Module 8 Flashcards

Learning Unit 4 (40 cards)

1
Q

Network Segmentation Overview

A
  • Definition: Dividing a larger network into smaller broadcast domains.
  • Benefits:
    o Enhanced security
     Limits malware/hacker access to sensitive parts.
     Allows open access to specific areas (e.g., web server in a screened subnet / DMZ).
     Part of defense-in-depth strategy.
    o Improved performance
     Reduces size of broadcast domains.
     More efficient use of bandwidth.
     Prioritizes critical traffic (e.g., studio traffic vs. office traffic).
    o Simplified troubleshooting
     Easier to isolate issues to specific segments (e.g., only Accounting has issues).
  • Common segmentation bases:
    o Geographic – e.g., LAN per floor, WAN per building.
    o Departmental – e.g., HR, Accounting, Sales.
    o Device types – e.g., IP phones, printers, desktops.
  • OSI layers involved:
    o Layer 1–2: Physical segmentation using routers/switches.
    o Layer 2: VLANs.
    o Layer 3: Subnets/IP organization.
2
Q

Subnets

A
  • Definition: Group of IP addresses forming a logical network segment.
  • Function: Organizes address space; divides larger networks into smaller logical pieces.
  • OSI Layer: Layer 3 (Network).
  • Purpose in segmentation:
    o Works with VLANs for traffic isolation.
    o Ensures logical separation of IP traffic.
  • Example usage: A subnet per department (e.g., one for HR, one for IT).
3
Q

VLANs (Virtual Local Area Networks)

A
  • Definition: Group of switch ports assigned to a virtual segment regardless of physical location.
  • Function: Logically groups devices on different switches.
  • OSI Layer: Layer 2 (Data Link).
  • Purpose in segmentation:
    o Separates traffic virtually instead of physically.
    o Often paired with subnets for complete isolation.
    o Allows flexibility: ports from different physical locations can be in the same VLAN.
4
Q

Methods of Segmenting Networks

A
  • Physical Segmentation:
    o Use of routers and separate hardware.
    o Creates separate LANs.
  • Logical Segmentation:
    o Uses VLANs.
    o Segments based on switch configuration.
  • Layer 3 Segmentation:
    o Uses subnetting to divide IP space.
    o Can apply to both physical and virtual LANs.
5
Q

Subnetting Basics

A
  • Subnetting = dividing a large network into smaller, more manageable subnets
  • Helps manage:
    o Broadcast traffic
    o IP address space efficiently
    o Troubleshooting (easier to isolate issues)
    o Documentation and routing
  • Routers = broadcast boundaries; do not forward broadcasts between interfaces
  • Subnets created by splitting IP address pool into ranges per LAN/floor
  • Devices use subnet info to decide if traffic is local or needs to go to the gateway
6
Q

Subnet Masks

A
  • IPv4 address = 32 bits (4 octets)
    o Network portion = defined by 1s in subnet mask
    o Host portion = defined by 0s in subnet mask
  • Example:
    o IP: 192.168.123.132 → 11000000.10101000.01111011.10000100
    o Mask: 255.255.255.0 → 11111111.11111111.11111111.00000000
    o Network ID: 192.168.123.0
    o Host: 0.0.0.132
  • Devices compare their own network ID with destination:
    o If match → direct send
    o If not match → send to default gateway
  • Subnet mask defines how many bits of IP are network ID:
    o E.g., /24 means 24 bits = network, 8 bits = host
7
Q

Classful IPv4 Addressing

A
  • Class A
    o Format: nnnnnnnn.hhhhhhhh.hhhhhhhh.hhhhhhhh
    o Network bits: 8
    o Host bits: 24
    o Default mask: 255.0.0.0 or /8
    o Example network ID: 92.0.0.0
  • Class B
    o Format: nnnnnnnn.nnnnnnnn.hhhhhhhh.hhhhhhhh
    o Network bits: 16
    o Host bits: 16
    o Default mask: 255.255.0.0 or /16
    o Example network ID: 147.12.0.0
  • Class C
    o Format: nnnnnnnn.nnnnnnnn.nnnnnnnn.hhhhhhhh
    o Network bits: 24
    o Host bits: 8
    o Default mask: 255.255.255.0 or /24
    o Example network ID: 192.168.123.0
8
Q

Classful Addressing Notes

A
  • Always uses whole octets for dividing network/host portions
  • Network ID’s last octet is always 0
  • Host IPs should not end in .0
  • Each octet can only range from 0 to 255
  • Used as a starting point for subnetting in modern networks
  • Class D and E = reserved (not used for host addressing)
9
Q

Subnetting Basics

A
  • Classless Addressing: Allows borrowing host bits to create subnets
  • More subnet bits = more networks, fewer hosts per network
  • Trade-off: More subnets created, but lose 2 host addresses per subnet (network ID + broadcast)
  • Subnetting advantages:
    o Improves management
    o Limits broadcast domains
    o Enables logical segmentation
10
Q

Binary Subnetting Example (1 bit borrowed)

A
  • Original Network ID: 192.168.89.0
  • Original Subnet Mask: 255.255.255.0 (/24)
  • Borrow 1 host bit → /25 mask
  • Binary subnet mask: 11111111.11111111.11111111.10000000
  • Decimal subnet mask: 255.255.255.128
  • Subnets created: 2
    o Subnet 1: 192.168.89.0/25
    o Subnet 2: 192.168.89.128/25
  • Usable host IPs:
    o Subnet 1: 192.168.89.1 → 192.168.89.126 (126 hosts)
    o Subnet 2: 192.168.89.129 → 192.168.89.254 (126 hosts)
  • Lost hosts: 2 (per subnet) for network & broadcast addresses
11
Q

Subnetting Formulas

A

To calculate # of subnets:
* 2^n = # of subnets
* n = # of bits borrowed

To calculate # of hosts per subnet:
* 2^h - 2 = # of usable hosts
* h = # of bits remaining for hosts

CIDR notation:
* /x where x = number of bits for network ID

12
Q

Subnetting Example with 3 Bits Borrowed (Formula Method)

A

Goal: Create 6 subnets from 192.168.89.0

Formula: 2ⁿ ≥ needed subnets → 2³ = 8 (borrow 3 bits)

New subnet mask:
* Binary: 11111111.11111111.11111111.11100000
* Decimal: 255.255.255.224
* CIDR: /27

Remaining host bits: 5 → 2⁵ - 2 = 30 hosts per subnet

13
Q

Calculating Network IDs Using Magic Number

A

Magic Number = 256 - subnet mask’s last octet
* In /27 mask → last octet: 224 → magic number = 32

Subnet IDs (add 32 each time):
* Subnet 1: 192.168.89.0
* Subnet 2: 192.168.89.32
* Subnet 3: 192.168.89.64
* Subnet 4: 192.168.89.96
* Subnet 5: 192.168.89.128
* Subnet 6: 192.168.89.160
* Subnet 7: 192.168.89.192
* Subnet 8: 192.168.89.224

14
Q

IP Address Ranges per Subnet (/27 Example)

A

Total addresses per subnet: 2⁵ = 32

Usable hosts: 30 per subnet
* First = Network ID
* Last = Broadcast address

Example (Subnet 1):
* Network ID: 192.168.89.0
* Broadcast: 192.168.89.31
* Host range: 192.168.89.1 → 192.168.89.30

Subnet 2:
* Network ID: 192.168.89.32
* Broadcast: 192.168.89.63
* Host range: 192.168.89.33 → 192.168.89.62

(Repeat pattern with +32 each time)

15
Q

Subnetting Trade-Off Summary

A

Advantages:
* More logical segmentation
* Better traffic control
* Tailored broadcast domains

Disadvantages:
* Lose 2 host addresses per subnet
* Increased complexity

Total available hosts = (# subnets × usable hosts)
* E.g.: 8 subnets × 30 hosts = 240 total usable hosts
* Original /24 had 254 usable hosts
* Trade-off: -14 usable hosts for more networks

16
Q

Class B Subnet Mask Table (IPv4)

A
  • Based on default Class B mask: 255.255.0.0
  • Subnet mask progression and their properties:
    Mask             CIDR  Subnets  Hosts/Subnet
    255.255.128.0    /17   2        32,766
    255.255.192.0    /18   4        16,382
    255.255.224.0    /19   8        8,190
    255.255.240.0    /20   16       4,094
    255.255.248.0    /21   32       2,046
    255.255.252.0    /22   64       1,022
    255.255.254.0    /23   128      510
    255.255.255.0    /24   256      254
    255.255.255.128  /25   512      126
    255.255.255.192  /26   1024     62
    255.255.255.224  /27   2048     30
    255.255.255.240  /28   4096     14
    255.255.255.248  /29   8192     6
    255.255.255.252  /30   16384    2
17
Q

Class C Subnetting Summary

A
  • Fewer subnetting options than Class B
  • Fewer host bits = fewer hosts per subnet
  • Limited number of subnets due to fewer bits available to borrow
18
Q

Types of Subnetting Exam Questions

A
  • Type 1: Given requirements (hosts/subnets), calculate:
    o Possible subnet masks
    o IP address ranges per subnet
  • Type 2: Given a single IP address, determine:
    o Network ID
    o Broadcast address
    o First and last usable host addresses
19
Q

Subnet Implementation (Static IP)

A
  • Admin assigns IP and subnet mask to each router interface
  • Convention: use first or last usable IP in range for default gateway
  • Static IP settings shown via:
    o Ubuntu: TCP/IPv4 config
    o Windows: Manual IP config
  • Example use case: three LANs using different subnets from same network block
20
Q

Subnet Implementation (DHCP / Dynamic IP)

A
  • DHCP server must be configured with:
    o Network ID
    o Subnet mask
    o IP range
    o Default gateway
  • Cost-prohibitive to deploy a DHCP server per subnet
  • DHCP relies on broadcasts, which do not cross routers by default
21
Q

Centralized DHCP via UDP Forwarding

A
  • Relay Agent (router/firewall/L3 switch) enables UDP forwarding
  • Common UDP services:
    o DHCP (port 67)
    o DNS (port 53)
    o NTP (port 123)
    o TFTP (port 69)
  • Relay agent detects broadcast message, then:
    o Step 1: Receives DHCP request on local subnet
    o Step 2: Repackages & sends to IP helper address (central DHCP)
    o Step 3: DHCP server assigns IP based on relay agent’s source interface
    o Step 4: Reply is routed back to original subnet
  • IP Helper Address:
    o Can be a single server (e.g. DHCP only)
    o Or subnet broadcast address (e.g. DHCP, DNS, NTP servers monitor)
22
Q

VLSM (Variable Length Subnet Mask)

A
  • Subnetting a subnet to match varying host needs
  • Avoids inefficiency of fixed-size subnets
  • Process:
    o Start with the largest subnet
    o Subdivide remaining address space for next largest, and so on
  • Analogy: pizza slices sized differently for Dad, Mom, kids
  • Efficient but leaves little room for future growth
  • Best used with private IPs; public IPs have limitations
  • Planning for growth:
    o Start with /23 or /22 instead of /24
    o Or move to IPv6
23
Q

VLSM Example – Subnet Breakdown (IPv4: 192.168.10.0/24)

A
  • Step 1:
    o /25 = 192.168.10.0 → Sales
    o Remaining: 192.168.10.128/25
  • Step 2:
    o /26 = 192.168.10.128 → Accounting
    o Remaining: 192.168.10.192/26
  • Step 3:
    o /27 = 192.168.10.192 → HR
    o Remaining: 192.168.10.224/27
  • Step 4:
    o /29 =
     192.168.10.224 → IT
     192.168.10.232 → Executives
     192.168.10.240 → reserved
     192.168.10.248 → future use
  • Step 5:
    o /30 =
     192.168.10.240 → WAN 1
     192.168.10.244 → WAN 2
     192.168.10.248/29 → future use
24
Q

IPv6 Subnetting – Key Differences

A
  • 128-bit addresses (vs. IPv4’s 32-bit)
  • Vast address space = one subnet holds 18 quintillion+ addresses
  • Subnetting = for organization, not conservation
  • IPv6 has:
    o No classes (no A, B, C)
    o No subnet masks
    o All addresses are classless
25
Q

IPv6 Address Structure

A
  • Format: 8 blocks of 4 hex digits, e.g., 2608:FE10:1:AA:002:50FF:FE2B:E708
  • Divided into:
    o Network prefix (first 64 bits)
    o Interface ID (last 64 bits)
  • Example:
    o Network prefix: 2608:FE10:1:AA
    o Interface ID: 002:50FF:FE2B:E708
  • Often written as: 2608:FE10:1:AA::/64
26
Q

IPv6 Prefixes and Subnet IDs

A
  • /64 = 1 subnet with 18 quintillion addresses
  • /56 = 256 subnets (8 bits for Subnet ID)
  • /48 = 65,536 subnets (16 bits for Subnet ID)
  • Subnet ID block:
    o 1 hex block = 4 hex digits = 16 bits
    o Can be divided for site, sub-site, and subnet IDs
    o Example:
       /48 → Subnet ID = 0000 to FFFF (65,536)
       /56 → Subnet ID = 00 to FF (256)
  • Assigned from RIR → ISP → Organization:
    o RIR: /32 (e.g., 2608:FE10::/32)
    o ISP to org: /48 (e.g., 2608:FE10:1::/48)
    o Small business: /56 or /64
27
Q

VLANs vs Subnets

A
  • Subnets:
    o Group IP addresses (Layer 3)
    o Use router interfaces to create multiple broadcast domains
    o Organize network by IP addressing
  • VLANs:
    o Group ports on one or more switches (Layer 2)
    o Abstract broadcast domains from physical hardware
    o Define boundaries virtually within a physical LAN
    o Force local traffic through a router to isolate broadcast domains
    o Similar to how VMs virtualize hardware resources
28
Q

Reasons to Use VLANs

A
  • Prioritize data for specific device groups (e.g., executive clients, ICS systems)
  • Isolate high-traffic connections (e.g., VoIP)
  • Segregate legacy systems using incompatible protocols (e.g., SCADA)
  • Separate users needing special/limited access (e.g., guest networks)
  • Set up temporary project networks
  • Reduce equipment costs (e.g., adding departments without new routers)
29
Q

VLAN Configuration (Switches)

A
  • Requires managed switches (CLI or web GUI)
  • Ports are assigned to specific VLANs
  • Switch adds a VLAN tag to traffic from each port
  • Tags identify the VLAN membership of the transmission
  • VLAN Port Grouping:
    o Ports don’t need to be physically adjacent
    o Ports across multiple switches can belong to the same VLAN
    o Each VLAN = separate broadcast domain
  • Tagged VLAN Traffic:
    o Traffic within same VLAN: direct switch forwarding
    o Traffic between different VLANs: must go through a router (inter-VLAN routing)
    o Tagged traffic is stripped at:
       Destination switch port (if same VLAN)
       Router (if crossing VLANs – new tag added on re-entry)
30
Q

Inter-VLAN Routing & Router-on-a-Stick

A
  • Inter-VLAN routing:
    o Needed when devices on different VLANs need to communicate
    o Router handles traffic between VLANs
  • Router-on-a-Stick:
    o One router connects to a VLAN-aware switch
    o Router interface handles multiple VLANs via subinterfaces
31
Q

IEEE 802.1Q (Dot1Q) VLAN Tagging

A
  • Adds a tag field to Ethernet frame header
  • Defines how VLAN info appears in Ethernet frames
  • Standard for VLAN-aware switches
  • Switches interpret and act on tag to manage VLAN traffic
  • Tag is removed at destination port or router
  • Tagging enables VLANs to span multiple switches
32
Q

VLAN Communication Scenarios

A
  • Same VLAN, different switches:
    o Traffic behaves like local (same broadcast domain)
    o Does not cross router
  • Different VLANs, same switch:
    o Traffic must go through router
  • Different VLANs, different switches:
    o Traffic must travel to router, then to destination VLAN
  • Effect: Devices unaware of VLAN tags; VLAN infra is transparent to end devices
33
Q

VLAN Ports & Trunking

A
  • Access Port
    o Connects switch to a host (e.g., workstation, printer)
    o Carries traffic for only one VLAN
    o Host is unaware of VLAN membership
  • Trunk Port
    o Connects switch to other switches/routers/servers
    o Carries traffic for multiple VLANs
    o Single physical link → multiple logical VLANs
    o Used between networking devices, not hosts
  • Trunk Line
    o Link between two trunk ports
    o Origin: telephony (many signals over one line)
    o Transports traffic for multiple VLANs on one connection
  • Trunking Protocol
    o VTP (VLAN Trunk Protocol) – Cisco’s protocol for VLAN info exchange
       Central VLAN management via a stack master switch
       Other switches in same VTP domain receive updates
       Can propagate VLAN additions/deletions/changes
34
Q

VLANs and Subnets

A
  • Each VLAN is typically assigned its own IP subnet
  • Example:
    o VLAN 1 = Subnet 1
    o VLAN 2 = Subnet 2
    o VLAN 3 = Subnet 3
  • Subinterfaces on a single router interface used to handle VLAN traffic
    o Example:
       FastEthernet0/0.1 → VLAN 1
       FastEthernet0/0.2 → VLAN 2
       FastEthernet0/0.3 → VLAN 3
  • Each VLAN + Subnet combo = 1 broadcast domain
  • Best practice:
    o 1 VLAN = 1 Subnet = 1 Broadcast Domain
  • IP Assignment Methods
    o DHCP relay agent to sort requests by subnet
    o Router-based DHCP via subinterfaces with subnetted IP ranges
  • Layer Differences
    o VLANs: Layer 2 segmentation
    o Subnets: Layer 3 IP addressing
35
Q

Types of VLANs

A
  • Default VLAN
    o Preconfigured on most switches (usually VLAN 1)
    o All ports belong here initially
    o Cannot be renamed or deleted
    o Ports can be moved out of default VLAN
  • Native VLAN
    o Handles untagged traffic on trunk ports
    o Default = same as default VLAN
    o Security risk: change to unused VLAN
    o Must match on both ends of a trunk
    o Native VLAN mismatch = config error
  • Data VLAN (User VLAN)
    o Carries user traffic: email, web, databases
  • Management VLAN
    o Used for admin access to switches
    o Often same as default VLAN initially – should be changed for security
  • Voice VLAN
    o Optimized for VoIP
    o Requires:
       High bandwidth
       Low latency
       Traffic prioritization
       Flexible routing
  • Private VLAN (PVLAN)
    o Partitions a VLAN into subdomains
    o Contains:
       Primary VLAN – defines main broadcast domain
       Secondary VLANs – isolated groups within primary VLAN
    o Promiscuous Port
       Connected to primary VLAN
       Can communicate with all secondary VLANs
    o Secondary VLAN Types:
       Isolated VLAN
         Hosts cannot communicate with other hosts (even within same VLAN)
         May still access external networks (e.g., Internet)
         Example use: email or DB servers needing isolation
       Community VLAN
         Hosts can communicate within same VLAN
         Cannot talk to other community VLANs
         Optional external access
         Example use: departmental workstations or customer devices
36
Q

VLAN Configuration & Maintenance

A
  • show vlan command:
    o Lists VLANs recognized by a Cisco switch
    o Output includes: VLAN number, name, status, ports
    o Example: VLAN 18 → "VLAN0018", active, ports Gi1/3 & Gi2/3
    o "Gi1/3" = 3rd port on 1st Gigabit Ethernet module
  • Default VLANs:
    o VLAN 1 and VLANs 1002–1005 are pre-established on Cisco switches
    o Only VLAN 1 typically in use by default
  • VLAN types:
    o Active VLANs use Ethernet (shown as enet)
  • SAID (Security Association Identifier):
    o Identifies VLAN for connectivity devices
    o Default = 100000 + VLAN number (e.g., VLAN 18 → SAID 100018)
  • MTU (Maximum Transmission Unit):
    o Default: 1500 bytes
    o Rarely modified by admins
37
Q

VLAN Assignment Methods

A
  • Static VLAN assignment:
    o Based on switch port connection
  • Dynamic VLAN assignment:
    o Criteria-based assignment:
       MAC address
       Physical location
       User authentication (via RADIUS server)
    o Use cases:
       Different VLANs for same device based on user login
       Unauthenticated or failed-authentication devices placed in quarantine VLAN
       WLAN traffic:
         Grouped in a single VLAN, or
         Segmented by SSID or authentication
38
Q

VLAN Troubleshooting

A
  • Use show vlan to:
    o Verify current VLAN config
    o Identify misconfigurations
  • Common VLAN config errors:
    o Incorrect VLAN assignment:
       Wrong switch port
       VLAN assigned before client authentication
    o Incorrect port mode:
       Endpoints → access mode
       Inter-device connections (multiple VLANs) → trunk mode
    o VLAN isolation:
       Nodes in one VLAN can’t reach others unless routed
       Requires router or Layer 3 switch for inter-VLAN communication
39
Q

VLAN Security & VLAN Hopping Attacks

A
  • VLAN hopping:
    o Attacker forges VLAN tags to access restricted VLANs
  • Methods:
    o Double tagging:
       Two VLAN tags in a frame
       First tag stripped → second (malicious) tag triggers switch to forward to protected VLAN
    o Switch spoofing:
       Attacker mimics trunk connection
       Switch may auto-configure port as trunk
       Attacker injects VLAN traffic into multiple VLANs
40
Q

VLAN Hopping Mitigation

A
  • Avoid using default VLAN
  • Change native VLAN to an unused VLAN ID
  • Disable auto-trunking on ports that don’t need it
  • Set all ports as access ports unless trunking is required
  • Restrict VLANs on trunks:
    o Only specify necessary VLANs
  • Apply physical security:
    o Lock access to network hardware