For what reason would a network administrator use the show interfaces trunk command on a switch?

When first learning about switches, students have trouble knowing where to start troubleshooting. Pay particular attention to the show commands in this section to verify your configurations using the described techniques instead of simply using the show running-configuration command.

IP Addressing Issues with VLAN (3.2.4.1)

Each VLAN must correspond to a unique IP subnet. If two devices in the same VLAN have different subnet addresses, they cannot communicate. This is a common problem, and it is easy to solve by identifying the incorrect configuration and changing the subnet address to the correct one.

In Figure 3-22, PC1 cannot connect to the web/TFTP server shown.

Figure 3-22 IP Issue Within a VLAN

A check of the IP configuration settings of PC1 shown in Figure 3-23 reveals the most common error in configuring VLANs: an incorrectly configured IP address. PC1 is configured with an IP address of 172.172.10.21, but it should have been configured with 172.17.10.21.

Figure 3-23 Incorrect IP Address Problem

The PC1 Fast Ethernet configuration dialog box shows the updated IP address of 172.17.10.21. In Figure 3-24, the output on the bottom reveals that PC1 has regained connectivity to the web/TFTP server found at IP address 172.17.10.30.

Figure 3-24 Change PC IP Address

Missing VLANs (3.2.4.2)

If there is still no connection between devices in a VLAN, but IP addressing issues have been ruled out, see the flowchart in Figure 3-25 to troubleshoot.

Figure 3-25 Missing VLAN Flowchart

  • As shown in Figure 3-25, use the show vlan command to check whether the port belongs to the expected VLAN. If the port is assigned to the wrong VLAN, use the switchport access vlan command to correct the VLAN membership on a particular port. Use the show mac address-table command to check which addresses were learned on a particular port of the switch and to which VLAN that port is assigned, as shown in the following output.

    S1# show mac address-table interface fastethernet 0/1
              Mac Address Table
    ---------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
      10    000c.296a.a21c    DYNAMIC     Fa0/1
      10    000f.34f9.9181    DYNAMIC     Fa0/1
    Total MAC addresses for this criterion: 2

  • If the VLAN to which the port is assigned is deleted, the port becomes inactive. Use the show vlan or show interfaces switchport command to verify whether a VLAN is active.

    S1# show interfaces fastethernet0/1 switchport
    Name: Fa0/1
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Off
    Access Mode VLAN: 10 (Inactive)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    <output omitted>

In the previous example of a MAC address table, the output shows the MAC addresses that were learned on the F0/1 interface. It can be seen that MAC address 000c.296a.a21c was learned on interface F0/1 in VLAN 10. If this number is not the expected VLAN number, change the port VLAN membership using the switchport access vlan command.

Introduction to Troubleshooting Trunks (3.2.4.3)

A common task of a network administrator is to troubleshoot trunk link formation or links incorrectly behaving as trunk links. Sometimes a switch port may behave like a trunk port even if it is not configured as a trunk port. For example, an access port might accept frames from VLANs different from the VLAN to which it is assigned. This is called VLAN leaking, which is caused by a mismatched native VLAN or misconfigured trunk.

Figure 3-26 displays a flowchart of general trunk troubleshooting guidelines.

Figure 3-26 Trunk Troubleshooting Flowchart

To troubleshoot issues when a trunk is not forming or when VLAN leaking is occurring, proceed as follows:

  • Use the show interfaces trunk command to check whether the local and peer native VLANs match. If the native VLAN does not match on both sides, VLAN leaking occurs.
  • Use the show interfaces trunk command to check whether a trunk has been established between switches. Statically configure trunk links whenever possible. Cisco Catalyst switch ports use DTP by default and attempt to negotiate a trunk link.

To display the status of the trunk, determine the native VLAN used on that trunk link and verify trunk establishment using the show interfaces trunk command. The following output shows that the native VLAN on one side of the trunk link was changed to VLAN 2. If one end of the trunk is configured as native VLAN 99 and the other end is configured as native VLAN 2, a frame sent from VLAN 99 on one side is received on VLAN 2 on the other side. VLAN 99 leaks into the VLAN 2 segment.

SW1# show interfaces f0/1 trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       auto         802.1q         trunking      2
<output omitted>

CDP displays a notification of a native VLAN mismatch on a trunk link with this message:

*Mar 1 06:45:26.232: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (2), with S2 FastEthernet0/1 (99).

Connectivity issues occur in the network if a native VLAN mismatch exists. Data traffic for VLANs, other than the two native VLANs configured, successfully propagates across the trunk link, but data associated with either of the native VLANs does not successfully propagate across the trunk link.

Common Problems with Trunks (3.2.4.4)

Trunking issues are usually associated with incorrect configurations, as shown in Table 3-9.

Table 3-9 Common Problems with Trunks

Problem                  Result                                                              Example
Native VLAN mismatch     Poses a security risk and creates unintended results                One port is defined as native VLAN 99 and the opposite trunk end is defined as native VLAN 100.
Trunk mode mismatch      Causes loss of network connectivity                                 One end of the trunk is configured as trunk mode "off" and the other as trunk mode "on."
Allowed VLANs on trunks  Causes unexpected traffic or no traffic to be sent over the trunk   The list of allowed VLANs does not support current VLAN trunking requirements.

When configuring VLANs and trunks on a switched infrastructure, the following types of configuration errors are the most common:

  • Native VLAN mismatches: Trunk ports are configured with different native VLANs. This configuration error generates console notifications, and causes control and management traffic to be misdirected. This poses a security risk.
  • Trunk mode mismatches: One trunk port is configured with trunk mode off and the other with trunk mode on. This configuration error causes the trunk link to stop working.
  • Allowed VLANs on trunks: The list of allowed VLANs on a trunk has not been updated with the current VLAN trunking requirements. In this situation, unexpected traffic or no traffic is sent over the trunk.

If an issue with a trunk is discovered and if the cause is unknown, start troubleshooting by examining the trunks for a native VLAN mismatch. If that is not the cause, check for trunk mode mismatches, and finally check for the allowed VLAN list on the trunk. The next two sections examine how to fix the common problems with trunks.

Trunk Mode Mismatches (3.2.4.5)

Trunk links are normally configured statically with the switchport mode trunk command. Cisco Catalyst switch trunk ports use DTP to negotiate the state of the link. When a port on a trunk link is configured with a trunk mode that is incompatible with the neighboring trunk port, a trunk link fails to form between the two switches.

In Figure 3-27, PC4 cannot connect to the internal web server. The topology indicates a valid configuration. Why is there a problem?

Figure 3-27 Trunk Scenario Topology

Check the status of the trunk ports on switch S1 using the show interfaces trunk command. The following output reveals that interface Fa0/3 on switch S1 is not currently a trunk link. Examining the F0/3 interface reveals that the switch port is actually in dynamic auto mode.

Output from Switch S1:

S1# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,99

Port        Vlans allowed and active in management domain
Fa0/1       10,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       10,99
S1# show interfaces f0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: dynamic auto
<output omitted>

An examination of the trunks on switch S3 reveals that there are no active trunk ports. Further checking reveals that the Fa0/3 interface is also in dynamic auto mode. This explains why the trunk is down as shown in the output.

Output from Switch S3:

S3# show interfaces trunk
S3#
S3# show interfaces f0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: dynamic auto
<output omitted>

To resolve the issue, reconfigure the trunk mode of the F0/3 ports on switches S1 and S3, as shown in the following output. After the configuration change, the output of the show interfaces switchport command indicates that the port on switch S1 is now in trunking mode. The output from PC4 indicates that it has regained connectivity to the web/TFTP server found at IP address 172.17.10.30.

Output from Switch S1:

S1# config terminal
S1(config)# interface fastethernet0/3
S1(config-if)# switchport mode trunk
S1(config-if)# end
S1# show interfaces fa0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
<output omitted>

Output from Switch S3:

S3# config terminal
S3(config)# interface fastethernet0/3
S3(config-if)# switchport mode trunk
S3(config-if)# end
S3# show interfaces fa0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
<output omitted>
S3# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/3       10,99

Port        Vlans allowed and active in management domain
Fa0/3       10,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       10,99

Output from Computer PC4:

PC4> ping 172.17.10.30
Pinging 172.17.10.30 with 32 bytes of data:
Reply from 172.17.10.30: bytes=32 time=147ms TTL=128
<output omitted>

Incorrect VLAN List (3.2.4.6)

For traffic from a VLAN to be transmitted across a trunk, it must be allowed on the trunk. To do so, use the switchport trunk allowed vlan vlan-id command.

In Figure 3-28, VLAN 20 (Student) and PC5 have been added to the network. The documentation has been updated to show that the VLANs allowed on the trunk are 10, 20, and 99. In this scenario, PC5 cannot connect to the student email server.

Figure 3-28 Incorrect VLAN List Scenario Topology

Check the trunk ports on switch S3 using the show interfaces trunk command as shown in the output that follows.

Output from Switch S3:

S3# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/3       10,20,99

Port        Vlans allowed and active in management domain
Fa0/3       10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       10,20,99

The command reveals that the interface F0/3 on switch S3 is correctly configured to allow VLANs 10, 20, and 99 as shown in the output.

An examination of the F0/3 interface on switch S1 reveals that interfaces F0/1 and F0/3 allow only VLANs 10 and 99. Someone updated the documentation but forgot to reconfigure the ports on the S1 switch, as shown in the output.

Output from Switch S1:

S1# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,99
Fa0/3       10,99
<output omitted>

Reconfigure F0/1 and F0/3 on switch S1 using the switchport trunk allowed vlan 10,20,99 command as shown in the following output. The output shows that VLANs 10, 20, and 99 are now added to the F0/1 and F0/3 ports on switch S1. The show interfaces trunk command is an excellent tool for revealing common trunking problems.

Output from Switch S1:

S1# config terminal
S1(config)# interface f0/1
S1(config-if)# switchport trunk allowed vlan 10,20,99
S1(config-if)# interface f0/3
S1(config-if)# switchport trunk allowed vlan 10,20,99
S1(config-if)# end
S1# show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,20,99
Fa0/3       10,20,99
<output omitted>

PC5 has regained connectivity to the student email server found at IP address 172.17.20.10.

Output from Computer PC5:

PC5> ping 172.17.20.10
Pinging 172.17.20.10 with 32 bytes of data:
Reply from 172.17.20.10: bytes=32 time=147ms TTL=128
<output omitted>
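The three trunk checks of section 3.2.4.4 (native VLAN, trunk mode, allowed VLAN list) can be applied mechanically to captured show interfaces trunk output from both ends of a link, which is what the scenarios in 3.2.4.5 and 3.2.4.6 walk through by hand. The Python script below is an added example, not code from the chapter or from Cisco; the switch outputs embedded in it are constructed from the output formats shown above, and the dict layout passed to check_trunk is this example's own convention.

```python
import re

# Constructed samples in the 'show interfaces trunk' format this chapter uses (not real captures).
S1_TRUNK = """S1# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/3       10,99
<output omitted>
"""
S3_TRUNK = S1_TRUNK.replace("S1#", "S3#").replace("10,99", "10,20,99")  # S3 also allows VLAN 20
S3_NO_TRUNK = "S3# show interfaces trunk\nS3#\n"                           # no trunk has formed
S3_SWITCHPORT = "S3# show interfaces f0/3 switchport\nName: Fa0/3\nAdministrative Mode: dynamic auto\n"


def expand_vlan_list(spec):
    """Expand a Cisco VLAN list such as '10,20,99' or '1-4094' into a set of VLAN IDs."""
    vlans = set()
    for part in (spec.split(",") if spec.lower() != "none" else []):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_interfaces_trunk(text):
    """Return {port: {'mode', 'status', 'native', 'allowed'}} parsed from 'show interfaces trunk'."""
    ports, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):       # blank line or <output omitted>
            continue
        if line.startswith("Port"):                 # each column header opens a new block
            section = "status" if "Native vlan" in line else "allowed" if "allowed on trunk" in line else None
            continue
        if section == "status":
            m = re.match(r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$", line)
            if m:
                port, mode, _encap, status, native = m.groups()
                ports[port] = {"mode": mode, "status": status, "native": int(native), "allowed": set()}
        elif section == "allowed":
            m = re.match(r"(\S+)\s+(\S+)$", line)
            if m and m.group(1) in ports:
                ports[m.group(1)]["allowed"] = expand_vlan_list(m.group(2))
    return ports


def parse_admin_mode(switchport_text):
    """Pull the 'Administrative Mode' value out of 'show interfaces <id> switchport' output."""
    m = re.search(r"Administrative Mode:\s*(.+)", switchport_text)
    return m.group(1).strip() if m else "unknown"


def check_trunk(local, peer):
    """Run the three section 3.2.4.4 checks, in the recommended order, on one trunk link.

    Each end is a dict with name, port, trunk (show interfaces trunk text) and, optionally,
    switchport (show interfaces <id> switchport text, consulted when the port is not trunking).
    """
    a = parse_show_interfaces_trunk(local["trunk"]).get(local["port"])
    b = parse_show_interfaces_trunk(peer["trunk"]).get(peer["port"])
    findings = []
    if a and b and a["native"] != b["native"]:      # 1. native VLAN mismatch -> VLAN leaking
        findings.append(f"native VLAN mismatch: {local['name']} {local['port']} uses {a['native']}, "
                        f"{peer['name']} {peer['port']} uses {b['native']}")
    for end, info in ((local, a), (peer, b)):        # 2. trunk mode: port absent or not trunking
        if info is None or info["status"] != "trunking":
            findings.append(f"trunk not established on {end['name']} {end['port']} "
                            f"(Administrative Mode: {parse_admin_mode(end.get('switchport', ''))})")
    if a and b and a["allowed"] != b["allowed"]:    # 3. allowed lists differ -> VLANs silently dropped
        findings.append(f"allowed VLAN mismatch: only on {local['name']}: {sorted(a['allowed'] - b['allowed'])}, "
                        f"only on {peer['name']}: {sorted(b['allowed'] - a['allowed'])}")
    return findings


if __name__ == "__main__":
    s1 = {"name": "S1", "port": "Fa0/3", "trunk": S1_TRUNK}
    print(check_trunk(s1, {"name": "S3", "port": "Fa0/3", "trunk": S3_NO_TRUNK, "switchport": S3_SWITCHPORT}))
    print(check_trunk(s1, {"name": "S3", "port": "Fa0/3", "trunk": S3_TRUNK}))
```

The first call reproduces the 3.2.4.5 diagnosis (S3 F0/3 still in dynamic auto, so no trunk), the second the 3.2.4.6 diagnosis (VLAN 20 allowed on S3 but not on S1).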


Learning what attacks can occur and how to design the switch network to mitigate these attacks is important to a network technician. Because VLANs are commonly configured in a business environment, VLANs are a common security target.

Switch Spoofing Attack (3.3.1.1)

There are a number of different types of VLAN attacks in modern switched networks. The VLAN architecture simplifies network maintenance and improves performance, but it also opens the door to abuse. It is important to understand the general methodology behind these attacks and the primary approaches to mitigate them.

VLAN hopping enables traffic from one VLAN to be seen by another VLAN. Switch spoofing is a type of VLAN hopping attack that works by taking advantage of an incorrectly configured trunk port. By default, trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches.

In a basic switch spoofing attack, the attacker takes advantage of the fact that the default configuration of the switch port is dynamic auto. The network attacker configures a system to spoof itself as a switch. This spoofing requires that the network attacker be capable of emulating 802.1Q and DTP messages. By tricking a switch into thinking that another switch is attempting to form a trunk, an attacker can gain access to all the VLANs allowed on the trunk port.

The best way to prevent a basic switch spoofing attack is to turn off trunking on all ports, except the ones that specifically require trunking. On the required trunking ports, disable DTP, and manually enable trunking.

Double-Tagging Attack (3.3.1.2)

Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify, as shown in Figure 3-29. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.

Figure 3-29 Double-Tagging Attack

A double-tagging VLAN hopping attack follows three steps:

Step 1. The attacker sends a double-tagged 802.1Q frame to the switch. The outer header has the VLAN tag of the attacker, which is the same as the native VLAN of the trunk port. The assumption is that the switch processes the frame received from the attacker as if it were on a trunk port or a port with a voice VLAN. (A switch should not receive a tagged Ethernet frame on an access port.) For the purposes of this example, assume that the native VLAN is VLAN 10. The inner tag is the victim VLAN; in this case, it is VLAN 20.

Step 2. The frame arrives on the switch, which looks at the first 4-byte 802.1Q tag. The switch sees that the frame is destined for VLAN 10, which is the native VLAN. The switch forwards the packet out on all VLAN 10 ports after stripping the VLAN 10 tag. On the trunk port, the VLAN 10 tag is stripped, and the packet is not retagged because it is part of the native VLAN. At this point, the VLAN 20 tag is still intact and has not been inspected by the first switch.

Step 3. The second switch looks only at the inner 802.1Q tag that the attacker sent and sees that the frame is destined for VLAN 20, the target VLAN. The second switch sends the frame on to the victim port or floods it, depending on whether there is an existing MAC address table entry for the victim host.

This type of attack is unidirectional and works only when the attacker is connected to a port residing in the same VLAN as the native VLAN of the trunk port. Thwarting this type of attack is not as easy as stopping basic VLAN hopping attacks.

The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports. In fact, it is considered a security best practice to use a fixed VLAN that is distinct from all user VLANs in the switched network as the native VLAN for all 802.1Q trunks.

PVLAN Edge (3.3.1.3)

Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of the Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch, as shown in Figure 3-30.

Figure 3-30 PVLAN Edge

The PVLAN Edge feature has the following characteristics:

  • A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port, except for control traffic. Data traffic cannot be forwarded between protected ports at Layer 2.
  • Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
  • Protected ports must be manually configured.

To configure the PVLAN Edge feature, enter the switchport protected command in interface configuration mode as shown in the output that follows.

S1(config)# interface g0/1
S1(config-if)# switchport protected
S1(config-if)# end
S1# show interfaces g0/1 switchport
Name: G0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
<output omitted>
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

To disable a protected port, use the no switchport protected interface configuration mode command. To verify the configuration of the PVLAN Edge feature, use the show interfaces interface-id switchport global configuration mode command.


Because VLANs are a common security target, designing VLANs with security in mind is being proactive. Here are some best practices to use before you create the first VLAN on a switch.

VLAN Design Guidelines (3.3.2.1)

Cisco switches have a factory configuration in which default VLANs are preconfigured to support various media and protocol types. The default Ethernet VLAN is VLAN 1. It is a security best practice to configure all the ports on all switches to be associated with VLANs other than VLAN 1. This is usually done by configuring all unused ports to a black hole VLAN that is not used for anything on the network. All used ports are associated with VLANs distinct from VLAN 1 and distinct from the black hole VLAN. It is also a good practice to shut down unused switch ports to prevent unauthorized access.

A good security practice is to separate management and user data traffic. The management VLAN, which is VLAN 1 by default, should be changed to a separate, distinct VLAN. To communicate remotely with a Cisco switch for management purposes, the switch must have an IP address configured on the management VLAN. Users in other VLANs would not be able to establish remote access sessions to the switch unless they were routed into the management VLAN, providing an additional layer of security. Also, the switch should be configured to accept only encrypted SSH sessions for remote management.

All control traffic is sent on VLAN 1. Therefore, when the native VLAN is changed to something other than VLAN 1, all control traffic is tagged on IEEE 802.1Q VLAN trunks (tagged with VLAN ID 1). A recommended security practice is to change the native VLAN to a different VLAN than VLAN 1. The native VLAN should also be distinct from all user VLANs. Ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link.

DTP offers four switch port modes: access, trunk, dynamic auto, and dynamic desirable. A general guideline is to disable autonegotiation. As a port security best practice, do not use the dynamic auto or dynamic desirable switch port modes.

Finally, voice traffic has stringent QoS requirements. If user PCs and IP phones are on the same VLAN, each tries to use the available bandwidth without considering the other device. To avoid this conflict, it is good practice to use separate VLANs for IP telephony and data traffic.
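The guidelines above, together with the mitigations for switch spoofing (3.3.1.1: static trunks, DTP off) and double tagging (3.3.1.2: native VLAN distinct from every user VLAN), can be checked mechanically against a switch's running configuration. The Python audit below is an added example, not chapter or Cisco code; the running-config excerpt it reads is constructed, the black hole VLAN number is a parameter the caller supplies, and it assumes the IOS default port mode of dynamic auto stated in 3.3.1.1 for ports with no switchport mode line.

```python
# Constructed running-config excerpt (not from a real switch), seeded with guideline violations.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 172.17.99.11 255.255.255.0
interface FastEthernet0/1
 switchport mode trunk
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
interface FastEthernet0/3
 switchport trunk native vlan 10
 switchport mode trunk
 switchport nonegotiate
interface FastEthernet0/4
 switchport mode dynamic desirable
interface FastEthernet0/5
 switchport access vlan 999
 switchport mode access
 shutdown
line vty 0 4
 transport input telnet ssh
"""


def parse_blocks(config):
    """Split IOS running-config text into [(header, [indented sub-commands])] blocks."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line and line != "!":
            blocks.append((line.strip(), []))
    return blocks


def _value(lines, prefix, default):
    """Argument of the first sub-command that starts with prefix, else default."""
    for cmd in lines:
        if cmd.startswith(prefix + " "):
            return cmd[len(prefix) + 1:]
    return default


def _is_physical(header):
    return header.startswith("interface ") and not header.startswith("interface Vlan")


def audit_vlan_design(config, black_hole_vlan):
    """Check a config against the chapter's VLAN guidelines; returns [(block header, finding)]."""
    blocks = parse_blocks(config)
    # Pass 1: VLANs used by access ports. The trunk native VLAN must not be one of them (3.3.1.2).
    user_vlans = {int(_value(l, "switchport access vlan", "1")) for h, l in blocks if _is_physical(h)}
    user_vlans -= {1, black_hole_vlan}
    findings = []
    for header, lines in blocks:
        if header == "interface Vlan1" and any(c.startswith("ip address ") for c in lines):
            findings.append((header, "management IP address sits on VLAN 1; move management to its own VLAN"))
        elif _is_physical(header):
            mode = _value(lines, "switchport mode", "dynamic auto")   # IOS default per 3.3.1.1
            access = int(_value(lines, "switchport access vlan", "1"))
            native = int(_value(lines, "switchport trunk native vlan", "1"))
            if mode in ("dynamic auto", "dynamic desirable"):
                findings.append((header, f"DTP mode '{mode}' invites switch spoofing; set access or trunk statically"))
            if mode == "trunk":
                if "switchport nonegotiate" not in lines:
                    findings.append((header, "trunk still runs DTP; add switchport nonegotiate"))
                if native == 1:
                    findings.append((header, "native VLAN is VLAN 1; use a dedicated, otherwise unused VLAN"))
                elif native in user_vlans:
                    findings.append((header, f"native VLAN {native} is also a user VLAN (double-tagging exposure)"))
            elif access == 1 and "shutdown" not in lines:
                findings.append((header, f"port sits in VLAN 1 and is up; move to black hole VLAN {black_hole_vlan} and shut down"))
        elif header.startswith("line vty"):
            transport = _value(lines, "transport input", "all")
            if transport != "ssh":
                findings.append((header, f"vty accepts '{transport}'; restrict it with transport input ssh"))
    return findings


if __name__ == "__main__":
    for block, finding in audit_vlan_design(SAMPLE_CONFIG, black_hole_vlan=999):
        print(f"{block}: {finding}")
```

On the constructed config only FastEthernet0/2 (user VLAN 10, static access) and FastEthernet0/5 (black hole VLAN, shut down) pass cleanly.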


This chapter thoroughly covered VLANs: how to design and create VLANs and how to transmit those VLANs to other network devices such as other switches using a trunk link. Security risks associated with VLANs and how to mitigate those risks with some proactive designs and configurations were also covered. This section helps you to determine if you learned the main points as well as the finer details of the chapter.

This chapter introduced VLANs. VLANs are based on logical connections, instead of physical connections. VLANs are a mechanism to allow network administrators to create logical broadcast domains that can span across a single switch or multiple switches, regardless of physical proximity. This function is useful to reduce the size of broadcast domains or to allow groups or users to be logically grouped without the need to be physically located in the same place.

There are several types of VLANs:

  • Default VLAN
  • Management VLAN
  • Native VLAN
  • User/Data VLANs
  • Black Hole VLAN
  • Voice VLAN

On a Cisco switch, VLAN 1 is the default Ethernet VLAN, the default native VLAN, and the default management VLAN. Best practices suggest that the native and management VLANs be moved to another distinct VLAN and that unused switch ports be moved to a “black hole” VLAN for increased security.

The switchport access vlan command is used to create a VLAN on a switch. After creating a VLAN, the next step is to assign ports to the VLAN. The show vlan brief command displays the VLAN assignment and membership type for all switch ports. Each VLAN must correspond to a unique IP subnet.

Use the show vlan command to check whether the port belongs to the expected VLAN. If the port is assigned to the wrong VLAN, use the switchport access vlan command to correct the VLAN membership. Use the show mac address-table command to check which addresses were learned on a particular port of the switch and to which VLAN that port is assigned.

A port on a switch is either an access port or a trunk port. Access ports carry traffic from a specific VLAN assigned to the port. A trunk port by default is a member of all VLANs; therefore, it carries traffic for all VLANs.

VLAN trunks facilitate inter-switch communication by carrying traffic associated with multiple VLANs. IEEE 802.1Q frame tagging differentiates between Ethernet frames associated with distinct VLANs as they traverse common trunk links. To enable trunk links, use the switchport mode trunk command. Use the show interfaces trunk command to check whether a trunk has been established between switches.

Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which operates on a point-to-point basis only, between network devices. DTP is a Cisco proprietary protocol that is automatically enabled on Catalyst 2960 and Catalyst 3560 Series switches.

To place a switch into its factory default condition with one default VLAN, use the delete flash:vlan.dat and erase startup-config commands.

This chapter also examined the configuration, verification, and troubleshooting of VLANs and trunks using the Cisco IOS CLI and explored basic security and design considerations in the context of VLANs.


The following activities provide practice with the topics introduced in this chapter. The Labs and Class Activities are available in the companion Introduction to Routing and Switching Essentials Lab Manual (978-1-58713-320-6). You can find the Packet Tracer Activities PKA files in the online course.