IS 460 Chapter 8


trunk

The term originated in the telephony field, where it refers to an aggregation of logical connections over one physical connection. In the context of switching, a trunk is a single physical connection between networking devices through which many logical VLANs can transmit and receive data.

native VLAN mismatch (or just VLAN mismatch)

A configuration error where switch ports on each end of a trunk are configured with different native VLAN assignments.

Class A default subnet mask

In binary: 11111111.00000000.00000000.00000000
Decimal: 255.0.0.0
8 bits used for network portion
24 bits used for host portion
2^24 - 2 = 16,777,214 usable host IPs

Class B default subnet mask

In binary: 11111111.11111111.00000000.00000000
Decimal: 255.255.0.0
16 bits used for network portion
16 bits used for host portion
2^16 - 2 = 65,534 usable host IPs

Class C default subnet mask

In binary: 11111111.11111111.11111111.00000000
Decimal: 255.255.255.0
24 bits used for network portion
8 bits used for host portion
2^8 - 2 = 254 usable host IPs

subnet of IP addresses

In most situations, each VLAN is assigned its own what?

magic number

In the context of calculating subnets, the difference between 256 and the interesting octet (any octet in the subnet whose value is something other than 0 or 255). It can be used to calculate the network IDs in all the subnets of a larger network.

default VLAN

Typically preconfigured on a switch and initially includes all the switch's ports. Other VLANs might be preconfigured as well, depending on the device and manufacturer. The default VLAN cannot be renamed or deleted; however, ports in the default VLAN can be reassigned to other VLANs.

IPv6 addresses are composed of 128 bits, which means 2^128 addresses are available in IPv6, so an ISP can offer each of its customers an entire IPv6 subnet, or thousands of addresses. IPv6 addressing uses no classes: there are no IPv6 equivalents to IPv4's Class A, Class B, or Class C networks, and every IPv6 address is classless. IPv6 does not use subnet masks. A single IPv6 subnet is capable of supplying 18,446,744,073,709,551,616 IPv6 addresses.

Why is IPv6 better than IPv4 for subnetting?

It is inserted between the source address and the Ethernet type field.

When an 802.1Q tag is added to an Ethernet frame, where is it placed?

VLAN 1001

When dealing with a Cisco switch, what is NOT one of the pre-established VLANs?

A smaller organization or business.

When using IPv6, what would a /64 network likely be assigned to?

The largest IPv6 subnet capable of being created is a /64.

Which of the following statements regarding IPv6 subnetting is NOT accurate?

Disable auto trunking and move native VLANs to unused VLANs.

Which of the following suggestions can help prevent VLAN hopping attacks on a network?

show vlan

A command on a Cisco switch used to list the current VLANs recognized by the switch; it can help with identifying misconfigurations.

Subnetting

Dividing the pool of IP addresses into groups, or subnets, one for each LAN or floor of a building.

network segmentation

Takes the divide-and-conquer approach to network management; when done well, it increases both performance and security on a network. A network can be segmented physically by creating multiple LANs or logically through the use of VLANs (virtual LANs). Either way, the larger broadcast domain is divided into smaller segments, and the IP address space is subdivided as well.

tag

A VLAN identifier added to a frame's header according to specifications in the 802.1Q standard. The tag travels with the transmission until it reaches a router or the switch port connected to the destination device, whichever comes first. At that point, the tag is stripped from the frame. If the frame is being routed to a new VLAN, the router adds a new tag at this point, which is then removed once the frame reaches its final switch port.

ANDing

A logical process of combining bits.

enhance security—Transmissions in broadcast domains are limited to each network, so there's less possibility of hackers or malware reaching remote, protected networks in the enterprise domain. At the same time, other devices, such as a web server, can be made more accessible to the open Internet than the rest of the network. For example, a DMZ (demilitarized zone) can provide an area of the network with less stringent security for these purposes.
improve performance—Segmenting limits broadcast traffic by decreasing the size of each broadcast domain. The more efficient use of bandwidth results in better overall network performance. The On the Job story at the beginning of this chapter gave an excellent example of how this applies in a real-world situation.
simplify troubleshooting—When troubleshooting, rather than examining the whole network for errors or bottlenecks, the network administrator can narrow down the problem area to a particular, smaller network. For example, suppose a network is subdivided with separate smaller networks for Accounting, Human Resources, and IT. One day there's trouble transmitting data only to a certain group of users—those on the Accounting network. This fact gives the network administrator some significant insight into the nature of the problem.

A network administrator might separate a network's traffic into smaller portions to accomplish the following:

1022

A network with 10 bits remaining for the host portion will have how many usable host addresses?

VLAN (virtual local area network or virtual LAN)

A network within a network that is logically defined by grouping ports on a layer 2 switch so that some of the local traffic on the switch is forced to go through a router, thereby limiting the traffic to a smaller broadcast domain. Operates at layer 2 (data link).

ip helper-address

A robust Cisco command that can be configured to create and send helper messages that support several types of UDP traffic, including DHCP, TFTP, DNS, and TACACS+.

CIDR notation or slash notation

A shorthand method for denoting the distinction between network and host bits in an IP address.

CIDR (Classless Interdomain Routing) pronounced cider

A shorthand method for identifying network and host bits in an IP address. Devised by the IETF in 1993.

DHCP relay agent

A small application that works with a centrally managed DHCP server to provide DHCP assignments to multiple subnets and VLANs.

The 1s mark the network portion of an IP address and the 0s mark the host portion

A subnet mask is always a series of 1s followed by a series of 0s. What do the 1s and 0s mean?

/21
Bits per octet: 255 = 8, 255 = 8, 248 = 5, 0 = 0
How? 256 - 248 = 8; 2^x = 8, so x = 3; 8 - 3 = 5 network bits in the interesting octet
8 + 8 + 5 + 0 = 21

A subnet of 255.255.248.0 can be represented by what CIDR notation?

VLSM (Variable Length Subnet Mask)

A subnetting method that allows subnets to be further subdivided into smaller and smaller groupings until each subnet is about the same size as the needed IP address space. Often referred to as "subnetting a subnet."

Managed switches

A switch that can be configured via a command-line interface or a web-based management GUI, and sometimes can be configured in groups.

unmanaged switch

A switch that provides plug-and-play simplicity with minimal configuration options and has no IP address assigned to it.

Isolating connections with heavy or unpredictable traffic patterns, such as when separating heavy VoIP traffic from other network activities
Identifying groups of devices whose data should be given priority handling, such as executive client devices or an ICS (industrial control system) that manages a refrigeration system or a gas pipeline
Containing groups of devices that rely on legacy protocols incompatible with the majority of the network's traffic, such as a legacy SCADA (supervisory control and data acquisition) system monitoring an oil refinery
Separating groups of users who need special or limited security or network functions, such as when setting up a guest network
Configuring temporary networks, such as when making specific network resources available to a short-term project team
Reducing the cost of networking equipment, such as when upgrading a network design to include additional departments or new types of network traffic

Although you can add routers to separate a large LAN into manageable smaller LANs, reasons for using VLANs to do the job instead include:

192.168.18.64

An IP address of 192.168.18.73/28 has what network ID?

Classless addressing

An IP addressing convention that alters the rules of classful IPv4 addressing to create subnets in a network.

VLAN hopping

An attack in which the attacker generates transmissions that appear, to the switch, to belong to a protected VLAN.

Network documentation is easier to manage.
Problems are easier to locate and resolve.
Routers can more easily manage IP address spaces that don't overlap.
Routing is more efficient on larger networks when IP address spaces are mathematically related at a binary level.

Benefits of subnetting:

VLAN isolation

By grouping certain nodes into a VLAN, you are not merely including those nodes—you are also excluding other groups of nodes. This means you can potentially cut off an entire group from the rest of the network. VLANs must be connected to and configured on a router or Layer 3 switch to allow different VLANs to exchange data outside their own broadcast domain.

management VLAN

Can be used to provide administrative access to a switch. By default, this might be the same as the default VLAN; however, this poses a security risk and should be changed.

Yes, though it is tedious

Can static IP addressing be used on network hosts?

data VLAN (or user VLAN)

Carries user-generated traffic, such as email, web browsing, or database updates.

VTP (VLAN Trunk Protocol)

Cisco's protocol for exchanging VLAN information over trunks. Allows changes to the VLAN database on one switch, called the stack master, to be communicated to all other switches in the network. This provides network administrators with the ability to centrally manage all VLANs by making changes to a single switch. Other switches besides the stack master in the same VTP domain can also communicate VLAN updates, such as the addition of a new VLAN.

aggregation port (trunk port)

Connects the switch to a router or another switch (or possibly a server). This interface manages traffic from multiple VLANs. A trunk line (or just "trunk") is a link between two trunk ports.

access port

Connects the switch to an endpoint, such as a workstation. The computer connected to an access port does not know which VLAN it belongs to, nor can it recognize other VLANs on the same switch.

A single broadcast domain (1 broadcast domain = 1 VLAN = 1 subnet)

Each VLAN and subnet combination acts as what?

172.16.0.0

Given a host IP address of 172.16.1.154 and a subnet mask of 255.255.254.0, what is the network ID for this host?

One way to do this is to run a DHCP server for the entire network and use a DHCP relay agent to help sort DHCP requests by subnet, as described earlier in this chapter. If instead the router is providing DHCP services through this one interface, then the interface must be logically divided into three sub-interfaces. Each sub-interface is then configured with its own subnetted range of IP addresses.

How do VLAN clients get the appropriate IP address assignments from the subnet's range of addresses portioned to each VLAN?

Create the largest subnet first, then create the next largest, and the next one, and so on, until you have divided up all the remaining space.

How do you create VLSM subnets?

The number of 1s in the subnet mask determines the number of bits in the IP address that belong to the network ID.
Ex: IP address 192.168.123.132
In binary: 11000000.10101000.01111011.10000100
Subnet mask: 255.255.255.0
In binary: 11111111.11111111.11111111.00000000
The network ID is the first 24 bits of the address, the 11000000.10101000.01111011 part, which in decimal is 192.168.123. The host is the last 8 bits, 10000100, which in decimal is 132.
So the network ID is 192.168.123.0 and the host ID is 0.0.0.132.

How does a computer know how many bits of its IP address are the network ID?

The administrator programs each subnet's DHCP server with the network ID, subnet mask, range of IP addresses, and default gateway for the subnet.

How does a network administrator set up subnets for dynamic IP addressing?

The switch adds a tag to Ethernet frames that identifies the port through which they arrive at the switch.

How does a switch identify the transmissions that belong to each VLAN?

You can use physical devices at layer 1 to create separate LANs.

How does layer 1 play a part in network segmentation?

You can create virtual LANs at layer 2.

How does layer 2 play a part in network segmentation?

At layer 3, you can use subnetting to organize devices within the available IP address space, whether the LANs are defined physically or virtually.

How does layer 3 play a part in network segmentation?

4 bytes

How large is the 802.1Q tag that is added to Ethernet frames when using VLANs?

The subnet ID is one block long and is the fourth block, which is four hexadecimal characters, or 16 bits in binary. An organization with a /48 site prefix can use all 16 bits to create up to 65,536 subnets. A /56 site prefix can create up to 256 subnets, and a /64 site prefix has only the single subnet, which contains over 18 quintillion possible host addresses, which is more than twice the estimated number of grains of sand in all the beaches and deserts of the earth. As you can see, IPv6 allows for a huge number of potential hosts on a single network.

How long is a subnet ID for IPv6?

256

How many /64 subnets can be created within a /56 prefix?

AND the network ID and the subnet mask.

How do you calculate a host's network ID given its IPv4 address and subnet mask?

Network ID (network number or network prefix) and host ID

IPv4 address has 32 bits and is divided into what two parts?

Its default gateway

If a computer needs to communicate with a host that is not on its network, where does it send the transmission?

The last four blocks of the address.

If the EUI-64 standard is used, what part of an IPv6 address is affected?

CIDR block

In CIDR notation, the forward slash plus the number of bits used for the network ID. For example, the CIDR block for 199.34.89.0/22 is /22. Ex: 192.168.89.127/24, where 24 represents the number of 1s in the subnet mask and therefore the number of bits in the network ID; since it's 24, that means it's Class C.

The last four blocks, which equate to the last 64 bits, identify the interface. (On many IPv6 networks, those 64 bits are based on the interface's EUI-64 version of each device's MAC address.) The first four blocks or 64 bits normally identify the network and serve as the network prefix, also called the site prefix or global routing prefix, as shown in Figure 8-12. In the IPv6 address 2608:FE10:1:AA:002:50FF:FE2B:E708, the site prefix is 2608:FE10:1:AA and the interface ID is 002:50FF:FE2B:E708. You might see site prefixes represented as, for example, 2608:FE10:1:AA::/64, where the number of bits that identify the network follow a slash. The fourth hexadecimal block in the site prefix can be altered to create subnets within a site. Let's take a closer look at how that block fits into the big picture.

Let's see how these numbers pan out. Recall that a unicast address is an address assigned to a single interface on the network. Also recall that every unicast address can be represented in binary form, but is more commonly written as eight blocks of four hexadecimal characters separated by colons. For example, 2608:FE10:1:AA:002:50FF:FE2B:E708 is a valid IPv6 address. Now let's divide that address into parts:

geographic locations—For example, the floors of a building connected by a LAN, or the buildings connected by a WAN
departmental boundaries—For example, the Accounting, Human Resources, and Sales departments
device types—For example, printers, desktops, and IP phones

Networks are commonly segmented according to one of the following groupings:

1. Decide how many bits to borrow—How many bits must you borrow from the host portion of the IP addresses in order to get six subnets? Use this formula to determine the number of bits: 2^n = Y, where n equals the number of bits that must be switched from the host address to the network ID and Y equals the number of subnets that result. Because you want six separate subnets (meaning that Y, in this case, is 6), the equation becomes 2^n = 6. Experiment with different values for n until you find a value large enough to give you at least the number of subnets you need. For example, you know that 2^2 = 4; however, 4 is not high enough. Instead consider that 2^3 = 8; this will give you enough subnets to meet your current needs and allow room for future growth. Now that n equals 3, you know that three bits in the host addresses of your Class C network must change to network ID bits. You also know that three bits in your subnet mask must change from 0 to 1.
2. Determine the subnet mask—As you know, the default subnet mask for a Class C network is 255.255.255.0, or 11111111 11111111 11111111 00000000. In this default subnet mask, the first 24 bits indicate the position of network information. Changing three of the default subnet mask's bits from host to network information gives you the subnet mask 11111111 11111111 11111111 11100000. In this modified subnet mask, the first 27 bits indicate the bits for the network ID. Note that for this Class C network whose network ID is 192.168.89.0, the slash notation would now be 192.168.89.0/27 because 27 bits of the subnets' addresses are used to provide network information. Converting from binary to the more familiar dotted decimal notation, this subnet mask becomes 255.255.255.224.
3. Calculate the network ID for each subnet—The first three octets of the network ID for the Class C network 192.168.89.0 are the same for all eight possible subnets. The network IDs differ in the last octet. Use the magic number to calculate them as follows:
Subnet 1 Network ID: 192.168.89.0
Subnet 2 Network ID: 192.168.89.0 + 32 yields 192.168.89.32
Subnet 3 Network ID: 192.168.89.32 + 32 yields 192.168.89.64
Subnet 4 Network ID: 192.168.89.64 + 32 yields 192.168.89.96
Subnet 5 Network ID: 192.168.89.96 + 32 yields 192.168.89.128
Subnet 6 Network ID: 192.168.89.128 + 32 yields 192.168.89.160
Subnet 7 Network ID: 192.168.89.160 + 32 yields 192.168.89.192
Subnet 8 Network ID: 192.168.89.192 + 32 yields 192.168.89.224
This method of adding on the same number over and over is called skip-counting.
4. Determine the IP address range for each subnet—Recall that you have borrowed 3 bits from what used to be host information in the IP address. That leaves 5 bits instead of 8 available in the last octet of your Class C addresses to identify hosts. To calculate the number of possible hosts, keep in mind that each of the 5 bits has two possibilities, a 1 or a 0. Therefore, the number of host addresses is 2 x 2 x 2 x 2 x 2, or 32 host addresses. But you can't use two of these addresses for hosts because one is used for the network ID (the one where all five bits are 0 in binary) and one for the broadcast address (the one where all five bits are 1 in binary). That leaves you 30 host addresses in each subnet. As a shortcut to calculating the number of hosts, you can use the formula 2^h - 2 = Z, where h equals the number of bits remaining in the host portion and Z equals the number of hosts available in each subnet. So, 2^5 - 2 yields 30 possible hosts per subnet. Once you know the network ID of the subnets, calculating the address range of hosts in a subnet is easy. For example, take subnet 5. The network ID is 192.168.89.128. Because you won't use the network ID for a host address, you start with the next value and keep going until you reach the broadcast address for the subnet, yielding for this particular subnet a total of 30 addresses. Therefore, the address range for subnet 5 is 192.168.89.129 through 192.168.89.158. (The last value 158 is 128 + 30.)

Now you're ready to move on to a more complicated example, performing calculations using formulas, without so much binary involved. Suppose you want to divide your local network, which has a network ID of 192.168.89.0, into six subnets to correspond to your building's six floors. The following steps walk you through the process:

100013

On a Cisco switch, what would the security association identifier be for VLAN 13?

native VLAN

Receives all untagged frames from untagged ports. By default, this is the same as the default VLAN. However, this configuration poses a security risk when untagged traffic is allowed to travel in a VLAN-managed network. To protect the network from unauthorized traffic, the native VLAN should be changed to an unused VLAN so that untagged traffic essentially runs into a dead-end. To do this on a Cisco switch, for example, use the command switchport trunk native vlan. On a Juniper switch, the native VLAN is configured with the command set port-mode trunk followed by set native-vlan-id. Each switch port can be configured for a different native VLAN using these commands. However, switch ports on each end of a trunk should agree on the native VLAN assignment. If the ports don't agree, this is called a native VLAN mismatch, or just VLAN mismatch, and will result in a configuration error.

last available host address

Some network admins prefer to use which available host address in a range for the default gateway?

unmanaged switches

Which type of switch is not very expensive but has limited capabilities and cannot support VLANs?

1. A router, firewall, or Layer 3 switch programmed to support relay agent software receives the DHCP request from a client in one of its local broadcast domains.
2. The Layer 3 device creates a message of its own and routes this transmission to the specified DHCP server in a different broadcast domain.
3. The DHCP server notes the relay agent's IP address and assigns the DHCP client an IP address on the same subnet.

Steps for a centrally managed DHCP server providing DHCP assignments to multiple subnets (and VLANs) with the help of a DHCP relay agent

magic number

Subtracting an interesting octet value from 256 yields what number?

voice VLAN

Supports VoIP traffic, which requires high bandwidths, priority over other traffic, flexible routing, and minimized latency.

1. Borrow from host bits—Currently, the network ID is 24 bits. First convert it to binary:
Network ID 192.168.89.0 in binary: 11000000.10101000.01011001.00000000
Borrow one bit from the host portion to give to the network ID, which will then have 25 bits. Here, the borrowed bit is marked with an underscore after it:
11000000.10101000.01011001.0_0000000
How many subnets can you now have? The underlined bit can be a 0 or a 1, which gives you the possibility of two subnets.
2. Determine the subnet mask—Recall that the subnet mask marks the bits in an IP address that belong to the network ID. Therefore, the subnet mask for both subnets is:
11111111.11111111.11111111.10000000 or decimal 255.255.255.128
3. Determine the network IDs—Recall that in the network ID, the underlined bit can be a 1 or 0. Therefore, the network ID for each subnet is:
Subnet 1: 11000000.10101000.01011001.00000000 or decimal 192.168.89.0
Subnet 2: 11000000.10101000.01011001.10000000 or decimal 192.168.89.128
In CIDR notation, the network ID for each subnet is:
Subnet 1: 192.168.89.0/25
Subnet 2: 192.168.89.128/25
4. Determine the ranges of IP addresses—Start with the range of IP addresses for subnet A. For host addresses, use the 7 bits in the last octet. (The first bit for this octet is always 0 and belongs to the network ID.) Start counting in binary and converting to decimal:
00000000 is not used because it's the network ID for this subnet
00000001 or decimal 1
00000010 or decimal 2
00000011 or decimal 3
...
01111110 or decimal 126
01111111 or decimal 127, which is used for broadcasting rather than as a host address
Therefore, the range of host IP addresses for subnet A is 192.168.89.1 through 192.168.89.126.
For subnet B, the first bit of the last octet is 1 and the range of host addresses is as follows:
10000000 is not used because it's the network ID for this subnet
10000001 in decimal: 129
10000010 in decimal: 130
10000011 in decimal: 131
...
11111110 in decimal: 254
11111111 in decimal: 255 is not used because it's used for broadcasting
Therefore, the range of host IP addresses for subnet B is 192.168.89.129 through 192.168.89.254.

Suppose you have a network with one router, and then you add a second router to divide your local network into two LANs. The network ID of the original network is 192.168.89.0 and its subnet mask is 255.255.255.0. Let's create two subnets of IP addresses, one for each LAN.

1. Determine the appropriate subnet mask and other network information for the largest subnet. By borrowing one bit from the host bits, we get the following available subnets:
Subnet 1: 192.168.10.0 /25
Subnet 2: 192.168.10.128 /25
2. We assign the first of these subnets to the Sales department. Now we can use the second subnet for further calculations.
3. Determine the appropriate subnet mask and other network information for the next largest subnet. By borrowing one more bit from the host bits, we get the following available subnets:
Subnet 2: 192.168.10.128 /26
Subnet 3: 192.168.10.192 /26
4. We assign the first of these subnets to the Accounting department. Now we can use the remaining subnet for further calculations.
5. Determine the appropriate subnet mask and other network information for the next largest subnet. By borrowing one more bit from the host bits, we get the following available subnets:
Subnet 3: 192.168.10.192 /27
Subnet 4: 192.168.10.224 /27
6. We assign the first of these subnets to the Human Resources department. Now we use the other subnet for further calculations.
7. The next two departments are about the same size, and will each fit within a /29 subnet. By borrowing two more bits from the host bits this time, we get the following available subnets:
Subnet 4: 192.168.10.224 /29
Subnet 5: 192.168.10.232 /29
Subnet 6: 192.168.10.240 /29
Subnet 7: 192.168.10.248 /29
8. We assign the first two of these subnets to the IT department and the Executive suite. Now we use one of the other subnets for further calculations.
9. The last two required subnets only need two host addresses each, and will each fit within a /30 subnet. By borrowing one more bit from the host bits to further subdivide Subnet 6, and renumbering the remaining space to be Subnet 8 (which will be reserved for future use on our network), we get the following available subnets:
Subnet 6: 192.168.10.240 /30
Subnet 7: 192.168.10.244 /30
Subnet 8: 192.168.10.248 /29
10. We assign each of these subnets to a WAN link, with the final subnet left over for future use.

Suppose you need to configure the subnets shown in Table 8-8 using the 192.168.10.0/24 IP address space. The Sales department (192.168.10.0/25) needs the most hosts, with 120. At the other end of the spectrum, your WAN links (192.168.10.240/30 and 192.168.10.244/30) only need two hosts each. The other subnets fall somewhere in the middle.

incorrect port mode

Switch ports connected to endpoints, such as workstations and servers, should nearly always use access mode. Switch ports connected to other network devices should be configured in trunk mode only if that connection must support multiple VLANs.

802.1Q

The IEEE standard that specifies how VLAN and trunking information appears in frames and how switches and bridges interpret that information.

trunking

The aggregation of multiple logical connections in one physical connection between connectivity devices. In the case of VLANs, a trunk allows two switches to manage and exchange data between multiple VLANs.

incorrect VLAN assignment

This can happen due to a variety of situations, including misconfigurations of the client authentication process in which a VLAN is assigned to the device before the authentication process is complete.

site prefix or global routing prefix

The first four blocks or 64 bits of an IPv6 address that normally identify the network. Also called global routing prefix.

managed switches, whose ports can be partitioned into groups

VLANs can only be implemented through what kind of switches?

In some examples there is very little room for growth. Most companies should allow for significant growth, especially as technology continues to expand the need for IP addresses on a network.

VLSM is an efficient way to define IP address spaces on a network, but why is it not a good idea to configure subnets so tightly in reality?

802.1Q

What IEEE standard specifies how VLAN information appears in frames and how switches interpret that information?

set native-vlan-id

What command will set the native VLAN on a Juniper switch port?

Too many host addresses being assigned to each classful network, resulting in available addresses being used up quickly. Subnetting helps us manage IP address space more efficiently.

What fundamental problem that classful addressing has does Subnetting help with?

65534

What is the maximum number of host IP addresses that can exist in a Class B network?

On the switch known as the stack master.

With VTP, where is the VLAN database stored?

10.3.0.0/19

You have been tasked with the creation and design of a network that must support a minimum of 5000 hosts. Which network accomplishes this goal?

router-on-a-stick

A VLAN configuration in which one router connects to a switch that supports multiple VLANs.

VLANs (virtual LANs)

A group of ports on a switch; a layer 2 (data link layer) construct.

trunk line (or just "trunk")

A link between two trunk ports.

layer 2 construct

By sorting traffic based on layer 2 information, VLANs create two or more broadcast domains from a single broadcast domain.

centrally managed DHCP server

Can provide DHCP assignments to multiple subnets (and VLANs) with the help of a DHCP relay agent.

subnets

Fundamentally, a group of IP addresses; associated with layer 3 (network) and layer 1 (physical).

switch spoofing

In the context of VLAN hopping, an attacker connects to a switch and then makes the connection look to the switch as if it's a trunk line. The switch might auto-configure its port into trunk mode when it detects trunk mode on the other end of the connection. A hacker can then feed his own VLAN traffic into that port and access VLANs throughout the network.

double tagging

In the context of VLAN hopping, the hacker stacks VLAN tags in Ethernet frames. When the first, legitimate tag is removed by a switch, the second, illegitimate tag is revealed, tricking a switch into forwarding the transmission on to a restricted VLAN.

Don't use the default VLAN.
Change the native VLAN to an unused VLAN ID.
Disable auto-trunking on switches that don't need to support traffic from multiple VLANs.
On switches that do carry traffic from multiple VLANs, configure all ports as access ports unless they're used as trunk ports.
Specify which VLANs are supported on each trunk instead of accepting a range of all VLANs.

The following mitigation efforts will reduce the risk of VLAN hopping:
