
05/2007

Switch Crash Course: basic reference on configuring managed switches


1. The structure has to be kept simple. Most SMBs will work fine with 2 layers (access / distribution), at most 3 if needed.

2. It is important to define the standard before starting to configure. Management VLANs must have their own specific numbering, as must user VLANs, also taking into account the various remote sites.

3. Distribution switches have fewer ports and a large backplane capacity; access switches have more ports (16, 24, 48).

4. The switch parameters must be known (backplane speed and port speeds), always remembering that a switch is one broadcast domain (hence the importance of VLANs).

5. Switches come with a native VLAN, generally VLAN 1. All ports belong to this VLAN until they are configured and assigned another, more specific user VLAN. Each port belongs to only one VLAN.

6. As a high-security standard, it is recommended to separate the native VLAN from the management network and from the user VLANs. Simplifications can be made according to the desired security level and the other security features the switch offers, such as protections against Layer 2 attacks. The most common simplification is to leave the management VLAN on the native VLAN itself (see below).

7. Management network: in the normal security model this will generally be VLAN 1 itself, the native one, which contains all ports until they are allocated to another specific VLAN.

8. Management can also be done out-of-band, through the console port. There are pros and cons to this approach. For remote systems, the old remedy: a computer with a modem and a terminal server can be the vehicle for remote support.

9. Native VLAN: can be seen as the default network. An important property is that VLAN tags are not inserted into the frames of the native VLAN, which is a performance gain. By default it is VLAN 1, but it can be assigned to another VLAN. If it is assigned to a user VLAN, that should be the network that tends to carry the largest volume of traffic.

10. Ports can belong to a single VLAN, and each VLAN will have a different network address, so routing is needed to pass from one to another.

11. Defining the port role is important, and in today's web configuration interfaces much is derived from these definitions: QoS, speed, full/half duplex, Spanning Tree.

12. Spanning Tree: the protocol used to avoid loops in networks that have redundancy. Loops can even paralyze a network. STP can handle up to 7 switches between the end devices (hosts). Ports that are not subject to loops do not need STP enabled, for example server ports. This protocol has an upgrade in Rapid STP, which allows a faster network reconfiguration (10 s) when a link between switches goes down (instead of the original 30-60 s). There are some STP variants, such as IEEE (the normal one) or DEC. Path selection works on a "lower is better" basis: each switch is associated with a priority (a cost) and the MAC address of the port, and the lowest cost or lowest MAC is chosen. There is the concept of the root switch, and from it a single path is built to every other switch. Redundant links stay Blocked, only coming into action (Listening) if the link that was previously primary becomes unavailable.

13. Trunking is an effective option for using a single port to connect switches and still carry traffic for all VLANs. The standard protocol is the IEEE one, but Cisco (which always starts ahead) has ISL, which works on older equipment. To allow traffic between VLANs (with or without filtering) a router is necessary, and the link between the switch and the router is made through trunking, which saves ports by using only one.

14. When necessary, more than one port can be used for trunking to satisfy throughput and/or for redundancy. In these cases Spanning Tree must be handled with more care: one path must be free and the others blocked, only operating if the primary one is unavailable.

15. Trunks can be aggregated to allow a larger traffic volume. When the switch has this capability, two or more ports can be joined through the Aggregation facility.

16. For the router, as mentioned, the link is a trunk, and on the router a single interface receives all VLANs, using the concept of subinterfaces.
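The root election and path selection rules from item 12, worked through in code. This is an added example, not part of the original crash course: it models only the "lowest (priority, MAC) wins" election, the least-cost path to the root, and which redundant link is left blocked; port roles, BPDU timers and the Listening/Learning states are not modelled. The bridge IDs, link costs and triangle topology are constructed for illustration.

```python
"""Simplified Spanning Tree root election and path selection (added example)."""
import heapq

# Constructed bridges: name -> (priority, MAC address). Lower wins: priority
# is compared first, the MAC breaks ties, as the text describes.
BRIDGES = {
    "SW1": (32768, "00:11:22:33:44:01"),
    "SW2": (32768, "00:11:22:33:44:02"),
    "SW3": (4096, "00:11:22:33:44:03"),   # priority lowered to make it the root
}

# Constructed redundant triangle using IEEE 802.1D-1998 default path costs
# (19 for a 100 Mb/s link, 4 for a 1 Gb/s link).
LINKS = [
    ("SW1", "SW2", 19),
    ("SW2", "SW3", 4),
    ("SW1", "SW3", 4),
]


def elect_root(bridges):
    """Root bridge: the lowest (priority, MAC) bridge ID."""
    return min(bridges, key=lambda name: bridges[name])


def root_path_costs(bridges, links):
    """Least root path cost per bridge (Dijkstra) with STP's tie-break:
    on equal cost, prefer the upstream bridge with the lower bridge ID.
    Returns (root, cost_by_bridge, upstream_by_bridge)."""
    root = elect_root(bridges)
    adj = {}
    for a, b, c in links:
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    cost = {root: 0}
    upstream = {}
    heap = [(0, bridges[root], root)]
    while heap:
        d, _, node = heapq.heappop(heap)
        if d > cost[node]:
            continue            # stale entry
        for nxt, c in adj.get(node, []):
            nd = d + c
            better = nd < cost.get(nxt, float("inf"))
            tie = nd == cost.get(nxt) and bridges[node] < bridges[upstream[nxt]]
            if better or tie:
                cost[nxt] = nd
                upstream[nxt] = node
                heapq.heappush(heap, (nd, bridges[nxt], nxt))
    return root, cost, upstream


def link_states(bridges, links):
    """Map each link to 'forwarding' (on the tree) or 'blocked' (redundant)."""
    _, _, upstream = root_path_costs(bridges, links)
    tree = {frozenset(pair) for pair in upstream.items()}
    return {(a, b): "forwarding" if frozenset((a, b)) in tree else "blocked"
            for a, b, _ in links}


if __name__ == "__main__":
    root, cost, upstream = root_path_costs(BRIDGES, LINKS)
    print("root:", root, "costs:", cost)
    for link, state in link_states(BRIDGES, LINKS).items():
        print(link, state)
```

With SW3 as root, SW1 and SW2 each reach it directly at cost 4, so the SW1-SW2 link is the redundant one and is left blocked; it would only be used if one of the gigabit links failed. Lowering a distribution switch's priority, as SW3 does here, is how the root is chosen deliberately rather than by whichever switch happens to have the lowest MAC.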

Appendix: text on trunking configuration

An introduction to VLAN Trunking


George Ou, Network Systems Architect
May 2003

Contents

Introduction
Applications of VLAN Trunking
VLAN encapsulation types
Trunking requirements

Introduction

There are many network devices in the data center that require multi-homing (multiple network adapters) to tie in to multiple network segments. As the number of those systems increases, it becomes more and more difficult to provide the network infrastructure (due to the sheer number of Ethernet connections that need to be provided) from the perspective of cost, space, and wire management. A technology called VLAN trunking (a VLAN is a virtual LAN, a broadcast domain logically segmented on an Ethernet switch) that was once primarily the domain of network switches has now trickled down to the rest of the data center to address these issues. Now it is possible for these multi-homing devices to be multi-homing in function without the need for multiple physical network adapters and the additional infrastructure associated with them. VLAN trunking allows a single network adapter to behave as n virtual network adapters, where n has a theoretical upper limit of 4096 but is typically limited to 1000 VLAN network segments. In the case where a single gigabit Ethernet adapter is trunked in place of multiple FastEthernet adapters, higher performance at a lower cost and increased flexibility can be achieved. This really is the best of all worlds. In this article, I will give you an overview of VLAN trunking, how it works and what it is used for.

Applications of VLAN Trunking

Here are some common examples of network devices that benefit from VLAN trunking:

Routers
Firewalls (software or hardware)
Transparent proxy servers
VMware hosts
Wireless access points

Routers can become infinitely more useful once they are trunked in to the enterprise switch infrastructure. Once trunked, they become omnipresent and can provide routing services to any subnet in any corner of the enterprise network. This is in essence what a routing module in a high-end core or distribution L3 (Layer 3) switch provides. This technique can be a poor man's substitute for a high-end routing module on a switch, or it can complement the high-end L3 switch by providing additional isolated routed zones for test labs, guest networks, and any other network segment that requires isolation.

Firewalls are another device that can greatly benefit from VLAN trunking now that all the big players like Cisco, Nokia/CheckPoint, and NetScreen support it. In today's high-stakes environment where security concerns are ever increasing, the more firewall zones (subnets connected by separate virtual or physical network adapters) a firewall provides, the better. With the exception of NetScreen firewalls, firewalls can only block potentially hazardous traffic between zones and not traffic within the same zone. Therefore, the more you separate devices like routers and servers by logical function and security level, the better off you are, since you can limit unnecessary traffic and mitigate many security threats. Since VLAN trunking provides a nearly unlimited number of virtual network connections at a lower cost and higher performance, it is the perfect addition to firewalls. You can read more on this in:

Understand how to design a secure firewall policy
Increase firewall protection with a better network topology

Transparent proxy servers such as a Windows server running Microsoft ISA or a Linux server running Squid can now be built with a single gigabit Ethernet adapter costing as little as $40. A traditional proxy server can be built with a single network connection, but a transparent proxy server usually cannot. Since transparent proxy servers can be implemented with zero client deployment or SOCKS compliance, they are an extremely attractive new technology. Trunking just makes it that much simpler and cheaper to implement.

VMware hosts are servers that host multiple virtual servers for the purpose of server virtualization or system modeling for laboratory testing and research. Although VMware already provides the ability to have multiple VLANs within the VMware host, its ability to connect those VLANs to physical VLANs is limited to the number of network adapters on the VMware host. A VMware host can provide up to 3 network connections to each virtual machine. Since applications cannot tell the difference between a virtual adapter and a physical one, a VMware host armed with a trunked interface is significantly more flexible and simpler to manage.

One of the hottest new applications of VLAN trunking is wireless networking. The new Cisco AP 1200, for example, can behave as 16 virtual Wireless LAN infrastructures. Some VLANs can be used for low-security guest Internet access, others for minimum-security enterprise users, and administrators can be put on a high-security VLAN with enhanced firewall permissions. All this can be achieved using a single Wi-Fi infrastructure to emulate up to 16 Wi-Fi infrastructures. The Cisco AP 1200 does this by assigning each of the 16 VLANs its own Wi-Fi SSID, so when you look at it from NetStumbler (a free wireless sniffer), you will think you are looking at up to 16 different wireless networks. Those 16 VLANs are then trunked over the AP 1200's FastEthernet port. This offers wireless nirvana in Wireless LAN capabilities.

VLAN encapsulation types

There are several types of VLAN encapsulation. The two most common types are Cisco's proprietary ISL (Inter Switch Link) and the IEEE 802.1q specification. ISL is an older standard that Cisco was using to connect its switches and routers, but now that 802.1q is ratified, all of the newer Cisco gear either supports both ISL and 802.1q or only 802.1q. Older Cisco equipment may only support ISL trunking, so you must look up the individual specifications of your gear before attempting to connect them. The 802.1q standard works by injecting a 32-bit VLAN tag into the Ethernet frame of all network traffic, in which 12 of those bits define the VLAN ID. The VLAN ID simply declares what VLAN the Ethernet frame belongs to, and the switch uses that ID to sort out and place the frames in their proper VLANs. Once a frame reaches the end of the line or hits a non-trunked port, the VLAN tag is stripped from the frame because it is no longer needed. This also means that if you attempt to trunk a host to a non-trunked port, it obviously will not work, because that non-trunked port will strip the VLAN tags upon entry. Note that there are very serious security implications of using VLAN technology; I will elaborate on that in a future article on VLAN Layer 2 security. Given that a VLAN tag must be inserted into each and every Ethernet frame, there is a little overhead in terms of slightly increased frame sizes and some CPU overhead required to inject the tags. Because of this, separate physical network adapters will always perform better than virtual network adapters on a single adapter of the same speed. But remember, this performance deficiency is quickly reversed if a single gigabit Ethernet adapter is used in place of multiple FastEthernet adapters. Given all the rewards of VLAN trunking, the small overhead is more than justified.
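The tag layout just described, and the native-VLAN and access-port behaviour from items 9 and 13 of the crash course, as an added worked example (not code from the original article or the crash course). It builds and parses the 4-byte 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID), then models what a port emits: a trunk tags every VLAN except its native one, a non-trunked (access) port always strips the tag, and an IOS-style allowed-VLAN list drops VLANs it does not permit. The frame, MAC addresses and port settings are constructed.

```python
"""802.1Q tagging as seen from a switch port (added example)."""
import struct

TPID_8021Q = 0x8100

# Constructed untagged Ethernet II frame: dst MAC, src MAC, EtherType, payload
UNTAGGED_FRAME = (bytes.fromhex("ffffffffffff")         # destination MAC
                  + bytes.fromhex("001122334455")       # source MAC
                  + struct.pack("!H", 0x0800)           # EtherType: IPv4
                  + b"constructed payload")


def tag_frame(frame, vlan_id, pcp=0, dei=0):
    """Insert an 802.1Q tag right after the source MAC (byte offset 12).
    TCI = 3-bit priority (PCP) | 1-bit drop eligible (DEI) | 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:          # 0 and 4095 are reserved
        raise ValueError("VLAN ID out of range")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame):
    """Return (vlan_id, pcp, dei) if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 0x1


def strip_tag(frame):
    """Remove the 4-byte tag, as a non-trunked port does; untagged frames pass through."""
    return frame[:12] + frame[16:] if parse_tag(frame) else frame


def egress(frame, vlan_id, port):
    """Model what a port emits for a frame that belongs to vlan_id.

    port is {"mode": "access", "vlan": N} or
            {"mode": "trunk", "native": N, "allowed": set_of_vlan_ids}.
    Returns the bytes put on the wire, or None if the port drops the frame.
    """
    untagged = strip_tag(frame)
    if port["mode"] == "access":
        # An access port carries exactly one VLAN and never emits a tag
        return untagged if vlan_id == port["vlan"] else None
    if vlan_id not in port["allowed"]:
        return None                       # pruned by the allowed-VLAN list
    if vlan_id == port["native"]:
        return untagged                   # native VLAN leaves the trunk untagged
    return tag_frame(untagged, vlan_id)   # every other VLAN is tagged


if __name__ == "__main__":
    trunk = {"mode": "trunk", "native": 1, "allowed": {1, 10, 20}}
    print(egress(UNTAGGED_FRAME, 20, trunk)[12:16].hex())   # 8100 0014
    print(parse_tag(egress(UNTAGGED_FRAME, 20, trunk)))      # (20, 0, 0)
```

The untagged native VLAN is exactly why the crash course recommends keeping it separate from user and management traffic: whatever arrives untagged on a trunk is placed in the native VLAN, so the native VLAN ID should be one that no host port uses.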
Trunking requirements

VLAN trunking requires that the network switch, the network adapter, and the drivers for the operating system all support VLAN tagging in order for them to trunk. Almost any enterprise-grade switch made by Cisco, Extreme, Foundry, and others supports 802.1q. A few examples of this on the smaller scale are Cisco's 2950 series and Netgear's FSM726. Most high-end client adapters support VLAN trunking, but the most common ones you will find are the Intel Pro/100 and Pro/1000 adapters, because they are included on almost every server manufacturer's motherboard. For those without an integrated Intel adapter, a separate Pro/1000 PCI card can be bought for as little as $40. Driver support on the Intel adapters is excellent and covers almost everything from BSD to Linux to Windows client and server operating systems. My follow-up article on how to actually implement VLAN trunking will focus on Cisco and Intel equipment. Stay tuned.

Implementing VLAN trunking

George Ou, Network Systems Architect
June 2003

Contents

Introduction
Cisco switch configurations
Cisco router configurations
Windows configuration with Intel Pro Series adapters

Introduction
In my last article, Introduction to VLAN trunking, I whetted your appetite for a hot new technology that is revolutionizing the way network topologies are designed and interconnected. In this piece, I will show you how to actually implement this new technology on the three most common types of equipment you will come across: Cisco switches, Cisco routers, and servers or workstations running the Windows operating system. The only prerequisite for this article is a basic working knowledge of switches, routers, and PCs running Windows for their respective sections. (The original article included a network diagram of the lab environment created here.) Note that the examples I use are based on the 802.1q standard.

Cisco switch configurations


Cisco switches primarily come in two flavors, CatOS (Catalyst OS) and IOS (Internetworking OS). Although Cisco is trying to migrate almost everything to the IOS type operating system on their equipment, there is still a large installed base of CatOS switches. Cisco's flagship 6500 series switch can actually run CatOS or IOS, but most people I know run CatOS on the 6500s. Smaller switches like the 2950 and the 3550 all run IOS. Then there is the oddball 2948g-L3, which really is more of a router than a switch (the 2948 without the L3 is a normal IOS switch), and you should refer to the next section on routers for its configuration.

Note: In many ways, I personally love CatOS over IOS for its UI's (user interface's) superior method of entering system configuration. For example, if you ever need to apply a common configuration to 48 Ethernet ports on module 4, you simply need to apply a command to 4/1-48. On the IOS UI, you would need to enter each interface for all 48 ports and apply 96 individual commands vs. one command on CatOS! Viewing the configuration on IOS is equally bloated.

Here is a breakdown of trunking support for the various Cisco switches.

IOS:
2900 Series (on some IOS versions)
2948 (non-L3)
2950 Series
3548
3550 Series
6500 running IOS

CatOS:
2980 (same image as the 4000)
4000 Series
5000 and 5500 Series
6000 and 6500 Series

To set up CatOS or IOS on Cisco switches, the port that needs to be trunked must be configured for the right kind of VLAN trunking. (Note that not every module and interface on a switch supports trunking; the switch will give you an error message if you try to set such a port for trunking, so you may need to look up the port capabilities for each port.) Here is the configuration guide for both IOS and CatOS.

Configuring and locking down IOS switches (IOS command, followed by its description):

enable
    Switch to enable mode.
configure terminal
    Enter global configuration mode.
interface FastEthernet0/1
    Enter interface configuration for port 0/1. This is where you pick the port you want to trunk.
switchport mode trunk
    Set the port to trunking mode.
switchport trunk encapsulation dot1q
    Set the trunk type to 802.1q. If your switch only supports either ISL or 802.1q, this command does not exist because there is nothing to specify. This command only works when you can choose between the two.
switchport trunk allowed vlan 10-15,20
    Allow only VLANs 10 through 15 and VLAN 20. It is important that you restrict the VLANs to only the ones you need, as a security best practice. (The IOS keyword is "allowed"; the original table printed it as "allow".)
exit
    Exit interface configuration.
exit
    Exit global configuration.
write memory
    Commit changes to NVRAM.

Locking down CatOS for security (CatOS command, followed by its description):

enable
    Switch to enable mode.
clear trunk 1/1-2 1-1005
clear trunk 2/1-2 1-1005
clear trunk 3/1-24 1-1005
(fill in the pieces)
clear trunk 12/1-24 1-1005
set trunk 1/1-2 off
set trunk 2/1-2 off
set trunk 3/1-24 off
set trunk 4/1-24 off
(fill in the pieces)
set trunk 9/1-24 off
    This is an example of how to lock down a Cisco 6500 switch. First it clears the VLANs from all ports on the 6500 switch, and then it explicitly disables trunking on every single port. Whether you intend to use trunking on your CatOS switch or not, you would be very wise to implement this lockdown on all of your CatOS switches. Otherwise, a hacker can bypass all Layer 3 (firewall) security by simply hopping VLANs. I included this section before the "Configuring CatOS switches" section because the lockdown needs to be done before any custom configuration is entered.

Although this section is not really mandatory for trunking to function, I felt it would be irresponsible not to include this Layer 2 security lockdown procedure. Although the CatOS switch has a far more streamlined UI compared to the IOS switches, it is notoriously promiscuous with its default settings on VLAN trunking. The trunking auto-negotiation is equally alarming on both the IOS and CatOS switches, which if left at the default will automatically connect switches as fully enabled and wide open. You would be shocked to see the sloppy Layer 2 security on most networks. If left unchecked, you are not only open to malicious hacks, but someone could accidentally plug in a Cisco switch with a VTP engine and accidentally nuke your network by changing your VLAN configuration.

Configuring CatOS switches (CatOS command, followed by its description):

enable
    Switch to enable mode.
set trunk 1/1 on dot1q 10-15,20
    The "on" switch enables trunking on this port. "dot1q" sets the port to 802.1q mode. "10-15,20" enables VLANs 10-15 and 20 to be carried on this trunking interface.

You may find it funny that it was so much work to lock down your switch while it only took one command to enable trunking. If you didn't bother to follow the lockdown procedure shown above, specifying the 10-15,20 VLAN IDs is useless, because it simply adds them to the existing 1-1005 pool, which remains wide open. This behavior of CatOS is very annoying and insecure by default. The IOS switches, on the other hand, only permit the VLANs you entered last, which also has its user-friendliness downside: on an IOS switch, if you enter 10-15,20 in your allowed-VLAN statement, it nullifies any other allowed VLAN outside of 10-15 and 20. The big plus to this is default security.
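A small configuration audit that checks for the conditions the IOS and CatOS sections above warn about. This is an added example, not code from the original article or from Cisco: it parses a constructed IOS-style running-config fragment and flags trunk ports that allow every VLAN, ports whose trunk negotiation was left dynamic or at the platform default, trunks that still negotiate (no "switchport nonegotiate"), and trunks that keep VLAN 1 as the native VLAN (the crash course recommends separating the native VLAN from management and user VLANs). It also models the CatOS "adds to the pool" versus IOS "replaces the list" semantics described in the paragraph above. Interface names and settings are constructed.

```python
"""Trunk-port lockdown check over an IOS-style switch configuration (added example)."""

# Constructed fragment of an IOS running configuration
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description uplink to distribution
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-15,20
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 10
!
"""


def parse_interfaces(config_text):
    """Split an IOS-style config into {interface name: [sub-commands]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None      # '!' or any other top-level line ends the block
    return interfaces


def parse_vlan_list(spec):
    """Expand an IOS/CatOS VLAN list such as '10-15,20' into a set of IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def apply_allowed(existing, spec, catos):
    """CatOS 'set trunk ... <vlans>' adds to the existing pool; IOS
    'switchport trunk allowed vlan <vlans>' replaces it, as the text describes."""
    new = parse_vlan_list(spec)
    return existing | new if catos else new


def audit_interface(cmds):
    """Return the findings for one interface's sub-commands (empty = clean).
    Assumes a switched port; routed ports ('no switchport') are not modelled."""
    findings = []
    mode = next((c[len("switchport mode "):] for c in cmds
                 if c.startswith("switchport mode ")), None)
    if mode is None or mode.startswith("dynamic"):
        findings.append("trunk negotiation left enabled: port may auto-form a trunk")
        return findings
    if mode != "trunk":
        return findings                   # access port: nothing to trunk
    if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
        findings.append("trunk allows all VLANs: restrict with an allowed-VLAN list")
    native = next((c.split()[-1] for c in cmds
                   if c.startswith("switchport trunk native vlan ")), "1")
    if native == "1":
        findings.append("native VLAN is 1: move it off the default VLAN")
    if "switchport nonegotiate" not in cmds:
        findings.append("trunk still sends DTP: add switchport nonegotiate")
    return findings


def audit_config(config_text):
    """Audit every interface; returns {interface: [findings]}."""
    return {name: audit_interface(cmds)
            for name, cmds in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else findings)
```

Run against the sample, FastEthernet0/1 (the locked-down trunk from the table above) and the access port come back clean, while the bare trunk on FastEthernet0/2 collects three findings and the dynamic port one. The same parser can be pointed at a real "show running-config" capture to find the ports a lockdown missed.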

Cisco router configurations


Cisco router configuration for trunking is fundamentally different from Cisco switch configuration. A router encapsulates traffic to be carried on the switch infrastructure and behaves as a multi-homed node on the network, just like a server, workstation, or firewall. A switch performs as the infrastructure that carries traffic for the VLANs (those that are allowed) on the Layer 2 infrastructure, acting as the VLAN traffic director, whereas the router performs a higher-layer function as a network gateway that can route Layer 3 traffic. You can basically configure a router with any number of desired virtual interfaces (a.k.a. sub-interfaces) from a single interface and designate the VLAN you want those interfaces to be switched to. The switch determines where the traffic from the router's virtual interface will wind up based on the VLAN ID portion of the 802.1q tag that was inserted into the Ethernet frame header by the router.

Configuring Cisco routers (IOS command, followed by its description):

enable
    Switch to enable mode.
configure terminal
    Switch to global configuration mode.
interface FastEthernet0/0.1
    Creates the first sub-interface for FastEthernet0/0.
encapsulation dot1q 10
    Injects an 802.1q tag with VLAN ID 10 into every frame coming from the first sub-interface.
ip address 10.1.1.1 255.255.255.0
    Defines the IP address/mask for this first sub-interface.
exit
    Exits the first sub-interface.
interface FastEthernet0/0.2
    Creates the second sub-interface for FastEthernet0/0.
encapsulation dot1q 11
    Injects an 802.1q tag with VLAN ID 11 into every frame coming from the second sub-interface.
ip address 10.1.2.1 255.255.255.0
    Defines the IP address/mask for this second sub-interface.
exit
    Exits the second sub-interface.
exit
    Exits global configuration.
write memory
    Commits changes to NVRAM.

You can continue to add any number of sub-interfaces you need. Once FastEthernet0/0 is connected to a switch port configured for 802.1q trunking, as shown in the switch examples above, all the sub-interfaces of FastEthernet0/0 become routable nodes (they can be default gateways) on the subnets that correspond to their VLANs.
