VLAN woes


ScottReed13 (Technical User, US) - Nov 5, 2008
Hi - I am new to this forum. I'm studying for CCNA and currently in ICND2 material.

I have a 1760 running IOS Version 12.3(23)
flash:c1700-sy7-mz.123-23.bin

...and a 2912 running IOS Version 12.0(5)WC17
flash:2900xl-c3h2s-mz.120-5.WC17.bin

I'm confused about conflicting configuration steps for Router-On-A-Stick configs.

1) When do you use 'encapsulation dot1q VID# native'? Some configuration guides (ie: Portable Command Guide) show configuring the sub-interface with 'native' and others without.

2) VLAN 1 is the default management VLAN correct? So if I setup a VLAN2 and VLAN3 on my 2912, stuck my accounting computer in VLAN2 and my Wireless AP in VLAN3 I could leave my workstation in VLAN1 in the correct subnet so I could manage my cisco equipment?

For example:

2912 Switch: (192.168.1.9)
Mgmt Workstation PC - 192.168.1.12 - VLAN1 - Port 0/1
Business Accounting PC - 192.168.2.12 - VLAN2 - Port 0/2
Public AP - 192.168.3.10 - VLAN3 - Port 0/3
802.1Q Trunk - Port 0/12

1760 Router: (192.168.1.1)
FA0/0 - no ip
FA0/0.1 - 192.168.1.1/24 - encapsulation dot1q 1
FA0/0.2 - 192.168.2.1/24 - encapsulation dot1q 2
FA0/0.3 - 192.168.3.1/24 - encapsulation dot1q 3

So I would ASSume that would work? What happens if I put 'native' on FA0/0.1?

Thanks,
Scott
 
1) You would only use the 'native' option if the trunk link connecting the router to the switch is using a native VLAN other than VLAN1. Since 802.1q VLANs make use of the native VLAN (where ISL does not) you open yourself up to VLAN hopping attacks (among others) by leaving it at its default. Best practice is to always use an unused VLAN for the trunk links and be sure to exclude it from the allowed VLAN list on the switch side. On the router side you configure your subinterfaces like usual with one exception; you configure an extra subinterface just to accommodate the native VLAN like so:
Code:
! Switch side: trunk to the router with an unused native VLAN (900) that is
! kept out of the allowed list, and DTP negotiation disabled.
Switch(config)# interface f0/12
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 900
Switch(config-if)# switchport trunk allowed vlan 1,2,3
Switch(config-if)# switchport nonegotiate

! Router side: one subinterface per VLAN. IOS requires the encapsulation to
! be set before an IP address can be assigned to a LAN subinterface.
Router(config)# interface f0/0.900
Router(config-subif)# encapsulation dot1q 900 native
Router(config-subif)# interface f0/0.1
Router(config-subif)# encapsulation dot1q 1
Router(config-subif)# ip address 192.168.1.1 255.255.255.0
Router(config-subif)# interface f0/0.2
Router(config-subif)# encapsulation dot1q 2
Router(config-subif)# ip address 192.168.2.1 255.255.255.0
Router(config-subif)# interface f0/0.3
Router(config-subif)# encapsulation dot1q 3
Router(config-subif)# ip address 192.168.3.1 255.255.255.0
2) You'll be able to manage the router from any subnet configured by telnetting to the IP address of the interface (assuming that you have no access-lists configured and telnet access configured correctly). VLAN1 is the default VLAN, but it is best to not use it for anything other than management traffic (CDP, VTP, etc.). If you put 'native' on f0/0.1 in your current config then nothing will happen since VLAN1 is the default VLAN.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
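
The reply above says leaving the native VLAN at its default opens the trunk to VLAN hopping. The following is an added example, not code from the thread, that models the classic double-tagging case in Python so the effect of moving the native VLAN to an unused ID can be checked offline. The switch and router behaviour is a simplified model (access ports accept untagged frames or frames tagged with their own VLAN; trunk egress sends the native VLAN untagged and everything else tagged; the router classifies on the outermost tag only), not a Cisco IOS emulator, and the frame contents are constructed.

```python
"""Model of 802.1Q trunk handling for a double-tagging VLAN hop.

Added example (not from the original post). The switch/router logic is a
simplified model, not real IOS behaviour, and every frame is constructed.
"""
import struct

TPID_8021Q = 0x8100          # EtherType of an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vids, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    hdr = dst + src
    for vid in vids:
        # TCI: PCP=0, DEI=0, VID in the low 12 bits
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def pop_tag(frame):
    """Return (outer VID or None, frame with that tag removed)."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag directly after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def switch_forward(frame, access_vlan, native_vlan, allowed):
    """Access port ingress -> trunk egress. Returns the wire frame or None if dropped."""
    vid, inner = pop_tag(frame)
    if vid is None:
        vid = access_vlan          # untagged: belongs to the access VLAN
    elif vid != access_vlan:
        return None                # tag for another VLAN: dropped (modelled)
    if vid != native_vlan and vid not in allowed:
        return None                # pruned from the trunk
    # Trunk egress: native VLAN leaves untagged, all others keep a tag.
    return inner if vid == native_vlan else push_tag(inner, vid)


def router_classify(frame, subinterfaces, native_vlan):
    """VLAN (subinterface) an incoming trunk frame is delivered on, or None."""
    vid, _ = pop_tag(frame)
    if vid is None:
        vid = native_vlan          # untagged frames land on the 'native' subinterface
    return vid if vid in subinterfaces else None


def double_tag_attack(native_vlan, allowed, subinterfaces, attacker_vlan=1):
    """Attacker on an access port in attacker_vlan sends [tag attacker_vlan][tag 2].

    Returns the VLAN the router delivers the frame on (2 means the hop worked).
    """
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                        [attacker_vlan, 2], b"constructed payload")
    wire = switch_forward(frame, attacker_vlan, native_vlan, allowed)
    if wire is None:
        return None
    return router_classify(wire, subinterfaces, native_vlan)


if __name__ == "__main__":
    # Default: native VLAN 1, attacker's port is in VLAN 1 -> lands in VLAN 2
    print("native=1  ->", double_tag_attack(1, {1, 2, 3}, {1, 2, 3}))
    # Hardened per the reply: native 900, excluded from allowed, own subinterface
    print("native=900->", double_tag_attack(900, {1, 2, 3}, {1, 2, 3, 900}))
```

With the default native VLAN the switch strips the attacker's outer tag on the trunk, so the router sees a single tag for VLAN 2 and delivers the frame to the accounting subnet. With native VLAN 900 the outer tag for VLAN 1 stays on the wire, the router classifies the frame as VLAN 1, and the inner tag is just payload.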
 
Thanks very much for the information. As soon as I get back to my equipment I am going to re-write my configs and try your method out. The trunk on its own VLAN makes perfect sense the way you describe it - I wish the books covered this topic likewise.

Access-lists are definitely something I want to implement to block the Wireless AP from the other VLANs.

So I gather from your post that leaving VLAN1 alone is the best bet and I should be sticking my Workstation PC in another VLAN? But if I had a box doing SNMP monitoring (A Cacti box is what I have) then I would have that on VLAN1 so that all the SNMP traffic is confined to VLAN1 and not going across another network segment? Is this a correct assumption?

Thanks,
Scott
 
So I gather from your post that leaving VLAN1 alone is the best bet and I should be sticking my Workstation PC in another VLAN?
Exactly. As with everything, other people will have varying opinions on what they consider best practice. Every major switch manufacturer that I know of has VLAN1 as the default VLAN. Most attackers know this and will attempt to exploit it.
But if I had a box doing SNMP monitoring (A Cacti box is what I have) then I would have that on VLAN1 so that all the SNMP traffic is confined to VLAN1 and not going across another network segment? Is this a correct assumption?
Actually you won't make use of VLAN1 at all. If you want to segment your SNMP monitoring I would create a dedicated management VLAN and a corresponding subinterface on your router in order to allow your management station access into your other VLAN's. I hope my explanation makes sense.

Two things:
- There are some incredibly smart people on this board that you can garner a heck of a lot of experience from. You can look at the MVP list or just look for posts from burtsbees, ADB100, jneilberger, jeter, vipergg, Minue, and brianinms (to name just a few). Some of these guys are CCIE's, others are CCNP or variants (CCSP, CCVP, etc.). If you have questions, no matter how trivial you might think they are, don't be afraid to ask.

- There is a forum on Tek-Tips dedicated solely to Cisco certification preparation. You can find it here:

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 