native vlan question

Discussion in 'Cisco' started by aaabbb16, Apr 15, 2008.

  1. News Reader (Guest)

    "interface Vlan20
    The switch I was referencing is a Layer 2 switch. I believe it permits
    assignment of a single IP address only (on a single logical VLAN
    interface). We didn't want to use the default VLAN interface (VLAN1), so
    we created another with a name that matched the VLAN ID of the VLAN that
    we wanted to use for that purpose.

    It is the administrative VLAN by virtue of it having a Layer 3 address
    that we can access (SSH, SNMP, etc.); ensuring no user devices are
    connected to ports assigned to this VLAN, and ensuring that interVLAN
    routing prohibits user traffic from accessing the administrative VLAN.

    With a Layer 2 switch, a trunk port is connected to a router to
    facilitate interVLAN routing. The router is configured with
    sub-interfaces; each configured in unique address space (e.g.:
    192.168.16.0 /24, 192.168.17.0 /24, etc) matching the VLAN that it
    serves (as the VLAN's default gateway).

    E.g.:

    Hosts in VLAN 16 configured with addresses 192.168.16.0 /24, and a
    default gateway of 192.168.16.1 (perhaps sub-interface 16 (f0.16) on the
    interVLAN router). When a host on VLAN 16 sends a ping to a host on VLAN
    17, it sends it to its default gateway (f0.16). The router (if permitted
    by security policy) would send it out the sub-interface that serves as
    the default gateway for VLAN 17 (f0.17 perhaps). The host on VLAN 17
    would use its default gateway (f0.17) to return a response.

    The ping traverses the trunk twice (host 16 > router > host 17), and the
    reply traverses the trunk twice (host 17 > router > host 16).

    Best Regards,
    News Reader
     
    News Reader, Apr 17, 2008
    #21

  2. aaabbb16 (Guest)

    Thanks,
    Your switches look like "Access layer switches" (based on the switch's
    "location" in the network topology; Cisco defines Access, Distribution
    and Core layer switches).
    Back to my previous question: if every VLAN can be assigned an IP address
    (L3 support), does it mean that all attached hosts can configure that
    switch, or are there some solutions to prohibit some hosts from doing it?
    No management concept here?

    TIA,
    st
     
    aaabbb16, Apr 18, 2008
    #22

  3. News Reader (Guest)

    You protect management services with ACLs.

    e.g.:

    access-list 1 remark Network Management Stations
    access-list 1 permit 192.168.20.8 0.0.0.7 log
    access-list 1 deny any log

    ip http server
    ip http access-class 1

    line vty 0 4
    access-class 1 in
    exec-timeout 9 0
    transport input ssh

    Note: could also use an extended ACL to specify a protocol restriction.

    .... SNMP, and others.

    Best Regards,
    News Reader
     
    News Reader, Apr 18, 2008
    #23
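
    As an added example (not code from any poster in this thread), the
    following Python script parses the standard ACL lines posted above,
    applies IOS wildcard-mask matching with first-match semantics and the
    implicit deny at the end of the list, and reports which source addresses
    would be allowed to reach the HTTP server and the vty lines that the ACL
    is applied to. The sample source addresses are constructed; the
    192.168.20.8/0.0.0.7 range is the one from the post, and nothing is read
    from a real device.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed copy of the standard ACL from the post above.
ACL_LINES = [
    "access-list 1 remark Network Management Stations",
    "access-list 1 permit 192.168.20.8 0.0.0.7 log",
    "access-list 1 deny any log",
]

# Constructed sample sources: two management stations, one edge host, one user VLAN host.
SAMPLE_SOURCES = ["192.168.20.8", "192.168.20.15", "192.168.20.16", "192.168.16.50"]


@dataclass
class AclEntry:
    action: str       # "permit" or "deny"
    network: str      # address exactly as written in the IOS line
    wildcard: str     # IOS wildcard mask: 0 bit = must match, 1 bit = don't care
    log: bool = False


def parse_standard_acl(lines: List[str]) -> List[AclEntry]:
    """Parse numbered standard ACL lines; remarks never take part in matching."""
    entries: List[AclEntry] = []
    for raw in lines:
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action, rest = parts[2], parts[3:]
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if rest[0] == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            network, wildcard = rest[1], "0.0.0.0"
        elif len(rest) == 1:
            network, wildcard = rest[0], "0.0.0.0"  # IOS treats a lone address as a host
        else:
            network, wildcard = rest[0], rest[1]
        entries.append(AclEntry(action, network, wildcard, log))
    return entries


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard marks as significant (0 bits)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def addresses_covered(wildcard: str) -> int:
    """How many addresses a single entry can match: 2 ** (number of 1 bits)."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def evaluate(acl: List[AclEntry], src: str) -> Tuple[str, Optional[int], bool]:
    """First matching entry wins; no match falls through to the implicit deny,
    which is never logged (a reason to keep an explicit 'deny any log')."""
    for idx, entry in enumerate(acl):
        if wildcard_matches(src, entry.network, entry.wildcard):
            return entry.action, idx, entry.log
    return "deny", None, False


def audit(acl_lines: List[str], sources: List[str]) -> Dict[str, str]:
    """Map each candidate source address to the action the ACL applies to it."""
    acl = parse_standard_acl(acl_lines)
    return {src: evaluate(acl, src)[0] for src in sources}


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_LINES)
    for entry in acl:
        print(f"{entry.action:6} {entry.network} {entry.wildcard} "
              f"-> up to {addresses_covered(entry.wildcard)} addresses"
              f"{' (logged)' if entry.log else ''}")
    for src, action in audit(ACL_LINES, SAMPLE_SOURCES).items():
        print(f"{src:16} {action}")
```

    The same matcher applies to the `ip http access-class` and `access-class
    ... in` uses shown above, since both evaluate the source address of the
    connecting host against the standard ACL.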
  4. Trendkill (Guest)

    The management IP is accessible anywhere you make it accessible. If
    you want to lock it down, you have a multitude of choices. ACLs to
    block specific IPs or ranges (or block everything and only allow
    specific IPs/ranges), as well as AAA for authentication and
    authorization (and yes the final A is accounting). You could also
    lock it down so only console or terminal servers can do configuration
    changes, and block via telnet or ssh. In short, this type of
    constraint or requirement is way above layer 2 at that point, and onto
    layer 3 and above.
     
    Trendkill, Apr 18, 2008
    #24
  5. News Reader (Guest)

    You protect management services with ACLs.
    As Trendkill pointed out, there are many opportunities for limiting
    administrative access/control to/of your devices.

    The access-list examples provided are a first line of defense that help
    you limit from "where" access can be gained, and in some instances via
    "which" protocol. Doesn't address the "who" though.

    The Cisco devices support a local AAA user database which can support
    authentication and limited authorization of users, but it doesn't scale
    well.

    With a RADIUS access control server you can control "who" has access,
    from "where", "what" resources/services they are authorized to access,
    and as Trendkill mentioned, create accounting records. TACACS+ provides
    the additional benefit of defining sets of commands that an
    authenticated and authorized administrator may execute from the device's
    command line interface once logged in.

    Perhaps you are well aware of these protocols.

    Best Regards,
    News Reader
     
    News Reader, Apr 18, 2008
    #25
  6. Sam Wilson (Guest)

    Let me add some background points to this discussion.

    1) Avaya have a very comprehensive tutorial on VLAN technologies on
    their web site - have a look at
    <http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/vlan-tutorial.pdf>.
    Start at about slide 21 if you already know LAN basics.

    2) The terminology can get very confusing, partly because a lot of it
    predates standards. Cisco talk about native VLAN; the 802.1Q standard
    about PVID (port VLAN ID). These are separate from which VLANs are
    tagged on any particular port.

    3) According to Avaya (I've not read the standard) 802.1Q defines three
    types of port: access ports where frames are not tagged; trunk ports
    where *all* frames are tagged and hybrid ports where frames may be
    tagged or not tagged. Cisco trunk ports are hybrid ports according to
    802.1Q.

    4) The usual Cisco behaviour on a trunk (hybrid) port is to send all
    frames tagged except for the native VLAN (PVID); all untagged frames
    received are noted[1] as belonging to the native VLAN, as are frames
    tagged for the native VLAN; other tagged frames are noted for their
    correct VLAN.

    5) Just as a side note, 802.1Q inserts tags into frames to provide the
    VLAN information. Cisco ISL encapsulates the original frame with a new
    header containing the VLAN id.


    HTH

    Sam


    [1] I use the word "noted" to mean that the switch internally keeps
    track of which VLAN a frame belongs to. How it does that - with
    tagging, encapsulation, a field in a data table or whatever - is up to
    its designer and is actually irrelevant to us poor users since we can't
    see inside the switch.
     
    Sam Wilson, Apr 22, 2008
    #26
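
    As an added example (not from Sam Wilson or any other poster), the Python
    below builds and parses 802.1Q frames and applies the trunk (hybrid) port
    rule from point 4: on egress everything is tagged except the native VLAN;
    on ingress untagged frames and frames tagged with the native VLAN ID are
    noted as the native VLAN, and other tagged frames as their own VID. It
    goes one step beyond the thread by also handling a priority-tagged frame
    (VID 0), which the 802.1Q tag format allows: such a frame carries no VLAN
    membership and is treated like an untagged one. The MAC addresses and
    payload are constructed, and the VLAN numbers are the 16/17-style
    examples used earlier in the thread.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload (locally administered MACs, not real hosts).
HOST_MAC = bytes.fromhex("020000000016")
GW_MAC = bytes.fromhex("020000000001")
PAYLOAD = b"\x45" + b"\x00" * 19   # stand-in for an IPv4 header


@dataclass
class Classified:
    vlan: int         # the VLAN the switch "notes" the frame as belonging to
    was_tagged: bool  # whether an 802.1Q tag was present on the wire
    pcp: int          # 802.1p priority bits from the tag (0 when untagged)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame, inserting a 4-byte 802.1Q tag when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def trunk_egress(vlan: int, native_vlan: int, dst: bytes, src: bytes,
                 ethertype: int, payload: bytes) -> bytes:
    """Usual Cisco trunk egress from point 4: tag every frame except native VLAN ones."""
    if vlan == native_vlan:
        return build_frame(dst, src, ethertype, payload)
    return build_frame(dst, src, ethertype, payload, vlan=vlan)


def classify_ingress(frame: bytes, native_vlan: int) -> Classified:
    """Trunk ingress: untagged -> native; tagged native -> native; other tags -> their VID."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return Classified(native_vlan, False, 0)
    if len(frame) < 18:
        raise ValueError("802.1Q TPID present but the tag is truncated")
    (tci,) = struct.unpack("!H", frame[14:16])
    pcp, vid = tci >> 13, tci & 0x0FFF
    if vid == 0:
        # Priority-tagged frame: VID 0 carries no VLAN membership, so the
        # frame is handled like an untagged one and lands in the native VLAN.
        return Classified(native_vlan, True, pcp)
    return Classified(vid, True, pcp)


def inner_ethertype(frame: bytes) -> int:
    """EtherType of the encapsulated protocol, skipping the tag when present."""
    (et,) = struct.unpack("!H", frame[12:14])
    if et == TPID_8021Q:
        (et,) = struct.unpack("!H", frame[16:18])
    return et


if __name__ == "__main__":
    native = 1
    for vlan in (16, 17, native):
        wire = trunk_egress(vlan, native, GW_MAC, HOST_MAC, ETHERTYPE_IPV4, PAYLOAD)
        seen = classify_ingress(wire, native)
        print(f"VLAN {vlan:2} on the wire as {len(wire)} bytes, "
              f"tagged={seen.was_tagged}, noted as VLAN {seen.vlan}")
```

    The last loop iteration shows the asymmetry the post describes: the
    native VLAN frame is 4 bytes shorter because it leaves untagged, yet the
    receiving trunk still files it under the native VLAN.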