The importance of the VLAN
A VLAN is a group of devices connected to separate LANs that are grouped together, acting with each other as if they were wired together. Because the connections are logical and not physical, they are more flexible than most other LAN networks. A system manager no longer needs to physically group similar entities together, which may require more work than it is worth, as they can now group objects together in a VLAN. An example of this can be seen below, with three different switches connecting three different types of end devices. Those end devices are then bunched in VLANs based on their purpose, such as marketing, engineering, and business.
When using a VLAN, there are six distinct benefits which stem from its use. These are:
- Security — A group which may contain sensitive information can be sectioned off from the rest of the network using a VLAN, which decreases the chance of a potential breach.
- Cost Efficiency — Expensive network upgrades are no longer needed, as connections that need to be created can now simply be made with a VLAN.
- Better Performance — Dividing the network into multiple logical domains removes unnecessary traffic, which in turn boosts performance.
- A smaller broadcast domain — Dividing a network reduces the number of devices in a broadcast domain.
- Improved efficiency in the IT department — Management of a network is made easier with a VLAN, as management for a certain device can be enforced not based on its physical connections, but rather its logical connections, which are much more flexible.
- Overall improvement in project management — Group members working on the same project are no longer forced to physically be in the same area, as a VLAN allows for connections in different areas.
However, the biggest benefit which comes from using a VLAN is that messages that would normally be broadcast to the entire network are only sent to the same VLAN as the sender. This still doesn't answer why a VLAN can jump across a switch with ease, which is where the VLAN trunk comes into play.
VLAN Trunks
The point-to-point link between two network devices which carries more than one VLAN is called the VLAN trunk. The VLAN trunk allows for VLAN connections across the network. The VLAN trunk is the most important aspect of a VLAN, as without it, the VLAN wouldn't be able to propagate traffic between switches, defeating the whole purpose of a VLAN.
A big problem with the VLAN trunk however is that often even the slightest mismatch of commands can cause major security breaches. The three major errors which can occur in a VLAN trunk include:
- Native VLAN mismatch — Poses a major security risk and can cause unforeseen consequences.
- Trunk mode mismatch — Causes the network activity to stop working.
- Allowed VLANs on trunks — Causes traffic errors in the trunk, such as creating traffic where there is none and not sending traffic when there is.
DTP
The Dynamic Trunking Protocol, better known as DTP, is a protocol which manages the trunk negotiations, but only if the port on the neighbor switch is properly configured to support DTP. On certain switches, there are certain modes which help the process of the DTP. These are:
- switchport mode access — This puts the interface in a permanent non-trunking mode and converts the link to a non-trunk link.
- switchport mode dynamic auto — Allows the interface to convert the link to a trunk link. The interface is set to trunk mode if a neighboring interface is set to trunk or desirable mode.
- switchport mode dynamic desirable — Forces the interface to actively attempt to convert the link to a trunk link. The interface is set to trunk if the neighboring switch is set to trunk, auto, or desirable.
- switchport mode trunk — Forces the interface into trunk mode and negotiates for neighboring links to be converted into trunk links.
- switchport nonegotiate — Prevents the interface from sending or receiving DTP frames.
VLAN ATTACKS AND DESIGN
While the VLAN architecture allows for simpler maintenance of a network, this also opens the door to malicious abuse of the system. The following types of attacks are carried out on a VLAN:
- Switch Spoofing Attacks — In a basic spoof attack, the attacker configures his or her own device to act as a switch. Because most switch ports are left in the auto setting, the attacker can gain access to the trunk by attempting to form a trunk. The best way to prevent this is to disable trunking on all ports, save for the ones which actually need it.
- Double-Tagging Attack — The double-tagging attack allows a frame to be forwarded to a VLAN that the original tag did not describe. An important characteristic of this attack is that it can happen regardless of the trunking properties in the switch. One way to ensure this doesn't happen is by ensuring that the native VLAN of the trunk ports is different from the VLAN of the user ports.
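An added example, not from the original article, that encodes the DTP mode outcomes from the list above and applies the switch-spoofing mitigation just described: it resolves what link state two neighboring port modes produce, then audits a constructed IOS-style config for ports that could still negotiate a trunk. The config text and interface names are constructed, and the assumption that an interface with no explicit mode behaves as dynamic auto is an assumption made for this example.

```python
import re

# Mode names follow the article's list; "nonegotiate" is treated as a mode
# of its own so the resolver can express "sends and accepts no DTP frames".
ACCESS, AUTO, DESIRABLE, TRUNK, NONEGOTIATE = (
    "access", "dynamic auto", "dynamic desirable", "trunk", "nonegotiate")


def dtp_result(a, b):
    """Return 'access', 'trunk' or 'mismatch' for two neighboring port modes."""
    modes = {a, b}
    if NONEGOTIATE in modes:
        # A nonegotiate port is a static trunk that ignores DTP; the neighbor
        # must already be a static trunk too, otherwise the link is mismatched.
        other = b if a == NONEGOTIATE else a
        return "trunk" if other in (TRUNK, NONEGOTIATE) else "mismatch"
    if ACCESS in modes:
        # access never trunks; access against a forced trunk is a mismatch
        return "mismatch" if TRUNK in modes else "access"
    if modes == {AUTO}:
        return "access"      # two auto ports both wait and neither initiates
    return "trunk"           # desirable or trunk on at least one side


# Constructed IOS-style snippet: one negotiable port, one hardened access
# port, one hardened trunk with a distinct native VLAN (article's advice).
CONFIG = """\
interface GigabitEthernet0/1
 switchport mode dynamic auto
interface GigabitEthernet0/2
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet0/24
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
"""


def audit_ports(config):
    """List interfaces that still take part in DTP and could be talked into a trunk."""
    ports, name = {}, None
    for line in config.splitlines():
        if (m := re.match(r"interface (\S+)", line)):
            name = m.group(1)
            ports[name] = {"mode": AUTO, "nonegotiate": False}  # assumed default
        elif name and (m := re.match(r"\s+switchport mode (.+)", line)):
            ports[name]["mode"] = m.group(1).strip()
        elif name and line.strip() == "switchport nonegotiate":
            ports[name]["nonegotiate"] = True
    return [n for n, p in ports.items()
            if p["mode"] in (AUTO, DESIRABLE)
            or (p["mode"] == TRUNK and not p["nonegotiate"])]
```

Running audit_ports(CONFIG) flags only GigabitEthernet0/1, the port a spoofed switch could negotiate with.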
A good security practice to use when working with VLANs is to separate the traffic of management and user data. Often, people change the VLAN number of management to some distinct random number.
All in all, VLANs are an important part of modern day networking, allowing for logical connections to be made with certain devices, so that the physical connections of a device do not affect the logical ones. And so long as the management of a VLAN understands and prepares for the potential dangers which may come when using one, there is no reason NOT to use a VLAN in your own networks.