VLAN Security vs. Inter-VLAN Routing

12-18-2007

From the Cisco website:

"VLANs address scalability, security, and network management"

However, once you introduce inter-vlan routing, doesn't the security aspect
of VLANs pretty much go out the window? In other words, using simple vlans
if I have a computer in port 2/vlan 2, it's not supposed to be able to talk
to a computer in port 3/vlan 3. But if I implement inter-vlan routing, then
the computer on port 2 now knows how to get to the computer on port 3, thus
the inherent security (such as it is) in VLANs is no longer applicable? Is
this correct?

If so, I presume the answer is to start using ACLs if security is still a
concern.

Thanks.

12-18-2007

On Dec 18, 4:26 pm, "JohnD" <Jo...@JohnDdotNet.net> wrote:
> From the Cisco website:
>
> "VLANs address scalability, security, and network management"
>
> However, once you introduce inter-vlan routing, doesn't the security aspect
> of VLANs pretty much go out the window? In other words, using simple vlans
> if I have a computer in port 2/vlan 2, it's not supposed to be able to talk
> to a computer in port 3/vlan 3. But if I implement inter-vlan routing, then
> the computer on port 2 now knows how to get to the computer on port 3, thus
> the inherent security (such as it is) in VLANs is no longer applicable? Is
> this correct?
>
> If so, I presume the answer is to start using ACLs if security is still a
> concern.
>
> Thanks.

Technically and from a layer 3 security perspective, you are correct.
A default gateway would get them to the router, which would then
forward on traffic as necessary. However, vlans are still layer 2
secure as they create logical separation to prevent things like
sniffing, man in the middle, etc, from nodes that are not on the same
network. However, you can still do these things if a box on the local
network has an open communication stream with the destination box.
Either way, I agree completely with what you are saying, but I think
they are talking about the lower level security features of
separation, which may or may not be adequate depending on what you are
trying to protect/secure.

12-18-2007

On Dec 18, 1:26 pm, "JohnD" <Jo...@JohnDdotNet.net> wrote:
> From the Cisco website:
>
> "VLANs address scalability, security, and network management"
>
> However, once you introduce inter-vlan routing, doesn't the security aspect
> of VLANs pretty much go out the window? In other words, using simple vlans
> if I have a computer in port 2/vlan 2, it's not supposed to be able to talk
> to a computer in port 3/vlan 3. But if I implement inter-vlan routing, then
> the computer on port 2 now knows how to get to the computer on port 3, thus
> the inherent security (such as it is) in VLANs is no longer applicable? Is
> this correct?
>
> If so, I presume the answer is to start using ACLs if security is still a
> concern.
>
> Thanks.

JohnD,

Trendkill pretty much nailed it down. VLANs provide a lot of benefits,
Layer 2 security being just one of them. It can provide broadcast
segmentation as well, keeping subnet broadcasts from overwhelming what
could normally take out a flat network. Also, some Cisco equipment has
the ability to run things like Private VLANs now that would allow you
to isolate your networks even more. You can find more info on that
here:

http://blogs.interfacett.com/mike-st...ally-work.html

HTH,
neteng
http://blog.humanmodem.com

12-18-2007

"JohnD" <> wrote in message
news:...
> From the Cisco website:
>
> "VLANs address scalability, security, and network management"
>
> However, once you introduce inter-vlan routing, doesn't the security
aspect
> of VLANs pretty much go out the window? In other words, using simple
vlans
> if I have a computer in port 2/vlan 2, it's not supposed to be able to
talk
> to a computer in port 3/vlan 3. But if I implement inter-vlan routing,
then
> the computer on port 2 now knows how to get to the computer on port 3,
thus
> the inherent security (such as it is) in VLANs is no longer applicable?
Is
> this correct?

you are making at least 2 assumptions - that you route between all vlans and
that you use a router to link the vlans.

so - you can leave a vlan isolated.

you can use VRF lite on a router or a firewall to restrict what goes where.
Or you might use a proxy server?
>
> If so, I presume the answer is to start using ACLs if security is still a
> concern.
>
thats one way.

vlans can provide L2 separation / segregation (although there are some ways
to "jump" between them on some kit), but if you have a higher level bit of
connectivity then controlling what goes where has to happen at that higher
level.

> Thanks.
--
Regards

- replace xyz with ntl

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
VLan OR NO VLan	rahul_hotin	Cisco	1	04-27-2005 04:38 AM
native vlan mismatch on 2 2924 switches w/ only 1 vlan defined (same on both switches)	avraham shir-el	Cisco	4	07-20-2004 08:08 AM
HI, I have some question about native vlan and default vlan.	PS2 gamer	Cisco	1	05-28-2004 11:47 AM
Auxiliary VLAN V VLan	Neil Rowland	Cisco	1	04-14-2004 02:03 PM
VLAN or Not to VLAN	Paul	Cisco	0	10-27-2003 06:16 PM