The VLANs and trunks module provides you with the instructions and Cisco hardware to develop
your hands-on skills in configuring VLANs, trunks and VTP on Cisco switches. This module
includes the following exercises:
1) Configuring VLANs
3) Configuring VTP
Lab Diagram
During your session you will have access to the following lab configuration. Depending on the
exercises you may or may not use all of the devices, but they are shown here in the layout to get an
overall understanding of the topology of the lab.
[Lab diagram: the figure itself is not reproduced. The labels it carried are: Internet; ISP1 172.14.0.3/24; ISP2 172.14.0.4/24; Frame-Relay WAN; NYEDGE1 and NYEDGE2 (Cisco 2911 routers, interfaces Gi0/0, Gi0/1, Ser0/0/0, Ser0/0/1, Ser0/1/0, Ser0/1/1); LDNWAN1; 172.16.16.0/24; core switch interfaces Fas1/0/1, Fas1/0/2, Fas1/0/12, Fas1/0/23; NYACCESS1 (Cisco 2960-24 switch, Fas0/23, Fas0/24); PLABCSCO01 Cisco Tools Server (Lab NIC on Fas0/1, 192.168.16.10/24).]
Connecting to your lab
In this module you will be working on the following equipment to carry out the steps defined in each
exercise.
NYCORE1
NYCORE2
NYACCESS1
PLABCSCO01
Each exercise will detail which terminal you are required to work on to carry out the steps.
During the boot up process an activity indicator will be displayed in the device name tab:
If the remote terminal is not displayed automatically in the main window (or popup) click the
Connect icon located in the tools bar to start your session.
Copyright Notice
This document and its content is copyright of Practice-IT - Practice-IT 2014. All rights reserved.
Any redistribution or reproduction of part or all of the contents in any form is prohibited other than
the following:
1) You may print or download to a local hard disk extracts for your personal and non-commercial use
only.
2) You may copy the content to individual third parties for their personal use, but only if you
acknowledge the website as the source of the material. You may not, except with our express
written permission, distribute or commercially exploit the content. Nor may you transmit it or store
it in any other website or other form of electronic retrieval system.
Exercise 1 Configuring VLANs
In this exercise you will learn how to configure VLANs, name them and assign switch ports to be
members of the specified VLANs on a Cisco switch. Please refer to your course material or use your
preferred search engine to gain an understanding of these tasks.
Configuring VLANs
Configuring VLANs on Cisco switches is a straightforward task; however, if you are working on a large
switched network then caution should always be used when creating, and especially when removing,
VLANs.
In this exercise we'll create a number of VLANs and configure interface settings so that an interface is a
member of these VLANs.
Creating a VLAN
First ensure that NYCORE1, NYCORE2 and NYACCESS1 are powered on, then power on the Cisco
Tools Server in the lab. We'll use these switches to build our VLANs, and the Cisco Tools Server will
be used for testing VLAN membership.
Step 1
To create a VLAN, connect to NYCORE1 in the lab and use the following configuration commands.
These commands give each VLAN ID a name which represents a business unit within an
organisation. You need to be in global configuration mode to create a VLAN. The commands below
create a number of VLANs: the first command specifies the VLAN ID and the second command
assigns the VLAN a name.
vlan 5
name Management
vlan 10
name InformationTech
vlan 20
name Marketing
vlan 30
name Research
vlan 40
name HumanResources
This creates five VLANs with IDs 5, 10, 20, 30 and 40 respectively. You will notice that in the output
below I have used exit in some places and not in others. You do not have to type exit once you have
configured a VLAN's settings; you can jump from one VLAN configuration to another simply by
typing vlan followed by the ID.
NYCORE1#configure terminal
NYCORE1(config)#vlan 5
NYCORE1(config-vlan)#name Management
NYCORE1(config-vlan)#exit
NYCORE1(config)#vlan 10
NYCORE1(config-vlan)#name InformationTech
NYCORE1(config-vlan)#vlan 20
NYCORE1(config-vlan)#name Marketing
NYCORE1(config-vlan)#exit
NYCORE1(config)#vlan 30
NYCORE1(config-vlan)#name Research
NYCORE1(config-vlan)#vlan 40
NYCORE1(config-vlan)#name HumanResources
NYCORE1(config-vlan)#exit
NYCORE1(config)#
Step 2
To confirm that we have configured these VLANs we can use the command:
show vlan
NYCORE1#show vlan
Gi1/0/2
5 Management active
10 InformationTech active
20 Marketing active
30 Research active
40 HumanResources active
You will notice that we have the default VLAN 1, plus some additional default VLANs at the end of
the list.
You will also notice in the output that all the interfaces are members of VLAN 1 by default.
Step 3
Create an interface for VLAN5 (management) on NYCORE1 and assign it an IP address as follows:
interface vlan 5
no shutdown
NYCORE1#configure terminal
NYCORE1(config)#interface vlan 5
NYCORE1(config-if)#no shutdown
Step 4
Next we will configure some interfaces to be members of a VLAN. For this example we are going to
make interfaces 8 through 16 members of the InformationTech VLAN, use the range command you
learnt in the previous module to achieve this:
NYCORE1#configure terminal
Notice that we use the VLAN id, not the name to make an interface a member of a VLAN.
Step 5
To view the new settings, issue the show vlan command:
NYCORE1#show vlan
Gi1/0/2
5 Management active
20 Marketing active
30 Research active
40 HumanResources active
Step 6
The PLABCSCO01 server has an IP address of 192.168.16.10. Next we'll see that we are unable
to communicate with this server from a device in another VLAN. Remember that to get from one VLAN
to another, you must go through a layer 3 device.
Recall that you configured an IP address of 192.168.16.5 on the VLAN 5 interface on the NYCORE1
switch at the start of this exercise. Do you remember which VLAN interfaces are members of by
default? The server and switch have IP addresses in the same subnet, but can they communicate?
Are they in the same VLAN, and can you get from one VLAN to another?
NYCORE1#ping 192.168.16.10
.....
As we would have predicted, it appears that our ICMP packets are either not reaching the server, or
the replies are not coming back from the server (or both).
An ARP request would have been sent out to resolve the IP address to a MAC address, but it would
have been incomplete so no data would have gone anywhere:
NYCORE1#show arp
We will resolve this problem later once we have built our network.
The show vlan id command shows us more focused information on a single VLAN. This is handy for
checking which interfaces on the switch are members of the VLAN, whether any SPAN sessions are
attached to this VLAN, the name, etc.:
NYCORE1#show vlan id 10
Fa1/0/22
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
----------------
Disabled
A fantastic command that displays some in-depth information is the show interface switchport
command:
Output on NYCORE1:
Name: Fa1/0/1
Switchport: Enabled
Negotiation of Trunking: On
Protected: false
This shows a wealth of information on the interface, VLAN membership, Access-Lists, Native VLANs,
Voice VLANs and much more.
The next command which shows some detailed information is the show dtp interface command.
This command can be useful to see whether the port is in STP, which mode the interface is in, when it
last came up, when it last went down, etc.
View the output from the following two commands; observe the differences between a trunk link
and an access port:
TOS/TAS/TNS: ACCESS/OFF/ACCESS
TOT/TAT/TNT: NATIVE/NEGOTIATE/NATIVE
Neighbor address 1: 000000000000
Enabled: no
In STP: no
Statistics
----------
0 packets dropped
0 output errors
0 trunk timeouts
TOS/TAS/TNS: ACCESS/OFF/ACCESS
TOT/TAT/TNT: NATIVE/NEGOTIATE/NATIVE
Enabled: no
In STP: no
Statistics
----------
1 packets dropped
0 output errors
0 trunk timeouts
Trunk links, as you will have learnt, enable a number of VLANs to traverse a single link. In the previous
exercise we configured a single interface to be a member of a VLAN; imagine if each link to another
switch could carry just a single VLAN: what if you had 100 VLANs on a switch? This is where
trunk links come into play.
Almost every switch I have ever configured always has more than one VLAN on it. At a minimum you
normally have two, one for the devices attached to the switch and a separate one for the
management of the switch itself (normally not on VLAN 1). Then of course you want all this to be
redundant so you set up a second link and have all the VLANs coming out of that interface too.
Let's configure a trunk link between NYCORE1 and NYCORE2. These two switches have two
FastEthernet connections between them, and we'll trunk the VLANs previously configured on
NYCORE1 down this interface.
Step 1
Connect to NYCORE2 in the lab and confirm that there is no VLAN configuration:
NYCORE2#sho vlan
Gi1/0/2
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
As we can see from the output from the show vlan command there is no other VLAN configuration
other than what is default.
We need to put a base configuration on NYCORE2, including the VLANs that we created on
NYCORE1:
vlan 5
name Management
vlan 10
name InformationTech
vlan 20
name Marketing
vlan 30
name Research
vlan 40
name HumanResources
NYCORE2#configure terminal
NYCORE2(config)#vlan 5
NYCORE2(config-vlan)#name Management
NYCORE2(config-vlan)#vlan 10
NYCORE2(config-vlan)#name InformationTech
NYCORE2(config-vlan)#vlan 20
NYCORE2(config-vlan)#name Marketing
NYCORE2(config-vlan)#vlan 30
NYCORE2(config-vlan)#name Research
NYCORE2(config-vlan)#vlan 40
NYCORE2(config-vlan)#name JumanResources
NYCORE2(config-vlan)#name HumanResources
NYCORE2(config-vlan)#exit
NYCORE2(config)#
Step 2
Next we will configure a trunk link. For this example we will configure a trunk on interface
FastEthernet 1/0/24 on both switches. We should configure the trunk link at both ends, which means
configuring both NYCORE1 and NYCORE2 with the following commands:
Note: There is no requirement for the command switchport trunk allowed vlan all.
NYCORE1#configure terminal
NYCORE2#configure terminal
Fa1/0/22 1-4094
Fa1/0/24 1-4094
Fa1/0/22 1,5,10,20,30,40
Fa1/0/24 1,5,10,20,30,40
Fa1/0/22 1,5,10,20,30,40
Fa1/0/24 1,5,10,20,30,40
Fa1/0/24 1-4094
Fa1/0/24 1,5,10,20,30,40
The output from this command on NYCORE2 (most of the output has been omitted):
Notice that "Vlans allowed on trunk" is essentially all VLANs, and that the VLANs that are active
include all the VLANs that are present on the switch. Also note the native VLAN: if the trunk fails,
this is the VLAN that remains active on the link. As an extra point, which VLAN do you think you
should set this to?
Step 1
Configure interface VLAN 5 on NYCORE2 with an IP Address of 192.168.16.6 /24. Please note that
Layer 3 switching is covered in a separate module.
interface vlan 5
no shutdown
NYCORE2#configure terminal
NYCORE2(config)#interface vlan 5
NYCORE2(config-if)#no shutdown
Step 2
Now let's see if we can communicate with NYCORE1 at 192.168.16.5:
ping 192.168.16.5
Output from NYCORE2:
NYCORE2#ping 192.168.16.5
.!!!!
You may want to do this for a number of reasons; personally I prefer to nail down the VLANs that
are allowed on trunks, as this stops admins from just adding users into VLANs that shouldn't really
be on that switch. Later you will see that VTP allows you to add VLANs all over your switched
network with ease, and this is when things can rapidly get out of hand unless you keep a tight
leash on things.
To remove a VLAN from a trunk you can use the following commands:
NYCORE2#configure terminal
NYCORE2(config)#interface fas
Fa1/0/24 1-9,11-4094
Fa1/0/22 1,5,10,20,30,40
Fa1/0/24 1,5,20,30,40
Fa1/0/22 1,5,10,20,30,40
Fa1/0/24 1,5,20,30,40
A VLAN only has to be removed at one end for the setting to take effect (however this is NOT
recommended, as packets from the removed VLAN will still traverse the link only to be dropped at
the other end, a waste of valuable bandwidth!). Observe the output from the same command on
NYCORE1.
NYCORE2#configure terminal
Confirm that the VLAN has been added back using the show interface trunk command.
Name: Fa1/0/24
Switchport: Enabled
Negotiation of Trunking: On
However, if you want to set the configuration so that a trunk link is desirable or even off you can use
the following commands:
NYCORE1#configure terminal
You can view the change in trunk state using the show interface fastethernet1/0/24 switchport
command:
Name: Fa1/0/24
Switchport: Enabled
The show interfaces status command also shows the operational state of an interface:
As you can see in the output the fas1/0/24 interface is set to a trunk (you will also notice a number
of other interfaces are also in a trunked state, do you know why?).
Also view the output from the show dtp interface fastethernet 1/0/24 command:
TOS/TAS/TNS: TRUNK/DESIRABLE/TRUNK
TOT/TAT/TNT: 802.1Q/802.1Q/802.1Q
Step 1
On NYCORE2 we configured an address on VLAN 5. Let's set VLAN 5 as the native VLAN (this should
be set at both ends, otherwise CDP picks up on the problem and continually warns you; although this is
not a major issue, it's not good practice).
Use the following command on Fastethernet 1/0/24 on both NYCORE1 and NYCORE2 switches:
NYCORE2#configure terminal
Notice the CDP error on NYCORE2 (you will need to leave the configuration off of NYCORE2 for a
minute for the error to occur):
NYCORE1#configure terminal
Note: This exercise assumes you are continuing on from exercises 1 and 2 in this module. If you are
not, you will need to make the configuration changes to the lab that are outlined in the previous
exercises.
Step 1
On NYCORE1, check to see which VTP operating mode the switch is running in by using the following
command:
Device ID : 0024.514b.0800
Feature VLAN:
--------------
Configuration Revision : 5
MD5 digest : 0x46 0x05 0x29 0x2B 0x51 0x01 0xD6 0xB7
Use the same command on NYCORE2 and you will notice that they are both already VTP servers. As
there is no domain name, the switches won't exchange any information. Also note, which is very
important, the configuration revision that is displayed in this output (in my output the revision
number is 5).
You can also see that the VTP version running is version 1. In the next step we'll change this to
version 2.
Step 2
Next we'll change the domain name and set up a password so that we exchange information only with
authenticated peers.
Repeat these commands in global configuration mode on both NYCORE1 and NYCORE2:
vtp version 2
Script on NYCORE1:
NYCORE1#configure terminal
NYCORE1(config)#vtp version 2
You will notice that when you configure the second switch that some of the commands will report
that the domain and version has already been set!
NYCORE2#configure terminal
NYCORE2(config)#vtp version 2
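As an added example (not part of the original lab material), the following Python script parses the show vtp status output examined in Step 1 and checks a switch against the state Step 2 is working towards: a domain name set, VTP version 2, and the operating mode that matches the switch's role. The two sample outputs are constructed in a simplified key : value layout to mirror the values in the text (server, no domain, revision 5, version 1 for NYCORE1; a client in the configured domain for NYACCESS1) rather than captured from the lab, and the domain name EXAMPLEDOMAIN is an assumed placeholder. The VTP password is not shown by show vtp status, so it is not checked here.

```python
import re

# Constructed sample outputs (not captured from the lab). The first mirrors the
# values the text reports for NYCORE1 before Step 2: server mode, empty domain,
# revision 5, running VTP version 1. The second is what a correctly configured
# NYACCESS1 client would look like after Steps 2 and 4, with the assumed domain
# name EXAMPLEDOMAIN.
NYCORE1_BEFORE = """\
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 5
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 10
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
MD5 digest                      : 0x46 0x05 0x29 0x2B 0x51 0x01 0xD6 0xB7
"""

NYACCESS1_AFTER = """\
VTP Version                     : running VTP2
Configuration Revision          : 7
VTP Operating Mode              : Client
VTP Domain Name                 : EXAMPLEDOMAIN
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
"""


def parse_vtp_status(text: str) -> dict:
    """Turn the 'key : value' lines of show vtp status into a dict."""
    status = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        status[key.strip()] = value.strip()
    return status


def running_version(status: dict) -> int:
    """VTP version in use: read 'running VTPn' if present, else fall back to V2 Mode."""
    match = re.search(r"running VTP(\d)", status.get("VTP Version", ""))
    if match:
        return int(match.group(1))
    return 2 if status.get("VTP V2 Mode", "").lower() == "enabled" else 1


def revision(status: dict) -> int:
    """Configuration revision, the number the text singles out as very important."""
    return int(status.get("Configuration Revision", "0"))


def audit_vtp(status: dict, expected_mode: str, expected_domain: str) -> list:
    """Findings against the target state of Steps 2 and 4: a domain name, VTP
    version 2, and the mode that matches the switch's role (server or client)."""
    findings = []
    domain = status.get("VTP Domain Name", "")
    if not domain:
        findings.append("no VTP domain name: the switch exchanges no VLAN information")
    elif domain != expected_domain:
        findings.append(f"domain '{domain}' differs from expected '{expected_domain}'")
    if running_version(status) != 2:
        findings.append(f"running VTP version {running_version(status)}, expected 2")
    mode = status.get("VTP Operating Mode", "")
    if mode.lower() != expected_mode.lower():
        findings.append(f"operating mode is '{mode}', expected '{expected_mode}'")
    return findings


def run_example() -> dict:
    """Audit both constructed samples: NYCORE1 reports two findings, NYACCESS1 none."""
    return {
        "NYCORE1": audit_vtp(parse_vtp_status(NYCORE1_BEFORE), "Server", "EXAMPLEDOMAIN"),
        "NYACCESS1": audit_vtp(parse_vtp_status(NYACCESS1_AFTER), "Client", "EXAMPLEDOMAIN"),
    }


if __name__ == "__main__":
    for switch, findings in run_example().items():
        print(switch, findings or "OK")
```

Run it against pasted output from each switch in turn; the revision() helper is there so you can compare the revision numbers of two switches side by side before joining a new switch to the domain.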
Step 3
Next we will test VTP functionality by creating a new VLAN on NYCORE1 and see if this VLAN
information gets propagated to NYCORE2. First verify the VLAN database by using the show vlan
command:
NYCORE1#show vlan
5 Management active
20 Marketing active
30 Research active
40 HumanResources active
We can see that VLANs 5, 10, 20, 30 and 40 are present. Create VLAN id 50 with a name of Finance:
vlan 50
name Finance
NYCORE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYCORE1(config)#vlan 50
NYCORE1(config-vlan)#name Finance
NYCORE1(config-vlan)#exit
NYCORE2#show vlan
5 Management active
10 InformationTech active
20 Marketing active
30 Research active
40 HumanResources active
50 Finance active
Step 4
Next we'll add NYACCESS1 to the mix, but this time we'll make NYACCESS1 a client:
NYACCESS1#configure terminal
Step 5
You will find that the trunk links between all the switches have been dynamically created, which is
the default behaviour. Use the commands you learnt in the previous exercise to confirm this.
If you have completed everything correctly you should have a VLAN database on NYACCESS1 as
follows:
NYACCESS1#show vlan
Fa0/21, Fa0/22
5 Management active
10 InformationTech active
20 Marketing active
30 Research active
40 HumanResources active
50 Finance active
VTP Counters
Next we'll look at the VTP counters; these can be useful for troubleshooting to see whether advertisements
are occurring or not. On NYACCESS1, use the command:
VTP statistics:
non-pruning-capable device
Fa0/23 1 1 0
Fa0/24 1 0 0
Now create a new VLAN on NYCORE2 (just to prove that this switch is also a server): use VLAN ID 60 with
a name of Sales, and take a note of the new counters on NYACCESS1:
VTP statistics:
non-pruning-capable device
Fa0/23 1 1 0
Fa0/24 1 0 0
VTP Pruning
Finally we'll cover VTP pruning, which limits the VLANs present on trunk links by working out which
VLANs are required on each switch.
NYACCESS1 for example shows that all the VLANs are allowed and are in the spanning-tree domain
on the switch:
Fa0/23 1-4094
Fa0/24 1-4094
Fa0/23 1,5,10,20,30,40,50,60
Fa0/24 1,5,10,20,30,40,50,60
Fa0/23 1,5,10,20,30,40,50,60
Fa0/24 1,5,10,20,30,40,50,60
However, this switch's ports are all in VLAN 1, so it doesn't really need all those other VLANs
on the trunk.
VTP pruning helps us in this situation. To enable pruning use the following global configuration
command on one of the VTP Servers:
vtp pruning
Script on NYCORE2:
NYCORE2#configure terminal
NYCORE2(config)#vtp pruning
Pruning switched on
Now look at the output from the command show interface trunk on NYACCESS1:
Fa0/23 1-4094
Fa0/24 1-4094
Fa0/23 1,5,10,20,30,40,50,60
Fa0/24 1,5,10,20,30,40,50,60
Fa0/23 1,5
Fa0/24 1,5,10
Now restrict the VLANs on the trunk to only allow VLANs 1, 5 and 10 using the following command
on interface fastethernet 1/0/23 and 1/0/24:
NYACCESS1#configure terminal
Fa0/23 1,5,10
Fa0/24 1,5,10
Fa0/23 1,5,10
Fa0/24 1,5,10
Fa0/23 1,5
Fa0/24 1,5,10
Step 1
First configure the server's connection to the network to be in VLAN 5. To locate the server we can
use some commands we have previously learnt:
Locate this MAC address on the network (replace the relevant address with your results from the
server):
NYCORE1#
Step 2
Confirm where the server's connection is located on NYACCESS1:
Step 3
Change the interface where the server is connected to be in VLAN 5:
NYACCESS1#configure terminal
Step 4
Finally confirm using a ping on the server that you can reach NYCORE1 and NYCORE2:
Leave the devices powered on and in their current states and continue to the next exercise.
Exercise 4 Securing Trunk Links
In this exercise you will learn how to secure trunk links from a number of attacks, namely switch
spoofing and VLAN hopping.
Switch spoofing
Switch spoofing can occur if a switch port has been left in its default configuration. Spoofing can be
attempted by a rogue device (say a PC, for example) sending DTP (Dynamic Trunking Protocol) packets
to the switch interface. By default, a switch port will attempt to negotiate a trunk (as you have seen
already). PCs don't normally send out these packets, but if a PC did then it could potentially
negotiate a trunk link (servers often have trunk links, especially in today's networks due to the
rapid rise of VMware).
Name: Fa1/0/18
Switchport: Enabled
Negotiation of Trunking: On
If your real trunk between the switch that this PC is connected to, and the next in the chain also has
default configuration, then the switch will pass ALL VLANs down the trunk, which would give the
attacker access to ALL the VLANs on your network (albeit there may be other mitigating factors that
would prevent this).
Resolution
The fix for this problem is to change the default configuration of your switch interfaces. It is a very
simple fix, you can simply use the commands:
interface mod/port
Script on NYCORE1:
NYCORE1#configure terminal
NYCORE1(config-if-range)#sw
This would stop any of these interfaces from negotiating a trunk and place them in an unused VLAN
of 999 (in our lab, in your production environment VLAN 999 may be used so be careful!). Notice
that the command created VLAN 999.
Name: Fa1/0/17
Switchport: Enabled
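The Resolution above is applied port by port; on a switch with 24 or 48 ports it is easy to miss one. As an added example (not part of the original lab material), the following Python script parses a running-config and reports every interface that can still negotiate a trunk, plus any port whose mode does not match its intended role. The running-config excerpt is constructed rather than captured from the lab, and the hardened form it assumes for an access port (switchport mode access, switchport access vlan 999, switchport nonegotiate) is my assumption about the commands elided from the script above.

```python
# Constructed running-config excerpt, not captured from the lab. Fa1/0/17 is in the
# hardened form assumed for the Resolution above (static access mode, parked in the
# unused VLAN 999, DTP switched off with switchport nonegotiate); Fa1/0/18 is a port
# still at its defaults; Fa1/0/24 is the real trunk from Exercise 2.
RUNNING_CONFIG = """\
!
interface FastEthernet1/0/17
 switchport access vlan 999
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/24
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> dict:
    """Map each 'interface <name>' stanza to its list of indented commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line ends the stanza
    return stanzas


def switchport_mode(cmds: list) -> str:
    """'access', 'trunk', 'dynamic auto', 'dynamic desirable', or 'default' when unset."""
    for cmd in cmds:
        if cmd.startswith("switchport mode "):
            return cmd[len("switchport mode "):].strip()
    return "default"


def audit_dtp(stanzas: dict, trunk_ports=()) -> dict:
    """Per-interface findings: ports that can still negotiate a trunk with whatever
    is plugged in, and ports that do not match their intended role."""
    findings = {}
    for name, cmds in stanzas.items():
        issues = []
        mode = switchport_mode(cmds)
        if mode == "default" or mode.startswith("dynamic"):
            issues.append("DTP negotiation active: no static switchport mode set")
        elif "switchport nonegotiate" not in cmds:
            issues.append("DTP frames still sent: switchport nonegotiate missing")
        if mode in ("default", "access") and not any(
            c.startswith("switchport access vlan ") for c in cmds
        ):
            issues.append("access port left in VLAN 1")
        if name in trunk_ports and mode != "trunk":
            issues.append("expected a static trunk on this port")
        if name not in trunk_ports and mode == "trunk":
            issues.append("trunk on a port not listed as an uplink")
        findings[name] = issues
    return findings


def run_example() -> dict:
    """Audit the constructed config; only the untouched Fa1/0/18 should be reported."""
    return audit_dtp(parse_interfaces(RUNNING_CONFIG), trunk_ports=("FastEthernet1/0/24",))


if __name__ == "__main__":
    for port, issues in run_example().items():
        print(port, issues or "OK")
```

The trunk_ports list is the one piece of intent the config cannot tell you; keep it alongside the script so that a trunk appearing on an unexpected port (the symptom of a successful negotiation) stands out.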
VLAN Hopping
Consider a scenario where you have two switches, NYCORE1 and NYCORE2. There is a trunk link
between the two switches with a native VLAN configured as VLAN 100. The attacker is also on VLAN
100 as you have decided that you want your PCs to be able to communicate in the event the trunk
link fails.
The attacker crafts a frame that carries a double VLAN tag: VLAN 100 as the outer tag and, for
example, VLAN 200 as the inner tag. He sends the frame, which is received by NYCORE1 on VLAN 100;
NYCORE1 forwards the frame across the trunk link with the outer tag stripped, as that tag is the same
as the native VLAN. When NYCORE2 receives the frame it inspects the tag it now carries, which is just
VLAN 200, so the switch removes that tag and forwards the frame on to VLAN 200. At this point, the
attacker has successfully managed to get a frame from VLAN 100 on to VLAN 200 without the
requirement of a router or layer 3 device!
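To make the mechanism concrete from the monitoring side, here is an added Python example (not part of the original lab material) that walks the 802.1Q tag stack of a captured frame and models the native VLAN behaviour described above: with the native VLAN set to 100, the outer tag is dropped on the trunk and NYCORE2 places the frame in VLAN 200; with the native VLAN moved to an unused ID such as 999, the same frame stays tagged 100 end to end and never leaves its VLAN. The two frames are constructed byte strings, not captures from the lab; a double-tagged frame whose outer tag equals the trunk's native VLAN is the condition a SPAN-fed sensor should alert on.

```python
import struct

DOT1Q = 0x8100  # 802.1Q tag protocol identifier

# Constructed frames, not captures from the lab: broadcast destination, a dummy
# source, then the tag stack, an IPv4 ethertype and four payload bytes.
DOUBLE_TAGGED = bytes.fromhex(
    "ffffffffffff" "000000000001"   # dst, src
    "8100" "0064"                   # 802.1Q, TCI: PCP 0, VLAN 100 (outer)
    "8100" "00c8"                   # 802.1Q, TCI: PCP 0, VLAN 200 (inner)
    "0800" "00000000"               # IPv4 ethertype, payload
)
SINGLE_TAGGED = bytes.fromhex(
    "ffffffffffff" "000000000001" "8100" "0064" "0800" "00000000"
)


def parse_vlan_tags(frame: bytes) -> tuple:
    """Walk the 802.1Q headers after the MAC addresses and return
    (VLAN IDs from outer to inner, the ethertype that follows the last tag)."""
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype != DOT1Q:
            return tags, ethertype
        if len(frame) < offset + 2:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID


def tags_after_trunk(tags: list, native_vlan: int) -> list:
    """Model the behaviour described in the text: a frame whose outer tag equals
    the trunk's native VLAN crosses the trunk untagged, so the far switch sees
    only the remaining (inner) tags."""
    if tags and tags[0] == native_vlan:
        return tags[1:]
    return list(tags)


def vlan_hop_check(frame: bytes, native_vlan: int) -> dict:
    """Which VLAN the far end of the trunk would deliver this frame into, and
    whether that differs from the VLAN the frame was sent on (a hop)."""
    tags, _ = parse_vlan_tags(frame)
    remaining = tags_after_trunk(tags, native_vlan)
    peer_vlan = remaining[0] if remaining else native_vlan
    return {
        "tags": tags,
        "peer_vlan": peer_vlan,
        "hop": len(tags) >= 2 and peer_vlan != tags[0],
    }


if __name__ == "__main__":
    print("native 100:", vlan_hop_check(DOUBLE_TAGGED, native_vlan=100))
    print("native 999:", vlan_hop_check(DOUBLE_TAGGED, native_vlan=999))
```

Note that the model only covers the native VLAN stripping step; an access port that refuses tagged frames, or a trunk that does not carry VLAN 200, would stop the frame earlier, which is the "other mitigating factors" point made under switch spoofing.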
Resolution
Contrary to my previous statement about having a native VLAN of the management address, the fix
for this attack is to set the native VLAN on a trunk to a VLAN id that is not in use, 999 for example
may be a good id (or 911 if you are in the US!).
You must then also remove this VLAN from the trunk.
For example:
vlan 999
name HOPAVOID
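As an added example (not part of the original lab material), the following Python script audits the two ends of a trunk from their show interfaces trunk output. It reports the two conditions this module warns about: VLANs allowed at one end only, the situation in Exercise 2 where a VLAN is removed from the trunk on NYCORE2 but not on NYCORE1 and traffic crosses the link only to be dropped, and a native VLAN that is still in the allowed list, which is what the fix above removes (it also reports a native VLAN mismatch, the condition CDP complains about). The two outputs are constructed to mirror the one-sided removal of VLAN 10 with the native VLAN left at 1, not captured from the lab.

```python
# Constructed 'show interfaces trunk' excerpts for the Fa1/0/24 end of the
# NYCORE1<->NYCORE2 link, not captured from the lab. They mirror the state the
# text describes after VLAN 10 has been removed on NYCORE2 only.
NYCORE1_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa1/0/24    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/0/24    1-4094

Port        Vlans allowed and active in management domain
Fa1/0/24    1,5,10,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/24    1,5,10,20,30,40
"""

NYCORE2_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa1/0/24    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/0/24    1-9,11-4094

Port        Vlans allowed and active in management domain
Fa1/0/24    1,5,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/24    1,5,20,30,40
"""


def expand_vlans(spec: str) -> set:
    """'1-9,11-4094' -> the set of VLAN IDs it denotes; 'none' -> empty set."""
    vlans = set()
    if spec.strip().lower() == "none":
        return vlans
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text: str) -> dict:
    """Return {port: {'native': int, 'allowed': set}} from show interfaces trunk."""
    trunks, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            if "Native vlan" in line:
                section = "status"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None  # the 'active' and 'not pruned' tables are not needed here
            continue
        fields = line.split()
        if section == "status":
            trunks.setdefault(fields[0], {})["native"] = int(fields[-1])
        elif section == "allowed":
            trunks.setdefault(fields[0], {})["allowed"] = expand_vlans(fields[1])
    return trunks


def audit_trunk_pair(local: dict, remote: dict, local_port: str, remote_port: str) -> dict:
    """Compare the two ends of one trunk: VLANs allowed on one side only, a native
    VLAN mismatch, and a native VLAN that is still allowed on the trunk."""
    l, r = local[local_port], remote[remote_port]
    return {
        "asymmetric": sorted(l["allowed"] ^ r["allowed"]),
        "native_mismatch": l["native"] != r["native"],
        "native_allowed": [
            end for end, t in (("local", l), ("remote", r)) if t["native"] in t["allowed"]
        ],
    }


def run_example() -> dict:
    """Audit the constructed NYCORE1/NYCORE2 pair: VLAN 10 is asymmetric and the
    native VLAN 1 is still allowed at both ends."""
    return audit_trunk_pair(
        parse_show_trunk(NYCORE1_TRUNK), parse_show_trunk(NYCORE2_TRUNK), "Fa1/0/24", "Fa1/0/24"
    )


if __name__ == "__main__":
    print(run_example())
```

Once the native VLAN has been moved to 999 and removed from the allowed list at both ends, native_allowed comes back empty; a non-empty asymmetric list after any change to a trunk is the cue to repeat the change on the other switch.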
Also Try
Using your lab infrastructure you can attempt the following topics at your own pace, these are
additional tasks that can be done building on what you have learnt in this module:
Configure the trunk between the two CORE switches to use ISL instead of 802.1Q encapsulation.
Can you change this on NYACCESS1?
Can you create a VLAN on NYACCESS1?
Change NYACCESS1 to transparent mode and try and create a VLAN (switch it back to a client
after).