Category: Networking

Creating VLANs Using Cisco IOS

VLANs can easily be implemented on Cisco switches to improve network layout as well as security and efficiency. With VLANs we are able to, with software, logically separate ports on a switch (or other network device) into discrete groups that function as their own independent LANs. For example, let’s say we are designing a network for a small school that will provide access to the Internet via a 48 port switch. We want to separate the Faculty and Staff network devices from Students and Guests.

For our internal network we will be using a 192.168.1.0/24 network address, and we will divide our network into two subnets, 192.168.1.0/25 for the faculty and staff (Fac/Staff) and 192.168.1.128/25 for students and the Public (Students). Now let’s set up our VLANs on the switch.

In IOS, enter config mode

Switch>;enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#

Next we will create the VLANs and give them a name. I don’t think naming the VLAN is required, but it is recommended.

Switch(config)#vlan 10
Switch(config-vlan)#name facstaff
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name students
Switch(config-vlan)#end
%SYS-5-CONFIG_I: Configured from console by console

Let’s take a look at our VLAN set up.

Switch#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig1/1, Gig1/2
10   facstaff                         active
20   students                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Switch#

VLAN 1 is the default VLAN and all ports are members of it. VLANs 1002 – 1005, are also assigned by default, as show. We are going to split the 24 FastEthernet ports between the two new VLANs. We will take advantage of the ability in IOS to configure a range of interfaces at a time.

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface range fastEthernet 0/1-12
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#interface range fastEthernet 0/13-24
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit
Switch(config)#end

%SYS-5-CONFIG_I: Configured from console by console

Switch# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gig1/1, Gig1/2
10   facstaff                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
20   students                         active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

Protecting Against SSH Server Spoofing

To defend against SSH server spoofing – where an attacker sets up an SSH server and masquerades as another in order to capture users’ login credentials – every SSH server has a unique public key that can be utilized to verify that servers identity. This key is located in the /etc/ssh/ directory, and is used by clients to encrypt communications with the server. In turn, the server must use its private key to decrypt these communications.

The key is a rather long string of random characters and not very useful for humans, but a fingerprint of the key can be produced which is more compatible with the operating system of the mind. The first time an SSH client connects to an SSH server, this fingerprint is displayed.

The authenticity of host 'host.example.org (54.21.151.16)' can't be established.
ECDSA key fingerprint is 03:ed:6d:1f:ff:56:9d:5f:f3:65:20:b5:ad:55:55:87.
Are you sure you want to continue connecting (yes/no)?

This prompt is asking the user to verify the offered fingerprint (the fingerprint of the server) against a known good fingerprint under their control. But how is this done? At the time the SSH server is installed and the public/private key pairs are generated, the SSH server administrator can fingerprint the server and distribute this fingerprint to users who will access the server. One can do such fingerprinting with the ssh-keygen program:

ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub 
256 03:ed:6d:1f:ff:56:9d:5f:f3:65:20:b5:ad:55:55:87  host (ECDSA)

The -l option instructs the program to show the fingerprint, and f for a key file. Simply direct the output the above command to a file and distribute that file to users who will be connecting to the server.

ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub > server_fingerprint.txt

To get a look at the server’s public key fingerprint before attempting a connection, one can utilize the ssh-keyscan program

ssh-keyscan -t ecdsa host.example.org > tmp
ssh-keygen -lf tmp 
256 03:ed:6d:1f:ff:56:9d:5f:f3:65:20:b5:ad:55:55:87 host.example.org (ECDSA)

Here the -t is for type of key to be scanned (which can be rsa1 for protocol version 1, dsa, ecdsa, ed25519, or rsa for protocol version 2). The output is redirected to a temporary file named tmp, then the file is checked with the ssh-keygen program.

Once client has verified the fingerprint, it will store a copy of the server’s public key in $HOME/.ssh/known_hosts and will check the stored key on subsequent connections to that host. If the server has changed its keys, or another machine is attempting to spoof the real server, the client will notice and will not allow connections to that host.