Ch.8 - Subnets and VLANs
how to mitigate or reduce the risk of VLAN hopping
- Don't use the default VLAN. - Change the native VLAN to an unused VLAN ID. - Disable auto-trunking on switches that don't need to support traffic from multiple VLANs. - On switches that do carry traffic from multiple VLANs, configure all ports as access ports unless they're used as trunk ports. - Specify which VLANs are supported on each trunk instead of accepting a range of all VLANs. - Use physical security methods such as door locks to restrict access to network equipment.
how IPv6 subnetting differs from IPv4 subnetting
- IPv6 addressing uses no classes. There are no IPv6 equivalents to IPv4's Class A, Class B, or Class C networks. - Every IPv6 address is classless. - IPv6 does not use dotted-decimal subnet masks; the network portion is given as a prefix length (for example, /64). - A single IPv6 subnet (a /64) is capable of supplying 2^64, or 18,446,744,073,709,551,616, IPv6 addresses.
reasons to use VLANs instead of routers to separate a large LAN into manageable smaller LANs
- Isolating connections with heavy or unpredictable traffic patterns, such as when separating heavy VoIP traffic from other network activities - Identifying groups of devices whose data should be given priority handling, such as executive client devices or an ICS (industrial control system) that manages a refrigeration system or a gas pipeline - Containing groups of devices that rely on legacy protocols incompatible with the majority of the network's traffic, such as a legacy SCADA (supervisory control and data acquisition) system monitoring an oil refinery - Separating groups of users who need special or limited security or network functions, such as when setting up a guest network - Configuring temporary networks, such as when making specific network resources available to a short-term project team - Reducing the cost of networking equipment, such as when upgrading a network design to include additional departments or new types of network traffic
how do VLAN clients get the appropriate IP address assignments from the subnet's range of addresses portioned to each VLAN?
- One way to do this is to run a DHCP server for the entire network and use a DHCP relay agent to forward each subnet's DHCP requests to it, so the server can sort them by subnet. - If instead the router is providing DHCP services through a single physical interface, that interface must be logically divided into sub-interfaces, one per VLAN. - Each sub-interface is then configured with its own subnetted range of IP addresses and acts as the default gateway for that VLAN.
benefits of subnetting
- Subnetting helps solve the fundamental problem with classful addressing: too many host addresses assigned to each classful network, resulting in available addresses being used up too quickly. - using well-chosen subnets provides the following benefits: - Network documentation is easier to manage. - Problems are easier to locate and resolve. - Routers can more easily manage IP address spaces that don't overlap. - Routing is more efficient on larger networks when IP address spaces are mathematically related at a binary level.
VLANs and switches
- a switch can support more than one VLAN. Similarly, a VLAN can include ports from more than one switch. - VLANs that are on different switches but logically connected to the same VLAN can send traffic to each other without sending it through a router (send it as local traffic) because they are in the same VLAN-defined broadcast domain - however, devices on separate VLANs—even if they're connected to the same switch—can't talk to each other without going through the router.
native VLAN
An untagged VLAN on a switch that will automatically receive all untagged frames. - Receives all untagged frames from untagged ports. - By default, this is the same as the default VLAN. - However, this configuration poses a security risk when untagged traffic is allowed to travel in a VLAN-managed network. To protect the network from unauthorized traffic, the native VLAN should be changed to an unused VLAN so that untagged traffic essentially runs into a dead-end.
IPv4 class A default subnet mask
255.0.0.0 (decimal) - 11111111 00000000 00000000 00000000 - 8 bits used for network information
IPv4 class B default subnet mask
255.255.0.0 - 11111111 11111111 00000000 00000000 - 16 bits used for network information
default subnet mask for a class C network
255.255.255.0 or 11111111 11111111 11111111 00000000 - first 24 bits indicate network information - last 8 bits indicate host information
IPv4 class C default subnet mask
255.255.255.0 - 11111111 11111111 11111111 00000000 - 24 bits used for network information
formula to calculate the number of hosts within a subnet
2^h - 2 = Z h = number of bits remaining in the host portion (for a Class C network, the 0 bits in the last octet of the subnet mask) Z = the number of usable host addresses in each subnet - The (-2) comes from removing the network ID (all remaining host bits are 0) and the broadcast address (all remaining host bits are 1)
formula to determine the number of host bits that need to be borrowed to get a desired number of subnets
2^n = Y n = number of bits that must be borrowed from the host address for the network ID Y = number of resulting subnets - choose the smallest n for which Y is at least the number of subnets needed - pg. 447
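An added worked example (my own Python, not code from the textbook) that applies both formulas from the two cards above: it picks the smallest n with 2^n at least the subnets needed, then checks that 2^h - 2 still covers the hosts needed and reports the resulting mask. The function names and the sample requirement (six subnets of at least 25 hosts on a Class C network) are my own assumptions.

```python
# Added example, not textbook code: the 2^n = Y and 2^h - 2 = Z formulas as a planner.
# Function names and the sample requirement are my own.

def bits_to_borrow(needed_subnets):
    """Smallest n with 2^n >= needed_subnets (the 'experiment' step, done as a loop)."""
    n = 0
    while 2 ** n < needed_subnets:
        n += 1
    return n


def usable_hosts(host_bits):
    """2^h - 2: drop the network ID (all host bits 0) and the broadcast (all host bits 1)."""
    return max(2 ** host_bits - 2, 0)


def prefix_to_mask(prefix):
    """Dotted-decimal mask for a prefix length, e.g. 27 -> 255.255.255.224."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_binary(mask):
    """The mask as four 8-bit groups, the way the class cards write it."""
    return " ".join(format(int(octet), "08b") for octet in mask.split("."))


def plan_subnets(classful_prefix, needed_subnets, needed_hosts):
    """Borrow host bits from a classful network (prefix 8, 16 or 24) and report the result."""
    n = bits_to_borrow(needed_subnets)
    h = 32 - classful_prefix - n          # host bits that remain after borrowing
    hosts = usable_hosts(h)
    if hosts < needed_hosts:
        raise ValueError(
            f"borrowing {n} bits leaves {hosts} usable hosts per subnet, need {needed_hosts}")
    new_prefix = classful_prefix + n
    return {"borrowed_bits": n, "subnets": 2 ** n, "host_bits": h,
            "usable_hosts": hosts, "prefix": new_prefix, "mask": prefix_to_mask(new_prefix)}


if __name__ == "__main__":
    # Constructed requirement: a Class C network that needs six subnets of at least 25 hosts.
    plan = plan_subnets(24, 6, 25)
    print(plan)                         # borrows 3 bits -> 8 subnets of 30 usable hosts, /27
    print(mask_to_binary(plan["mask"]))
```

Borrowing more bits than needed (say, four instead of three) still satisfies the subnet count but halves the hosts per subnet, which is why the planner raises rather than silently returning a plan that cannot hold the hosts.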
tag
A VLAN identifier added to a frame's header according to specifications in the 802.1Q standard. - done to identify the transmissions that belong to each VLAN on a managed switch - the switch adds it to an Ethernet frame based on the VLAN assigned to the port through which the frame arrived, so that the next switch on a trunk knows which VLAN the frame belongs to.
classless addressing
An IP addressing convention that alters the rules of classful IPv4 addressing to create subnets in a network. - also known as subnetting
VLAN hopping
An attack in which the attacker generates transmissions that appear, to the switch, to belong to a protected VLAN. - The attacker then uses that access to the protected VLANs to read sensitive data or inject harmful software. - There are two approaches: 1. double tagging—The attacker stacks two VLAN tags in an Ethernet frame. The outer tag matches the trunk's native VLAN, so the first switch strips it (as it does for all native-VLAN traffic on a trunk) and forwards the frame; the next switch sees only the inner, illegitimate tag and delivers the frame onto the restricted VLAN. This only works when the attacker's access port sits in the native VLAN, and it is one-way (replies do not come back), which is why moving the native VLAN to an unused ID defeats it. 2. switch spoofing—An attacker connects to a switch and negotiates the link as a trunk (on Cisco switches, by speaking DTP). A port left in auto-trunking mode switches itself into trunk mode when it sees trunk negotiation from the other end, and the attacker can then send and receive tagged traffic for any VLAN carried on that trunk.
VLANs and subnets
In most situations, each VLAN is assigned its own subnet of IP addresses. - This means that the subnet, working at Layer 3, includes the same group of hosts as the VLAN, working at Layer 2 - each VLAN and subnet combination acts as a single broadcast domain.
magic number
In the context of calculating subnets, the difference between 256 and the interesting octet (any octet in the subnet whose value is something other than 0 or 255). It can be used to calculate the network IDs in all the subnets of a larger network. - When examining the subnet mask for a network, if any octet is not 255 or 0, you know that this network is a subnet and classful addressing is not used - pg. 447
site prefix or global routing prefix
The first four blocks or 64 bits of an IPv6 address - normally identifies the network - strictly, the first 48 bits are the provider-assigned global routing prefix and the fourth block is the subnet ID; together they form the 64-bit network prefix that hosts use
site prefix
The first four blocks or 64 bits of an IPv6 address that normally identify the network. Also called global routing prefix.
global routing prefix
The first four blocks or 64 bits of an IPv6 address that normally identify the network. Also called site prefix.
trunk port
The interface on a switch capable of managing traffic from multiple VLANs. - Connects the switch to a router or another switch (or possibly a server). This interface manages traffic from multiple VLANs
access port
The interface on a switch used for an end node. Devices connected to access ports are unaware of VLAN information. - Connects the switch to an endpoint, such as a workstation. The computer connected to this port does not know which VLAN it belongs to, nor can it recognize other VLANs on the same switch.
interface identifier
The second half (64 bits) of an IPv6 address. - On many IPv6 networks, those 64 bits are based on the interface's EUI-64 version of its MAC address (the 48-bit MAC with FF:FE inserted between its two halves and the universal/local bit of the first byte flipped).
tip to calculate magic number from host portion of subnet mask
You can also calculate the magic number by raising 2 to the power of the number of host (0) bits in the interesting octet. Use this formula: 2^h = magic number - this equals 2 raised to all the host bits of the mask only when the interesting octet is the last one; for a mask such as 255.255.240.0, use the four 0 bits of the third octet (2^4 = 16), not all twelve host bits.
why network admins segment networks (subnet)
- enhance security: Transmissions in broadcast domains are limited to each network so there's less possibility of hackers or malware reaching remote, protected networks in the enterprise domain. At the same time, other devices, such as a web server, can be made more accessible to the open Internet than the rest of the network. - improve performance: Segmenting limits broadcast traffic by decreasing the size of each broadcast domain. The more efficient use of bandwidth results in better overall network performance. - simplify troubleshooting: rather than examining the whole network for errors or bottlenecks, the network administrator can narrow down the problem area to a particular, smaller network.
common ways networks are segmented
- geographic locations: For example, the floors of a building connected by a LAN - departmental boundaries: For example, the Accounting, Human Resources, and Sales departments - device types: For example, printers, desktops, and IP phones
VLAN and subnet rule
1 broadcast domain = 1 VLAN = 1 subnet
how a DHCP server and DHCP relay agent work together
1. A router, firewall, or Layer 3 switch programmed to support relay agent software receives the broadcast DHCP request from a client in one of its local broadcast domains. 2. The Layer 3 device re-packages the request as a unicast message of its own, stamps it with the address of the interface it arrived on, and routes it to the specified DHCP server in a different broadcast domain. 3. The DHCP server reads the relay agent's interface address from the request, uses it to pick the matching scope, and assigns the DHCP client an IP address on that subnet; the reply travels back through the relay agent.
native VLAN mismatch
A configuration error where switch ports on each end of a trunk are configured with different native VLAN assignments. Also called a VLAN mismatch. - each end places untagged trunk frames into a different VLAN, so traffic leaks between those two VLANs or is dropped.
VLAN mismatch
A configuration error where switch ports on each end of a trunk are configured with different native VLAN assignments. Also called a native VLAN mismatch.
ANDing
A logical process of combining bits. - a bit with a value of 1 combined, or anded, with another bit with a value of 1 results in a 1. A bit with a value of 0 anded with any other bit results in a 0. If you think of 1 as "true" and 0 as "false," the logic of ANDing makes sense: ANDing a true statement to a true statement still results in a true statement. But ANDing a true statement to a false statement results in a false statement. - if IP address bit AND subnet mask bit =1, then resulting bit is 1 - both IP address AND subnet mask bit must be 1 for resulting bit to be 1
VLAN (virtual local area network or virtual LAN)
A network within a network that is logically defined by grouping ports on a switch so that some of the local traffic on the switch is forced to go through a router, thereby limiting the traffic to a smaller broadcast domain. - groups ports on a LAYER 2 SWITCH so that some of the local traffic on the switch is forced to go through a router - abstract the broadcast domain from the networking hardware - the boundaries of the broadcast domain can be virtually defined anywhere within a single physical LAN.
default VLAN
A preconfigured VLAN on a switch that includes all the switch's ports and cannot be renamed or deleted. - however, ports in it can be reassigned to other VLANs.
ip helper-address
A robust Cisco command that can be configured to create and send helper messages that support several types of UDP traffic, including DHCP, TFTP, DNS, and TACACS+.
CIDR notation
A shorthand method for denoting the distinction between network and host bits in an IP address. - takes the network ID or a host's IP address and follows it with a forward slash (/), which is then followed by the number of bits that are used for the network ID. For example, this private IP address could be written as 192.168.89.127/24, where 24 represents the number of 1s in the subnet mask and therefore the number of bits in the network ID
CIDR (Classless Interdomain Routing)
A shorthand method for identifying network and host bits in an IP address.
DHCP relay agent
A small application that works with a centrally managed DHCP server to provide DHCP assignments to multiple subnets and VLANs. - For dynamic IP addressing, the administrator programs each subnet's DHCP server with the network ID, subnet mask, range of IP addresses, and default gateway for the subnet. In many cases, however, it's cost prohibitive to create a separate DHCP server for each subnet. As we see here, some types of broadcast traffic, such as DHCP messages, need to travel beyond the subnet's broadcast domain in order to access centralized network services. A centrally managed DHCP server can provide DHCP assignments to multiple subnets (and VLANs)
VLSM (Variable Length Subnet Mask)
A subnetting method that allows subnets to be further subdivided into smaller and smaller groupings until each subnet is about the same size as the needed IP address space. - Traditional subnetting reduces the waste of IP addresses, but results in multiple subnets that are all the same size. This uniformity in subnet size can be inefficient in complex networks. - often referred to as "subnetting a subnet."
managed switch
A switch that can be configured via a command-line interface or a web-based management GUI, and sometimes can be configured in groups. - Usually, they are also assigned IP addresses for the purpose of continued management. - VLANs can only be implemented on a managed switch, whose ports can be partitioned into groups.
unmanaged switch
A switch that provides plug-and-play simplicity with minimal configuration options and has no IP address assigned to it. - their capabilities are limited and they cannot support VLANs.
routers as broadcast boundaries in network segmentation
As you know, routers don't forward broadcast traffic. You can think of a router as a broadcast boundary, and fundamentally, routers are tools you can use to divide and conquer network traffic. However, you also need to manage the IP address space at a logical layer. To do this, you need to configure (either manually or through the DHCP server) the clients on each subnet so they know which devices are on their own subnet and which devices are not. And you need to configure each router interface to ensure that it serves as the default gateway for its LAN and forwards traffic to the other LANs as necessary.
VLAN isolation (common VLAN configuration error)
By grouping certain nodes into a VLAN, you are not merely including those nodes—you are also excluding other groups of nodes. This means you can potentially cut off an entire group from the rest of the network. VLANs must be connected to and configured on a router or Layer 3 switch to allow different VLANs to exchange data outside their own broadcast domain.
VTP (VLAN Trunk Protocol)
Cisco's protocol for exchanging VLAN information over trunks. - most popular protocol for exchanging VLAN information over trunks - allows changes to the VLAN database on one switch, called the stack master (in Cisco's own VTP terms, the switch running in VTP server mode), to be communicated to all other switches in the same VTP domain. This provides network administrators with the ability to centrally manage all VLANs by making changes to a single switch. - Other switches besides the stack master in the same (protocol) domain can also communicate VLAN updates, such as the addition of a new VLAN. - Caveat: a switch joining the domain with a higher configuration revision number overwrites the VLAN database on every other switch, so set a VTP domain password or run switches in transparent mode before relying on it.
show vlan command
Displays VLAN information
CIDR block
In CIDR notation, the forward slash plus the number of bits used for the network ID. For example, the CIDR block for 199.34.89.0/22 is /22.
subnet mask
In IPv4 addressing, a 32-bit number that, when combined with a device's IP address, indicates what kind of subnet (or network) the device belongs to. - two portions: 1. network ID: identifies the network 2. host ID: identifies the host device - the number of 1s in it determines the number of bits in the IP address that belongs to the network. - the number of 0s in it determines the number of bits in the IP address that belong to the host portion
SAID (security association identifier)
Part of a VLAN configuration that indicates to other connectivity devices which VLAN a transmission belongs to. By default, Cisco switches assign a VLAN the SAID of 100,000 plus the VLAN number (such as 100,000+12 = 100,012).
incorrect port mode (common VLAN configuration error)
Switch ports connected to endpoints, such as workstations and servers, should nearly always use access mode. Switch ports connected to other network devices should be configured in trunk mode only if that connection must support multiple VLANs.
incorrect VLAN assignment (common VLAN configuration error)
Symptoms: No connectivity between devices Causes: Devices are configured to use different VLANs Resolution: Reconfigure devices to use the same VLANs
802.1Q
The IEEE standard that specifies how VLAN and trunking information appears in frames and how switches and bridges interpret that information. - sometimes referred to as dot1q
trunking
The aggregation of multiple logical connections in one physical connection between connectivity devices. In the case of VLANs, a trunk allows two switches to manage and exchange data between multiple VLANs. - allows a single switch to support traffic belonging to several VLANs across the network - protocols assign and interpret the VLAN tags in Ethernet frames, thereby managing the distribution of frames through a trunk.
how a normal layer 2 switch operates
This switch manages all network traffic on the LAN unless a host on the network wants to communicate with a host on another network, and then that traffic goes through the router. - what happens when ports on a managed switch are partitioned into two VLANs: Traffic within each VLAN still goes through the switch as normal to reach other devices on the same VLAN. Traffic to hosts on other networks still goes through the router. - However, traffic between hosts on VLAN 1 and VLAN 2 must now also go through the router, which is called inter-VLAN routing.
how to divide VLSM (variable length subnet mask) subnets
To create VLSM subnets, you create the largest subnet first. Then you create the next largest subnet, and the next one and so on, until you have divided up all the remaining space. In this way, you ensure that the largest subnets get the space they need, and the smallest subnets are also sized appropriately. - Each subnet must begin on an address that is a multiple of its own size; allocating largest first keeps every boundary aligned without leaving wasted gaps between subnets.
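An added example of the largest-first procedure in Python (my own code, not the textbook's). It sizes each subnet with the 2^h - 2 rule, sorts the requirements by host count, and hands out aligned blocks from the start of the parent network. The function names and the constructed requirement list (engineering, sales, and a point-to-point link) are assumptions for illustration.

```python
# Added example, not textbook code: VLSM allocation, largest subnet first.
# Names and the sample requirements are my own.

def ip_to_int(ip):
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_for_hosts(needed_hosts):
    """Longest prefix (smallest subnet) whose 2^h - 2 usable addresses cover the need."""
    h = 2                                   # fewer than 2 host bits gives no usable hosts
    while 2 ** h - 2 < needed_hosts:
        h += 1
    return 32 - h


def vlsm_allocate(parent_cidr, requirements):
    """Carve parent_cidr (e.g. '192.168.89.0/24') into subnets for {name: hosts_needed}.

    Returns {name: 'network/prefix'} in allocation order; raises if the parent runs out.
    """
    parent_ip, parent_prefix = parent_cidr.split("/")
    start = ip_to_int(parent_ip)
    end = start + 2 ** (32 - int(parent_prefix))
    cursor = start
    result = {}
    # Largest need first: every later subnet is the same size or smaller, so it lands
    # on a boundary that is a multiple of its own size with no gap in between.
    for name, hosts in sorted(requirements.items(), key=lambda kv: kv[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        if cursor % size:                   # defensive: realign if a caller ever starts mid-block
            cursor += size - cursor % size
        if cursor + size > end:
            raise ValueError(f"no room left for {name} ({hosts} hosts) in {parent_cidr}")
        result[name] = f"{int_to_ip(cursor)}/{prefix}"
        cursor += size
    return result


if __name__ == "__main__":
    # Constructed requirements, not from the textbook.
    needs = {"sales": 60, "engineering": 100, "wan_link": 2}
    for name, subnet in vlsm_allocate("192.168.89.0/24", needs).items():
        print(f"{name:12} {subnet}")
```

Running it allocates engineering first as a /25, then sales as a /26 and the link as a /30, leaving the rest of the /24 free; reversing the order (smallest first) would force the /25 to skip ahead to the next 128-address boundary and strand addresses behind it.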
to create a subnet
To create a subnet, you borrow bits that would represent host information in classful addressing and use those bits instead to represent network information. - By doing so, you increase the number of bits available for the network ID, and you also reduce the number of bits available for identifying hosts. - Consequently, you increase the number of networks and reduce the number of usable host addresses in each network or subnet. - The more bits you borrow for network information, the more subnets you can have, but the fewer hosts each subnet can have.
voice VLAN
VLAN that Supports VoIP traffic, which requires high bandwidths, priority over other traffic, flexible routing, and minimized latency.
management VLAN
VLAN that can be used to provide administrative access to a switch. By default, this might be the same as the default VLAN; however, this poses a security risk and should be changed.
data VLAN (user VLAN)
VLAN that carries user-generated traffic, such as email, web browsing, or database updates.
what network segmentation happens at the data link layer (layer 2)?
VLANs (virtual LANs)
how a subnet mask works
When a computer is ready to send a transmission to another host, it first compares the bits in its own network ID to the bits in the network ID of the destination host. - If the bits match, the remote host is on the sending computer's own network, and it sends the transmission directly to that host. - If the bits don't match, the destination host is on another network, and the computer sends the transmission to the default gateway on its network. - The gateway is responsible for sending the transmission toward the correct network.
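An added example (my own Python, not from the textbook) that carries the ANDing card, the CIDR notation card, and the card above through in code: it ANDs an address with its mask to get the network ID, lays the three binary rows out the way the textbook does, and makes the "deliver directly or send to the default gateway" decision. Function names and the sample addresses are my own assumptions; 192.168.89.127/24 is the page's own example.

```python
# Added example, not textbook code: ANDing an address with its mask, and the
# "same network or default gateway?" decision. Takes CIDR notation such as
# 192.168.89.127/24. Function names and sample addresses are my own.

def ip_to_int(ip):
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(cidr):
    """'192.168.89.127/24' -> (address as int, mask as int); /N is the count of 1 bits."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {cidr}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ip_to_int(ip), mask


def network_id(cidr):
    """AND each address bit with the matching mask bit: a 1 survives only where both are 1."""
    ip, mask = parse_cidr(cidr)
    return int_to_ip(ip & mask)


def and_table(cidr):
    """The three rows of the textbook-style ANDing layout: address, mask, result."""
    ip, mask = parse_cidr(cidr)
    return [format(ip, "032b"), format(mask, "032b"), format(ip & mask, "032b")]


def next_hop(src_cidr, dst_ip, default_gateway):
    """Where the sender delivers the frame: to dst directly, or to its default gateway."""
    src, mask = parse_cidr(src_cidr)
    if (src & mask) == (ip_to_int(dst_ip) & mask):   # network bits match -> same subnet
        return dst_ip
    return default_gateway                             # otherwise the router forwards it


if __name__ == "__main__":
    for row in and_table("192.168.89.127/27"):
        print(row)
    print(network_id("192.168.89.127/27"))             # 192.168.89.96
    # Constructed: host .127 in the /27 talking to .100 (same subnet) and .130 (next subnet)
    print(next_hop("192.168.89.127/27", "192.168.89.100", "192.168.89.97"))
    print(next_hop("192.168.89.127/27", "192.168.89.130", "192.168.89.97"))
```

A useful check when debugging "can't reach a host on my own LAN" problems: run the same address through two candidate masks (/24 and /27 here) and see that the network ID changes, which is exactly what a misconfigured mask on one host does.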
subnet
a group of IP addresses
VLAN
a group of ports on a switch
trunk line
a link between two trunk ports.
each port on a switch that supports VLANs is configured as which of two types of VLAN ports?
access port or trunk port
where is the 802.1Q VLAN tag inserted in an Ethernet frame?
after the source address field and before the Ethernet type field
Unicast IPv6 Addresses
an address assigned to a single interface on the network. - can be represented in binary form, but is more commonly written as eight blocks of four hexadecimal characters separated by colons. For example, 2608:FE10:1:AA:002:50FF:FE2B:E708
common cause of VLAN problems
configuration errors
classful IPv4 addressing
every IPv4 address can be associated with a network class—A, B, C, D, or E (though Class D and E addresses are reserved for special purposes). Classful addressing is the simplest type of IPv4 addressing and uses only whole octets for the network ID and host portions. - When using classful IPv4 addressing, the last octet of a network ID is always equal to 0 (and may have additional, preceding octets equal to 0) - a workstation cannot be assigned the same address as the network ID, which explains why the last octet of a host's IP address is almost never 0.
second part of a subnet mask
host ID (host portion) - the 0s
trunk
is a single physical connection between networking devices through which many logical VLANs can transmit and receive data
how an 802.1Q tag works
is inserted in the Ethernet frame's header. The tag travels with the transmission until it reaches a router or the switch port connected to the destination device, whichever comes first. At that point, the tag is stripped from the frame. If the frame is being routed to a new VLAN, the router adds a new tag at this point, which is then removed once the frame reaches its final switch port. In most cases, neither the sending device nor the receiving device is aware of the VLAN infrastructure.
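An added example (my own Python, not the textbook's) that builds and parses the frame layout described on the 802.1Q cards above and on the VLAN hopping card: the 4-byte tag (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) sits after the source MAC and before the EtherType, tags can stack, and popping the outer tag is what exposes the inner one in a double-tagging attempt. The MACs, payload and function names are constructed for illustration.

```python
# Added example, not textbook code: build, parse and strip 802.1Q tags on an
# Ethernet frame, and flag a double-tagged frame. Sample MACs/payload are mine.
import struct

TPID_8021Q = 0x8100            # EtherType value that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def build_frame(dst, src, vlan_ids, ethertype, payload, pcp=0):
    """Ethernet frame with zero or more 802.1Q tags stacked after the source MAC."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) for vid in vlan_ids)
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Walk the header: dst, src, then tags until an EtherType that is not 0x8100."""
    dst, src = frame[0:6], frame[6:12]
    offset, vlan_ids = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype != TPID_8021Q:
            break
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)      # low 12 bits = VLAN ID; top 3 = priority, then DEI
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan_ids": vlan_ids,
            "ethertype": etype, "payload": frame[offset + 2:]}


def strip_outer_tag(frame):
    """What a switch does with native-VLAN traffic leaving a trunk: pop the outer tag only."""
    if parse_frame(frame)["vlan_ids"]:
        return frame[:12] + frame[16:]
    return frame


def is_double_tagged(frame):
    """Two or more stacked tags on a frame from an access port is the double-tagging signature."""
    return len(parse_frame(frame)["vlan_ids"]) >= 2


if __name__ == "__main__":
    # Constructed: outer tag 1 (a default native VLAN), inner tag 20 (the target VLAN)
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1, 20],
                        ETHERTYPE_IPV4, b"\x45\x00")
    print(parse_frame(frame)["vlan_ids"], is_double_tagged(frame))       # [1, 20] True
    print(parse_frame(strip_outer_tag(frame))["vlan_ids"])               # [20]
```

The parser is deliberately strict about where the tag lives: anything other than 0x8100 at offset 12 is treated as the EtherType, so a frame with no tag parses as plain Ethernet and an access-port capture that shows a non-empty `vlan_ids` list is worth investigating.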
at what layer of OSI model do switches normally operate at?
layer 2 (data link layer) - (There are, of course, Layer 3 switches. However, these devices function as routers at Layer 3, not as switches.) - By sorting traffic based on Layer 2 information, VLANs create two or more broadcast domains from a single broadcast domain, which is also a Layer 2 construct
tip to find the broadcast address for a subnet
look at the network ID of the next subnet and drop back one address. For example, the network ID for subnet 6 is 192.168.89.160. One address below that address is 192.168.89.159, which is the broadcast address for subnet 5. Notice that in binary, this last octet 159 ends with five 1s in the host portion of the IP address: 10011111. - pg. 449
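An added example (my own Python, not the textbook's) covering the magic number card, the 2^h tip, and the broadcast-address tip above: it finds the interesting octet, derives the magic number both ways and checks that they agree, then lists every subnet's network ID, host range and broadcast by stepping through the interesting octet and taking one address below the next network ID. Function names are mine; 192.168.89.0 with 255.255.255.224 is the page's own example.

```python
# Added example, not textbook code: the magic-number method for enumerating subnets.
# Function names are my own.

def ip_to_int(ip):
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def interesting_octet(mask):
    """(index, value) of the first octet that is neither 0 nor 255, or None for a classful mask."""
    for i, octet in enumerate(int(o) for o in mask.split(".")):
        if octet not in (0, 255):
            return i, octet
    return None


def magic_number(mask):
    """256 minus the interesting octet, which equals 2^(zero bits in that octet)."""
    found = interesting_octet(mask)
    if found is None:
        return None                          # classful mask: no subnetting in effect
    _, value = found
    magic = 256 - value
    zero_bits = 8 - bin(value).count("1")
    if magic != 2 ** zero_bits:              # only contiguous 1s make a valid mask octet
        raise ValueError(f"{mask} is not a valid subnet mask")
    return magic


def list_subnets(parent_network, mask):
    """All subnets of a classful parent (e.g. 192.168.89.0) under the new mask, numbered from 1."""
    found = interesting_octet(mask)
    if found is None:
        raise ValueError("mask is classful; there are no subnets to enumerate")
    idx, _ = found
    magic = magic_number(mask)
    prefix = sum(bin(int(o)).count("1") for o in mask.split("."))
    size = 2 ** (32 - prefix)                 # addresses per subnet, network ID and broadcast included
    octets = [int(o) for o in parent_network.split(".")]
    subnets = []
    for k in range(0, 256, magic):            # network IDs step by the magic number in that octet
        octets[idx] = k
        octets[idx + 1:] = [0] * (3 - idx)
        net = ip_to_int(".".join(map(str, octets)))
        next_net = net + size                 # the next subnet's network ID...
        subnets.append({"number": len(subnets) + 1,
                        "network": int_to_ip(net),
                        "first_host": int_to_ip(net + 1),
                        "last_host": int_to_ip(next_net - 2),
                        "broadcast": int_to_ip(next_net - 1)})   # ...minus one is this broadcast
    return subnets


if __name__ == "__main__":
    for s in list_subnets("192.168.89.0", "255.255.255.224"):
        print(s)
    print(format(159, "08b"))                 # 10011111: five 1s in the host bits of the broadcast
```

The same code handles an interesting octet in the third position (255.255.240.0 on 172.16.0.0 gives sixteen /20 subnets, magic number 16), which is the case where the shortcut "2 to the power of all the host bits" stops working and the per-octet count has to be used.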
first part of a subnet mask
network ID - the 1s
IPv4 class A division of bits
nnnnnnnn.hhhhhhhh.hhhhhhhh.hhhhhhhh - 8 bits for network ID - 24 bits for host ID
IPv4 class B division of bits
nnnnnnnn.nnnnnnnn.hhhhhhhh.hhhhhhhh - 16 bits in network ID - 16 bits in host ID
IPv4 class C division of bits
nnnnnnnn.nnnnnnnn.nnnnnnnn.hhhhhhhh - 24 bits in network ID - 8 bits in host ID
commands to change native VLAN to unused VLAN so untagged traffic turns into a dead-end
on a Cisco switch, for example, use the command switchport trunk native vlan. On a Juniper switch, the native VLAN is configured with the command set port-mode trunk followed by set native-vlan-id. Each switch port can be configured for a different native VLAN using these commands.
how routers and subnets work to divide networks
routers connect different networks via their physical interfaces. In the case of subnetting, each subnet corresponds to a different network interface, or port, on the router. - The administrator must program each interface on the router with the network ID and subnet mask for its subnet or LAN. Though tedious on larger networks, static IP addressing can also be used on network hosts - the first IP address in the range of host addresses for the subnet is assigned to the router's interface on the subnet, which serves the subnet as its default gateway. This convention varies between organizations, though. Some network admins prefer to use the last available host address in a range for the default gateway. - For dynamic IP addressing, the administrator programs each subnet's DHCP server with the network ID, subnet mask, range of IP addresses, and default gateway for the subnet. In many cases, however, it's cost prohibitive to create a separate DHCP server for each subnet. As we see here, some types of broadcast traffic, such as DHCP messages, need to travel beyond the subnet's broadcast domain in order to access centralized network services. - a subnet groups IP addresses so that clients on a large network can be logically organized into smaller networks. As you've also seen, this is often accomplished by adding routers (or Layer 3 switches) to the network or by using multiple ports on a single router (or Layer 3 switch). This creates multiple LANs within the larger network, with subnets organizing the available IP address space.
what do you need to find the network ID and host ID from an IPv4 address?
subnet mask
how does subnetting help network administrators when using IPv6 addresses?
subnetting helps network administrators manage the enormous volume of IPv6 addresses.
which block in an IPv6 address is used to create subsets within a site?
the fourth hexadecimal block - (16 bit section, 4 hexadecimal characters)
Subnet ID in IPv6 addressing
the fourth hexadecimal block in the address - one block long, which is four hexadecimal characters, or 16 bits in binary. - Sometimes organizations further subdivide this block into site, sub-site, and subnet IDs, where the Subnet ID block is managed at two different levels: the first half for sub-sites, and the second half for subnets within each site
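An added example (my own Python, not from the textbook) that pulls apart a unicast IPv6 address into the pieces named on the site prefix, subnet ID and interface identifier cards, splits the 16-bit subnet ID into the sub-site and subnet halves described above, and builds a modified EUI-64 interface ID from a MAC address. Function names and the sample MAC and /64 prefix are my own assumptions; the page's own sample address is used for the split.

```python
# Added example, not textbook code: IPv6 address anatomy and EUI-64 interface IDs.
# Function names and the sample MAC / prefix are my own.
import ipaddress


def split_ipv6(addr):
    """Break a unicast IPv6 address into the pieces the cards name."""
    blocks = ipaddress.IPv6Address(addr).exploded.split(":")   # eight 4-hex-digit blocks
    return {"global_routing_prefix": ":".join(blocks[:3]),     # first 48 bits, provider-assigned
            "subnet_id": blocks[3],                              # fourth block, 16 bits
            "network_prefix": ":".join(blocks[:4]),             # first four blocks, 64 bits
            "interface_id": ":".join(blocks[4:])}                # last four blocks, 64 bits


def subnet_id_levels(subnet_block):
    """Split the 16-bit subnet ID: first 8 bits for the sub-site, last 8 for the subnet."""
    value = int(subnet_block, 16)
    return {"sub_site": value >> 8, "subnet": value & 0xFF}


def eui64_interface_id(mac):
    """Modified EUI-64: insert ff:fe in the middle of the MAC, flip the U/L bit of byte 0."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"{mac} is not a 48-bit MAC address")
    octets[0] ^= 0x02                                   # universal/local bit
    eui = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ":".join(eui[i:i + 2].hex() for i in range(0, 8, 2))


def slaac_address(prefix64, mac):
    """Join a 64-bit network prefix (four blocks) with the EUI-64 interface ID."""
    return ipaddress.IPv6Address(f"{prefix64}:{eui64_interface_id(mac)}").compressed


if __name__ == "__main__":
    print(split_ipv6("2608:FE10:1:AA:002:50FF:FE2B:E708"))   # the page's sample address
    # Constructed MAC and prefix, not from the textbook
    print(eui64_interface_id("00:1b:21:aa:bb:cc"))           # 021b:21ff:feaa:bbcc
    print(slaac_address("2001:db8:0:12", "00:1b:21:aa:bb:cc"))
```

Because the EUI-64 form embeds the hardware address, the interface ID is both predictable and trackable across networks, which is the reason most client operating systems now prefer randomized or privacy interface IDs over EUI-64 by default.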
what happens when a network is segmented into multiple networks?
traffic on one network is separated from another network's traffic and each network is its own broadcast domain. - larger broadcast domain broken down into smaller broadcast domains