inter-vlanrouting ht11

Post on 24-Dec-2015


Inter-VLAN Routing

Malin Bornhager

Halmstad University

Version 2002-1, © 2002, Svenska-CNAP / Halmstad University

Objectives

Inter-VLAN Routing

Router-on-a-Stick

Subinterface configuration

Switch Security


VLANs

• VLANs can be used to segment the network

– Reduce the size of the broadcast domain

– Each VLAN is a unique broadcast domain

– Each VLAN is a different IP subnet

– No communication between VLANs without a Layer 3 device

• Inter-VLAN routing is the process of forwarding network traffic from one VLAN to another VLAN using a router

Inter-VLAN Routing

• The router interfaces can be connected to separate VLANs

– One subnet on each interface

– Routing between the subnetworks

Inter-VLAN Routing

• Traditionally, LAN routing has used routers with multiple physical interfaces

– Each interface needed to be connected to a separate network

– Configured for a different subnet

• Each router interface is connected to a switch port associated with a specific VLAN

– The router accepts traffic from the VLAN associated with the switch port it is connected to, and routes the traffic to other VLANs

Physical and Logical Interfaces

• Router interfaces can be configured as trunk links

– Multiple VLANs can be supported on one physical link

Router-on-a-Stick

• A type of router configuration in which a single router interface routes traffic between multiple VLANs

– The connection between the switch and the router is a single trunk link

– The router accepts VLAN-tagged (802.1Q) traffic on the trunk interface and routes traffic between the different VLANs

Router-on-a-Stick

• The physical interface is divided into multiple subinterfaces

• Each subinterface is associated with one VLAN and one IP subnet

Router-on-a-Stick

• By configuring IP addresses on the subinterfaces, the router can be used as the default gateway for the hosts in each VLAN to reach devices connected to the other VLANs

• If the destination address is on a remote network (another VLAN), the routing table is used to forward the data to the correct destination

Configuring Inter-VLAN Routing


Configuring inter-VLAN Routing (cont.)

Routing Table for this subinterface configuration


Communication between VLANs
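The configuration and routing-table screenshots from these slides did not survive in the transcript. The following added Python example (not from the original slides) builds the subinterface configuration for a router-on-a-stick from an assumed VLAN plan (physical interface FastEthernet0/0, VLANs 10, 20 and 99 with 10.0.x.0/24 subnets), derives the connected routes the router installs, resolves a destination address to its egress subinterface the way the routing-table lookup on the previous slide describes, and checks the plan against the switch trunk for the mistakes that commonly break inter-VLAN routing (overlapping subnets, a VLAN missing from the trunk, native-VLAN mismatch).

```python
"""Router-on-a-stick plan: generate the subinterface configuration for one
trunked router interface, derive the connected routes it installs, resolve
a destination to its egress subinterface, and sanity-check the plan against
the switch trunk.  Added example, not from the original slides; interface
names and addresses are assumed."""
import ipaddress

# Constructed VLAN plan (assumed): VLAN id -> gateway address on that VLAN.
VLANS = {10: "10.0.10.1/24", 20: "10.0.20.1/24", 99: "10.0.99.1/24"}
PHYS = "FastEthernet0/0"  # assumed physical router interface facing the trunk


def subinterface_config(phys, vlans, router_native=None):
    """IOS lines: one 802.1Q subinterface per VLAN, each with its own subnet."""
    lines = [f"interface {phys}", " no shutdown", "!"]
    for vid, gw in sorted(vlans.items()):
        iface = ipaddress.ip_interface(gw)
        lines.append(f"interface {phys}.{vid}")
        # 'native' tells the router that this VLAN arrives untagged on the trunk
        encap = f" encapsulation dot1Q {vid}" + (" native" if vid == router_native else "")
        lines.append(encap)
        lines.append(f" ip address {iface.ip} {iface.netmask}")
        lines.append("!")
    return lines


def connected_routes(phys, vlans):
    """The 'C' (directly connected) routes the router shows once the
    subinterfaces are up: (network, egress subinterface)."""
    return [(str(ipaddress.ip_interface(gw).network), f"{phys}.{vid}")
            for vid, gw in sorted(vlans.items())]


def lookup(dst, routes):
    """Longest-prefix match: which subinterface (VLAN) a packet for dst
    leaves on, or None when the router has no route for it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best[1] if best else None


def check_plan(vlans, trunk_allowed, trunk_native, router_native=None):
    """Mistakes that make router-on-a-stick fail quietly: overlapping
    subnets (IOS refuses the second 'ip address'), a routed VLAN pruned
    from the trunk, and a native-VLAN mismatch (untagged frames never
    reach a subinterface that expects a tag)."""
    problems = []
    nets = {vid: ipaddress.ip_interface(gw).network for vid, gw in vlans.items()}
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} ({nets[a]}) overlaps VLAN {b} ({nets[b]})")
    for vid in ids:
        if vid not in trunk_allowed:
            problems.append(f"VLAN {vid} is routed but not allowed on the trunk")
    if trunk_native in vlans and router_native != trunk_native:
        problems.append(f"VLAN {trunk_native} is untagged (native) on the trunk but the "
                        f"router subinterface expects a tag: add 'native' to its encapsulation")
    if router_native is not None and router_native != trunk_native:
        problems.append(f"router treats VLAN {router_native} as native, "
                        f"trunk native VLAN is {trunk_native}")
    return problems


if __name__ == "__main__":
    print("\n".join(subinterface_config(PHYS, VLANS, router_native=99)))
    for net, iface in connected_routes(PHYS, VLANS):
        print(f"C  {net} is directly connected, {iface}")
    print(lookup("10.0.20.77", connected_routes(PHYS, VLANS)))
    print(check_plan(VLANS, trunk_allowed={10, 20, 99}, trunk_native=99, router_native=99))
```

The check_plan function is where the practical value lies: a host in VLAN 10 pinging a VLAN 20 address fails just as silently when VLAN 20 is pruned from the trunk as when the router has no subinterface for it, and a native-VLAN mismatch between switch and router is the classic reason one VLAN out of several "does not route".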


Router interface and Subinterface Comparison

Comparison of separate physical router interfaces (one per VLAN) with subinterfaces on one trunked interface:

• Port limits: one router port is needed per VLAN with physical interfaces; subinterfaces need only one physical port for all VLANs on the trunk

• Performance: each physical interface has its own bandwidth; all subinterfaces share the bandwidth of the single trunk link

• Access ports and trunk ports: physical interfaces connect to switch access ports; subinterfaces require a trunk port on the switch

• Cost: physical interfaces are more expensive (more router ports); subinterfaces are cheaper

• Complexity: physical interfaces are simpler to configure; subinterfaces add trunk and encapsulation configuration

Switch Security

• It is important to secure the switches and to have a basic knowledge of:

– Passwords

– Common security attacks

– Port security and unused ports

Passwords

• Secure the console port from unauthorized access

• Secure the vty ports from unauthorized access

– Make sure to secure all available vty lines (a switch typically has more than the first five, e.g. vty 0 4 and vty 5 15)

• Configure privileged EXEC mode passwords

– Clear text (enable password) or encrypted (enable secret, which is stored as a hash and takes precedence)

• Configure all passwords as encrypted

– Note that service password-encryption only obscures line passwords with the reversible type 7 scheme; it protects against someone reading a printed or displayed configuration, not against an attacker who obtains the configuration file

Common security attacks

• MAC flooding attack

– The attacker sends frames from many bogus source addresses; the MAC address table overflows and the switch falls back to flooding frames out all ports, like a hub

• DHCP spoofing

– A rogue (illegal) DHCP server answers the clients' DHCP requests

• CDP attacks

– CDP information is sent in clear text as broadcasts (a link-local multicast) on every enabled interface; the device type, software version and IP addresses it reveals can be used to attack your network

Port Security

• Port security limits the number of valid MAC addresses on a switch port

• Implement port security on all access ports to:

– Specify a group of valid MAC addresses allowed on a port

– Allow only one MAC address to access the port

– Specify that the port automatically shuts down (violation mode shutdown, leaving the port err-disabled) if unauthorized MAC addresses are detected

Unused ports

• Disable all unused switch ports
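As an added example that is not part of the original slides, the following Python script audits a constructed IOS switch running-config for the items this switch-security section lists: console and vty passwords, a privileged EXEC secret, password encryption, port security on access ports (the countermeasure to the MAC flooding attack above) and shut-down unused ports. It also decodes type 7 passwords to show why "encrypted" line passwords are not a real protection. The config text, hostname and interface names are assumed.

```python
"""Audit a Cisco IOS switch running-config for the hardening items the
slides list: console and vty passwords, a privileged EXEC secret, encrypted
passwords, port security on access ports and shut-down unused ports.  Added
example, not from the original slides; the config below is constructed."""

# Constructed sample running-config (assumed, deliberately incomplete hardening).
SAMPLE_CONFIG = """\
hostname SW1
enable password cisco
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/3
!
interface FastEthernet0/24
 switchport mode trunk
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password 7 0822455D0A16
 login
line vty 5 15
 login
"""

# Fixed key of the IOS type 7 scheme used by 'service password-encryption'.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded):
    """Type 7 is an XOR with a fixed key starting at a two-digit offset, so
    'encrypted' passwords in a config dump are recoverable by anyone who
    reads it (the modulo only keeps long inputs from running off the key)."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]))
                   for i, b in enumerate(body))


def parse_sections(config):
    """Split a running-config into global commands and
    {'interface X' | 'line Y': [indented commands]}."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(text)
        elif text.startswith(("interface ", "line ")):
            current = text
            sections[current] = []
        else:
            current = None
            globals_.append(text)
    return globals_, sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    globals_, sections = parse_sections(config)
    findings = []
    if "service password-encryption" not in globals_:
        findings.append("global: 'service password-encryption' is off, line passwords are shown in clear text")
    if not any(g.startswith("enable secret") for g in globals_):
        findings.append("global: no 'enable secret'; privileged EXEC mode has no hashed password")
    for g in globals_:
        if g.startswith("enable password "):
            findings.append(f"global: '{g}' is clear text or reversible, replace with 'enable secret'")
    for name, body in sections.items():
        if name.startswith("line "):
            if "login local" in body:
                continue  # authenticated against the local user database instead
            passwords = [l for l in body if l.startswith("password ")]
            if "login" in body and not passwords:
                findings.append(f"{name}: 'login' configured but no password set")
            for pw in passwords:
                parts = pw.split()
                if len(parts) == 3 and parts[1] == "7":
                    findings.append(f"{name}: type 7 password decodes to '{decode_type7(parts[2])}'")
                elif len(parts) == 2:
                    findings.append(f"{name}: password stored in clear text")
        elif name.startswith("interface "):
            if "switchport mode access" in body and "switchport port-security" not in body:
                findings.append(f"{name}: access port without port security")
            if not body:
                findings.append(f"{name}: unused port is not shut down")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit flags the clear-text enable password, the missing enable secret, the vty 5 15 lines that have login but no password, the unprotected access port FastEthernet0/2, the unused FastEthernet0/3, and recovers "cisco" from both type 7 line passwords; FastEthernet0/1 with port security and the trunk port produce no findings.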

