Network Warrior, 2nd Edition

Network Warrior, 2nd Edition, by Gary A. Donahue. Published by O'Reilly Media, Inc.

Chapter 4. VLANs

Virtual LANs, or VLANs, are virtual separations within a switch that provide distinct logical LANs that each behave as if they were configured on a separate physical switch. Before the introduction of VLANs, one switch could serve only one LAN. VLANs enabled a single switch to serve multiple LANs. Assuming no vulnerabilities exist in the switch’s operating system, there should be no way for a frame that originates on one VLAN to make its way to another.


When I wrote the first edition of Network Warrior, I had not yet learned of VLAN-hopping exploits. There are ways to circumvent the VLAN barrier. Attacks such as switch spoofing and double tagging are methods used to gain access to one VLAN from another. Though reading data from another VLAN is not so easy, denial-of-service attacks could be accomplished through VLAN hopping, especially where trunks interconnect switches. Don’t rely on VLANs as your sole means of security, especially in high-risk environments.

Connecting VLANs

Figure 4-1 shows a switch with multiple VLANs. The VLANs have been numbered 10, 20, 30, and 40. In general, VLANs can be named or numbered; Cisco’s implementation uses numbers to identify VLANs by default. The default VLAN is numbered 1. If you plug a number of devices into a switch without assigning its ports to specific VLANs, all the devices will reside in VLAN 1.


Figure 4-1. VLANs on a switch

Frames cannot leave the VLANs from which they originate. This means that in the example configuration, Jack can communicate with Jill, and Bill can communicate with Ted, but Bill and Ted cannot communicate with Jack or Jill in any way.

For a packet on a Layer-2 switch to cross from one VLAN to another, an outside router must be attached to each of the VLANs to be routed. Figure 4-2 shows an external router connecting VLAN 20 with VLAN 40. Assuming a proper configuration on the router, Bill will now be able to communicate with Jill, but neither workstation will show any indication that they reside on the same physical switch.


Figure 4-2. External routing between VLANs

When expanding a network using VLANs, you face the same limitations. If you connect another switch to a port that is configured for VLAN 20, the new switch will be able to forward frames only to or from VLAN 20. If you wanted to connect two switches, each containing four VLANs, you would need four links between the switches: one for each VLAN. A solution to this problem is to deploy trunks between switches. Trunks are links that carry frames for more than one VLAN.

Figure 4-3 shows two switches connected with a trunk. Jack is connected to VLAN 20 on Switch B, and Diane is connected to VLAN 20 on Switch A. Because there is a trunk connecting these two switches together, assuming the trunk is allowed to carry traffic for all configured VLANs, Jack will be able to communicate with Diane. Notice that the ports to which the trunk is connected are not assigned VLANs. These ports are trunk ports and, as such, do not belong to a single VLAN.


Figure 4-3. Two switches connected with a trunk
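The trunk in Figure 4-3, written out as a Cisco IOS configuration for the Switch A end. This is an added example rather than a listing from the book; the interface names and the choice of VLAN 999 as an otherwise unused native VLAN are assumptions. It also applies the caveat in the note at the start of the chapter: a port left to negotiate its mode will form a trunk with any neighbour that asks for one (switch spoofing), and a frame in the native VLAN leaves a trunk untagged, which is the condition double tagging relies on. The first interface block is the weak configuration; the rest is the hardened one.

```cisco
! Switch A, trunk to Switch B (Figure 4-3). Interface names, and VLAN 999
! as the unused native VLAN, are assumptions for this example.
!
! --- Weak: the port's mode is left to DTP negotiation. A neighbour that
! --- speaks DTP, including an attacking host, can talk it into trunking,
! --- and every VLAN is then reachable over it with native VLAN 1.
interface GigabitEthernet0/1
 description Trunk to Switch B
 switchport mode dynamic desirable
!
! --- Hardened: trunk only, DTP off, explicit VLAN list, unused native VLAN.
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet0/1
 description Trunk to Switch B
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40
!
! Send native-VLAN frames tagged as well, so nothing leaves a trunk
! untagged. Double tagging depends on the outer tag being stripped at the
! first trunk the frame crosses.
vlan dot1q tag native
!
! --- Access port for Jack in VLAN 20 (Figure 4-3): it never trunks, and no
! --- end-station port is placed in the native VLAN.
interface GigabitEthernet0/10
 description Jack
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
```

The same trunk settings must be applied at the Switch B end; `vlan dot1q tag native` is a global command that affects every trunk on the switch, so a switch that tags its native VLAN must face switches that do too, or the two ends will disagree about untagged frames. `switchport trunk encapsulation dot1q` exists only on platforms that also support ISL; on 802.1Q-only switches it is absent and can be left out. `show interfaces trunk` confirms the mode, native VLAN and allowed list that actually took effect.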

Trunks also allow another possibility with switches. Figure 4-2 shows how two VLANs can be connected with a router, as if the VLANs were separate physical networks. Imagine you want to route between all of the VLANs on the switch. How would you go about implementing such a design? Traditionally, the answer would be to provide a single connection from the router to each network to be routed. On this switch, each network is a VLAN, so you’d need a physical connection between the router and each VLAN.

As you can see in Figure 4-4, with this setup, four interfaces are being used both on the switch and on the router. Smaller routers rarely have four Ethernet interfaces, though, and Ethernet interfaces on routers can be costly. Additionally, users buy switches with a certain port density in mind. In this configuration, a quarter of the entire switch has been used up just for routing between VLANs.


Figure 4-4. Routing between multiple VLANs

Another way to route between VLANs is commonly known as the router-on-a-stick configuration. Instead of running a link from each VLAN to a router interface, you can run a single trunk from the switch to the router. All the VLANs will then pass over a single link, as shown in Figure 4-5.


Figure 4-5. Router on a stick

Deploying a router on a stick saves a lot of interfaces on both the switch and the router. The downside is that the trunk is a single link: with the 10 Mbps interfaces shown in the figures, all the VLANs share 10 Mbps, whereas when each VLAN has its own link, each VLAN has 10 Mbps to itself. Also, don’t forget that the router is passing traffic between VLANs, so every frame that crosses from one VLAN to another is seen twice on the same link: once on its way to the router, and once on its way back to the destination VLAN.
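Router on a stick as in Figure 4-5, written as IOS configuration for both ends of the single trunk. This is an added example, not a listing from the book; the interface names and the 10.0.x.0/24 addresses are assumptions.

```cisco
! Router on a stick (Figure 4-5). Interface names and addresses are
! assumptions for this example.
!
! Switch: the one link to the router is a trunk, not an access port.
interface FastEthernet0/24
 description Trunk to router
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20,30,40
!
! Router: the physical interface carries no address of its own; one
! 802.1Q subinterface per VLAN is the default gateway for that VLAN.
interface FastEthernet0/0
 description Trunk to switch
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 10.0.40.1 255.255.255.0
```

Hosts in VLAN 20 point their default gateway at 10.0.20.1, and so on for the other VLANs. The native VLAN on the switch side of the trunk should be one that no subinterface claims, unless it is deliberately declared on the router with `encapsulation dot1Q <id> native`; otherwise untagged frames can land in a VLAN nobody intended. Since the router is now the only path between VLANs, inbound access lists on these subinterfaces are where inter-VLAN filtering belongs.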


When I edited this chapter for the second edition, I briefly contemplated updating all the drawings to bring them more in line with currently common interface speeds. I decided against it because the last time I saw anyone doing router on a stick, the fastest switches only had 10M interfaces. It had nothing to do with me being too lazy to change the drawings.

To be painfully accurate, running a trunk to a firewall and having the firewall perform default gateway functions for multiple VLANs employs the same principle, so you could argue that I’m just too lazy after all. I would then counter with the fact that the latest switching technology from Cisco, the Nexus line, has done away with interface names that describe their speed, and instead names all Ethernet interfaces as “e slot/port”. Therefore, I’m not lazy, but rather forward-thinking.

Then I started writing the VoIP chapter where, lo and behold, I configured router on a stick in order to get my Voice-VLAN trunked to the router. Good thing I didn’t pull the router-on-a-stick section. It looks like I was being forward-thinking after all.

Figure 4-6 shows conceptually how the same design would be accomplished with a Layer-3 switch. Because the switch contains the router, no external links are required. With a Layer-3 switch, every port can be dedicated to devices or trunks to other switches.


Figure 4-6. Layer-3 switch
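The Layer-3 switch in Figure 4-6, configured to route between VLAN 20 and VLAN 40 without consuming a physical port. This is an added example and not a listing from the book; the addresses and the access list are assumptions.

```cisco
! Layer-3 switch (Figure 4-6): routing between VLAN 20 and VLAN 40.
! Addresses and the access list are assumptions for this example.
!
! Routing is off by default on most Catalyst multilayer switches.
ip routing
!
vlan 20
vlan 40
!
! One switched virtual interface (SVI) per VLAN is that VLAN's gateway.
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 no shutdown
!
interface Vlan40
 ip address 10.0.40.1 255.255.255.0
 no shutdown
!
! Once the switch routes between them, the two VLANs are no longer
! isolated from each other. An access list on the SVI keeps the boundary
! meaningful: this one lets VLAN 20 reach VLAN 40 and nothing else.
ip access-list extended VLAN20-IN
 permit ip 10.0.20.0 0.0.0.255 10.0.40.0 0.0.0.255
 deny   ip any any
!
interface Vlan20
 ip access-group VLAN20-IN in
```

An SVI only comes up once its VLAN exists and has at least one active port, so `show ip interface brief` is the first check when a gateway is unreachable; `show ip route` should then list both 10.0.20.0/24 and 10.0.40.0/24 as connected routes.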
