Network documentation is essential: it provides valuable information and is a great help when the network fails. In a small network of one or two switches and a firewall there isn't much to document, and it is enough to put everything in a single diagram.
For a more extensive network, however, administrators must follow some general principles. The actual documents you need will vary depending on the network, but when designing a new network or mapping an existing one, document it on at least the following points.
Create a network documentation policy.
A network documentation policy is critical, as it describes what aspects of a network need to be documented.
Create network documentation for topology.
Create a topology diagram that provides a visual reference indicating the physical connectivity and the logical Layer 3 addressing. The diagram should include all segments of the network, the routers connecting the various segments, and the servers, gateways and other major pieces of networking hardware. For larger networks, the administrator can create a block diagram of the segments and then a detailed diagram of each individual segment.
Document server names, roles, and IP addresses
The information in a topology diagram is not enough for specific functions; a network administrator needs more information to do the job effectively. So for each server, document its role, IP address and name. A server may have multiple IP addresses or multiple NICs, so document that information as well.
Create a log file for each server.
A log file is an important document for any network device and server. When a server or network device fails, network administrators and engineers trace the failure by looking for recent changes.
The log file records recent changes in the network, such as patch and application installations and modified security settings. It helps troubleshoot problems and can also be used to rebuild the server in the event of a failure.
Software versions, proof of licenses and hardware components
The applications running on each server, their versions and their licences must be documented. The receipt for the software is also an essential part of the network documentation, just in case your customer becomes involved in a software audit. The hardware documentation should include each device connected to the network, its configuration, backups, firmware revision and the password record.
Document the Active Directory
Documenting every aspect of Active Directory is impractical, but Active Directory must be part of the network documentation at least on these critical points:
The domain names in the forest.
The structure of the Active Directory.
The location and contents of each group policy.
Backup procedures
The backup procedure is essential to write down and document because backups are the best defence against failure. The backup software used and its version must be documented. A description of the backups and the backup type are also required.
Label everything
Labelling is an important part of network documentation and networking. Label each server, device and cable. This makes it easy to recognize the different pieces of hardware listed in your network document.
The primary function of a router is forwarding packets in the direction of their destination. The router receives and accepts a packet on one interface and forwards it out via another interface; this is done by the switching function of the router.
A main task of the switching function is to encapsulate packets in the proper data link frame type for the outgoing data link. Cisco routers support three types of packet-forwarding mechanism:
Process switching
This is the oldest and slowest packet-forwarding mechanism. When a packet arrives on a router interface, the router stores the packet in memory, the CPU matches the destination address against an entry in the routing table, and then it assigns the exit interface and forwards the packet.
The router repeats this process for each incoming packet, even if a stream of packets all have the same destination. Therefore process switching is very slow and is rarely used in modern networks.
Recent IOS versions have CEF as the default switching method for IP, but we can enable process switching with the no ip route-cache command in interface configuration mode. In Cisco's analogy, process switching is like solving a math problem by hand every time it is presented, even if it is the same problem.
Figure 1 illustrates the process-switching mechanism. Assume a traffic flow of three packets, all for the same destination. As shown in the figure, with process switching each packet must be processed by the CPU one by one.
Fast switching
Fast switching speeds up process switching by using a cache to store next-hop information. When a packet arrives on an interface, the router passes it on for processing and the CPU searches the fast-switching cache for a match. If there is no match, the packet is process switched and forwarded to the exit interface.
The forwarding information for that packet is also stored in the fast-switching cache. If more packets for the same destination arrive on the interface, the next-hop information in the fast-switching cache is reused without CPU intervention, which improves the speed of this switching method.
In the same analogy, fast switching solves a problem once and remembers the answer for the next time the same problem comes up. Use the ip route-cache command in interface configuration mode to enable fast switching, as follows:
Router>enable
Router# configure terminal
Router(config)# interface fa0/0
Router(config-if)# ip route-cache
Router(config-if)# exit
Router(config)# interface fa0/1
Router(config-if)# ip route-cache
We can verify the fast-switching configuration with the show ip int fa0/0 | se ip fast and show ip cache commands in privileged EXEC mode. As discussed, the first packet to a destination is always process switched, so performance degrades when the router receives a lot of traffic for destinations that are not yet in the cache.
It is also slow when the fast cache is invalidated because a route in the routing table changes, so fast switching is not suitable where a large number of routes change frequently, such as on Internet backbone routers.
Figure 2 illustrates fast switching, where only the first packet of a flow is process switched and its forwarding information is stored in the fast-switching cache. The next two packets are processed quickly based on the information in the cache.
Cisco Express Forwarding (CEF)
This is the method in which the cache is built in advance, even before any packets need to be processed. It is the most recent, most advanced and fastest mechanism for packet forwarding.
CEF builds a Forwarding Information Base (FIB) and an adjacency table, but the entries are not packet triggered as in fast switching; they are updated when there are changes in the network topology. In the same analogy, CEF solves every possible problem ahead of time and records the answers in a spreadsheet.
So, in a converged network, the FIB and adjacency table already contain all the information needed to forward a packet. The FIB contains pre-computed reverse lookups and next-hop information for routes, including the interface and Layer 2 information.
CEF does not wait for a packet before building the cache, which greatly increases switching performance. The CEF configuration process is the following:
Router>enable
Router# configure terminal
Router(config)# interface fa0/0
Router(config-if)# ip route-cache cef
Router(config-if)# exit
Router(config)# interface fa0/1
Router(config-if)# ip route-cache cef
We can verify the configuration using the show ip cef and show adjacency commands in privileged EXEC mode.
Figure 3 illustrates the CEF process, where CEF builds the FIB and adjacency tables after the network has converged and then processes all packets quickly.
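To make the difference between the three mechanisms concrete, here is an added Python model (not from the article or from Cisco) that forwards the same three-packet flow as Figures 1 to 3 through each mechanism and counts how often the CPU must consult the routing table; the routing table prefixes, next hops, interface names and packet flow are constructed for the example.

```python
"""Model of the three IOS packet-forwarding mechanisms described above.
Added example, not Cisco code: the routing table (prefixes, next hops,
interfaces) and the packet flow are constructed for illustration."""
import ipaddress

# Constructed routing table: prefix -> (next hop, exit interface)
ROUTING_TABLE = {
    "10.1.0.0/16":  ("192.0.2.1", "Fa0/0"),
    "10.1.20.0/24": ("198.51.100.1", "Fa0/1"),
    "0.0.0.0/0":    ("203.0.113.1", "Fa0/1"),
}


def route_lookup(table, dst):
    """Longest-prefix match against the routing table (the CPU's job)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, info in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else None


class Router:
    def __init__(self, table, mode):
        self.table = dict(table)
        self.mode = mode            # "process", "fast" or "cef"
        self.packet_lookups = 0     # routing-table lookups triggered by packets
        self.fib_builds = 0         # FIB builds done ahead of traffic (CEF only)
        self.fast_cache = {}        # fast switching: destination -> forwarding info
        self.fib = {}               # CEF: prebuilt prefix -> forwarding info
        if mode == "cef":
            self.build_fib()

    def build_fib(self):
        """CEF builds the FIB from the routing table before any packet arrives;
        the cost is paid once per topology change, not once per packet."""
        self.fib = {ipaddress.ip_network(p): i for p, i in self.table.items()}
        self.fib_builds += 1

    def forward(self, dst):
        """Return (next hop, exit interface) for one packet to dst."""
        if self.mode == "process":
            self.packet_lookups += 1            # every packet hits the CPU
            return route_lookup(self.table, dst)
        if self.mode == "fast":
            if dst not in self.fast_cache:      # first packet is process switched
                self.packet_lookups += 1
                self.fast_cache[dst] = route_lookup(self.table, dst)
            return self.fast_cache[dst]         # later packets reuse the cache
        # CEF: longest match in the prebuilt FIB, no routing-table lookup
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.fib if addr in n]
        if not matches:
            return None
        return self.fib[max(matches, key=lambda n: n.prefixlen)]

    def route_change(self, prefix, info):
        """Topology change: the fast cache is invalidated, CEF rebuilds its FIB."""
        self.table[prefix] = info
        self.fast_cache.clear()
        if self.mode == "cef":
            self.build_fib()


def cpu_cost(mode, flow, change=None):
    """Forward a flow, optionally apply a route change and forward it again.
    Returns (packet-triggered lookups, FIB builds)."""
    r = Router(ROUTING_TABLE, mode)
    for dst in flow:
        r.forward(dst)
    if change:
        r.route_change(*change)
        for dst in flow:
            r.forward(dst)
    return r.packet_lookups, r.fib_builds


if __name__ == "__main__":
    flow = ["10.1.20.5"] * 3     # three packets to one destination, as in Figures 1-3
    change = ("10.1.20.0/24", ("192.0.2.9", "Fa0/0"))
    for mode in ("process", "fast", "cef"):
        print(mode, cpu_cost(mode, flow), cpu_cost(mode, flow, change))
```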
Many devices and technologies work together to enable a network. The primary networking device is the router. Routers connect multiple networks; communication between different networks is not possible without a router. The main functions of the router are to decide the best path to the destination and to send traffic to the next router along that path.
When a packet arrives at a router, the router uses its routing table to decide the best path to the destination network. The destination may be in the local area network or in another country; the router is responsible for delivering the packet.
The effectiveness of communication between networks depends on the ability of routers to send packets in the most efficient way possible. A router does not have video and sound adapters like a computer; it has specialised ports and network interface cards that interconnect it with other networks. The essential parts of a router are the following:
The central processing unit (CPU)
Memory and storage (RAM, ROM, NVRAM, Flash, hard drive)
Operating system (OS)
A router is a specialised computer that uses a CPU to execute operating system instructions, such as system initialisation, routing and switching functions.
It also has memory to store data temporarily and permanently. Cisco devices use the Cisco Internetwork Operating System (IOS) as their software. I already explained router memory in one of my earlier articles:
Routers CPU, OS, and Memory
Users don't know whether various routers are present on their network or on the Internet. They want to access web pages, read and send email, and download music, videos and software without knowing whether the server they access is on their own network or on another network.
Only networking professionals understand the router's responsibility for forwarding packets from network to network, from the source to the destination.
A router connects multiple networks and enables communication between them. It has multiple interfaces, each belonging to a different IP network. When the router receives an IP packet on one of its interfaces, it determines which interface to use to forward the packet toward its destination. The interface the router forwards the packet out of may connect to the destination network or to a network linked to another router that is used to reach the destination.
Each network typically requires a separate interface. Both local-area networks and wide-area networks interconnect through these interfaces. LANs contain devices such as PCs, printers, and servers. WANs connect networks over a large geographical area. For example, a WAN connection is commonly used to connect a LAN to the Internet. The primary functions of the router are the following:
Select the best path to send packets
Forward packets to their destination
The router selects the best path for forwarding data based on its routing table. After receiving a packet, the router examines the packet's destination IP address and searches the routing table for the best path.
The routing table lists the interface used to reach each known network. When a match is found in the routing table, the router encapsulates the packet in the data link frame of the outgoing interface and forwards it toward its destination.
A router has different types of interfaces, so it can receive a packet encapsulated in one kind of data link frame and send it out of an interface using a different kind of data link frame. For example, a router may receive a packet on an Ethernet interface while the exit port uses Point-to-Point Protocol (PPP), so the data is re-encapsulated in the PPP frame type.
A router can connect to different data link technologies, including Ethernet, PPP, Frame Relay, DSL, cable, and wireless (802.11, Bluetooth). Routers use both static routes and dynamic routing protocols to learn about remote networks and maintain routing tables.
Functions of a router in a network
Packet Forwarding: Routers forward data packets between different networks, determining the best path based on routing tables.
Network Layer Routing: Routers operate at the network layer (Layer 3), using destination IP addresses and routing tables to route packets between IP networks.
Interconnect Networks: Routers connect multiple networks, enabling communication between devices on different networks.
Traffic Control: Routers manage network traffic by prioritizing packets, implementing Quality of Service (QoS) and controlling bandwidth usage.
Security: Routers provide security features such as access control lists (ACLs), firewalls and virtual private network (VPN) support to protect networks from unauthorized access and attacks.
NAT (Network Address Translation): Routers perform NAT to translate private IP addresses to public IP addresses, allowing devices on a private network to access the Internet.
DHCP (Dynamic Host Configuration Protocol): Routers can act as DHCP servers, dynamically assigning IP addresses and other network configuration parameters to devices on a network.
VPN (Virtual Private Network): Routers support VPN connections, allowing remote users to access the network securely over the Internet.
Load Balancing: Routers distribute network traffic across multiple links or paths to optimize performance and prevent congestion.
Redundancy: Routers support redundancy protocols such as HSRP (Hot Standby Router Protocol) and VRRP (Virtual Router Redundancy Protocol) to ensure high availability and fault tolerance.
In the previous article, I explained how trunks work. By default, trunk ports carry all VLANs and pass traffic for multiple VLANs across the same physical link between switches. VLANs simplify network administration and maintenance.
They also improve network performance, but they have some weaknesses that attackers can exploit, and it is necessary to understand them. So in this lesson we will discuss VLAN attacks, these weaknesses and how we can protect VLANs from them.
Switch Spoofing VLAN Attacks
Switch spoofing is a VLAN attack that takes advantage of an incorrectly configured trunk port. The resulting VLAN hopping enables traffic from one VLAN to be seen by another VLAN.
The attacker takes advantage of the default switchport mode, which is dynamic auto, and configures a system to spoof itself as a switch. The attacker tricks the switch into thinking that another switch is attempting to form a trunk, and so gains access to all the VLANs allowed on the trunk port. The figure below illustrates the switch spoofing/VLAN hopping attack.
How to Protect Against Spoofing Attacks
We can avoid a switch spoofing attack by turning off trunking on all ports except the ones that specifically require trunking. It is also necessary to disable DTP and enable trunking manually.
The steps for protecting a switch from a spoofing attack are the following. Configure all switches in the network as shown below: configure every access port explicitly as an access port and disable DTP everywhere.
Configure all the trunk ports explicitly as trunk ports and disable DTP on them:
Switch1#configure terminal
Switch1(config)#interface range gigabitethernet 0/20 - 23
Switch1(config-if-range)#switchport mode trunk
Switch1(config-if-range)#switchport nonegotiate
Switch1(config-if-range)#exit
Switch1(config)#exit
Switch1#
Double-Tagging VLAN Attacks
Double-tagging VLAN attacks are also known as double-encapsulated VLAN hopping attacks. In this type of attack, the attacker takes advantage of the way the switch hardware operates.
A double-tagging attack is only possible if the attacker has connectivity to an interface that belongs to the native VLAN of the trunk port. It is a unidirectional attack. Thwarting this type of attack is not as easy as stopping basic VLAN hopping attacks.
Most switches perform only one level of 802.1Q tagging and untagging. In this attack, the attacker modifies the original frame to carry two VLAN tags: an outer tag for the attacker's own VLAN and an inner, hidden tag for the victim's VLAN; the attacker's PC must belong to the native VLAN of the trunk.
An important feature of the double-tagging VLAN hopping attack is that it works even if the attacker's port is not configured as a trunk, because a host typically sends the frame on a segment that is not a trunk link. The figure below illustrates the double-tagging VLAN hopping attack.
The attacker sends a double-tagged 802.1Q frame to Switch1. The frame has two tags; the outer tag is the attacker's tag, which is the same as the native VLAN of the trunk port, VLAN 1 in this example.
The switch accepts the tagged frame from the attacker as if it had arrived on a trunk port or a port with a voice VLAN, even though a switch should not receive a tagged Ethernet frame on an access port. The inner tag is the victim VLAN, VLAN 10 in this example.
When Switch1 receives the frame, it reads the first 4-byte 802.1Q tag and determines that the frame belongs to VLAN 1, the native VLAN. After removing the outer VLAN 1 tag, the switch sends the frame out on all VLAN 1 ports.
The trunk is also part of the native VLAN, so the switch sends the frame out the trunk port without re-tagging it; the VLAN 10 tag is still part of the frame and Switch1 has not inspected it.
Switch0 now looks at the 802.1Q tag, which is the inner VLAN 10 tag, and concludes that the frame is for VLAN 10, the target VLAN. Switch0 removes the VLAN 10 tag and sends the frame to the victim port, or floods it, depending on its MAC address table.
The best practice to mitigate double-tagging VLAN attacks is to make the native VLAN of the trunk ports different from the VLAN of any user port. Use a fixed VLAN that is separate from all user VLANs in the switched network as the native VLAN for all 802.1Q trunks.
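As an added example (not part of the article or a Cisco tool), the following Python script audits a switch running-config for the two weaknesses just described: ports left negotiable by DTP (switch spoofing) and trunk native VLANs shared with user ports (double tagging). The configuration excerpt, interface names and VLAN numbers are constructed for illustration.

```python
"""Audit an IOS switch configuration for the two VLAN-hopping weaknesses
described above: DTP left negotiable (switch spoofing) and a trunk native
VLAN that is also a user VLAN (double tagging). Added example, not Cisco
tooling; the configuration text, interface names and VLAN numbers are
constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed running-config excerpt: one trunk that still negotiates, one port
# left at factory defaults, one hardened access port and one hardened trunk.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink to Switch0
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/2
 description user port left at defaults
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/4
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
"""


@dataclass
class Port:
    name: str
    mode: str = "dynamic auto"   # IOS default switchport mode
    nonegotiate: bool = False
    native_vlan: int = 1         # IOS default native VLAN for 802.1Q trunks
    access_vlan: int = 1         # IOS default access VLAN


def parse_switchports(config):
    """Extract the switchport settings of every interface block."""
    ports, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                              # blank line or section separator
        if not line.startswith(" "):              # top-level command
            m = re.match(r"interface (\S+)$", line)
            current = Port(m.group(1)) if m else None
            if current:
                ports.append(current)
            continue
        if current is None:
            continue
        cmd = line.strip()
        if m := re.match(r"switchport mode (trunk|access|dynamic auto|dynamic desirable)$", cmd):
            current.mode = m.group(1)
        elif cmd == "switchport nonegotiate":
            current.nonegotiate = True
        elif m := re.match(r"switchport trunk native vlan (\d+)$", cmd):
            current.native_vlan = int(m.group(1))
        elif m := re.match(r"switchport access vlan (\d+)$", cmd):
            current.access_vlan = int(m.group(1))
    return ports


def audit(ports):
    """Return (port, finding code, advice) tuples for the weaknesses found."""
    findings = []
    # Any port that is not a static trunk ends up carrying its access VLAN,
    # so those VLANs count as user VLANs for the native-VLAN check.
    user_vlans = {p.access_vlan for p in ports if p.mode != "trunk"}
    for p in ports:
        if p.mode.startswith("dynamic"):
            findings.append((p.name, "dtp-negotiable",
                             f"mode '{p.mode}' lets an attached host negotiate a trunk; "
                             "set 'switchport mode access' (or 'trunk') explicitly"))
        elif not p.nonegotiate:
            findings.append((p.name, "dtp-enabled",
                             "static mode but DTP frames still sent; add 'switchport nonegotiate'"))
        if p.mode == "trunk" and p.native_vlan in user_vlans:
            findings.append((p.name, "native-vlan-shared",
                             f"native VLAN {p.native_vlan} is also a user VLAN; "
                             "use a dedicated, otherwise unused VLAN as the trunk native VLAN"))
    return findings


if __name__ == "__main__":
    for port, code, advice in audit(parse_switchports(SAMPLE_CONFIG)):
        print(f"{port}: [{code}] {advice}")
```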
PVLAN Edge
The Private VLAN (PVLAN) Edge concept is used for Layer 2 security. A private VLAN is a method to group hosts and control traffic inside a single broadcast domain. For example, some applications require no Layer 2 communication between ports on the same switch, so that a host does not see the traffic generated by a neighbouring host. Ports configured with the PVLAN Edge feature are also known as protected ports.
A protected port restricts direct Layer 2 communication between any two protected ports on the same switch. This makes attacks between such hosts much more difficult; however, the protection applies only at Layer 2.
PVLANs are not intended or designed to protect against Layer 3 attacks. Forwarding between a protected port and a non-protected port behaves as usual. The figure below shows a switch with PVLAN Edge configured on the first 20 ports. As a result, the PCs connected to these ports cannot communicate with each other.
Configuration of PVLAN
Protected ports require manual configuration. To configure the PVLAN Edge feature, follow the steps below:
Switch(config)#interface range fa0/22 - 24
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport protected
Verifying the Configuration
We can verify the configuration using show running-config; we can also use the show interfaces switchport command, which shows whether an interface is set as protected, i.e. its PVLAN Edge status.
CAM Table Overflow/Media Access Control (MAC) Attack
The CAM table stores the MAC addresses learned on each physical port along with the configured VLAN. In a CAM table overflow attack, the attacker targets the CAM table, which has a fixed size.
The attacker connects to a physical port and generates a huge number of MAC entries. When the CAM table fills and there is no space for more MAC entries, the switch floods traffic that has no CAM entry out of all ports of the VLAN in question.
Traffic to hosts that still have a CAM entry is not affected, but traffic on adjacent switches can also be affected. We can mitigate this type of attack by specifying the allowed MAC addresses and limiting the number of MAC addresses per port. If an invalid MAC address is seen, the MAC address can be blocked or the port shut down.
Address Resolution Protocol (ARP) attack
An ARP attack is also known as ARP spoofing. It is a type of cyber attack carried out over a local area network (LAN). ARP was designed for efficiency, not for security, so ARP attacks are easy. The attacker sends false ARP messages over the LAN, which results in the attacker's MAC address being bound to the IP address of a legitimate server or host.
Once the attacker's MAC address is associated with an authentic IP address, the attacker begins receiving any data destined for that IP address. An ARP attack enables attackers to intercept, modify or stop data in transit. ARP spoofing attacks can only occur on local area networks that use the Address Resolution Protocol.
VLAN Management Policy Server (VMPS)/ VLAN Query Protocol (VQP) attack
This type of attack targets VMPS. A VMPS is a network switch that holds a mapping of device information to VLANs. It assigns VLANs based on the MAC address of the host and stores these relationships in a database.
This database is usually part of the VMPS and is queried using the VLAN Query Protocol (VQP). VQP is an unauthenticated protocol that uses UDP (User Datagram Protocol), which makes manipulation easy for an attacker.
As a result, because there is no authentication, an attacker can use VQP to join a VLAN that he or she is not authorised to access. To reduce the chance of this attack, monitor the network for misbehaviour, send VQP queries out-of-band, or disable the protocol.
Cisco Discovery Protocol (CDP) Attack
Most Cisco routers and switches have CDP enabled in the default configuration, out of the box. CDP is a Cisco proprietary Layer 2 protocol that allows Cisco devices to exchange information so that the network can be configured to work smoothly together. CDP information is sent in periodic broadcasts that update each device's CDP database locally; because CDP is a Layer 2 protocol, routers do not propagate it.
All CDP information is sent over the network in cleartext, so an attacker with access to the segment can capture it with Wireshark or another network analyzer and learn details of the network. To reduce this exposure, disable CDP where possible. CDP is still useful, however, and if it is isolated by not allowing it on user ports, it can help the network run more smoothly.
Trunk link problems are common and mostly occur due to incorrect configuration, so troubleshooting trunk links is a common task in networking. If a problem with a trunk is found and the cause is unknown, first check the trunks for a native VLAN mismatch.
If the native VLAN is correct, check for trunk mode mismatches and, lastly, check the allowed VLAN list on the trunk. The following types of error generally occur when configuring trunk links.
Native VLAN Mismatches on Trunk Links
Sometimes a switch port behaves like a trunk even if it is not configured as one. If an access port accepts frames from VLANs other than the VLAN to which it is assigned, this is called VLAN leaking. To troubleshoot VLAN leaking, check that the local and peer native VLANs match using the show interfaces trunk command; VLAN leaking occurs if the native VLAN is not the same on both sides.
Trunk ports on the two sides of a link configured with different native VLANs are known as a native VLAN mismatch. Native VLAN mismatches affect inter-VLAN routing, among other problems, and are also a security risk. CDP displays a console notification message when it detects a native VLAN mismatch.
Figure 1 illustrates the console notification of a native VLAN mismatch: the native VLAN on one side of the trunk link is VLAN 1 and on the other side it is VLAN 30. A frame sent from VLAN 1 on one side is received on VLAN 30 on the other side, so VLAN 1 leaks into the VLAN 30 segment.
Static configuration of trunk links is therefore the best practice. Cisco Catalyst switches attempt to negotiate a trunk link by default. Use the show interfaces trunk command to display the status of the trunk and the native VLAN used on that trunk link, and to verify trunk establishment. Figure 2 illustrates the output of the show interfaces trunk command on Sw-2.
A native VLAN mismatch causes connectivity issues in the network, although data traffic for VLANs other than the native VLAN still propagates successfully; a native VLAN mismatch does not prevent trunk establishment. The administrator can easily reconfigure the native VLAN on both sides of the link.
Trunk Mode Mismatches and Wrong VLAN allowed List
Normally the switchport mode trunk command is used to configure trunk links. Cisco Catalyst switches use DTP to negotiate the state of a trunk link. When a statically configured trunk port is incompatible with the neighbouring port, a trunk link fails to form between the two switches.
Figure 3 illustrates that PC-2 and PC-3 can communicate with each other but cannot communicate with PC-4. The topology indicates a valid configuration, so why can PC-2 and PC-3 not connect to PC-4? Use the show interfaces trunk command to check the status of the trunk ports on both switches.
The output shown in Figure 4 reveals that interface Gig0/1 on Sw-1 is in dynamic auto mode and that only VLAN 20 is allowed on the trunk link. Gig0/2 is also in dynamic auto mode. Therefore, PCs in VLAN 20 on Sw-1 cannot communicate with PCs in VLAN 20 on Sw-2. Figure 5 illustrates the show interfaces trunk output of Sw-2, where all VLANs are allowed.
To resolve this problem, manually configure the trunk mode on the Gig0/1 port of Sw-1 and allow all VLANs with the interface configuration command switchport trunk allowed vlan all, or allow specific VLANs with switchport trunk allowed vlan vlan-id.
After the configuration change, the output of the show interfaces trunk command on Sw-1, shown in Figure 6, indicates that port Gig0/1 is now in trunking mode and all VLANs are allowed on the trunk. Now all PCs on both switches can communicate with each other.
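As an added example (not from the article or from Cisco), this Python script parses show interfaces trunk output captured on both ends of a link and applies the three checks above in order: native VLAN, trunk mode, allowed VLAN list. Both outputs are constructed in the command's format around the Sw-1/Sw-2 scenario, and the port names are assumptions.

```python
"""Compare 'show interfaces trunk' output from both ends of a link and report
problems in the order recommended above: native VLAN, trunk mode, allowed
VLAN list. Added example, not Cisco tooling; both outputs are constructed in
the style of the command and the switch/port names are assumptions."""

# Constructed output from Sw-1: dynamic auto, only VLAN 20 allowed, native VLAN 1
SW1_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gig0/1      auto         n-802.1q       not-trunking  1

Port        Vlans allowed on trunk
Gig0/1      20

Port        Vlans allowed and active in management domain
Gig0/1      20
"""

# Constructed output from Sw-2: dynamic auto, all VLANs allowed, native VLAN 30
SW2_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gig0/1      auto         n-802.1q       not-trunking  30

Port        Vlans allowed on trunk
Gig0/1      1-4094

Port        Vlans allowed and active in management domain
Gig0/1      1,20,30
"""


def expand_vlans(spec):
    """'1,20-22' -> {1, 20, 21, 22}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def compress_vlans(vlans):
    """{1, 2, 3, 5} -> '1-3,5'"""
    out, run = [], []
    for v in sorted(vlans) + [None]:
        if run and (v is None or v != run[-1] + 1):
            out.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))
            run = []
        if v is not None:
            run.append(v)
    return ",".join(out)


def parse_trunk(output):
    """Return {port: {'mode', 'status', 'native', 'allowed'}} from the command output."""
    ports, section = {}, None
    for line in output.splitlines():
        if line.startswith("Port"):              # a column header starts a new section
            if "Native vlan" in line:
                section = "status"
            elif "Vlans allowed on trunk" in line:
                section = "allowed"
            else:
                section = None                  # sections this check does not need
            continue
        fields = line.split()
        if section == "status" and len(fields) == 5:
            port, mode, _encap, status, native = fields
            ports[port] = {"mode": mode, "status": status, "native": int(native)}
        elif section == "allowed" and len(fields) == 2:
            ports.setdefault(fields[0], {})["allowed"] = expand_vlans(fields[1])
    return ports


def diagnose(local, peer):
    """Compare the two ends of one trunk; returns (code, message) in check order."""
    problems = []
    if local["native"] != peer["native"]:
        problems.append(("native-vlan-mismatch",
                         f"native VLAN {local['native']} vs {peer['native']}: "
                         f"VLAN {local['native']} traffic leaks into VLAN {peer['native']}"))
    if local["mode"] == "auto" and peer["mode"] == "auto":
        problems.append(("mode-mismatch",
                         "both ends are dynamic auto, so neither initiates DTP; "
                         "configure 'switchport mode trunk' statically"))
    only_local = local["allowed"] - peer["allowed"]
    only_peer = peer["allowed"] - local["allowed"]
    if only_local or only_peer:
        problems.append(("allowed-list-mismatch",
                         f"allowed only locally: {compress_vlans(only_local) or '-'}; "
                         f"allowed only on peer: {compress_vlans(only_peer) or '-'}"))
    return problems


def check_link(local_output, local_port, peer_output, peer_port):
    """Parse both captures and diagnose the link between the two named ports."""
    local = parse_trunk(local_output)[local_port]
    peer = parse_trunk(peer_output)[peer_port]
    return diagnose(local, peer)


if __name__ == "__main__":
    for code, msg in check_link(SW1_TRUNK, "Gig0/1", SW2_TRUNK, "Gig0/1"):
        print(f"[{code}] {msg}")
```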
The Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol that is automatically enabled on Catalyst 2960 and Catalyst 3560 Series switches. DTP manages trunk negotiation between two or more Cisco devices before the trunk connection is formed. The benefit of DTP is that it boosts traffic on a trunked link.
Ethernet interfaces support different trunking modes. For example, we can set an interface for trunking, for non-trunking, or to negotiate trunking with the neighbouring interface; DTP manages that negotiation. The default DTP configuration for Cisco Catalyst 2960 and 3560 switches is dynamic auto or dynamic desirable mode.
DTP works only on a point-to-point basis between network devices. Some internetworking devices negotiate improperly and send incorrect DTP frames, which causes misconfigurations. To avoid this, turn off DTP on interfaces connected to devices that do not support it.
Non-Cisco switches do not support DTP. DTP only negotiates if the port on the neighbouring switch is configured in a trunk mode that supports DTP. To enable trunking from a Cisco switch to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration commands. This makes the interface a trunk without generating DTP frames.
In the figure below, the link between Switch0 and Switch1 becomes a trunk because the F0/1 ports on both switches are configured as trunks and therefore ignore all DTP packets. The Fa0/2 ports on Switch1 and Switch2 are set to dynamic auto, so the DTP negotiation results in the access mode state; two ports in dynamic auto do not form an active trunk link.
Cisco Catalyst 2960 and 3560 Series switch interfaces support the following trunking modes with the help of DTP:
Switchport mode access
A switch interface configured in access mode never becomes a trunk. This makes the port a pure access port that does not allow VLAN tagging.
Switchport mode dynamic auto
If a switch port is configured as dynamic auto, the interface can be converted to a trunk port. The interface becomes a trunk if the neighbouring interface is set to trunk or dynamic desirable mode. Dynamic auto is the default switchport mode for all Ethernet interfaces, and in this default mode the switch does not generate DTP messages on the interface.
A dynamic auto interface only listens for DTP messages from the neighbouring switch's interface. If it receives a DTP message from the neighbour, the port changes itself to a trunk. The configuration command for dynamic auto is switchport mode dynamic auto.
Switchport mode dynamic desirable
A switch port configured in dynamic desirable mode actively attempts to convert the link to a trunk using DTP. A trunk is established if the neighbouring switch port can form a trunk. An interface in dynamic desirable mode also generates DTP messages on the interface. If the switch receives DTP messages from the switch on the other side, it assumes that the other port can handle tagged frames, and a trunk link is established between both switches.
Switchport nonegotiate
Configuring a port as nonegotiate prevents it from generating DTP frames. This command is valid only when the interface switchport mode is access or trunk. To establish a trunk link, you must manually configure the neighbouring interface as a trunk.
Each VLAN in the network requires a unique IP subnet, because two devices in the same VLAN with addresses in different subnets cannot communicate. This is a common problem during VLAN configuration, and we solve it by identifying the incorrect IP address configuration and changing the address to the correct one.
For example, if you want to connect a client anywhere in VLAN 10, it requires a valid subnet configuration. If you want to communicate outside the VLAN, it also requires a valid default gateway, which must be the VLAN 10 SVI address. In the figure below, PC-2 cannot connect to PC-3 and PC-4, but PC-3 and PC-4 can communicate.
A check of the IP configuration of PC-2, shown in Figure 2, reveals the most common error in configuring VLANs: a wrongly configured IP address. PC-2 is configured with an IP address of 192.178.20.1, but it should have been configured with 192.168.20.1.
Solution
Change the PC-2 IP address to the correct address, 192.168.20.1. The PC-2 Ethernet configuration now shows the updated IP address of 192.168.10.1. The figure below illustrates the output at the bottom and reveals that PC-2 has regained connectivity to the web server found at IP address 192.168.20.1.
SVI Configuration
SVI stands for Switched Virtual Interface. An SVI is a routed interface in IOS that represents the IP addressing space of the VLAN attached to it. Since the VLAN has no physical interface, the SVI provides Layer 3 processing for packets from all switch ports associated with the VLAN.
With this interface, the switch uses virtual Layer 3 interfaces to route traffic to other Layer 3 interfaces, eliminating the need for a physical router. Before configuring a virtual interface, ensure that your switch has the VLAN the SVI will represent. The command is the following:
FAQs
Q1: What is a VLAN and how does it work?
A1: A VLAN (Virtual Local Area Network) is a subgroup within a switch that segregates network traffic, enhancing security and reducing collisions. VLANs allow devices on different physical LAN segments to communicate as if they were on the same segment.
Q2: What is an SVI and why is it important?
A2: An SVI (Switched Virtual Interface) is a virtual interface on a switch that provides Layer 3 processing for VLANs, allowing them to communicate with each other. SVIs are essential for routing traffic between VLANs.
Q3: What are common issues with VLAN configuration?
A3: Common issues include VLANs not propagating correctly, incorrect VLAN assignment, and security and isolation problems. These issues often stem from misconfigurations in VLAN Trunk Protocol (VTP) settings, incorrect port configurations, and improper access lists.
Q4: How can I troubleshoot VLAN propagation issues?
A4: To troubleshoot VLAN propagation issues, verify that all switches are correctly set in the desired VTP mode and that there are no discrepancies in the VTP domain name. Ensure that trunk links between switches are configured to allow the respective VLANs.
Q5: What should I check if devices are on the wrong VLAN?
A5: Double-check the access mode VLAN settings on individual ports to ensure each port is assigned to the correct VLAN according to your network design. If multiple VLANs need to be accessible from a single port, ensure that the port is configured as a trunk and that all necessary VLANs are tagged appropriately.
Q6: How can I ensure proper security and isolation between VLANs?
A6: Regularly audit VLAN configurations and ensure that access lists and VLAN maps are properly implemented to enforce the desired isolation policies. This helps maintain strict separation and prevent security breaches or unwanted data leaks between VLANs.
Q7: What are common SVI configuration issues and how can I troubleshoot them?
A7: Common SVI configuration issues include SVIs not forwarding traffic as expected. To troubleshoot, check that the SVI is up and operational using commands like show interface vlan [vlan-id]. Ensure that the SVI is correctly configured and that there are no misconfigurations.
A VLAN trunk link carries the traffic of multiple VLANs between switches unless we restrict the VLANs on it manually or dynamically. Port configuration is required at both ends of the physical link with the same set of commands. The switchport mode trunk command permanently changes the port mode to trunking. Alternatively, DTP can negotiate trunking.
A switch port configured as a trunk normally sends and receives IEEE 802.1Q VLAN-tagged Ethernet frames. If a switch receives an untagged Ethernet frame on its trunk port, it forwards the frame to the VLAN configured on the switch as the native VLAN.
Both sides of the trunk link must be configured with the same native VLAN. Consider the following diagram, which consists of two switches and two VLANs. The link between Sw-1 and Sw-2 has been configured as a trunk.
The Cisco IOS command switchport trunk native vlan vlan-id specifies a native VLAN other than VLAN 1. In the example, VLAN 30 is the native VLAN. The IOS command switchport trunk allowed vlan vlan-list specifies the list of VLANs allowed on the trunk link.
In Figure 2, VLANs 10 and 20 support the admin and IT sections of an organization. PC-2, PC-3 and PC-4 are members of VLAN 10; PC-1, PC-5 and PC-6 are members of VLAN 20. GigabitEthernet 0/1 on both switches is configured as a trunk port and forwards traffic for VLANs 10 and 20. VLAN 30 is the native VLAN; no hosts belong to it because it is an otherwise unused VLAN.
We have selected Cisco Catalyst 2960 switches, which automatically use 802.1Q encapsulation on trunk links. Other switches may need the encapsulation configured manually.
The command for manual encapsulation is switchport trunk encapsulation dot1q. Both ends of a trunk link require the same native VLAN; if the 802.1Q trunk configuration is not the same on both sides, Cisco IOS Software reports errors.
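An added Python example, not from the article, that compares the two ends of the Sw-1 to Sw-2 trunk described above. It parses constructed excerpts written in the layout of the show interfaces interface-id switchport output (the field names are the ones Cisco IOS prints; the values are invented) and reports native VLAN, encapsulation, allowed-VLAN and DTP mismatches. The parse_vlan_list helper also expands the comma/hyphen list syntax that switchport trunk allowed vlan accepts.

```python
import re

# Constructed excerpts in the style of "show interfaces <id> switchport" output,
# one per end of the Sw-1 <-> Sw-2 trunk (not output captured from a real device).
SW1_GI0_1 = """\
Name: Gi0/1
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Trunking Native Mode VLAN: 30 (VLAN0030)
Trunking VLANs Enabled: 10,20
"""
SW2_GI0_1 = """\
Name: Gi0/1
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 10,20,30
"""

def parse_vlan_list(text):
    """Expand the comma/hyphen VLAN list syntax ("10,20,50-60") or ALL."""
    if text.strip().upper() == "ALL":
        return set(range(1, 4095))
    ids = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_switchport(output):
    """Pick the trunk-relevant fields out of one 'show interfaces switchport' block."""
    fields = dict(line.split(":", 1) for line in output.splitlines() if ":" in line)
    fields = {k.strip(): v.strip() for k, v in fields.items()}
    return {
        "encap": fields["Operational Trunking Encapsulation"],
        "negotiation": fields["Negotiation of Trunking"],
        "native": int(re.match(r"\d+", fields["Trunking Native Mode VLAN"]).group()),
        "allowed": parse_vlan_list(fields["Trunking VLANs Enabled"]),
    }

def compare_trunk_ends(local_out, remote_out):
    """Return the list of mismatches between the two ends (empty = consistent)."""
    a, b = parse_switchport(local_out), parse_switchport(remote_out)
    issues = []
    if a["encap"] != b["encap"]:
        issues.append(f"encapsulation mismatch: {a['encap']} vs {b['encap']}")
    if a["native"] != b["native"]:
        # A native VLAN mismatch silently moves untagged frames between VLANs.
        issues.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    if a["allowed"] != b["allowed"]:
        issues.append(f"allowed VLANs differ on {sorted(a['allowed'] ^ b['allowed'])}")
    for side, end in (("local", a), ("remote", b)):
        if end["negotiation"] != "Off":
            issues.append(f"{side} end still negotiates trunking (DTP enabled)")
    return issues
```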
Reset 802.1Q Trunk link to Default State
After resetting the trunk to its default state, the trunk allows all VLANs and uses VLAN 1 as the native VLAN. The table below shows the commands that reset all trunking configuration of a trunking interface to its default settings.
We can verify the reset, and any later reconfiguration of the trunk, with the show interfaces interface switchport command.
Verifying Trunk Configuration
We can verify the trunk configuration of a switch port with the show interfaces interface-id switchport command.
In telecommunications, a trunk is a link that carries multiple signals simultaneously, providing network access between two points. It provides network access to many clients by sharing a set of lines or frequencies instead of providing them individually.
This is similar to the structure of a tree with one trunk and many branches. Typically, trunks connect switching centres in a communications system. There are two types of trunks in a data network:
Trunks that carry data from multiple local area networks (LANs) or virtual LANs (VLANs) across a single interconnect between switches or routers; the interface is called a trunk port.
Trunks that combine multiple physical links to create a single higher-capacity, more reliable logical link; this is called port trunking.
As mentioned above, a trunk is a point-to-point link between two network devices that carries data for more than one VLAN. A VLAN trunk extends VLANs across a whole network.
Cisco supports the 802.1Q standard, which tags Ethernet frames with their VLAN as they pass between switches, so each frame is delivered to its intended VLAN at the other end of the trunk. Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces can all be used as trunk ports.
Without VLAN trunks, VLANs are not very useful. Trunks let the traffic of all VLANs pass between switches, so that devices in the same VLAN but connected to different switches can communicate without a router.
A VLAN trunk does not belong to a particular VLAN; it is a shared medium for several VLANs between switches and routers. A trunk can also be used between a network device and a server or other device equipped with an 802.1Q-capable NIC. By default, all Cisco Catalyst switches support trunk ports.
In the figure, the link between the two switches is configured to carry traffic from VLANs 10 and 20 across the network. This network could not function without VLAN trunks.
In the previous article, we discussed normal-range and extended-range VLANs. Normal-range VLAN configuration is stored in the vlan.dat file in the switch's flash memory, so it does not need to be saved with the copy running-config startup-config or write command.
However, other details are usually configured on a Cisco switch at the same time as VLANs are created, so it is best to save running-configuration changes to the startup configuration. The figure below illustrates the Cisco IOS command syntax used to add a VLAN to a Cisco switch and give it a name. Naming each VLAN is a best practice in VLAN configuration.
vlan <vlan-id>
name <vlan-name>
The figure below illustrates the topology, in which Sw-1 has already been configured with VLANs 10 and 20. We can check this with the show vlan brief command in user EXEC mode, which displays the contents of the vlan.dat file. Now we will create some VLANs, including VLAN 10 and VLAN 20, on Sw-2.
We can create VLANs individually, as a comma-separated list of VLAN IDs, or as a range. IDs are separated by commas, and a hyphen specifies a range of VLAN IDs. Use the following commands to create VLANs 10, 20, 30, 40, and 50 through 60:
Sw-2(config)# vlan 10, 20, 30, 40
Sw-2(config)# vlan 50-60
Assigning Ports to VLAN
Once the VLAN configuration is done, the next step is assigning ports to the VLANs. A port in access mode can belong to only one VLAN at a time. The one exception is an access port connected to an IP phone: two VLANs are associated with that port, one for voice and one for data. The following is the syntax for defining a port as an access port and assigning it to a VLAN.
The switchport mode access command is optional, but it is strongly recommended for security. This command permanently sets the switch interface to access mode. The interface range command can be used to apply the command to multiple interfaces at once.
In the figure below, VLAN 10 is assigned to port Fa0/1 on Switch1. As a result, PC4 becomes a member of VLAN 10. VLAN 20 is assigned to ports Fa0/2 and Fa0/3, so PC5 and PC6 are part of VLAN 20. We can use the show vlan brief command to display the contents of the vlan.dat file.
If the VLAN does not exist, the switchport access vlan command forces the creation of the VLAN on the switch. For example, VLAN 100 does not exist in the output of the show vlan brief command. If switchport access vlan 100 is entered on an interface without any prior configuration, the switch displays the following:
% Access VLAN does not exist. Creating VLAN 100
Now we can display the vlan.dat file again with the show vlan brief command.
Changing VLAN Port Membership
There are several ways to change the VLAN membership of a port. The table below shows the syntax for changing a switch port's membership back to VLAN 1 with the no switchport access vlan interface configuration mode command.
Interface Fa0/1 is assigned to VLAN 10. The no switchport access vlan command is entered for interface Fa0/1 in interface configuration mode; the output of the show vlan brief command that immediately follows is shown in the figure below.
The show vlan brief command displays the VLAN association and type for all switch ports. It shows one line for every VLAN, and the output for each VLAN includes its name, status, and switch ports.
VLAN 10 is still active, but there are no ports in it. The show interfaces f0/1 switchport command verifies that the access VLAN for interface Fa0/1 has been reset to VLAN 1. Note that removing a port from a VLAN is not required before changing its membership; the ports can be assigned directly to any other VLAN.
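An added Python example, not from the article, that parses constructed output laid out like show vlan brief (the column layout and continuation lines follow what Cisco IOS prints; the VLAN names and port lists are invented) and then answers the questions this section raises: which active VLANs have no ports left, which ports have fallen back to VLAN 1, and which VLAN a given port currently belongs to.

```python
# Constructed output in the layout of "show vlan brief" (not captured from a real
# switch): VLAN 10 lost its only port after "no switchport access vlan" on Fa0/1.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Gi0/2
10   Admin                            active
20   IT                               active    Fa0/2, Fa0/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

def parse_show_vlan_brief(output):
    """Return {vlan_id: {"name": ..., "status": ..., "ports": [...]}}.

    Port lists longer than one line continue on indented lines that carry
    no VLAN ID, so they are appended to the most recently seen VLAN.
    """
    vlans, current = {}, None
    for line in output.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue
        if line[0].isdigit():
            parts = line.split(None, 3)
            current = int(parts[0])
            ports = parts[3] if len(parts) == 4 else ""
            vlans[current] = {"name": parts[1], "status": parts[2], "ports": []}
        else:
            ports = line
        if current is not None:
            vlans[current]["ports"] += [p.strip() for p in ports.split(",") if p.strip()]
    return vlans

def empty_vlans(vlans):
    """Active VLANs with no member ports (kept around but unused)."""
    return sorted(v for v, d in vlans.items() if d["status"] == "active" and not d["ports"])

def ports_in_default_vlan(vlans):
    """Ports whose access VLAN is VLAN 1; each should be there deliberately."""
    return vlans.get(1, {"ports": []})["ports"]

def vlan_of_port(vlans, port):
    """Which VLAN a port currently belongs to (None if it is not listed)."""
    for vid, d in vlans.items():
        if port in d["ports"]:
            return vid
    return None
```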
Verifying VLAN Information
After configuring a VLAN or changing a VLAN configuration, we must validate it using the Cisco IOS show commands. The command syntax is as follows:
show vlan [brief | id vlan-id | name vlan-name | summary]
brief – displays one line for every VLAN with the VLAN name, status, and ports.
id vlan-id – displays information about a specific VLAN identified by its VLAN ID number.
name vlan-name – displays information about a specific VLAN identified by its name.
show interfaces [interface-id | vlan vlan-id | switchport]
interface-id – a valid interface ID, which includes the module and port numbers, or a port channel. The port-channel range is 1 to 6.
vlan vlan-id – displays information about a specific VLAN identified by its VLAN ID number. The range of VLAN IDs is 1 to 4096.
switchport – displays a switch port's operational and administrative status, including whether it is blocked and which port protection settings are in effect.
Now we will use the show vlan command with different parameters. The output of the show vlan name IT command is harder to interpret; the figure below illustrates it. Its output fields will be discussed in coming articles.
The recommended commands for VLAN verification are show vlan brief and show vlan summary. These commands display the count of all configured VLANs. We can also use the show interfaces command with different parameters, such as show interfaces fastEthernet 0/1 switchport.
This displays all information about switch port FastEthernet 0/1. If we enter show interfaces switchport, it displays the information for every existing switch port. We can also use the show interfaces vlan <vlan ID> command to display the VLAN interface information, including the IP address configured on that VLAN's SVI.
Deleting VLAN
We can delete a VLAN with the no vlan vlan-id command in global configuration mode. For example, no vlan 10 in global configuration mode deletes VLAN 10 from the Sw-2 VLAN database. The ports that were in VLAN 10 are now not members of any active VLAN. You can verify with the show vlan brief command that VLAN 10 is no longer present in the vlan.dat file after the no vlan 10 command.
A best practice before deleting a VLAN is to reassign all member ports to a different VLAN, because any port not moved to an active VLAN is unable to communicate with other hosts after the VLAN is deleted, until it is assigned to an active VLAN.
We can delete the entire vlan.dat file with the delete flash:vlan.dat command in privileged EXEC mode, which can be abbreviated to delete vlan.dat when the file is stored in its default location.
After executing this command and restarting the switch, the formerly configured VLANs are no longer present. This places the switch into its factory default condition for VLAN configurations.
Conclusion
Configuring VLANs on Cisco switches is an essential aspect of network management. Proper naming, port assignment, and verification of VLAN configurations are crucial steps. Regularly using show commands helps ensure the correct setup of VLANs, and caution should be exercised when deleting VLANs to avoid network disruptions. Following best practices and utilizing recommended commands contribute to a secure and well-organized network infrastructure.
FAQs
Why is naming each VLAN considered a best practice in VLAN configuration? Naming each VLAN provides clarity and documentation for network administrators, making it easier to identify the purpose or function of a specific VLAN.
Can VLANs be created on a Cisco switch individually and in a range? Yes, VLANs can be created on a Cisco switch individually by specifying VLAN IDs or using hyphens to set them in a range. For example, the command vlan 10, 20, 30, 40 creates VLANs 10, 20, 30, and 40, while vlan 50-60 creates VLANs 50 through 60.
What is the purpose of the ‘switchport mode access’ command in VLAN configuration? The switchport mode access command is optional but recommended for security. It permanently sets the switch interface to access mode, ensuring the port can only belong to one VLAN. This command helps prevent unauthorized VLAN hopping.
How can I assign ports to a VLAN after VLAN configuration? Ports can be assigned to a VLAN by entering the interface configuration mode and using the switchport access vlan [VLAN ID] command. This associates the specified VLAN with the port.
What happens if a VLAN does not exist when assigning it to a port? If the VLAN does not exist, the switchport access vlan [VLAN ID] command forces the creation of the VLAN on the switch. For example, if VLAN 100 does not exist, entering the command will create VLAN 100.
How can I verify VLAN information on a Cisco switch? VLAN information can be verified using the show vlan command with various parameters, such as brief, id [VLAN ID], name [VLAN Name], or summary. The show interfaces command can also display information about switch ports and VLAN assignments.
What is the recommended command for VLAN verification? The recommended commands for VLAN verification are show vlan brief and show vlan summary. These commands provide a concise overview of all configured VLANs.
How can I delete a VLAN on a Cisco switch? To delete a VLAN, use the no vlan [VLAN ID] command in global configuration mode. Before deleting a VLAN, it’s advisable to reassign member ports to a different VLAN to ensure uninterrupted communication.
Is it possible to delete the entire vlan.dat file on a Cisco switch? The delete flash:vlan.dat command in privileged EXEC mode can delete the entire vlan.dat file. This action, followed by a switch restart, restores the switch to its factory default condition for VLAN configurations.