Quick Best Practices question on VLANs

Discussion in 'Cisco' started by unix, May 21, 2010.

  1. unix

    unix Guest

    This is my setup:

    Dirty traffic ---> firewall interface on VLAN100 ---> filtered traffic
    to VLAN200 --- server interface on VLAN200.

    Both VLANs are on the same physical switch. I seem to recall from my
    Cisco training (20 years ago) that there was a potential security risk
    putting a "trusted" VLAN on the same switch as a "dirty" VLAN (even if
    there is a firewall between the VLANs). Is this still a concern? I
    don't want the corporate security guys to beat me up some time down
    the road.

    Thanks
    Ron
    unix, May 21, 2010
    #1

  2. unix

    Rob Guest

    Of course you must make sure that the switch does not do L3 routing
    between the VLANs...
    Rob, May 21, 2010
    #2

  3. unix

    Scott Lowe Guest

    On 2010-05-21 10:37:18 -0400, unix said:

    > This is my setup:
    >
    > Dirty traffic ---> firewall interface on VLAN100 ---> filtered traffic
    > to VLAN200 --- server interface on VLAN200.
    >
    > Both VLANs are on the same physical switch. I seem to recall from my
    > Cisco training (20 years ago) that there was a potential security risk
    > putting a "trusted" VLAN on the same switch as a "dirty" VLAN (even if
    > there is a firewall between the VLANs). Is this still a concern? I
    > don't want the corporate security guys to beat me up some time down
    > the road.
    >
    > Thanks
    > Ron
    I'm not an expert (yet), but I believe the concern to which you are
    referring involved VLAN hopping attacks (jumping from one VLAN to
    another VLAN). It's my understanding that most of those concerns have
    been mitigated in recent versions of IOS and can be further mitigated
    with proper configuration of the VLANs and the switches.

    As has also been suggested in this thread, be sure that the switch is
    not doing any Layer 3 routing between VLANs.

    Hope this helps!

    --
    Scott Lowe
    Author, "Mastering VMware vSphere 4" and "VMware vSphere 4
    Administration Instant Reference"
    http://blog.scottlowe.org
    Scott Lowe, May 26, 2010
    #3
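    Both answers above point at things that can be checked mechanically: Rob's "no L3 routing between the VLANs" and Scott's "proper configuration of the VLANs and the switches" against VLAN hopping. The following audit script is an added example, not code from the thread or from any poster; the running-config it inspects is constructed for the poster's VLAN100/VLAN200 layout, and the checks it applies (explicit port mode so DTP cannot negotiate a trunk, an unused native VLAN on trunks, `switchport nonegotiate`, and no routed SVIs on both VLANs alongside `ip routing`) are standard Catalyst hardening items assumed here, not anything the posters spelled out.

```python
# Constructed sample running-config (not from the thread) for one Catalyst switch
# carrying the poster's VLAN100 (firewall outside) and VLAN200 (server side).
SAMPLE_CONFIG = """\
ip routing
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
interface Vlan200
 ip address 198.51.100.1 255.255.255.0
interface GigabitEthernet0/1
 switchport access vlan 100
interface GigabitEthernet0/2
 switchport access vlan 200
 switchport mode access
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 100
"""

def parse_interfaces(config):
    # Map each 'interface X' stanza to its indented config lines.
    blocks, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            blocks[name] = []
        elif name and line.startswith(" "):
            blocks[name].append(line.strip())
        else:
            name = None
    return blocks

def setting(lines, prefix, default=None):
    # Last word of the first line starting with prefix, else default.
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)

def audit(config):
    # Findings that undermine a firewall-between-VLANs design on one switch.
    findings, ifaces = [], parse_interfaces(config)
    svis = [n for n, l in ifaces.items() if n.startswith("Vlan") and setting(l, "ip address")]
    if "ip routing" in config.splitlines() and len(svis) > 1:  # Rob's point: the switch routes around the firewall
        findings.append(f"L3 routing between {svis} bypasses the firewall")
    ports = {n: l for n, l in ifaces.items() if not n.startswith("Vlan")}
    used = {int(setting(l, "switchport access vlan", 0)) for l in ports.values()}
    for name, lines in ports.items():
        mode = setting(lines, "switchport mode")
        if mode in (None, "auto", "desirable"):  # DTP left enabled: the port can be negotiated into a trunk
            findings.append(f"{name}: port mode not pinned to access or trunk")
        elif mode == "trunk":
            native = int(setting(lines, "switchport trunk native vlan", 1))
            if native == 1 or native in used:  # native VLAN shared with hosts enables double-tag hopping
                findings.append(f"{name}: native VLAN {native} carries host traffic")
            if "switchport nonegotiate" not in lines:
                findings.append(f"{name}: trunk still negotiates DTP")
    return findings
```

On the sample above, `audit(SAMPLE_CONFIG)` reports the routed SVIs, the unpinned Gi0/1, and two trunk issues on Gi0/24, while the correctly pinned Gi0/2 produces nothing.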
