VLANS Advantages and Disadvantages
VLANs provide many
advantages such as easy administration reduces broadcast traffic and prosecution
of security policies.
VLANs allow logical grouping of end-device that
are physically isolated on network
With VLANs there is no need to have more
routers deployed on the network to contain broadcast traffic.
Quarantine of broadcast domains on network reduces
Limits of ports
Physical interfaces are configured to have 1 interface in VLAN. On
networks with more than 1 VLAN using single router to achieve
routing isn’t possible.
Sub interfaces allow router to scale to house more VLANs than
the physical interfaces.
Because there is no contention for bandwidth on physical interfaces. In busy
network this cause bottleneck for communication.
and Trunk Ports
Connecting physical interfaces for inter-VLAN routing needs that the
switch ports be configured as access ports.
sub interfaces need the switch port to be configured as trunk port so
that it can take VLAN tagged (ISL or 802.1Q) traffic on the trunk link.
the context of Ethernet VLANs use the term Ethernet trunking to mean carrying
multiple VLANs over single network link through the use of trunking protocol.
To allow for many VLANs on single link frames from distinct VLANs must be recognized.
The most common method IEEE 802.1Q adds tag to the Ethernet frame labeling it
as belonging to certain VLAN. Cisco also has proprietary trunking protocol
called Inter-Switch Link which encapsulates Ethernet frame with its container which
labels frame as belonging to specific VLAN.
Frame tagging is used to
identify the VLAN that the frame belongs to in network with many VLANs. The
VLAN ID is located on the frame when it reaches switch from access port. That
frame can then be forwarded out the trunk link port. Each switch can see what
VLAN the frame belongs to and can forward the frame to equivalent VLAN access
ports or to another VLAN trunk port.
protocols are used today for frame tagging:
Link (ISL) – Cisco’s exclusive VLAN tagging protocol.
802.1q – IEEE’s VLAN tagging protocol. Since it is open standard it can be used
for tagging between switches from different brands.
are several security vulnerabilities in Vlans.
If host broadcasts ARP request to the network only
the applicable host reply. This let the attacker to sight traffic on the way
out of the network. The attacker wants to broadcast the address of the device
they are trying to attack on the LAN to get the gateway to send the received
packets to himself before spreading them to the target. it can see all the
traffic received and outbound. one reflection is that without VLAN this
attacker might affect the complete LAN VLANs do alleviate this sort of
attack. Additional way of justifying these ‘Man in the Middle Attack’ is
to use Secluded VLANs to force hosts to only connect to the gateway.
Double Encapsulation/ Double Tagging VLAN Hopping Attack
This is Switch Spoofing systems are now configured
properly to avoid Switch Spoofing. building packet with 802.1Q VLAN headers.
The 1st router strips off the 1st header and sends it on to second router.
Router 2 strips the second header and send the packet to the end point.
It works only if the trunk has the same native VLAN as the attacker. To avoid
this attack disable auto-trunking and use devoted VLAN ID for all trunk ports.
Cisco Discovery Protocol (CDP) Attack
CDP is feature that permits Cisco devices to
exchange information and configure the network to work easily together.
The information sent is sensitive such as router models IP addresses software
versions. It is all sent in plain text so any attacker sniffing the
network is able to get this information and it is possible to impersonate
another host. disable CDP to avoid this.
Multicast Brute-Force Attack
multicast brute-force attack hunts for faults
in switch software. The attacker attempts to exploit any possible weakness
in switch by attack it with multicast frames. with CAM overflow the goal
is to see if switch getting huge amount of layer 2 multicast traffic will “disobey”.
switch should limit the traffic to its own VLAN but if the switch doesn’t handle
this properly frames may leak into another VLAN if routing connects them.
The switch should contain all the frames within their proper broadcast domain
and attack of this nature shouldn’t be conceivable. However, switches
have disastrous to handle this form of attack in the past and henceforth it is additional
sub-interface is logical interface that uses
the “parent” physical interface for moving the data.
If we had router with only 1 physical interface but need to have the router
connected to 2 IP networks so that it could do routing we could create 2
logical sub interfaces assign each sub interface IP address within each subnet and
we can route between it.
Creating the sub interfaces on the routers we tell the router which VLAN to
associate with that sub interface in the same line as the encapsulate command
Trunk Protocol (VTP) reduces management in switched network. When we configure new
VLAN on 1 VTP server the VLAN is spread through all switches in the domain.
This decreases the need to configure the same VLAN everywhere. VTP is Cisco-proprietary
You can configure switch to operate in any of
these VTP modes:
Server: In this
mode we can create delete and modify VLANs and specify further configuration
parameters for the entire VTP domain. VTP servers advertise their VLAN
configuration to other devices in the same VTP domain and synchronize VLAN
configuration with other switches based on advertisements received from trunk
links. default mode is VTP server.
clients act the same way as VTP servers but we cannot create or change or
delete VLANs on VTP client.
transparent switches don’t participate in VTP. VTP transparent switch doesn’t advertise
its VLAN configuration and doesn’t synchronize its VLAN configuration based on