Rappelez-vous que, par défaut, un trunk laisse passer tous les VLANs. Cela a permis à Gaston de faire de sacrés gags ! Une bonne pratique est de décrire explicitement les VLANs permis. Par exemple : switchport trunk allowed vlan 10, 20-29 En plus, un trunk laisse passer les trames Ethernet natives (sans étiquette de
VLAN). Le switch place ces trames dans un VLAN spécial, c’est le VLAN natif de l’interface. Par défaut, le VLAN natif est le VLAN 1 : les trames natives vont dans le VLAN 1. Et le VLAN 1 est toujours actif. En général, quand il y a une interface trunk, c’est pour échanger des trames avec une étiquette de VLAN. Dès lors, les trames sans étiquettes de VLAN doivent être écartées. Pour cela, il suffit de spécifier, pour chaque trunk, un VLAN natif exclusif. Quoi qu’il en soit, sur un trunk, il
faut toujours spécifier le VLAN natif. Bien sûr, il ne faut jamais utiliser le VLAN 1 pour véhiculer le trafic de données. En effet, ce VLAN est utilisé par de nombreux protocoles de niveau 2. Ah, j’allais oublier aussi ISL. Il s’agit d’un protocole propriétaire créé avant que les étiquettes de VLAN ne soient normalisées. A n’utiliser qu’en présence d’équipements CISCO obsolètes, qui gèrent uniquement ISL. Certains équipements récents ne gèrent plus
ISL. Vos remarques, questions et autres interventions sont les bienvenues. Pascal BONNARD les articles de la série "Ethernet" :
© ktsdesign - Fotolia.com Best Practice #1 - VLAN Port AssignmentPort Assignment Basics
Configuring Access Ports
To set these correctly, navigate to LAN > VLAN Settings. Select the VLAN IDs and click on edit icon. Select the drop-down menu for any of the LAN interfaces for VLANs listed to edit the VLAN tagging. Click Apply. Check out this example of each VLAN assigned its own LAN port: This Graphical User interface (GUI) image was taken from an RV260W router. Your options may appear slightly different. For example, on the RV34x series, the labels Untagged, Excluded, and Tagged are abbreviated to just the first letter. The process is still the same. Configuring Trunk Ports
Take a look at this example of various VLANs that are all on trunk ports. To set these correctly, select the VLAN IDs that need to be edited. Click on the edit icon. Change them based on your needs, following the above recommendations. By the way, did you notice that VLAN 1 is excluded from every LAN port? This will be explained in the section, Best Practice for Default VLAN 1. Frequently Asked QuestionsWhy is a VLAN left untagged when it is the only VLAN on that port? Since there is just one VLAN assigned on an access port, outgoing traffic from the port is sent without any VLAN tag on the frames. When the frame reaches the switch port (incoming traffic), the switch will add the VLAN tag. Why are VLANs tagged when they are part of a trunk? This is done so that traffic that passes doesn't get sent to the wrong VLAN on that port. The VLANs are sharing that port. Similar to apartment numbers added to an address to make sure the mail goes to the correct apartment within that shared building. Why is traffic left untagged when it is part of the native VLAN? A Native VLAN is a way of carrying untagged traffic across one or more switches. The switch assigns any untagged frame that arrives on a tagged port to the native VLAN. If a frame on the native VLAN leaves a trunk (tagged) port, the switch strips the VLAN tag out. Why are VLANs excluded when they are not on that port? This keeps the traffic on that trunk only for the VLANs the user specifically wants. It is considered a best practice. Best Practice #2 - Default VLAN 1 and Unused PortsAll ports need to be assigned to one or more than one VLAN, including the native VLAN. Cisco Business routers come with VLAN 1 assigned to all ports by default. A management VLAN is the VLAN that is used to remotely manage, control, and monitor the devices in you network using Telnet, SSH, SNMP, syslog, or Cisco’s FindIT. By default, this is also VLAN 1. A good security practice is to separate management and user data traffic. Therefore, it is recommended that when you configure VLANs, you use VLAN 1 for management purposes only. To communicate remotely with a Cisco switch for management purposes, the switch must have an IP address configured on the management VLAN. Users in other VLANs would not be able to establish remote access sessions to the switch unless they were routed into the management VLAN, providing an additional layer of security. Also, the switch should be configured to accept only encrypted SSH sessions for remote management. To read some discussions on this topic, click on the following links on the Cisco Community website:
Frequently Asked QuestionsWhy is default VLAN 1 not recommended to virtually segment your network? The main reason is that hostile actors know VLAN 1 is the default and often used. They can use it to gain access to other VLANs via “VLAN hopping”. As the name implies, the hostile actor may send spoofed traffic posing as VLAN 1 which enables access to trunk ports and thereby other VLANs. Can I leave an unused port assigned to default VLAN 1? To keep your network secure, you really shouldn’t. It is recommended to configure all those ports to be associated with VLANs other than default VLAN 1. I don’t want to assign any of my production VLANs to an unused port. What can I do? It is recommended that you create a “dead-end” VLAN following the instructions in the next section of this article. Best Practice #3 - Create a “Dead End” VLAN for Unused PortsStep 1. Navigate to LAN > VLAN Settings. Choose any random number for the VLAN. Be sure that this VLAN does not have DHCP, Inter-VLAN routing, or device management enabled. This keeps the other VLANs more secure. Put any unused LAN port on this VLAN. In the example below, VLAN 777 was created and assigned to LAN5. This should be done with all unused LAN ports. Notice that the other VLANs are excluded from this LAN port. Step 2. Click on the Apply button to save the configuration changes you have made. Best Practice #4 - IP Phones on a VLANVoice traffic has stringent Quality of Service (QoS) requirements. If your company has computers and IP phones on the same VLAN, each tries to use the available bandwidth without considering the other device. To avoid this conflict, it is good practice to use separate VLANs for IP telephony voice traffic and data traffic. To learn more about this configuration, check out the following articles and videos:
Best Practice #5 - Inter-VLAN RoutingVLANs are set up so that traffic can be separate, but sometimes you need VLANs to be able to route between each other. This is inter-VLAN routing and is typically not recommended. If this is a need for your company, set it up as securely as possible. When using inter-VLAN routing, make sure to restrict traffic using Access Control Lists (ACLs), to servers that contain confidential information. ACLs perform packet filtering to control the movement of packets through a network. Packet filtering provides security by limiting the access of traffic into a network, restricting user and device access to a network, and preventing traffic from leaving a network. IP access lists reduce the chance of spoofing and denial-of-service attacks, and allow dynamic, temporary user-access through a firewall.
ConclusionThere you have it, now you know some best practices for setting up secure VLANs. Keep these tips in mind when you configure VLANs for your network. Listed below are some articles that have step by step instructions. These will keep you moving toward a productive, efficient network that is just right for your business.
Quel est l'objectif de séparer le VLAN natif des VLAN de données ?La séparation fonctionnelle entre deux ports ayant des identifiants VLAN différents correspond à une séparation physique. En quelque sorte, la technologie VLAN permet de diviser logiquement les ports du commutateur, soit l'infrastructure physique elle-même.
Comment mettre un VLAN en natif ?Afin de configurer le VLAN natif, la commande Switch port trunk native VLAN est utilisée. Les VLAN natifs sont reconnus s'ils ne sont étiquetés sur aucune jonction. Il n'est pas nécessaire d'avoir un VLAN natif sur le tronc.
Quel est le rôle d'un VLAN ?Le VLAN regroupe, de façon logique et indépendante, un ensemble de machines informatiques. On peut en retrouver plusieurs coexistant simultanément sur un même commutateur réseau. Côté avantages, le VLAN améliore la gestion du réseau en apportant plus de souplesse dans son administration.
Quelles sont les deux caractéristiques qui décrivent le VLAN natif ?Quelles sont les deux caractéristiques qui décrivent le VLAN natif ? Le VLAN natif par défaut est en cours d'utilisation. Le mode d'agrégation est défini sur « auto ». L'agrégation est possible avec des commutateurs autres que Cisco.
|