VLAN: Router-on-a-stick

by Cyrus Lok on Tuesday, March 30, 2010 at 2:07am
VLAN 1 is the default native VLAN if no native VLAN has been explicitly defined. It is recommended to set the native VLAN to an unused (unassigned) VLAN to prevent VLAN hopping attacks. Interfaces that have not been assigned to a VLAN belong to VLAN 1. Shut down unused ports and assign them to the native VLAN.

Subinterfaces used in this lab:
fa0/0.10 VLAN 10, 172.16.1.32/27
fa0/0.20 VLAN 20, 172.16.1.64/27
fa0/0.30 VLAN 30, 172.16.1.96/27
fa0/0.100 native VLAN 100

VLANs themselves need no router or multilayer switch; the router is only there for inter-VLAN routing. Each VLAN is its own subnet: the switch interfaces are grouped into logical subnets, and frames within the same VLAN are forwarded by the switch, but if one VLAN needs to send frames to another VLAN a layer-3 device is needed.

Router0 (R1) interface status:
R1#sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.1.1 YES manual up up
FastEthernet0/0.10 172.16.1.33 YES manual up up
FastEthernet0/0.20 172.16.1.65 YES manual up up
FastEthernet0/0.30 172.16.1.97 YES manual up up
FastEthernet0/0.100 unassigned YES manual up up
FastEthernet0/1 unassigned YES manual administratively down down
Vlan1 unassigned YES manual administratively down down

Switch VLAN status:
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
10 HQ_Network active Fa0/2, Fa0/3, Fa0/4, Fa0/5
20 IT_Network active Fa0/6, Fa0/7, Fa0/8
30 HR_Network active Fa0/12, Fa0/13, Fa0/14, Fa0/15
                     Fa0/16, Fa0/17, Fa0/18, Fa0/19
                     Fa0/20, Fa0/21, Fa0/22, Fa0/23
                     Fa0/24
100 VLAN0100 active Fa0/9, Fa0/10, Fa0/11
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

It is best not to leave the VTP domain null, even with only one switch. Configure a VTP domain name and password and set the switch to server mode, so that when a new switch (especially a used one) is deployed into this network the VLAN information will not be wiped out by the "new" switch.

Turn off DTP on all interfaces. A newly bought switch has dynamic desirable configured on every interface; Cisco's intent is well-meant, but it is a bad feature as far as security is concerned.

Assign the same native VLAN to all trunk ports. Example:
int fa0/1
switchport mode trunk
switchport nonegotiate
switchport trunk native vlan <number>
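Putting the pieces above together, here is a complete router-on-a-stick and switch-hardening configuration as an added example (my own, not the original post's config). It uses the VLAN numbers, subinterfaces and addresses from the post; the /27 masks, the interface-to-VLAN ranges, the VTP domain name and password (placeholders), and the choice to leave the router's physical interface without an address are assumptions.

```cisco
! R1: router-on-a-stick subinterfaces (addresses from the post, /27 masks assumed)
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.16.1.33 255.255.255.224
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.16.1.65 255.255.255.224
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 172.16.1.97 255.255.255.224
!
! native VLAN is an unused VLAN with no address: untagged frames land here and go nowhere
interface FastEthernet0/0.100
 encapsulation dot1Q 100 native
!
! Switch: VTP domain and password (placeholders), DTP off, one native VLAN on the trunk
vtp domain LAB-DOMAIN
vtp password ChangeMe-Placeholder
vtp mode server
!
interface FastEthernet0/1
 description trunk to R1 Fa0/0
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,20,30,100
!
! access ports: fixed mode, no DTP (same pattern for the VLAN 20 and VLAN 30 ports)
interface range FastEthernet0/2 - 5
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! unused ports: parked in the native VLAN and shut down, as the post recommends
interface range FastEthernet0/9 - 11
 switchport mode access
 switchport access vlan 100
 shutdown
```

After applying it, `show interfaces trunk` on the switch should list Fa0/1 with native VLAN 100 and mode "on", and `show dtp interface fa0/1` should report DTP disabled.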

This entry was posted in Security.