VLAN Security vs. Inter-VLAN Routing

Discussion in 'Cisco' started by JohnD, Dec 18, 2007.

  1. JohnD

    JohnD Guest

    From the Cisco website:

    "VLANs address scalability, security, and network management"

    However, once you introduce inter-vlan routing, doesn't the security aspect
    of VLANs pretty much go out the window? In other words, using simple vlans
    if I have a computer in port 2/vlan 2, it's not supposed to be able to talk
    to a computer in port 3/vlan 3. But if I implement inter-vlan routing, then
    the computer on port 2 now knows how to get to the computer on port 3, thus
    the inherent security (such as it is) in VLANs is no longer applicable? Is
    this correct?

    If so, I presume the answer is to start using ACLs if security is still a
    concern.

    Thanks.
     
    JohnD, Dec 18, 2007
    #1
    1. Advertisements

  2. JohnD

    Trendkill Guest

    Technically and from a layer 3 security perspective, you are correct.
    A default gateway would get them to the router, which would then
    forward on traffic as necessary. However, vlans are still layer 2
    secure as they create logical separation to prevent things like
    sniffing, man in the middle, etc, from nodes that are not on the same
    network. However, you can still do these things if a box on the local
    network has an open communication stream with the destination box.
    Either way, I agree completely with what you are saying, but I think
    they are talking about the lower level security features of
    separation, which may or may not be adequate depending on what you are
    trying to protect/secure.
     
    Trendkill, Dec 18, 2007
    #2
    1. Advertisements

  3. JohnD

    pcmccollum Guest

    JohnD,

    Trendkill pretty much nailed it down. VLANs provide a lot of benefits,
    Layer 2 security being just one of them. It can provide broadcast
    segmentation as well, keeping subnet broadcasts from overwhelming what
    could normally take out a flat network. Also, some Cisco equipment has
    the ability to run things like Private VLANs now that would allow you
    to isolate your networks even more. You can find more info on that
    here:

    http://blogs.interfacett.com/mike-s...nting-private-vlans-how-they-really-work.html

    HTH,
    neteng
    http://blog.humanmodem.com
     
    pcmccollum, Dec 18, 2007
    #3
  4. JohnD

    stephen Guest

    you are making at least 2 assumptions - that you route between all vlans and
    that you use a router to link the vlans.

    so - you can leave a vlan isolated.

    you can use VRF lite on a router or a firewall to restrict what goes where.
    Or you might use a proxy server?
    thats one way.

    vlans can provide L2 separation / segregation (although there are some ways
    to "jump" between them on some kit), but if you have a higher level bit of
    connectivity then controlling what goes where has to happen at that higher
    level.
     
    stephen, Dec 18, 2007
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.