VLAN Security vs. Inter-VLAN Routing

Discussion in 'Cisco' started by JohnD, Dec 18, 2007.

  1. JohnD

    JohnD Guest

    From the Cisco website:

    "VLANs address scalability, security, and network management"

    However, once you introduce inter-vlan routing, doesn't the security aspect
    of VLANs pretty much go out the window? In other words, using simple vlans
    if I have a computer in port 2/vlan 2, it's not supposed to be able to talk
    to a computer in port 3/vlan 3. But if I implement inter-vlan routing, then
    the computer on port 2 now knows how to get to the computer on port 3, thus
    the inherent security (such as it is) in VLANs is no longer applicable? Is
    this correct?

    If so, I presume the answer is to start using ACLs if security is still a
    concern.

    Thanks.
     
    JohnD, Dec 18, 2007
    #1

  2. Trendkill

    Trendkill Guest

    On Dec 18, 4:26 pm, "JohnD" <> wrote:
    > From the Cisco website:
    >
    > "VLANs address scalability, security, and network management"
    >
    > However, once you introduce inter-vlan routing, doesn't the security aspect
    > of VLANs pretty much go out the window? In other words, using simple vlans
    > if I have a computer in port 2/vlan 2, it's not supposed to be able to talk
    > to a computer in port 3/vlan 3. But if I implement inter-vlan routing, then
    > the computer on port 2 now knows how to get to the computer on port 3, thus
    > the inherent security (such as it is) in VLANs is no longer applicable? Is
    > this correct?
    >
    > If so, I presume the answer is to start using ACLs if security is still a
    > concern.
    >
    > Thanks.


    Technically and from a layer 3 security perspective, you are correct.
    A default gateway would get them to the router, which would then
    forward on traffic as necessary. However, vlans are still layer 2
    secure as they create logical separation to prevent things like
    sniffing, man in the middle, etc, from nodes that are not on the same
    network. However, you can still do these things if a box on the local
    network has an open communication stream with the destination box.
    Either way, I agree completely with what you are saying, but I think
    they are talking about the lower level security features of
    separation, which may or may not be adequate depending on what you are
    trying to protect/secure.
     
    Trendkill, Dec 18, 2007
    #2

  3. JohnD

    Guest

    On Dec 18, 1:26 pm, "JohnD" <> wrote:
    > From the Cisco website:
    >
    > "VLANs address scalability, security, and network management"
    >
    > However, once you introduce inter-vlan routing, doesn't the security aspect
    > of VLANs pretty much go out the window? In other words, using simple vlans
    > if I have a computer in port 2/vlan 2, it's not supposed to be able to talk
    > to a computer in port 3/vlan 3. But if I implement inter-vlan routing, then
    > the computer on port 2 now knows how to get to the computer on port 3, thus
    > the inherent security (such as it is) in VLANs is no longer applicable? Is
    > this correct?
    >
    > If so, I presume the answer is to start using ACLs if security is still a
    > concern.
    >
    > Thanks.


    JohnD,

    Trendkill pretty much nailed it down. VLANs provide a lot of benefits,
    Layer 2 security being just one of them. It can provide broadcast
    segmentation as well, keeping subnet broadcasts from overwhelming what
    could normally take out a flat network. Also, some Cisco equipment has
    the ability to run things like Private VLANs now that would allow you
    to isolate your networks even more. You can find more info on that
    here:

    http://blogs.interfacett.com/mike-s...nting-private-vlans-how-they-really-work.html

    HTH,
    neteng
    http://blog.humanmodem.com
     
    , Dec 18, 2007
    #3
  4. stephen

    stephen Guest

    "JohnD" <> wrote in message
    news:...
    > From the Cisco website:
    >
    > "VLANs address scalability, security, and network management"
    >
    > However, once you introduce inter-vlan routing, doesn't the security aspect
    > of VLANs pretty much go out the window? In other words, using simple vlans
    > if I have a computer in port 2/vlan 2, it's not supposed to be able to talk
    > to a computer in port 3/vlan 3. But if I implement inter-vlan routing, then
    > the computer on port 2 now knows how to get to the computer on port 3, thus
    > the inherent security (such as it is) in VLANs is no longer applicable? Is
    > this correct?


    you are making at least 2 assumptions - that you route between all vlans and
    that you use a router to link the vlans.

    so - you can leave a vlan isolated.

    you can use VRF lite on a router or a firewall to restrict what goes where.
    Or you might use a proxy server?
    >
    > If so, I presume the answer is to start using ACLs if security is still a
    > concern.
    >

    that's one way.

    vlans can provide L2 separation / segregation (although there are some ways
    to "jump" between them on some kit), but if you have a higher level bit of
    connectivity then controlling what goes where has to happen at that higher
    level.

    > Thanks.

    --
    Regards

    - replace xyz with ntl
     
    stephen, Dec 18, 2007
    #4
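As an added example (not posted by anyone in this thread), the points made by Trendkill and stephen in one Cisco IOS configuration for a Layer 3 switch: VLANs 2 and 3 are routed but filtered by an ACL on the SVI, while a third VLAN is left isolated with no SVI at all. The VLAN 4, the interface names and the 10.0.x.0/24 addressing are constructed for illustration.

```cisco
! Added example, not from the thread: Cisco IOS config for a Layer 3 switch.
! VLAN 4, the VLAN names, the port names and the 10.0.x.0/24 addresses are constructed.
vlan 2
 name USERS
vlan 3
 name SERVERS
vlan 4
 name ISOLATED
!
ip routing
!
! Routing between VLAN 2 and VLAN 3 exists, so the control has to live at
! Layer 3: users reach the server subnet only on TCP 443, any other traffic
! from VLAN 2 into VLAN 3 is dropped and logged, and everything else
! (e.g. toward the default route) is still allowed.
ip access-list extended USERS-IN
 permit tcp 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255 eq 443
 deny   ip  10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255 log
 permit ip  10.0.2.0 0.0.0.255 any
!
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
 ip access-group USERS-IN in
 no shutdown
!
interface Vlan3
 ip address 10.0.3.1 255.255.255.0
 no shutdown
!
! VLAN 4 deliberately gets no SVI: with no Layer 3 interface nothing routes
! into or out of it, which is the "leave a vlan isolated" option.
!
! Access ports. Hard-coding the mode and disabling DTP negotiation closes the
! trunk-negotiation route for "jumping" between VLANs mentioned above.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 3
 switchport nonegotiate
```

Note that only traffic entering the switch from VLAN 2 is filtered here; server-initiated traffic from VLAN 3 toward VLAN 2 is not, so apply a matching ACL on Vlan3 if that direction matters.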
