Hello,
here, to wrap things up, a few remarks:
On 1: (for whoever needs it) --> correct
ISL: maximum 1000 VLANs
1Q: maximum 4096 VLANs
On 2:
-->
In computer networking, encapsulation is to include data from an upper layer protocol into a lower layer protocol. This is a method of abstraction for networking by allowing different layers to add features/functionality.
<--
So ISL wraps the entire Ethernet frame. 802.1Q thus wraps the entire IP packet. IP thus wraps the entire TCP/UDP segment. Packing one protocol into another is then called encapsulation (unpacking it, decapsulation).
Cisco page:
Introduction
This document provides the basic information and a summary of the frame fields for Inter-Switch Link (ISL) and IEEE 802.1Q encapsulation.
Trunks are used to carry traffic that belongs to multiple VLANs between devices over the same link. A device can determine which VLAN the traffic belongs to by its VLAN identifier. The VLAN identifier is a tag that is encapsulated with the data. ISL and 802.1Q are two types of encapsulation that are used to carry data from multiple VLANs over trunk links.
ISL is a Cisco proprietary protocol for the interconnection of multiple switches and maintenance of VLAN information as traffic goes between switches. ISL provides VLAN trunking capabilities while it maintains full wire-speed performance on Ethernet links in full-duplex or half-duplex mode. ISL operates in a point-to-point environment and can support up to 1000 VLANs. In ISL, the original frame is encapsulated and an additional header is added before the frame is carried over a trunk link. At the receiving end, the header is removed and the frame is forwarded to the assigned VLAN. ISL uses Per VLAN Spanning Tree (PVST), which runs one instance of Spanning Tree Protocol (STP) per VLAN. PVST allows the optimization of root switch placement for each VLAN and supports the load balancing of VLANs over multiple trunk links.
802.1Q is the IEEE standard for tagging frames on a trunk and supports up to 4096 VLANs. In 802.1Q, the trunking device inserts a 4-byte tag into the original frame and recomputes the frame check sequence (FCS) before the device sends the frame over the trunk link. At the receiving end, the tag is removed and the frame is forwarded to the assigned VLAN. 802.1Q does not tag frames on the native VLAN. It tags all other frames that are transmitted and received on the trunk. When you configure an 802.1Q trunk, you must make sure that you configure the same native VLAN on both sides of the trunk. IEEE 802.1Q defines a single instance of spanning tree that runs on the native VLAN for all the VLANs in the network. This is called Mono Spanning Tree (MST). This lacks the flexibility and load balancing capability of PVST that is available with ISL. However, PVST+ offers the capability to retain multiple spanning tree topologies with 802.1Q trunking.
http://www.cisco.com/en/US/tech/tk38...80094665.shtml
On 3:
Basic VLAN Hopping Attack:
• A station can spoof as a switch with ISL or 802.1Q signaling (DTP signaling is usually required as well)
• The station is then member of all VLANs
• Requires a trunking favorable setting on the port (the SANS paper is two years old)
Best practices:
• Always use a dedicated VLAN ID for all trunk ports
• Disable unused ports and put them in an unused VLAN
• Be paranoid: Do not use VLAN 1 for anything
• Set all user ports to non-trunking (DTP Off)
Ciao
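Added example in Python (not code from the post or from Cisco's document): it builds a constructed untagged Ethernet frame, inserts the 4-byte 802.1Q tag after the source MAC and recomputes the FCS as the quoted Cisco text describes, then parses the tag back out. The VID is a 12-bit field, which is where the 4096 VLAN limit from point 1 comes from; an untagged frame, as on the native VLAN, yields no VID. MAC addresses and payload are constructed sample values.

```python
import struct
import zlib

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: IEEE CRC-32 over dst..payload, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the source MAC and recompute the FCS (trunk-side tagging)."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VID is a 12-bit field: 0..4095, i.e. 4096 values")
    body = frame[:-4]                          # strip the old FCS; it is invalid after tagging
    tci = ((pcp & 0x7) << 13) | vlan_id        # TCI = PCP(3 bits) | DEI(1 bit, 0 here) | VID(12 bits)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    tagged = body[:12] + tag + body[12:]       # dst(6) + src(6) + TAG(4) + original EtherType/payload
    return tagged + fcs(tagged)


def parse_frame(frame: bytes) -> dict:
    """Return VLAN fields and FCS status; vlan_id is None for an untagged (e.g. native VLAN) frame."""
    body, rx_fcs = frame[:-4], frame[-4:]
    info = {"fcs_ok": fcs(body) == rx_fcs, "vlan_id": None, "pcp": None}
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", body[14:16])[0]
        info["vlan_id"] = tci & 0x0FFF
        info["pcp"] = tci >> 13
        ethertype = struct.unpack("!H", body[16:18])[0]   # EtherType of the encapsulated payload
    info["ethertype"] = ethertype
    return info


def build_untagged_frame(payload: bytes) -> bytes:
    """Constructed sample frame: fixed MACs, IPv4 EtherType, payload padded to the 46-byte minimum, valid FCS."""
    dst = bytes.fromhex("001122334455")        # constructed sample addresses
    src = bytes.fromhex("66778899aabb")
    body = dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload.ljust(46, b"\x00")
    return body + fcs(body)


if __name__ == "__main__":
    plain = build_untagged_frame(b"\x45\x00" + b"x" * 20)
    print(parse_frame(plain))                  # vlan_id None: untagged, as on the native VLAN
    print(parse_frame(tag_frame(plain, 100, pcp=3)))
```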