1
00:00:07,250 --> 00:00:10,360
- [Narrator] One way to identify a local area network

2
00:00:10,360 --> 00:00:13,750
is to say that all the devices in the same LAN

3
00:00:13,750 --> 00:00:17,850
have a common layer 3 IP network address, and that

4
00:00:17,850 --> 00:00:20,870
they also are all located in the same

5
00:00:20,870 --> 00:00:23,090
layer 2 broadcast domain.

6
00:00:23,090 --> 00:00:26,640
A virtual LAN, or VLAN, is another name

7
00:00:26,640 --> 00:00:29,393
for a layer 2 broadcast domain.

8
00:00:30,370 --> 00:00:32,790
VLANs are controlled by the switch.

9
00:00:32,790 --> 00:00:36,000
The switch also controls which ports are associated

10
00:00:36,000 --> 00:00:38,130
with the VLANs.

11
00:00:38,130 --> 00:00:40,770
We often take for granted layer 2 in the network

12
00:00:40,770 --> 00:00:42,410
because it just works.

13
00:00:42,410 --> 00:00:44,610
Address Resolution Protocol, or "ARP",

14
00:00:44,610 --> 00:00:47,750
and layer 2 forwarding on Ethernet

15
00:00:47,750 --> 00:00:50,283
are all proven technologies that work very well.

16
00:00:51,330 --> 00:00:56,240
The CCNP Security and CCIE Security certifications are built

17
00:00:56,240 --> 00:00:58,800
with the presumption that candidates would have some

18
00:00:58,800 --> 00:01:02,090
of the fundamentals of routing and switching.

19
00:01:02,090 --> 00:01:04,770
With this knowledge, your understanding of the details

20
00:01:04,770 --> 00:01:09,070
about VLANs, trunking, and inter-VLAN routing is presumed.

21
00:01:09,070 --> 00:01:11,960
However, so that you absolutely understand

22
00:01:11,960 --> 00:01:13,860
these fundamental concepts,

23
00:01:13,860 --> 00:01:16,790
this lesson will begin with a review.
24
00:01:16,790 --> 00:01:18,940
It is important to make sure that the basics are

25
00:01:18,940 --> 00:01:21,610
in place so that you can fully understand the discussion

26
00:01:21,610 --> 00:01:26,310
about protecting layer 2 in the last section of this lesson,

27
00:01:26,310 --> 00:01:28,920
which covers the really important stuff.

28
00:01:28,920 --> 00:01:33,550
That section focuses on just a few

29
00:01:33,550 --> 00:01:36,260
layer 2-related security vulnerabilities

30
00:01:36,260 --> 00:01:40,870
and explains exactly how to mitigate threats at layer 2.

31
00:01:40,870 --> 00:01:42,867
If you are currently comfortable with VLANs,

32
00:01:42,867 --> 00:01:45,870
trunking, and routing between VLANs,

33
00:01:45,870 --> 00:01:48,053
you might want to jump to the next lesson.

34
00:01:48,990 --> 00:01:51,010
In a previous lesson, you learned

35
00:01:51,010 --> 00:01:55,340
that VLANs can be used to segment your network

36
00:01:55,340 --> 00:01:58,060
and are assigned to switch ports,

37
00:01:58,060 --> 00:02:01,593
as well as wireless clients, to enforce policy.

38
00:02:02,690 --> 00:02:06,200
In this lesson, you will also learn about several

39
00:02:06,200 --> 00:02:10,280
security challenges when protecting layer 2 networks,

40
00:02:10,280 --> 00:02:13,790
VLAN assignment, and trunking protocols.

41
00:02:13,790 --> 00:02:16,050
However, you must understand the basics

42
00:02:16,050 --> 00:02:18,950
of how VLANs and trunking operate

43
00:02:18,950 --> 00:02:22,740
before you can learn how to secure these features.

44
00:02:22,740 --> 00:02:27,740
This section reviews how VLANs and trunking are configured

45
00:02:27,890 --> 00:02:29,900
and how they operate.

46
00:02:29,900 --> 00:02:31,870
This diagram serves as a reference

47
00:02:31,870 --> 00:02:34,750
for the discussion going forward.
48
00:02:34,750 --> 00:02:37,950
You might want to screenshot this page

49
00:02:37,950 --> 00:02:42,100
or take a moment to make a simple drawing of the topology.

50
00:02:42,100 --> 00:02:44,480
You'll want to refer to this illustration

51
00:02:44,480 --> 00:02:46,520
often during this discussion.

52
00:02:46,520 --> 00:02:47,930
So what is a VLAN?

53
00:02:47,930 --> 00:02:50,050
One way to identify a local area network

54
00:02:50,050 --> 00:02:52,640
is to say that all devices in the same LAN

55
00:02:52,640 --> 00:02:55,770
have a common layer 3 IP network address

56
00:02:55,770 --> 00:02:58,350
and they also are all located in the same

57
00:02:58,350 --> 00:03:00,360
layer 2 broadcast domain.

58
00:03:00,360 --> 00:03:02,090
A virtual LAN, or VLAN,

59
00:03:02,090 --> 00:03:04,950
is another name for a layer 2 broadcast domain.

60
00:03:04,950 --> 00:03:07,370
VLANs are configured on the switch.

61
00:03:07,370 --> 00:03:09,950
The switch also controls which ports are associated

62
00:03:09,950 --> 00:03:11,593
with the VLANs.

63
00:03:12,690 --> 00:03:14,530
In the diagram here,

64
00:03:14,530 --> 00:03:17,780
the switches are in their default configuration.

65
00:03:17,780 --> 00:03:22,420
All ports by default are assigned to VLAN 1.

66
00:03:22,420 --> 00:03:26,740
And that means all the devices, including the two users

67
00:03:26,740 --> 00:03:28,528
and the router, are all in the same

68
00:03:28,528 --> 00:03:32,270
broadcast domain, or VLAN.

69
00:03:32,270 --> 00:03:34,080
As you start adding hundreds of users,

70
00:03:34,080 --> 00:03:35,970
you might want to separate groups

71
00:03:35,970 --> 00:03:38,600
of users into individual subnets

72
00:03:38,600 --> 00:03:41,823
and associated individual VLANs.

73
00:03:42,720 --> 00:03:45,880
To do this, you assign the switch ports to the VLAN,

74
00:03:45,880 --> 00:03:47,520
and then any device that connects

75
00:03:47,520 --> 00:03:51,133
to that specific switch port is a member of that VLAN.
76
00:03:52,050 --> 00:03:54,030
Hopefully all the devices that connect

77
00:03:54,030 --> 00:03:56,400
to the switch ports that are assigned

78
00:03:56,400 --> 00:03:59,409
to the given VLAN also have a common IP network

79
00:03:59,409 --> 00:04:02,510
address configured so that they can communicate

80
00:04:02,510 --> 00:04:05,010
with other devices in the same VLAN.

81
00:04:05,010 --> 00:04:08,910
Often Dynamic Host Configuration Protocol, or DHCP,

82
00:04:08,910 --> 00:04:11,570
is used to assign IP addresses

83
00:04:11,570 --> 00:04:15,683
from a common subnet range to the devices in a given VLAN.

84
00:04:16,570 --> 00:04:19,980
If you want to move the two users in the diagram

85
00:04:19,980 --> 00:04:24,980
to a new common VLAN, you create the VLAN on the switches

86
00:04:25,710 --> 00:04:28,770
and then assign the individual access ports

87
00:04:28,770 --> 00:04:31,670
that connect the users to the network

88
00:04:31,670 --> 00:04:35,093
to that new VLAN, as shown in the example here.

89
00:04:36,260 --> 00:04:41,260
In the example, interface GigabitEthernet 2 of switch one

90
00:04:41,560 --> 00:04:43,760
is configured as an access port

91
00:04:44,730 --> 00:04:46,773
and assigned to VLAN 10.

92
00:04:47,630 --> 00:04:51,640
Interface GigabitEthernet 2 of switch two is configured

93
00:04:51,640 --> 00:04:56,640
as an access port interface and assigned to VLAN 20.

94
00:04:56,950 --> 00:04:58,580
You can do a quick verification

95
00:04:58,580 --> 00:05:01,550
of the newly created VLANs and associated ports

96
00:05:01,550 --> 00:05:04,760
with the "show vlan brief" command,

97
00:05:04,760 --> 00:05:06,113
as demonstrated here.