
BCS02 ICT312 MULTILAYER SWITCHING
ASSIGNMENT 2
Draw. Build. Lock.
A research report on VLAN design, implementation and security.

Nigel Sanou
02/11/2011




This research report gives insight into three major areas of implementing Virtual Local Area Networks (VLANs) in an Ethernet environment, with a specific focus on campus/branch level applications and on best practice in the design and implementation of modern multilayer switched topologies. By and large, the device configurations discussed and displayed in this document are vendor specific to Cisco and their IOS; however, the higher level implementation concepts are applicable to multiple platforms.

Contents
Table of Figures
Introduction
VLAN Design
  Design of enterprise campus networks
  Requirements Determination
  VLAN Numbers
  VLAN Names
VLAN Implementation
  Basic VLAN Configuration
  VLAN Trunking Configuration
  Native VLAN Configuration
  Inter-VLAN Routing Configuration
  VTP Configuration
VLAN Security
  Port security
Conclusion
References

Table of Figures
Figure 1: This diagram shows the three layer campus network model, highlighting the demarcation of network and data link layers at the distribution layer.
Figure 2: This table shows a logical numbering system associating VLAN numbers to network addresses.
Figure 3: This diagram shows a trunk link between two switches which contain the same VLANs.

Introduction
In the current era of IP networks the driving factor of development has been the concept of converged networks. No longer can the content carried on data networks be classed as just data; voice, video, management and specific application services being provisioned on IP networks present different requirements in bandwidth, latency and security.

One facet of Virtual Local Area Networks (VLANs) is their ability to provide separation of some of these services, as well as logical segmentations that can be made for particular geographic separation, business cases or operational structures.

VLANs act by dividing a switch into smaller broadcast domains [1]. A device connected to a switch port added to one VLAN will not be able to directly communicate with a device attached to a switch port on another VLAN, even though both devices are connected to the same switch. This structure helps meet the needs of the aforementioned services.

Links that carry VLAN traffic between switches are called trunks, and the associated switch ports are called trunk or tagged ports. Ethernet frames travelling within a VLAN are tagged with a VLAN number, either through ISL encapsulation or 802.1Q tagging. Standard access ports drop all outgoing VLAN information, whereas trunks pass these tags, meaning that hosts connected to switches interconnected via a trunk can communicate across the link, assuming the hosts are members of correlating VLANs.
VLAN Design
Design of enterprise campus networks
Modern campus infrastructure should consist of three layers: core, distribution and access.

Figure 1: This diagram shows the three layer campus network model, highlighting the demarcation of network and data link layers at the distribution layer [2].

The core layer is the network backbone, responsible for the interconnection of multiple campuses/branches; it needs to provision high speed switching and/or routing with redundancy [3].

As displayed in Figure 1, newer networks' distribution layers now consist of multilayer switches. This layer of the campus model acts as the point of demarcation between the core and access layers, a point for network summarisation, and typically where Quality of Service (QoS) is actioned and security policy such as Access Control Lists (ACLs) is applied. The distribution layer can also provide inter-VLAN routing for the access layer.

The access layer of this composite model is where hosts connect to the network, including devices like PCs, IP phones and servers. Typically VLANs exist in a purely layer 2 environment at the access layer. Port security is also applied at this layer.

Best practice for VLAN design has changed of late due to the advent of layer 3 switches; the main shift has been towards keeping VLANs contained locally within a given distribution layer, as interconnections between different distribution layers are now routed rather than switched.
Requirements Determination
Determining the VLAN structure for a network is twofold: it is important to define the types of traffic that will be traversing the domain, as well as the users and hosts connecting to the network and their role in the business.

Some requirements of a network may not warrant a separate VLAN, but bandwidth, latency and security needs should still be considered.

For specific applications like Voice over IP (VoIP) and video, VLANs separate from that of normal data should be implemented. For other applications, specific bandwidth testing may be needed to determine bandwidth requirements; for example, storage servers that mirror each other would likely be worthy of a dedicated VLAN.

VLANs should also replicate the departmental structure within an organization, so when planning the VLAN structure a clear idea of the corporate structure is needed; typically this information can be gathered in consultation with the company.
VLAN Numbers
In a good network design it is important to generate a logical numbering system for VLANs to make network management easier. Standards dictate that some VLAN numbers are reserved. VLANs can be numbered from 1 to 4094; however, ISL only supports up to 1005 [3]. As VLAN 1 is the default, it should not be used in a multi-VLAN network.

One good way to assign numbers to VLANs is by aligning them to your IP addressing scheme. For example, if five VLANs needed to be created and class C addressing was used:

Network         VLAN number
192.168.10.0    10
192.168.20.0    20
192.168.30.0    30
192.168.40.0    40
192.168.50.0    50

Figure 2: This table shows a logical numbering system associating VLAN numbers to network addresses.
VLAN Names
For a given network installation a naming convention should be generated and followed; many administrators put VLAN names in all capitals. Typically VLAN names take after the corporate structure, e.g. MARKETING or SALES. Depending on the geographic layout of the access layer, the location may be specified in the name, e.g. SALESBUILDING1. Also, for special services it is good to name VLANs based on the type of traffic, like 'VOICE'.
VLAN Implementation
This section focuses on the configurations needed to successfully implement and make use of VLANs and the switching features pertaining to VLANs.

Basic VLAN Configuration
Step 1: Generating VLANs
(config)# vlan 10
(config-vlan)# name SALES
Step 2: Assigning switch ports to VLANs
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
Note: multiple interfaces can be assigned to a VLAN at once using the interface range command.

VLAN Trunking Configuration

Figure 3: This diagram shows a trunk link between two switches which contain the same VLANs [1].

There are two main trunking protocols: ISL and 802.1Q. ISL is Cisco proprietary and is now only used for legacy support [1]. 802.1Q is often the only trunking protocol on switches, but to remove the possibility of conflict it is best to set it explicitly. Trunks can be negotiated automatically through the use of Dynamic Trunking Protocol (DTP), but this presents security risks and takes control away from the network administrator. To invoke a manual trunk, configuration must be completed on each participating switch [3].
Step 1: Setting trunk encapsulation (on both switches)
(config)# int fa0/1
(config-if)# switchport trunk encapsulation dot1q
Step 2: Setting trunk mode (on both switches)
(config-if)# switchport mode trunk
Native VLAN Configuration
Native VLANs are often utilized in VoIP configurations where workstations are connected to the small switch on the back of an IP phone and the phone connects back to a trunk port on the switch. In this instance VoIP traffic will receive a VLAN tag, but by default workstation traffic will not be tagged. By adding a native VLAN number to a port on the switch, any frames arriving without a VLAN tag will be assigned the native VLAN number. The configuration is done at a per-interface level [4].
(config)# int fa0/1
(config-if)# switchport trunk native vlan 10
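How a switch port decides which VLAN a frame belongs to, as an added example (not the report's code) covering the 802.1Q tagging described in the introduction and the native VLAN behaviour above: a tagged frame carries a 12-bit VLAN ID after the 0x8100 TPID, an untagged frame falls into the native VLAN, assumed here to be 10 as in the command above. The sample frames are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value announcing that an 802.1Q tag follows
NATIVE_VLAN = 10      # assumption: the trunk was given 'switchport trunk native vlan 10'

def classify_frame(frame, native_vlan=NATIVE_VLAN):
    """Return (vlan_id, tagged, priority, ethertype) for a raw Ethernet frame.

    Untagged frames are placed in the trunk's native VLAN, which is what the
    switch does with a frame that arrives on a trunk port without a tag.
    """
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return native_vlan, False, 0, ethertype      # untagged, e.g. the workstation
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13          # 3-bit priority code point, 5 is typical for voice
    vid = tci & 0x0FFF       # 12-bit VLAN identifier
    if vid == 0:             # priority tag only: carries no VLAN, native VLAN applies
        return native_vlan, False, pcp, inner_type
    if vid == 4095:
        raise ValueError("VLAN ID 4095 is reserved")
    return vid, True, pcp, inner_type

def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Constructed helper (not from the report) that builds frames for testing."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample frames: the IP phone tags its voice traffic into VLAN 30 with
# priority 5, the workstation behind it sends an untagged ARP frame.
BROADCAST = bytes.fromhex("ffffffffffff")
PHONE_FRAME = build_frame(BROADCAST, bytes.fromhex("001122334455"), 0x0800,
                          b"\x00" * 20, vlan=30, pcp=5)
PC_FRAME = build_frame(BROADCAST, bytes.fromhex("0a0b0c0d0e0f"), 0x0806, b"\x00" * 28)
```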
Inter-VLAN Routing Configuration
For VLANs existing on a layer 2 switch there is no way of communicating with other VLANs without a router. When adding a 'router on a stick', a trunk needs to be configured to the router in order to route between VLANs.

After the aforementioned trunk configuration on the switch side is complete, the router must be configured [1].
Step 1: turn on the router interface
(config)# int fa0/1
(config-if)# no shut
Step 2: configure sub-interfaces (sub-interface numbers are arbitrary, but best practice is for them to correlate to the VLAN being connected)
(config-if)# int fa0/1.10
(config-subif)# encapsulation dot1q 10   (this number is the tagged VLAN carried on the sub-interface)
(config-subif)# ip address 192.168.10.1 255.255.255.0
(config-subif)# int fa0/1.20
(config-subif)# encapsulation dot1q 20
(config-subif)# ip address 192.168.20.1 255.255.255.0
Note: no routing configuration has to be done, as both networks are directly connected.

Layer 3 switches can accomplish routing between VLANs without the need for additional hardware through the use of Switched Virtual Interfaces (SVIs), which essentially work like the sub-interfaces in a 'router on a stick' configuration [1].
Step 1: enable routing on the layer 3 switch
(config)# ip routing
Step 2: configure SVIs
(config)# int vlan 10
(config-if)# ip address 192.168.10.1 255.255.255.0
(config-if)# int vlan 20
(config-if)# ip address 192.168.20.1 255.255.255.0

VTP Configuration
VLAN Trunking Protocol (VTP) allows VLANs to be propagated to switches which are connected together with trunk links; this functionality is useful in campuses with large access layers. There are three different VTP modes a switch can be put into.

VTP server mode (the default mode) allows a switch to change and store VLAN information, as well as propagating VLAN information to switches in server or client mode. If all switches are left with this default setting, VLAN information is updated from the switch with the latest update revision number. This is not best practice.

Switches in client mode can't change VLAN information and only hold the VLAN database in RAM, not flash; switches in this mode still send and receive updates.

Transparent mode allows the switch to change VLAN information and forward VTP information (only with VTP version 2), but switches in this mode do not listen to any VTP advertisements.

The configuration below implements a setup in which one switch acts in server mode whilst the others operate in client mode; this is considered to be best practice.

When configuring many VLANs on a VTP domain it is good to consider the maximum number of VLANs supported by the switches within the domain.
Step 1: verify VTP status (on all switches)
# show vtp status
Step 2: configure the VTP domain (on all switches)
(config)# vtp domain DOMAIN1
Step 3: configure the VTP mode
SWITCH1(config)# vtp mode server
SWITCH2(config)# vtp mode client
SWITCH3(config)# vtp mode client
Step 4: configure the VTP version number (on all switches)
(config)# vtp version 2
Step 5: verify the configuration (on all switches)
# show vtp status
VLAN Security
Although by nature VLANs introduce a level of security into a network, switches are still vulnerable, particularly at the physical layer. Best practice predicates the need for physical security within a network; measures such as putting network equipment behind lock and key reduce the risk of attack, but additional layer 2 security is also needed.
Port security
Switch ports can be secured in a number of different ways, from shutting down unused ports to a range of MAC address security options [1]. A good first step in securing a switch is changing the switch port mode on all ports away from the default of dynamic desirable to access mode; this can be done with the 'switchport mode access' command.

Media Access Control (MAC) addresses are unique layer 2 identifiers, and therefore switches can utilize them to secure ports. A maximum number of simultaneous MAC addresses allowed to access a port can be set.
Step 1: enable port security on the selected interface
(config)# int fa0/12
(config-if)# switchport port-security
Step 2: set the maximum
(config-if)# switchport port-security maximum 3

The violation mode can be configured with one of three options; the given option will be actioned when the maximum has been breached. The violation option is set through this configuration:
(config-if)# switchport port-security violation shutdown|restrict|protect

The shutdown option, as the name suggests, shuts down the port when the security condition is breached [1]. The others, restrict and protect, both allow continued operation by blocking out only the MACs that breach the condition; for example, applied to the above configuration, the first three MAC addresses to access switch port fa0/12 would still be allowed to connect, while a fourth and fifth address attempting connection would be blocked. The restrict option increments the violation counter on the interface, whereas the protect option does not.

Other MAC address conditions can be set for port security, such as the 'switchport port-security mac-address sticky' option, which learns the first MAC address(es) connected to a port and considers any others a violation.
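Checking a running-config for the items raised in this section and in the trunking section, as an added example (not the report's code): ports left at the DTP default without an explicit access or trunk mode, trunks without explicit dot1q encapsulation or still on native VLAN 1, and access ports on VLAN 1 or without port security. The running-config excerpt is constructed for the example.

```python
import re

# Constructed running-config (not from the report): Fa0/12 follows its steps, the rest do not.
SAMPLE_CONFIG = """\
interface FastEthernet0/2
 switchport mode trunk
interface FastEthernet0/12
 switchport mode access
 switchport access vlan 10
 switchport port-security
interface FastEthernet0/13
 description unused port, left enabled
interface FastEthernet0/14
 switchport mode access
 switchport access vlan 1
"""

def parse_interfaces(config):
    ifaces, current = {}, None     # {interface name: [sub-commands]}
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current, ifaces[m.group(1)] = m.group(1), []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
    return ifaces

def arg(cmds, prefix, default=None):
    return next((c.split()[-1] for c in cmds if c.startswith(prefix)), default)

def audit_ports(config):
    """Flag ports that depart from the report's recommendations: {iface: [findings]}."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        f, mode = [], arg(cmds, "switchport mode ")
        if mode not in ("trunk", "access"):   # 'switchport nonegotiate' also stops DTP
            f.append("no explicit access or trunk mode: DTP can negotiate a trunk")
        elif mode == "trunk":
            if "switchport trunk encapsulation dot1q" not in cmds:
                f.append("trunk encapsulation not set explicitly")
            if arg(cmds, "switchport trunk native vlan", "1") == "1":
                f.append("native VLAN left at default VLAN 1")
        elif mode == "access":
            if arg(cmds, "switchport access vlan", "1") == "1":
                f.append("access port on default VLAN 1")
            if "switchport port-security" not in cmds:
                f.append("port-security not enabled")
        if f:
            findings[name] = f
    return findings
```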
Conclusion
In modern network environments VLANs provide a great degree of flexibility and scalability. Moreover, VLANs can make better use of the available bandwidth for priority services, allow for simpler administration and increase security. Without VLANs, converged networks would not be able to accomplish as much as they do today.

References

[1] CBT Nuggets, Switch 642-813 (video series), 2010.
[2] Cisco, "Enterprise Campus," Cisco. [Online]. Available: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap3.html [Accessed October 2011].
[3] R. Froom, B. Sivasubramanian and E. Frahim, Implementing Cisco Switched Networks (SWITCH) Foundation Learning Guide. Indianapolis: Cisco Press, 2010.
[4] Cisco, "VLANs and Trunking," Cisco, 23 October 2002. [Online]. Available: http://www.ciscopress.com/articles/article.asp?p=29803&seqNum=3 [Accessed October 2011].
