International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
ISSN 2319 - 4847
Special Issue for National Conference On Recent Advances in Technology and Management for
Integrated Growth 2013 (RATMIG 2013)
Effective Remote Management for Inter-VLAN
Routing Networks
Rajiv O. Verma
Asst. Professor, Guru Nanak Institute of Engineering & Technology, Nagpur.
rajiv_verma44@hotmail.com
ABSTRACT
VLANs are extensively used in enterprise network to ease management of hosts to improve scalability and flexibility. Despite their
wide usage in enterprise network, VLAN security is a greater concern for the network administrator due to very little attention has
been paid on error prone, unsystematic, high risk of misconfiguration in the design and management of enterprise VLAN network
[20] . This paper extends the consideration of how to handle remote access to VLAN switches. We have shown the management of
VLAN switches from remote location by using protocols such as telnet, SSH, etc. We proposed effective ways to restrict access to
management functions from remote sources. We have used access-control-lists to filter the traffic of inter-VLAN routing as well as
to restrict remote access to VLAN switches designed in VTP model. Unless otherwise stated this paper is based upon configuration
& hardware implementation in a Cisco environment. We demonstrate the security optimization techniques in designing VLAN both
for Inter-VLAN communication and addressing VTP issues.
Keywords-- VLAN; VTP; DTP; SSH; ACL
1. INTRODUCTION
Today’s enterprise network is undergoing a stringent complexity due to frequent change in design of their networks for
new organizational needs. Configuration changes are required due to movement of departments and user, addition of new
hosts, revision of security policies, company mergers and malicious intruders. The frequency and complexity of
configuration changes results in error-prone enterprise networks [5]. However, yet these challenges in enterprise network
have received little attention from the research community. One prominent example is VLAN design which is
extensively used in enterprise networks[2].VLAN’s were initially intended to connect a group of hosts in the same
broadcast domain, independent of their physical location. The expectation for today’s VLAN has increases due to better
security, flexibility and scalability requirements [1]. CISCO’s VLAN trunking protocol reduces administration in a
switched network [4]. VTP has some issues but not much research has been done for complexities arise in VTP based
configuration. In this paper, we focus strongly on various security aspects of VLAN design using with VTP to reduce the
much administrative work apart from optimal Inter-VLAN routing design. We proposed various security aspects like
access-lists based layer 3 securities in Inter-VLAN routing, deactivating native VLAN1 to secure Layer 2 traffic in VTP
model, application of authentication on VTP server and nonnegotiating Dynamic Trunking Protocol mode to counter the
effect of inserting a rogue switch/trunk with higher config revision number [20]. Cisco Catalyst switches can provide a
remote administration and management interface into the switch which can be configured with an IP address. These
management interfaces are referred to as in-band management interfaces because they are attached to and can be
accessed from the data network.
Organized By: GNI Nagpur, India
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
ISSN 2319 - 4847
Special Issue for National Conference On Recent Advances in Technology and Management for
Integrated Growth 2013 (RATMIG 2013)
2. INTER-VLAN ROUTING
In this section a simulated VLAN design is used using VLAN Trunking protocol (VTP) to fulfill our objective to reduce
the much administrative work with less costing. In the first part we have configure the VTP model by interconnecting
four switches such that one acts as VTP Server and the other three are clients. VTP server will automatically update the
summary/subset advertisement to all the connected clients. In the second part we have connected a router with single
interface with the VTP Server switch to simulate inter-VLAN Routing.
Table I. Interface ports for Network in Figure 1.
ROUTER0
A
B
C
D
E
A
F0/F1
*
F1/F2
F1/F3
F1/F4
*
PC1
*
*
F2/E0
*
*
*
PC2
*
*
*
F2/E0
*
*
PC3
*
*
*
*
F2/E0
*
PC0
*
*
*
*
*
F2/E0
ROUTER1
S0/S0
*
*
*
*
F1/F0
Table II. IP Address Allocation in Figure 1.
Organized By: GNI Nagpur, India
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
ISSN 2319 - 4847
Special Issue for National Conference On Recent Advances in Technology and Management for
Integrated Growth 2013 (RATMIG 2013)
Router0
F0/0.1- 192.168.1.254
Router0
F0/0.2- 192.168.2.254
Router0
F0/0.3- 192.168.3.254
Router1
F0/0-192.168.4.254
PC1- 192.168.1.1
DG- 192.168.1.254
PC2- 192.168.2.1
DG- 192.168.2.254
PC3- 192.168.3.1
DG- 192.168.3.254
PC0- 192.168.4.1
DG- 192.168.4.254
VLAN’s allow you to isolate users from each other by placing them in different VLAN’s but how do you pass traffic
from one VLAN to another VLAN? Doing so involves the use of Layer 3 device to route the traffic from one VLAN to
another [10]. The best way is to use a router for inter-VLAN communication. In traditional method, each of the router
interfaces is connected to an access links that in turn is connected to hosts. Such design requires 3 physical interfaces for
three VLAN’s (as per our example). In our proposed method, router interface is not connected to an access links; instead
the router fast Ethernet interface is connected to the VTP server switch interface and configured with ISL or 802.1q
trunking. The benefit of using a trunk link is to reduce the number of router and switch interfaces used. A single trunk
link saves the cost and minimizes configuration complexity. One fast Ethernet interface f0/0 is divided into three subinterfaces and VLAN encapsulation is defined for each sub-interface. The configuration of sub-interfaces is shown
below:
Router#show run
interface FastEthernet0/0
no ip address
duplex full
speed 100
!
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 11
ip address 192.168.2.254 255.255.255.0
!
interface FastEthernet0/0.3
encapsulation dot1Q 12
ip address 192.168.3.254 255.255.255.0
!
2.1 Remote Management of VLAN
The remote connectivity can be done by using any routing protocols from static or dynamic. In our paper we use static
routing protocol. We have configured telnet port vty along with other required authentication. Your management VLAN
does not have to be the same as your Native VLAN. Matter of fact, it is good practice to make sure that they are
different. Your management VLAN should only carry in-band management traffic and should not be the default
VLAN. We have specified an ip address to vlan 10 & make sure that they are not shutdown. Also specify ip default
gateway to router0 in the server switch. The configuration of server switch A for telnet support is given below:
Organized By: GNI Nagpur, India
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
ISSN 2319 - 4847
Special Issue for National Conference On Recent Advances in Technology and Management for
Integrated Growth 2013 (RATMIG 2013)
interface Vlan10
ip address 192.168.1.10 255.255.255.0
!
ip default-gateway 192.168.1.254
!
line con 0
password 7 08224340
login
!
line vty 0 4
password 7 08375857
login
line vty 5 15
password 7 08375857
login
!
end
2.2 Access-List Based Inter-VLAN Communication
ACL’s are used to secure and control traffic into or out of networks. In modern implementations, central file servers and
services are usually placed in their own isolated VLAN, securing them from possible network attacks while controlling
access to them. An administrator can smartly disable ICMP echoes and other protocols used to detect a live host,
avoiding possible detection by an attacker host located over a different VLAN [10]. After configuring ACL, router works
as a firewall and checks each statement sequentially before forwarding the traffic to its destination. By using standard or
extended access-lists, a router processes each ACL from top to bottom, one statement at a time. We propose extended
ACL’s to filter the traffic between VLAN’s or between hosts of a VLAN. Also we can use standard ACL to restrict telnet
access from the remote network. The configuration of ACL as per figure 1on router0 is shown below:
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip any any
To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of the standard ACL.
access-list 15 permit host 192.168.4.1 209.157.22.32
access-list 15 permit 192.168.4.0 0 0.0.0.255
telnet access-group 15
3. SECURITY FOR VLAN HOPPING ATTACK
VLAN hopping attack allows a user on a VLAN to unauthorized access to another VLAN. This can be done by using a
native VLAN1 (default). Normally 802.1q trunking does not tag frames for native VLAN. An attacker can connect a
rogue switch/trunk to an unused port & spoofs DTP messages to automatically negotiate and thus turn on trunking
between the rogue switch and the target switch. An attacker can also send a double-tagging 802.1q frame to access the
victim switch. The outer header has the VLAN tag of the attacker, which is the same as the native VLAN of the trunk
port. To mitigate this type of attack the best approach is to ensure that the native VLAN of the trunk ports is different
from the native VLAN of the other ports. In our proposed model we have changed the native VLAN to VLAN 90; we
have disallowed VLAN 1 from the trunk ports and keep the desired VLANs allowed. Also we proposed that either
disable the remaining ports or change them to access ports in non-negotiate mode. Set nonnegotiate mode on both side of
the trunk. From figure 2, PC5 is an attacker which is connected to VTP client 1 switch, and trunk port F0/1 is connected
to VTP server switch.
Organized By: GNI Nagpur, India
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
ISSN 2319 - 4847
Special Issue for National Conference On Recent Advances in Technology and Management for
Integrated Growth 2013 (RATMIG 2013)
Figure 2. Layer-2 attack Model
4. CONCLUSION
The security of VLAN technology is reliable and robust. The problem arises only due to user misconfiguration or
improper use of features. In this paper our primary contribution is to show the security measures arises due to InterVLAN communication both locally and remotely, and issues in using VTP in an enterprise network. Solutions proposed
to secure Inter-VLAN communication and to address VTP issues are brought into practice using simulated network
configuration. We proposed access-list based security on layer 3 to prevent unauthorized access to different VLANs. We
proposed security solutions emerges due to VLAN hopping attacks by deactivating the native VLAN1 which is the root
cause of such type of attacks. For secured remote administration the management VLAN should not have to be same as
your Native VLAN or default VLAN 1.
REFERENCES
[1] Milan Yu and Jennifer Rexford, Princeton University,Xin Sun and Sanjay Rao, Purdue University, Nick Feamster,
Georgia institute of Technology. “A survey of Virtual LAN Usage in Campus Networks” IEEE Paper in IEEE
Communications Magazine July, Volume: 49, Issue: 7 pp. 98-103.
[2] Yu-Wei Eric Sung, Sanjay G. Rao, Geoffrey G. Xie,David A. Maltz, Purdue University.“Towards systematic Design
of Enterprise network” Networking, IEEE/ACM Transactions, 2011,Volume: 19 , Issue: 3 pp. 695-708.
[3] Kolbuchi M, Otsuka T, kudoh T, amano H. “A switch-tagged routing methodology for PC clusters withVLAN
Ethernet” Parallel and Distributed Systems, IEEE Transactions, 2011, Volume: 22 , Issue: 2 pp. 217-230.
[4] Johal, Hatinder Singh. “Access list based VLAN Map architecture & modified 802.1q frame scheme for addressing
VTP issues.” Eighth ACIS International Conference, 2010, pp.11-18.
[5] Xin Sun, Yu-Wei E Sung, Sunil D. Krothpalli, and Sanjay G. Rao, Purdue University. “A systematic Approach for
evolving
VLAN Designs” INFOCOM, 2010 Proceedings IEEE, pp. 1-9.
Organized By: GNI Nagpur, India
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
ISSN 2319 - 4847
Special Issue for National Conference On Recent Advances in Technology and Management for
Integrated Growth 2013 (RATMIG 2013)
[6] Rajiv O. Verma, S.S. Shriramwar “Effective VTP Model for Enterprise VLAN Security” 2013 International
Conference on Communication Systems and Network Technologies.
[7] Cisco. (2006, Aug 6). Configuration examples related to VLAN Features. [Online]. Available: http://cisco.com/
univered/cc/td/doc/product/lan/28201900/1928v8x/eescg8x/aleakyv.htm.
[8] “Secure use of VLANs": An@stake security Assessment.
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf.
[9] “UnderstandingVTP”: http://www.cisco.com/en/US/docs
/switches/lan/catalyst2960/software/release/12.2_25_see/configuration/guide/swvtp.pdf.
[10] “InterVLAN Routing – Routing between VLAN Networks” Available:http://www.firewall.cx/networkingtopics/vlan-networks/222-intervlan-routing.html.
[11] “VLAN Hopping Attack And Mitigation/Prevention”: Available:http://lonetsec.blogspot.in/2011/02/vlan-hoppingattacks-and.html.
[12] Gobjuka, H. “Topology discovery for virtual local area” INFOCOM, 2010 Proceedings IEEE, pp. 1-5.
[13] Yamasak, Y, Miyamoto, Y, Yamoto, J, Goto, H, Sone, H. “Flexible access management system for campus VLAN
based on open-flow” Applications and the Internet (SAINT), 2011 IEEE/IPSJ 11th International Symposium
on pp. 347-351.
[14] Hirotsu T, Fukuda K, Abe H, Kurihara S, Akashi O, Sugawara T. “Dynamic & distributed routing control for
virtualized local area network” Local Computer Networks (LCN), 2010 IEEE 35th Conference pp.212-215.
[15] M casado, T. Garfinkel, A. Akella, M. Freedman, D. Boneh, N. Mckeron, and S. Shenker. SANE: A protection
architecture for enterprise networks. In Proc USENIX security, 2006.
[16] Maltz, G. Xie, J. Zhan, H. Zhang, G. Hjalmtysson,and A. Greenbug. Routing design in operational networks: A look
from inside. In Proc. ACM SIGCOMM, 2004.
[17] IEEE standard 802.1Q-2003. “Virtual Bridged Local AreaNetworks”. Technical report ISBN 0-7381-3662-X.
[18] Cisco, “Catalyst Family of LAN Switching” CLVco system Inc. product information, 1998.
[19] Garrett Leischner and codyTews, Security through VLAN segmentation: Isolating and Securing Critical Assets
without Loss of Usability. Schweitzer engineering Laboratories, Inc. SEL 2007 TP6277-01.
[20]Rajiv O. Verma, S.S. Shriramwar “Security Optimization of VTP Model in an Enterprise VLAN” International
Journal
of Electronics Communication and Computer Engineering Volume 4, Issue 3, ISSN (Online): 2249–071X, ISSN
(Print):
2278–4209.
AUTHOR’S PROFILE
A. Rajiv O. Verma
The author Rajiv O. Verma is born in Gorakhpur (UP), India on 11th of November,1967. He has done Bachelor of Engineering in
Electronics Engineering from Yeshwantrao Chavan College of Engineering at Nagpur, Maharashtra, India, in the year 1990. Currently
he is a student of Mtech in Communication & working as an Asst. Professor in Guru Nanak Institute og Engineering & Technology,
Nagpur, India.. Computer Communication Network is the author’s major field of study.
Organized By: GNI Nagpur, India