
VLAN Security - Making the Most of VLANs

Securing VLAN Networks

It's easy to see why virtual LANs have become extremely popular on networks of all sizes. In practical terms, multiple VLANs are pretty much the same as having multiple separate physical networks within a single organization — without the headache of managing multiple cable plants and switches.

Because VLANs segment a network, creating multiple broadcast domains, they effectively allow traffic from the broadcast domains to remain isolated while increasing the network's bandwidth, availability and security.

Most managed switches are VLAN-capable, but this doesn't mean that they all perform the job equally well. The market has been flooded by thousands of switches that seem to do the job, but special consideration must be taken before making a purchase.

A switch in a VLAN-enabled network needs to do a lot more than just switch packets between its ports.

Core backbone switches undertake the hefty task of managing the network's VLANs to ensure everything runs smoothly. The tasks of these switches include prioritizing network packets based on their source and destination (essentially Quality of Service), ensuring all edge switches are aware of the VLANs configured in the network, continuously monitoring for possible network loops on every VLAN, switching packets between VLANs as required and enforcing network security according to their configuration.

Edge switches, also known as access switches, are dedicated to the end devices: user workstations, network peripherals and sometimes servers (most IT administrators rightly prefer to connect servers directly to the core/backbone switches). The edge switches must be compatible with the VLAN features that the core backbone switches support; otherwise, problems caused by incompatibilities between the switches are unavoidable.

This is one reason many organizations standardize when it comes to network equipment from companies that include Cisco Systems, HP and Juniper Networks.

When deploying VLANs, here are five key considerations to address:

1. Links on VLAN Switches

VLAN switches have two main types of links: access links and trunk links.

Access Links are the most common type of links on any VLAN capable switch. All network hosts connect to the switch's Access Links to gain access to the local network. These links are the ordinary ports found on every switch, but configured to access a particular VLAN.

Trunk Links are the links that connect two VLAN capable switches together. While an Access Link is configured to access a specific VLAN, a Trunk Link is almost always configured to carry data from all available VLANs.

2. Native VLAN, ISL and 802.1q

When a port on a switch is configured as an access link, it has access to one specific VLAN. Any network device connecting to it will become part of that VLAN.

Ethernet frames entering or exiting the port are standard Ethernet II type frames, which are understood by the network device connected to the port. Because these frames belong only to one network, they are said to be “untagged” — meaning that they do not contain any information as to which VLAN they are assigned.

Trunk links on the other hand are a bit more complicated. Because they carry frames from all VLANs, it's necessary to somehow identify the frames as they traverse switches. This is called VLAN tagging.

Two methods are known for this job: ISL (Inter-Switch Link, a proprietary Cisco protocol) and IEEE 802.1q. Of the two, 802.1q is the more popular VLAN tagging method and is compatible among all vendors supporting VLAN trunking.

What might come as a surprise is that a trunk link can also be configured to act as an access link when a device (computer or switch) that does not support VLAN trunking connects to it. This means that if you have a trunk link on a switch and connect a computer, the port will automatically provide access to a specific VLAN. The VLAN in this case is known as the native VLAN, a common term that refers to the VLAN a trunk port is configured for when acting as an access link.
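The following Python code is an added example (it is not from the original article) that builds Ethernet II frames with and without an 802.1Q tag and classifies them the way a trunk port's ingress would: a tagged frame belongs to the VLAN ID in its tag, while an untagged frame (or one whose tag carries VLAN ID 0, which is priority-only) is assigned to the trunk's native VLAN. The MAC addresses, payloads and the native VLAN of 99 are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build an Ethernet II frame; when `vlan` is given, insert an 802.1Q tag."""
    header = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)  # TCI = PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload

def classify_on_trunk(frame, native_vlan):
    """Classify a frame arriving on a trunk port: tagged frames belong to the
    VLAN in their tag; untagged frames (and VID-0 priority-tagged frames) are
    placed in the trunk's native VLAN, exactly as they would be on an access link."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":")}
    if ethertype != TPID_8021Q:
        info.update(tagged=False, vlan=native_vlan, ethertype=ethertype, payload=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                vlan=native_vlan if vid == 0 else vid,  # VID 0 = priority tag only
                ethertype=inner_type, payload=frame[18:])
    return info

# Constructed sample frames (MAC addresses are made up, not captured traffic).
BCAST = bytes.fromhex("ffffffffffff")
HOST_A = bytes.fromhex("020000000001")
TAGGED_V10 = build_frame(BCAST, HOST_A, 0x0806, b"\x00\x01", vlan=10, pcp=5)
UNTAGGED = build_frame(BCAST, HOST_A, 0x0806, b"\x00\x01")

if __name__ == "__main__":
    for f in (TAGGED_V10, UNTAGGED):
        r = classify_on_trunk(f, native_vlan=99)
        print(f"tagged={r['tagged']} vlan={r['vlan']} ethertype=0x{r['ethertype']:04x}")
```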

3. Virtual Trunk Protocol and VTP Pruning

VTP is a Cisco proprietary protocol that ensures all VLAN information held by the VTP Server, usually the core switch, is propagated to all network switches within the VTP domain.

During initial network configuration, all switches are configured as members of the same VTP domain. With the use of VTP, an IT administrator can create, delete or rename VLANs on the core switch. All information is then automatically sent to all members of the VTP domain. The VTP equivalent for other vendors, such as HP and Juniper, is the GARP VLAN Registration Protocol (GVRP), which has been fine-tuned in recent years and includes many features previously implemented only in Cisco's VTP protocol.

VTP pruning, an extension to VTP's functionality, ensures that unnecessary network traffic is not sent over trunk links. This is done by forwarding broadcasts and unknown unicast frames on a VLAN, over trunk links, only if the receiving end of the trunk has ports assigned to that VLAN.

In practice, this means that if a network broadcast occurred on VLAN 5, for instance, and a particular switch did not have any ports assigned to VLAN 5, it would never receive the broadcast traffic through its trunk link. This translates to a major reduction in the broadcast or multicast traffic received by end switches in a VLAN network.

4. Inter-VLAN Routing

Inter-VLAN routing, as the term implies, is all about routing packets between VLANs. This is perhaps one of the most important features found on advanced switches. Because inter-VLAN routing directs packets based on their Layer 3 information (the IP address), switches that perform this function are known as Layer 3 switches and, of course, are the most expensive. The core switch is commonly a Layer 3 switch. In cases where a Layer 3 switch is not available, this function can also be performed by a server with two or more network cards or a router, a method often referred to as router on a stick.

Because this is one of the most important aspects of a VLAN network, the Layer 3 switch must have a fast switching fabric (measured in Gbps) and provide advanced capabilities such as support for routing protocols, advanced access-lists and firewall features. The Layer 3 switch can offer outstanding protection for a VLAN network but can also be a network administrator's worst nightmare if not properly configured.

5. Securing VLAN Devices

Even though many administrators and IT managers are aware of VLAN technologies and concepts, that doesn't necessarily hold true when it comes to VLAN security.

The first principle in securing a VLAN network is physical security. If an organization does not want its devices tampered with, physical access must be strictly controlled. Core switches are usually safely located in a data center with restricted access, but edge switches are often located in exposed areas.

Just as physical security guidelines require equipment to be in a controlled space, VLAN-based security requires the use of special tools and following a few best security practices to achieve the desired result.

These best practices include:

  • Removing console-port cables and introducing password-protected console or virtual terminal access with specified timeouts and restricted access policies;
  • Applying the same commands to the virtual terminal (telnet/Secure Shell) section and creating an access-list to restrict telnet/SSH access to specific networks and hosts;
  • Avoiding the use of VLAN 1 (the default VLAN) as the network data VLAN;
  • Disabling high-risk protocols on any port that doesn't require them (e.g. CDP, DTP, PAgP, UDLD);
  • Deploying VTP domain, VTP pruning and password protections;
  • Controlling inter-VLAN routing through the use of IP access lists.
For hands-on details about each of these practices, read through our Basic & Advanced Catalyst Layer3 Switch Configuration Guide.
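As an added example (not part of the original article or the configuration guide it references), the Python script below audits a small IOS-style running configuration against several of the best practices listed above: access ports left in VLAN 1, CDP and DTP left enabled on access ports, a missing VTP password, and vty lines without an exec-timeout or an access-class. The configuration excerpt is constructed for the demonstration and the checks rely only on standard IOS command keywords (switchport access vlan, no cdp enable, switchport nonegotiate, vtp password, exec-timeout, access-class).

```python
# Constructed running-config excerpt of an edge switch (not a real device).
SAMPLE_CONFIG = """\
vtp domain CORP
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
!
interface GigabitEthernet0/2
 switchport mode access
!
line vty 0 4
 exec-timeout 5 0
"""

def parse_sections(config):
    # Map each top-level config line to the indented sub-commands under it.
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit(config):
    # One finding string per best-practice violation found in the config.
    sec, findings = parse_sections(config), []
    if not any(k.startswith("vtp password") for k in sec):
        findings.append("global: no VTP password set")
    for name, cmds in sec.items():
        if name.startswith("interface ") and "switchport mode access" in cmds:
            vlan = next((int(c.split()[-1]) for c in cmds
                         if c.startswith("switchport access vlan ")), 1)  # IOS default: VLAN 1
            if vlan == 1:
                findings.append(f"{name}: access port in VLAN 1 (default VLAN)")
            if "no cdp enable" not in cmds:
                findings.append(f"{name}: CDP enabled")
            if "switchport nonegotiate" not in cmds:
                findings.append(f"{name}: DTP negotiation enabled")
        if name.startswith("line vty"):
            for prefix in ("exec-timeout", "access-class"):
                if not any(c.startswith(prefix) for c in cmds):
                    findings.append(f"{name}: no {prefix} configured")
    return findings
```

Running audit(SAMPLE_CONFIG) flags GigabitEthernet0/2 (VLAN 1, CDP and DTP still enabled), the missing VTP password and the vty line without an access-class, while the hardened GigabitEthernet0/1 produces no findings.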

Raising the Throttle

VLAN technology offers numerous enhancements to the network and provides paths to run multiple services in isolated environments without sacrificing speed, quality and network availability. If the necessary basic security guidelines are taken into consideration during initial implementation and then during ongoing administration, a VLAN can dramatically reduce administrative overhead.

Perhaps the most serious mistake that can be made is to underestimate the importance of the data link layer and of VLANs in particular in the architecture of switched networks.

It should not be forgotten that any network is only as robust as its weakest link, and therefore an equal amount of attention needs to be given to every layer to assure the soundness of the entire structure.

Summary

This article covered basic VLAN concepts such as Access Links, Trunk Links, Virtual Trunk Protocol (VTP), Inter-VLAN routing and more. We explained how VLAN networks operate, the different ways VLANs communicate, and also referenced a few VLAN security best practices. This article is also available for download in PDF format here: VLAN Security - Making the Most of VLANs

For more information on VLAN networks, readers can visit our dedicated VLAN Network section.


VTP Pruning

VTP (VLAN Trunking Protocol) pruning is a feature that is used in Cisco switches to reduce unnecessary traffic in VLAN (Virtual Local Area Network) trunks. When VTP pruning is enabled on a trunk, the switch will stop forwarding broadcast, multicast, and unknown unicast traffic to VLANs that do not have any active ports.

This feature optimizes network bandwidth utilization by preventing unnecessary traffic from being sent across the network, which can help improve network performance. However, VTP pruning should only be used in situations where there are VLANs with no active ports, as enabling it on all trunks can cause connectivity issues if new ports are added to VLANs in the future.

The Broadcast And Unicast Problem In VLAN Networks

In VLAN (Virtual Local Area Network) networks, broadcast and unicast problems can occur due to the presence of multiple VLANs within a single physical network. Broadcast packets are sent to all hosts on a network, while unicast packets are sent to a specific host. When a broadcast or unicast packet is sent within a VLAN network, it is forwarded to all ports within the same VLAN. If a large number of broadcast or unicast packets are sent, it can lead to network congestion and slow down the overall network performance. To mitigate these issues, VLANs are used to logically separate network traffic, reducing the number of devices that receive unnecessary broadcast and unicast packets. However, proper configuration and management of VLANs are essential to prevent broadcast storms and ensure efficient use of network resources.

The diagram below is an example of how network broadcasts can flood the network, creating unnecessary traffic through all trunk links:

[Diagram: vlans-pruning-1]

As shown and described, a host connected to a port configured for VLAN 2 on Switch 1 (first switch on the left), generates a network broadcast. Naturally, the switch will forward the broadcast out all ports assigned to the same VLAN it was received from, that is, VLAN 2.

In addition, the Catalyst switch will forward the broadcast out its trunk link, so it may reach all ports in the network assigned to VLAN 2. The Root switch receives the broadcast through one of its trunks and immediately forwards it to its downlink ports to Switch 2 and Switch 3.

Switch 2 is delighted to receive the broadcast as it does in fact have one port assigned to VLAN 2. Switch 3 however has no ports assigned to VLAN 2 and therefore will drop the broadcast packet received. In this example, Switch 3's uplink received broadcast traffic that was not necessary, therefore wasting valuable bandwidth.

While the inefficient usage of Switch 3's uplink doesn't seem like a major issue, the magnitude of this problem can be easily appreciated within a large network of switches, as shown in the diagram below:

[Diagram: vlans-pruning-2]

Here we have a medium sized network powered by Cisco Catalyst switches. The two main switches up the top are the VTP servers and also perform Inter-VLAN routing by routing packets between the different VLAN networks.

Below the core switches are the distribution-layer Catalyst switches (2950) with redundant fiber trunk links. Directly below the 2950 switches are the access-layer Catalyst switches (2948), allowing workstations to connect to the network.

In this example, a workstation connected to VLAN 2 sends a network broadcast request (lower left corner) to the network. As shown on the diagram, this broadcast will be sent out all network ports assigned to VLAN 2 on the local switch, but also out through all uplink ports to other switches. The same will occur on all other switches, causing a large amount of unnecessary traffic through network uplinks:

[Diagram: vlans-pruning-3]

We can appreciate how much unnecessary traffic is generated here and how easily switch uplinks can be flooded with broadcast traffic.

One can still argue that in today's modern multi-gigabit networks this would be insignificant traffic; however, from a design perspective, this is far from an efficient network design.

The Solution: Enabling VTP Pruning

VTP Pruning as you might have already guessed solves the above problem by reducing the unnecessary flooded traffic described previously. This is done by forwarding broadcasts and unknown unicast frames on a VLAN over trunk links only if the switch on the other end of the link has ports configured for that VLAN.

[Diagram: vlans-pruning-4]

Looking at the above diagram you will notice that the Root Catalyst 3550 Switch receives a broadcast from Switch 1, but only forwards it out one of its trunks. The Root Switch knows that the broadcast belongs to VLAN 2 and, furthermore, it is aware that no port is assigned to VLAN 2 on Switch 3; therefore it won't forward it out the trunk link connecting to that switch.
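The following Python model is an added example (not from the original article) of the flooding behaviour described in the VTP pruning section above and in the earlier "Virtual Trunk Protocol and VTP Pruning" section: it reproduces the four-switch diagram as a tree of trunk links and shows which trunks a VLAN 2 broadcast from Switch 1 crosses with pruning off (every trunk) and on (only the trunk towards Switch 2). It also honours the rule that VLAN 1 and VLANs 1001–1005 are never prune-eligible. The topology, port assignments and switch names are constructed to match the diagram; loop-free (tree) trunking is assumed.

```python
# Assumed tree topology modelled on the article's pruning diagram (constructed):
# Switch 1 and Switch 2 have ports in VLAN 2, Switch 3 only has VLAN 3 ports,
# and the Root switch has no access ports at all; it just links the others.
TRUNKS = [("Switch1", "Root"), ("Root", "Switch2"), ("Root", "Switch3")]
ACCESS_VLANS = {"Switch1": {2, 3}, "Root": set(), "Switch2": {2}, "Switch3": {3}}
# VLAN 1 and VLANs 1001-1005 are never prune-eligible, so they always flood.
PRUNE_INELIGIBLE = {1} | set(range(1001, 1006))

def neighbors(switch):
    return [b if a == switch else a for a, b in TRUNKS if switch in (a, b)]

def vlans_needed_beyond(switch, came_from):
    """VLANs with active ports on `switch` or on any switch reachable beyond it
    (not crossing back over the trunk to `came_from`). This is what the pruning
    advertisements sent back over that trunk tell the upstream switch."""
    needed, seen, stack = set(), {came_from}, [switch]
    while stack:
        sw = stack.pop()
        seen.add(sw)
        needed |= ACCESS_VLANS[sw]
        stack.extend(n for n in neighbors(sw) if n not in seen)
    return needed

def flooded_trunks(source, vlan, pruning):
    """Trunk hops (from, to) that a broadcast in `vlan` originating at `source`
    crosses, with VTP pruning on or off."""
    crossed, seen, stack = set(), {source}, [source]
    while stack:
        sw = stack.pop()
        for nxt in neighbors(sw):
            if nxt in seen:
                continue
            if (pruning and vlan not in PRUNE_INELIGIBLE
                    and vlan not in vlans_needed_beyond(nxt, sw)):
                continue  # pruned: no port beyond this trunk belongs to the VLAN
            crossed.add((sw, nxt))
            seen.add(nxt)
            stack.append(nxt)
    return crossed

if __name__ == "__main__":
    for pruning in (False, True):
        hops = sorted(flooded_trunks("Switch1", 2, pruning))
        print(f"VLAN 2 broadcast from Switch1, pruning={pruning}: {hops}")
```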

Support For VTP Pruning

The VTP Pruning service is supported by both VTP 1 and VTP 2 versions of the VTP protocol. With VTP 1, VTP pruning is possible with the use of additional VTP message types.

When a Cisco Catalyst switch has ports associated with a VLAN, it will send an advertisement to its neighboring switches informing them about the ports it has active on that VLAN. This information is then stored by the neighbors and used to decide if flooded traffic from a VLAN should be forwarded to the switch via the trunk port or not.

VTP Pruning configuration and commands are covered in section 11.4 as outlined in the VLAN Introduction page, however, we should inform you that you can actually enable pruning for specific VLANs in your network.

When you enable VTP Pruning on your network, all VLANs become eligible for pruning on all trunk links. This default list of pruning eligibility can thankfully be modified to suit your needs, but you must first clear all VLANs from the list using the clear vtp prune-eligible vlan-range command and then set the VLAN range you wish to add to the prune-eligible list by issuing the following command: set vtp prune-eligible vlan-range, where 'vlan-range' is the actual inclusive range of VLANs, e.g. '2-20'.

By default, VLANs 2–1000 are eligible for pruning. VLAN 1 has a special meaning because it is normally used as a management VLAN and is never eligible for pruning, while VLANs 1001–1005 are also never eligible for pruning. If the VLANs are configured as pruning-ineligible, the flooding continues as illustrated in our examples.

VTP Pruning is disabled by default on all Cisco Catalyst switches and can be enabled by issuing the set vtp pruning enable command on the VTP Server. This will also enable VTP pruning for the entire management domain.

Summary

VTP Pruning is a much welcomed feature within any VTP-enabled Cisco powered network, assisting in increasing bandwidth availability by restricting broadcast and unknown unicast traffic. We provided examples of how VTP pruning can be configured and the effects it has in both a small and a large network.