTP Modes: you can configure a switch to operate in any of these VTP modes:

· Server: in this mode we can create, delete and modify VLANs and specify further configuration parameters for the entire VTP domain. VTP servers advertise their VLAN configuration to other devices in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. The default mode is VTP server.
· Client: VTP clients act the same way as VTP servers, but we cannot create, change or delete VLANs on a VTP client.
· Transparent: VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements.
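The three VTP modes above can be seen in action in the following added example (not code from the original essay): a small model in which a server creates a VLAN and advertises it, a client accepts advertisements but refuses local VLAN creation, and a transparent switch keeps its own VLANs local while still relaying advertisements over its trunks. The domain name, switch names, VLAN IDs and VLAN names are constructed, and the configuration-revision comparison is a simplified stand-in for how real VTP decides whether to accept an advertisement.

```python
"""Toy model of VTP server, client and transparent behaviour.

Added example, not code from the original essay. The domain name, switch names,
VLAN IDs and VLAN names are constructed, and the configuration-revision check
is a simplified stand-in for the real protocol's advertisement handling.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advertisement:
    domain: str
    revision: int
    vlans: tuple          # ((vlan_id, name), ...) snapshot of the sender's VLAN table


class VtpSwitch:
    def __init__(self, name, mode, domain):
        if mode not in ("server", "client", "transparent"):
            raise ValueError(mode)
        self.name, self.mode, self.domain = name, mode, domain
        self.revision = 0
        self.vlans = {1: "default"}
        self.trunks = []          # neighbouring switches reached over trunk links
        self.log = []

    def trunk_to(self, other):
        self.trunks.append(other)
        other.trunks.append(self)

    def add_vlan(self, vid, vname):
        """An operator creates a VLAN on this switch."""
        if self.mode == "client":
            self.log.append(f"{self.name}: VLANs cannot be created on a VTP client")
            return False
        self.vlans[vid] = vname
        if self.mode == "server":
            # a server bumps its revision and advertises the whole table to the domain
            self.revision += 1
            self._send(Advertisement(self.domain, self.revision, tuple(self.vlans.items())),
                       origin=None)
        # transparent: the VLAN is local only and nothing is advertised
        return True

    def _send(self, adv, origin):
        for sw in self.trunks:
            if sw is not origin:
                sw.receive(adv, sender=self)

    def receive(self, adv, sender):
        if adv.domain != self.domain:
            return                                    # another VTP domain: ignored
        if self.mode == "transparent":
            # does not apply the advertisement but relays it out its other trunks
            self._send(adv, origin=sender)
            return
        if adv.revision > self.revision:              # servers and clients both sync
            self.vlans = dict(adv.vlans)
            self.revision = adv.revision
            self.log.append(f"{self.name}: synced to revision {adv.revision}")
            self._send(adv, origin=sender)


def build_domain():
    """Chain topology (loop-free, so relaying cannot cycle): s1 - s2 - s3 - s4."""
    s1 = VtpSwitch("s1", "server", "CAMPUS")
    s2 = VtpSwitch("s2", "transparent", "CAMPUS")
    s3 = VtpSwitch("s3", "client", "CAMPUS")
    s4 = VtpSwitch("s4", "server", "CAMPUS")
    s1.trunk_to(s2)
    s2.trunk_to(s3)
    s3.trunk_to(s4)
    return s1, s2, s3, s4


def demo():
    s1, s2, s3, s4 = build_domain()
    s1.add_vlan(10, "users")            # created once on a server, spreads through the domain
    client_ok = s3.add_vlan(20, "refused")
    s2.add_vlan(30, "local-only")       # transparent switch: stays local
    return {sw.name: dict(sw.vlans) for sw in (s1, s2, s3, s4)}, client_ok


if __name__ == "__main__":
    print(demo())
```

Running it shows VLAN 10 appearing on both servers and on the client after a single configuration step, while the transparent switch in the middle neither picks up VLAN 10 nor advertises its own VLAN 30.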

