As a reminder, a trunk is a link intended to carry the traffic of several VLANs. Since a standard Ethernet frame carries no information about the VLAN it belongs to, that information has to be added by a tagging protocol.
In the case of dot1q (the IEEE 802.1Q standard), a 4-byte tag is inserted between the source MAC address field and the Type/Length field of the frame:
[Figure: Dot1q frame]
As the diagram shows, the dot1q tag contains several fields:
- A tag protocol identifier (TPID, 2 bytes, value 0x8100) which takes the place of the EtherType and announces the presence of the tag.
- 3 bits of priority (PCP), used for QoS features at the frame level.
- CFI: 1 bit originally used to guarantee compatibility between Ethernet and Token Ring frames (this bit is always 0 for an Ethernet frame).
- The VLAN identifier (VID), encoded on 12 bits: values range from 0 to 4095, of which 0 and 4095 are reserved and cannot be used as VLAN numbers (hence the 1-4094 range shown by the switch for a trunk).
When a frame is sent out of a trunk interface, it is marked with a dot1q tag containing the identifier of the VLAN it belongs to, which allows the switch that receives it to place it back in the appropriate VLAN.
Native vlan ... why?
Some frames carried on a trunk are not marked with a dot1q tag. The switch still has to put them somewhere, and this is where the native VLAN comes in.
The native VLAN is the VLAN whose frames are conveyed untagged on a dot1q trunk. Frames belonging to it are sent without a tag, and when a switch receives a standard, untagged Ethernet frame on a trunk interface it places it in the native VLAN. It is, in a way, the default VLAN of the trunk.
On Cisco devices, some control protocols such as CDP or DTP are transported in untagged frames and therefore travel in the native VLAN.
Secure the native vlan ...
It is important to pay attention to the native VLAN for several reasons:
- It is preferable not to carry control-protocol frames such as CDP or DTP in the same VLAN as user data. A user is then prevented from capturing that traffic or, worse still, from generating forged CDP or DTP messages with the aim of subverting the operation of the network.
- The fact that a VLAN carries untagged frames makes "VLAN hopping" attacks possible. Their purpose is to inject traffic into a VLAN the sending machine is not a member of, by adding fake dot1q tags: this is the principle of "double tagging". An attacker connected to an access port in the native VLAN generates a frame with two dot1q tags, an outer tag for the native VLAN and an inner tag for the target VLAN. On arrival at the port, the first switch removes the outer tag (that VLAN is sent untagged on the trunk) and the frame leaves with only the inner tag; the switch at the other end of the trunk processes that second tag and places the frame in the VLAN it names. The attack is one-way (no reply comes back to the attacker), but that is enough to inject traffic into a VLAN that should be unreachable.
To remedy this, there are two main techniques:
- Change the value of the native VLAN (by default, on a Cisco switch, VLAN 1 is the native VLAN) so that it no longer matches any VLAN that has access ports in it.
- Force the tagging of all VLANs, including the native VLAN.
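The following Python script is an added example, not code from the original post: it builds a double-tagged 802.1Q frame byte by byte and runs it through a deliberately simplified model of the two switches (access-port ingress, trunk egress, trunk ingress) to show why the attack works with the default native VLAN 1 and how each of the two remedies above stops it. The frame contents, MAC addresses and the switch model are constructed for the demonstration; real switches differ in details such as how they treat tagged frames on access ports.

```python
import struct

TPID_8021Q = 0x8100     # EtherType value that announces an 802.1Q tag
ETHERTYPE_IP = 0x0800


def build_frame(dst, src, vids, ethertype, payload):
    """Build an Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    frame = bytes(dst) + bytes(src)
    for vid in vids:
        # TCI = PCP (3 bits) | CFI (1 bit) | VID (12 bits); PCP and CFI are left at 0 here
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VIDs outermost first, EtherType, payload) for a possibly multi-tagged frame."""
    offset, vids = 12, []
    while struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)
        offset += 4
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    return vids, ethertype, frame[offset + 2:]


def access_to_trunk(frame, access_vlan, native_vlan, tag_native):
    """Simplified model of the first switch: access-port ingress, then trunk egress.

    On the access port an outer tag equal to the access VLAN is accepted and removed;
    any other tag gets the frame dropped. On the trunk the frame goes out untagged when
    it belongs to the native VLAN and native tagging is off, and tagged in every other case.
    Returns the bytes seen on the trunk, or None if the frame was dropped.
    """
    vids, _, _ = parse_tags(frame)
    if vids:
        if vids[0] != access_vlan:
            return None
        frame = frame[:12] + frame[16:]          # strip the outer tag only
    if access_vlan == native_vlan and not tag_native:
        return frame                             # untagged: whatever is inside stays inside
    return frame[:12] + struct.pack("!HH", TPID_8021Q, access_vlan) + frame[12:]


def trunk_classify(frame, native_vlan):
    """Second switch: the outer tag decides the VLAN; an untagged frame lands in the native VLAN."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def double_tag_attack(attacker_vlan, target_vlan, native_vlan, tag_native):
    """VLAN in which the far-end switch delivers the attacker's double-tagged frame (None if dropped)."""
    # constructed sample: broadcast destination, locally administered source MAC, dummy payload
    frame = build_frame(b"\xff" * 6, bytes.fromhex("020000000001"),
                        [attacker_vlan, target_vlan], ETHERTYPE_IP, b"constructed payload")
    on_wire = access_to_trunk(frame, attacker_vlan, native_vlan, tag_native)
    return None if on_wire is None else trunk_classify(on_wire, native_vlan)


if __name__ == "__main__":
    cases = [
        ("default native VLAN 1, sent untagged", 1, 20, 1, False),
        ("native VLAN moved to empty VLAN 999", 1, 20, 999, False),
        ("native VLAN 1 with 'vlan dot1q tag native'", 1, 20, 1, True),
        ("attacker has an access port in native VLAN 999", 999, 20, 999, False),
    ]
    for label, attacker, target, native, tagged in cases:
        print(f"{label:50s} -> delivered in VLAN {double_tag_attack(attacker, target, native, tagged)}")
```

The last case is the reason the native VLAN must be an "empty" VLAN: moving it to 999 only helps if no access port is ever placed in VLAN 999, otherwise an attacker on such a port is back in the first situation.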
Topology
So here we have two switches, each with machines connected in VLANs 10 and 20. The link between them will be configured as a dot1q trunk.
Basic configuration of switches (vlans, trunks, ...)
About 3560-1 ...
3560-1#configure terminal
! Creation of the VLANs
3560-1(config)#vlan 10,20
3560-1(config-vlan)#exit
! Placing interfaces in VLAN 10
3560-1(config)#interface range fastEthernet 0/1-12
3560-1(config-if-range)#switchport mode access
3560-1(config-if-range)#switchport access vlan 10
3560-1(config-if-range)#exit
! Placing interfaces in VLAN 20
3560-1(config)#interface range fastEthernet 0/13-24
3560-1(config-if-range)#switchport mode access
3560-1(config-if-range)#switchport access vlan 20
3560-1(config-if-range)#exit
! Basic configuration of the trunk to 3560-2
3560-1(config)#interface gigabitEthernet 0/1
3560-1(config-if)#switchport trunk encapsulation dot1q
3560-1(config-if)#switchport mode trunk
3560-1(config-if)#exit
3560-1(config)#
About 3560-2 ...
3560-2#configure terminal
! Creation of the VLANs
3560-2(config)#vlan 10,20
3560-2(config-vlan)#exit
! Placing interfaces in VLAN 10
3560-2(config)#interface range fastEthernet 0/1-12
3560-2(config-if-range)#switchport mode access
3560-2(config-if-range)#switchport access vlan 10
3560-2(config-if-range)#exit
! Placing interfaces in VLAN 20
3560-2(config)#interface range fastEthernet 0/13-24
3560-2(config-if-range)#switchport mode access
3560-2(config-if-range)#switchport access vlan 20
3560-2(config-if-range)#exit
! Basic configuration of the trunk to 3560-1
3560-2(config)#interface gigabitEthernet 0/1
3560-2(config-if)#switchport trunk encapsulation dot1q
3560-2(config-if)#switchport mode trunk
3560-2(config-if)#exit
3560-2(config)#
Checking ...
Verification of the VLANs ...
3560-1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/2
10   VLAN0010                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
20   VLAN0020                         active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
3560-1#
The interfaces are in the right VLANs; G0/1 does not appear since it is a trunk. Only G0/2 remains in the default VLAN 1 (note that this is not good practice: an unused interface should be shut down and placed in a VLAN dedicated to unused ports).
3560-1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20
3560-1#
The G0/1 interface is in trunking mode; by default all active VLANs are carried on it (allowed list 1-4094) and the native VLAN is VLAN 1.
3560-1#show interfaces gigabitEthernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: disabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
3560-1#
The command "show interfaces g0/1 switchport" gives us the native VLAN and the related settings. The native VLAN is VLAN 1 (the default) and administrative native VLAN tagging is disabled, so the frames of VLAN 1 cross the trunk untagged.
Securing the native vlan ...
The first good practice is therefore to change the value of the native VLAN on the trunk. However, we must be careful:
- It is strongly advised to use an "empty" VLAN as the native VLAN, with no interface connected to it, no SVI, etc.
- The native VLAN must be identical at both ends of the trunk, otherwise a multitude of problems appear: untagged frames would pass from one VLAN to another (each side placing them in its own native VLAN), and Spanning Tree detects the PVID inconsistency and blocks the port for the VLANs concerned, as the logs below show. A spanning-tree version that does not detect the mismatch would leave the two VLANs bridged together and risk a loop.
About 3560-1 ...
3560-1#configure terminal
! Creating a new, dedicated VLAN
3560-1(config)#vlan 999
3560-1(config-vlan)#name NATIVE
3560-1(config-vlan)#exit
! Configuring it as the native VLAN of the trunk
3560-1(config)#interface gigabitEthernet 0/1
3560-1(config-if)#switchport trunk native vlan 999
3560-1(config-if)#
! STP and CDP are not happy: STP detects an inconsistency between the BPDUs
! exchanged by the two switches (the peer still announces VLAN 1 as native)
! and blocks the port, while CDP notices the native VLAN mismatch and reports it.
*Mar  1 02:58:07.094: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet0/1 VLAN999.
*Mar  1 02:58:07.094: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet0/1 on VLAN0001. Inconsistent peer vlan.
*Mar  1 02:58:07.094: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet0/1 on VLAN0999. Inconsistent local vlan.
*Mar  1 02:58:07.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Native VLAN mismatch discovered on GigabitEthernet0/1 (999), with 3560-2 GigabitEthernet0/1 (1).
About 3560-2 ...
3560-2#configure terminal
! Creation of the same dedicated VLAN
3560-2(config)#vlan 999
3560-2(config-vlan)#name NATIVE
3560-2(config-vlan)#exit
! Configuring VLAN 999 as the native VLAN of the trunk
3560-2(config)#interface gigabitEthernet 0/1
3560-2(config-if)#switchport trunk native vlan 999
3560-2(config-if)#end
3560-2#
! Everything is back in order for STP now that the native VLAN is identical on both sides of the link
*Mar  1 03:04:25.236: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/1 on VLAN0999. Port consistency restored.
*Mar  1 03:04:25.236: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/1 on VLAN0001. Port consistency restored.
Forcing the tagging of the native vlan ...
About 3560-1 ...
3560-1(config)#vlan dot1q tag native
About 3560-2 ...
3560-2(config)#vlan dot1q tag native
Checking ...
3560-1#show interfaces gigabitEthernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
3560-1#
We can see that the native VLAN is now VLAN 999 and that, in addition, it is now tagged on the trunk. Both measures must of course be applied at both ends of the trunk, as was done here.
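Checking one trunk by eye is fine; checking dozens is not. The script below is an added example (not part of the original post) that parses the "show interfaces switchport" output shown above, before and after hardening, and reports every operational trunk whose native VLAN is still 1, whose native VLAN is not tagged, or which still negotiates trunking with DTP. The sample outputs are the two captures from this page trimmed to the relevant lines, plus a constructed access port (Fa0/1) to show that non-trunk ports are ignored; the finding texts and the helper names are the example's own.

```python
import re

# Constructed sample: the Gi0/1 capture from this page before hardening, trimmed,
# followed by an access port made up for the example.
BEFORE_HARDENING = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: disabled
Voice VLAN: none
Trunking VLANs Enabled: ALL
Capture Mode Disabled

Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (VLAN0010)
"""

# Constructed sample: the same trunk after "switchport trunk native vlan 999"
# and "vlan dot1q tag native", trimmed the same way.
AFTER_HARDENING = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (NATIVE)
Administrative Native VLAN tagging: enabled
Trunking VLANs Enabled: ALL
"""


def parse_switchport(text):
    """Split 'show interfaces switchport' output into {interface: {field: value}}."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:          # blank lines and lines like "Capture Mode Disabled"
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = interfaces.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return interfaces


def vlan_number(field):
    """'999 (NATIVE)' or '1 (default)' -> 999 / 1; None when the field is missing."""
    match = re.match(r"\s*(\d+)", field or "")
    return int(match.group(1)) if match else None


def audit_trunks(text, expected_native=None):
    """Return [(interface, finding)] for every operational trunk found in the output."""
    findings = []
    for name, fields in parse_switchport(text).items():
        if fields.get("Operational Mode") != "trunk":
            continue
        native = vlan_number(fields.get("Trunking Native Mode VLAN"))
        if native == 1:
            findings.append((name, "native VLAN is still 1: move it to a dedicated, empty VLAN"))
        elif expected_native is not None and native != expected_native:
            findings.append((name, f"native VLAN is {native}, expected {expected_native} (check both trunk ends)"))
        if fields.get("Administrative Native VLAN tagging", "").lower() != "enabled":
            findings.append((name, "native VLAN sent untagged: configure 'vlan dot1q tag native'"))
        if fields.get("Negotiation of Trunking", "").lower() == "on":
            findings.append((name, "DTP negotiation is on: 'switchport nonegotiate' stops DTP on this trunk"))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_HARDENING), ("after", AFTER_HARDENING)):
        print(f"--- {label} hardening ---")
        for iface, finding in audit_trunks(sample, expected_native=999):
            print(f"{iface}: {finding}")
```

The "after" run still reports one finding, since the page's hardened trunk keeps DTP negotiation on; that residual item is the reason for passing the expected native VLAN explicitly and running the audit against every switch on both ends of each trunk.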