Inter-VLAN Routing
Malin Bornhager
Halmstad University
Version 2002-1 © 2002, Svenska-CNAP / Halmstad University.
Objectives
• Inter-VLAN Routing
• Router-on-a-Stick
• Subinterface configuration
• Switch Security
VLANs
• VLANs can be used to segment the network
• Reduce the size of the broadcast domain
– Each VLAN is a unique broadcast domain
– Different IP subnets
• No communication between VLANs
• Inter-VLAN routing is the process of forwarding network traffic from one VLAN to another VLAN using a router
Inter-VLAN Routing
• The router interfaces can be connected to separate VLANs
• One subnet on each interface
– Routing between subnetworks
Inter-VLAN Routing
• Traditionally, LAN routing has used routers with multiple physical interfaces
– Each interface needed to be connected to a separate network
– Configured for a different subnet
• Each router interface is connected to a switch port, associated with a specific VLAN
• The router can accept traffic from the VLAN associated with the switch interface it is connected to, and route the traffic to other VLANs
Physical and Logical Interfaces
• Router interfaces can be configured as trunk links
• Multiple VLANs can be supported on one physical link
Router-on-a-Stick
• A type of router configuration in which a single router interface routes traffic between multiple VLANs
• The connection between the switch and the router is a single trunk link
• The router accepts VLAN-tagged traffic on the trunk interface
• Routes traffic between the different VLANs
Router-on-a-Stick
• The physical interface is divided into multiple subinterfaces
• Each subinterface is associated with one VLAN and one IP subnet
Router-on-a-Stick
• By configuring IP addresses on the interfaces, the router can be used as a gateway to access devices connected to the other VLANs
• If the destination address is on a remote network (another VLAN), the routing table is used to forward the data to the correct destination
Configuring Inter-VLAN Routing
[Subinterface configuration shown as a figure in the original slide]
Configuring Inter-VLAN Routing (cont.)
[Routing table for this subinterface configuration, shown as a figure in the original slide]
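As an added example (not code from the slides or from the course), the following Python derives the router-on-a-stick subinterface configuration and the resulting connected routes from a VLAN plan, then shows how a destination address is matched to a subinterface, which is the routing-table lookup the slides describe. The VLAN plan, the trunk interface name GigabitEthernet0/0 and all addresses are constructed sample values; the `encapsulation dot1Q` and `ip address` lines follow Cisco IOS syntax.

```python
"""Router-on-a-stick: subinterface config, connected routes and the
per-packet lookup that decides which VLAN a destination lives in.

Added illustration; the VLAN plan, interface name and addresses are
constructed sample values, not from the original slides."""
import ipaddress

# Constructed VLAN plan: (VLAN id, subnet, router address on that subnet)
VLAN_PLAN = [
    (10, "192.168.10.0/24", "192.168.10.1"),
    (20, "192.168.20.0/24", "192.168.20.1"),
    (30, "192.168.30.0/24", "192.168.30.1"),
]
TRUNK_IF = "GigabitEthernet0/0"   # assumed name of the single physical trunk port


def subinterface_config(plan, phys=TRUNK_IF):
    """IOS-style lines: one dot1Q subinterface per VLAN, one IP subnet each.

    Rejects a gateway address that is not inside its own subnet, the most
    common mistake when the plan is typed by hand."""
    lines = [f"interface {phys}", " no shutdown"]
    for vlan, subnet, gw in plan:
        net = ipaddress.ip_network(subnet)
        if ipaddress.ip_address(gw) not in net:
            raise ValueError(f"gateway {gw} is not inside {subnet}")
        lines += [
            f"interface {phys}.{vlan}",
            f" encapsulation dot1Q {vlan}",
            f" ip address {gw} {net.netmask}",
        ]
    return lines


def routing_table(plan, phys=TRUNK_IF):
    """Connected routes the router learns from the subinterface addresses."""
    return {ipaddress.ip_network(subnet): f"{phys}.{vlan}"
            for vlan, subnet, _ in plan}


def egress(table, dst):
    """Longest-prefix match: the subinterface (VLAN) a packet to dst leaves on,
    or None when no route exists."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def inter_vlan(table, src, dst):
    """True when the router must forward: src and dst sit on different VLANs."""
    s, d = egress(table, src), egress(table, dst)
    return s is not None and d is not None and s != d


if __name__ == "__main__":
    print("\n".join(subinterface_config(VLAN_PLAN)))
    table = routing_table(VLAN_PLAN)
    for net, iface in table.items():
        print(f"C {net} is directly connected, {iface}")
    print(egress(table, "192.168.20.7"))              # GigabitEthernet0/0.20
    print(inter_vlan(table, "192.168.10.5", "192.168.30.5"))   # True
```

`egress` returning None for an address outside every VLAN is the case the slides call a remote network with no matching route; in a real router that packet would be dropped unless a default route exists.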
Communication between VLANs
[Shown as a figure in the original slide]
Router Interface and Subinterface Comparison
• Port limits
• Performance
• Access ports and trunk ports
• Cost
• Complexity
Switch Security
It is important to secure the switches and have a basic knowledge of:
• Passwords
• Common security attacks
• Port security and unused ports
Passwords
• Secure the console port from unauthorized access
Passwords
• Secure the vty ports from unauthorized access
• Make sure to secure all available vty lines
Passwords
• Configure privileged EXEC mode passwords
• Clear text or encrypted
Passwords
• Configure all passwords as encrypted
Common security attacks
• MAC flooding attack
– MAC table overflow, incorrect entries
• DHCP spoofing
– An illegal DHCP server answers DHCP requests
• CDP attacks
– CDP information is sent as broadcasts
– The information can be used to attack your network
Port Security
• Port security limits the number of valid MAC addresses on a switch port
• Implement port security on all switch ports to:
– Specify a group of valid MAC addresses allowed on a port
– Allow only one MAC address to access the port
– Specify that the port automatically shuts down if unauthorized MAC addresses are detected
Unused ports
• Disable all unused switch ports
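As an added example (not code from the slides or from the course), the following Python audits a switch running-config for the controls the password, port-security and unused-port slides call for, so that the gaps can be found before the attacks on the "Common security attacks" slide are tried against the switch. The sample config is constructed, the set of ports known to be in use is assumed to come from an inventory, and the IOS commands checked (`enable secret`, `service password-encryption`, `login`/`password` on lines, `switchport port-security`, `shutdown`, `no cdp run`) are real IOS syntax; treating CDP as enabled unless `no cdp run` is present reflects the IOS default.

```python
"""Audit a switch running-config for: console/vty passwords, an encrypted
privileged EXEC password, encrypted line passwords, port security on
in-use access ports, shutdown of unused ports and CDP being disabled.

Added illustration; the config and the inventory below are constructed."""

# Constructed sample running-config, reduced to the relevant fragments
SAMPLE_CONFIG = """\
enable password letmein
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
!
interface GigabitEthernet0/1
 switchport mode trunk
!
line con 0
 login
!
line vty 0 4
 password cisco
 login
line vty 5 15
 login
"""
# Assumed inventory of ports that are actually patched to something
IN_USE = {"FastEthernet0/1", "FastEthernet0/2", "GigabitEthernet0/1"}


def parse_blocks(text):
    """Split the config into global lines and (header, [body]) blocks for
    'interface ...' and 'line ...' sections."""
    globals_, blocks, header, body = [], [], None, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(("interface ", "line ")):
            if header:
                blocks.append((header, body))
            header, body = line, []
        elif line.startswith(" ") and header:
            body.append(line.strip())
        else:
            if header:
                blocks.append((header, body))
                header, body = None, []
            if line and line != "!":
                globals_.append(line)
    if header:
        blocks.append((header, body))
    return globals_, blocks


def line_secured(body):
    """A console/vty line is secured when a login method and a credential exist."""
    has_pw = any(b.startswith("password ") for b in body)
    return ("login local" in body
            or any(b.startswith("login authentication") for b in body)
            or ("login" in body and has_pw))


def audit(text, in_use):
    """Return one finding string per missing control."""
    globals_, blocks = parse_blocks(text)
    findings = []
    if not any(g.startswith("enable secret") for g in globals_):
        findings.append("global: no 'enable secret' (privileged EXEC password missing or clear text)")
    if "service password-encryption" not in globals_:
        findings.append("global: 'service password-encryption' not set, line passwords stored in clear text")
    if "no cdp run" not in globals_:
        findings.append("global: CDP still enabled, device details are broadcast to neighbours")
    for header, body in blocks:
        name = header.split(" ", 1)[1]
        if header.startswith("line "):
            if not line_secured(body):
                findings.append(f"{header}: no password/login method, unauthorized access possible")
            continue
        if "switchport mode trunk" in body:
            continue  # trunk to router/switch; port security is checked on access ports only
        if name not in in_use:
            if "shutdown" not in body:
                findings.append(f"{name}: unused port not shut down")
        elif "switchport port-security" not in body:
            findings.append(f"{name}: no port security, MAC flooding from this port is not limited")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, IN_USE):
        print(finding)
```

On the sample config the audit reports the clear-text `enable password`, the missing `service password-encryption`, CDP still running, `line con 0` and `line vty 5 15` having `login` but no password (only vty 0 to 4 is secured, which is exactly the "secure all available vty lines" point), FastEthernet0/2 lacking port security, and FastEthernet0/4 being an unpatched port left enabled. The inventory set is the one input the config cannot supply: which ports are genuinely unused has to come from outside the switch.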