• 0
Sign in to follow this  
Followers 0

Switch VLANing issue.

Question

Posted

I have a 48 port POE switch,


5 core server are connect into it and in Vlan 1

i have 20 office computer connected to it in vlan2

and 2 AP each suppoert up to 20 user each in vlan 2


is my design secure? or do i need to get a smaller swtich to hold my server in vlan 1

Share this post


Link to post
Share on other sites

67 answers to this question

  • 0

Posted

secure from what standpoint? Just putting devices in different vlans does not make it secure? What ACLs do you have between the vlans?

From the info you have given all that can be assumed is broadcasts will not be seen between vlan1 and vlan2 ;)

Share this post


Link to post
Share on other sites
  • 0

Posted

ok..i will go into more details,

basically....

i have 5 server, 1 of them is a file server which store office files...
the 20 office computer has are able to read/write to a certain directory (eg . Office Doc) in D: drive
but not able to change any setting on this server.


the other 4 server are mail sever and web server etc..

putting them in seperate vlan is not allowing the user to ping or access the server. including the 40 user that are connected wirelessly.


now i wish to include 10 address space(wireless) for guess which only allow browsing of http and nothing else. <--how should i setup this


and putting them all in same switch but in diff vlan, how secure are information is kept?
just like what u said broadcasts should not be seen on different vlan
lets say vlan 1 for server
vlan 2 for users
vlan 3 guess network

Share this post


Link to post
Share on other sites
  • 0

Posted

Again just putting things in vlans does not prevent access.. Unless you don't route between the vlans, which then how do the users access the servers? Kind of pointless to have servers that users can not access.

So do you have a firewall routing traffic between the vlans? Or is the switch just routing intervlan traffic - if so what acls are you putting into place?

You clearly stated "the 20 office computer has are able to read/write to a certain directory" So you must be routing traffic between the vlans, so how are they now secure?

I think you misunderstand what a vlan is, a vlan is just another network segment. What is your security device between them? Firewall, just acls on the switch. What is the exact model of switch, is it layer 4?

If all you have done is create 2 network segments and are now routing traffic between them - all you have done is create 2 different broadcast domains to limit the broadcast traffic the servers will see ;)

If you are not routing traffic between the segments -- how do the uses or guests access your servers services?

Share this post


Link to post
Share on other sites
  • 0

Posted

Any computer or server needing to access each other needs to be on the same VLAN.
Any computer or server not needing to access each other can be put in a different VLAN.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='PeterUK' timestamp='1361198329' post='595528446']
Any computer or server needing to access each other needs to be on the same VLAN.
Any computer or server not needing to access each other can be put in a different VLAN.
[/quote]
This is not true. You can have servers and computers on as many vlans that you want, it is the routing (or layer3) that needs to link them together. Most managed switches are capable of layer 3 these days but there are quite a few that do not and because of this makes vlaning a useless feature on those switches (IMO anyway).

Share this post


Link to post
Share on other sites
  • 0

Posted

^ exactly

The OP has not given enough details for a discussion of any sort of security. Since he states his servers are on 1 vlan, and his users are on another - I have to assume he is routing between them or how would they access the server their files are on?

Now maybe that is the OP issue, maybe he created 2 vlans and he has no routing between them? Yeah that would be secure ;) but kind of useless in accessing user files stored on the server..

If he is just routing between the vlans - then no there is no security by just having the devices on different segments/vlans.. What is handing the routing? Is it the switch just doing intervlan routing.. Unless the switch is capable of acls again we don't have any security.

Now if he has a firewall that is doing the routing between the segments - then sure he could say you can only access IP on server vlan via port 80, or via smb/cifs to different IP in the server vlan from the users/guest vlan.

Need more info from the OP to continue this discussion.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='sc302' timestamp='1361199029' post='595528454']
This is not true. You can have servers and computers on as many vlans that you want
[/quote]
Your saying servers and computers can be on VLAN 1,2,3,4....... even for the same servers and computers I'm not talking about that for the first line yes you could do that but not the second line which is a server to be on VLAN 1 only and a computer not to be on that same VLAN 1 but to be on VLAN 2 only.

VLAN can be flawed even without mirroring in that VLAN 1 is linked to VLAN 3 and VLAN 2 is linked to VLAN 3 with a MAC that is the same in VLAN 1 and VLAN 2 so that when traffic is received by VLAN 3 its sent to a MAC thats in both VLAN 1 and VLAN 2. That shouldn

Share this post


Link to post
Share on other sites
  • 0

Posted

PeterUK sounds like your taking about vlan hopping or attacks against vlans... Sure there are attacks that could allow you to hop vlans.. Now is the switch he is using open to some of these attacks? Not sure since he has not given the details of his switch.

Sure there are mac flooding attacks, there are vlan tagging attacks, there are multicast attacks, encapsulated attacks -- lots of attacks that could be used to hop a vlan or break the switch to bleed traffic between the vlans. Depends on the switch being used how secure it is against such attacks.

But generally speaking you have to assume that traffic between vlans is isolated, are we talking DOD secure or just how companies do business?

Is that what the user is asking? Should he use physical switches vs vlans so that there is a physical separation between the segments? I really am not clear to what the OP is after. But I can tell you with most companies vlans are highly used and considered secure.. Now what might be required in a DOD or government network -- they might not allow just vlans and require physical network segments?

From the info given I would be more worried about using wireless AP on the same vlan/segment as the users than being worried about only vlan separation between his users and his servers.

Share this post


Link to post
Share on other sites
  • 0

Posted

never stated vlans in itself was secure. It really doesn't matter what vlan servers are on, in many instances the vlans are quite open. There are other things that should be added into the network to make your network secure. Install a NAC appliance for instance would make your network pretty secure, well it will keep out unauthorized equipment from attaching to your network anyway, this would "fix" your vlan issue.

http://en.wikipedia.org/wiki/Cisco_NAC_Appliance

Share this post


Link to post
Share on other sites
  • 0

Posted

The OP wants isolated networks but 1 of the 5 servers is a file server which store office files which has to be on the same VLAN as the 20 office computer with the 2 AP by the looks of it.

Share this post


Link to post
Share on other sites
  • 0

Posted

The server doesn't have to be on the same vlan, but it does have to be on an accessible vlan.

server 1 can be on vlan2 and workstations can be on vlan5, vlan2 can access vlan5 and vice versa...provided you have a layer 3 switch or something doing some sort of bridging/routing.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='sc302' timestamp='1361211103' post='595528784']
The server doesn't have to be on the same vlan, but it does have to be on an accessible vlan.

server 1 can be on vlan2 and workstations can be on vlan5, vlan2 can access vlan5 and vice versa...provided you have a layer 3 switch or something doing some sort of bridging/routing.
[/quote]
Because your bridging which is nothing to do with vlan2 can access vlan5 and vice versa it is because of bridging. I doubt bridging is needed in this setup any way.

Share this post


Link to post
Share on other sites
  • 0

Posted

If any server is going to be accessed from any other vlan, you would need to do bridging or you would need to have a second nic in the server attached to the other vlan.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='sc302' timestamp='1361212572' post='595528850']
If any server is going to be accessed from any other vlan, you would need to do bridging or you would need to have a second nic in the server attached to the other vlan.
[/quote]
Whats the difference between accessing the server on a difference VLAN by bridging then accessing the server on the same VLAN without bridging?

Your accessing the server either way.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='PeterUK' timestamp='1361198329' post='595528446']
Any computer or server needing to access each other needs to be on the same VLAN.
Any computer or server not needing to access each other can be put in a different VLAN.
[/quote]
Machines in different VLANs can communicate, it all depends on the ACLs on the device.

It wouldn't be bridging on a L3 switch / router it would be InterVLAN routing.

You don't need two NICs either, you can have a server with a single NIC in VLAN30 which is accessible from VLAN10 and VLAN20, but still have VLAN10 and 20 unable to access each other.

You would have rules allowing traffic from VLAN10 to VLAN30 and VLAN20 to VLAN30, but with an explicit deny rule on traffic from VLAN10 with a destination in VLAN20 and VLAN20 with a destination in VLAN10

Share this post


Link to post
Share on other sites
  • 0

Posted

One requires the proper hardware on the network the other requires the proper hardware in the server.

Share this post


Link to post
Share on other sites
  • 0

Posted

I tend to do this kind of stuff on a single NIC with port tagging and a 'router on a stick' at L3.

Share this post


Link to post
Share on other sites
  • 0

Posted

I haven't seen a switch allow you to have multiple untagged vlans to a port. You can do trunking but you would need an os that would handle that. Then yes you could do that with a tagged port.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='sc302' timestamp='1361213518' post='595528894']
One requires the proper hardware on the network the other requires the proper hardware in the server.
[/quote]
No thats side stepping question bridging breaks VLAN thats the only reason a server on a difference VLAN can be accessed be another VLAN is by bridging even without VLAN you can access the server by bridging.

Share this post


Link to post
Share on other sites
  • 0

Posted

Not exactly. You want to keep the one server accessable to both vlans. How do you do it? Bridging the vlans together or by having multiple nics with each nic in a different vlan.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='sc302' timestamp='1361214187' post='595528938']
I haven't seen a switch allow you to have multiple untagged vlans to a port. You can do trunking but you would need an os that would handle that. Then yes you could do that with a tagged port.
[/quote]

Try this - 24 Port Switch
P1-10 Untagged Members of VLAN10
P11-22 Untagged Members of VLAN20
P23 - Untagged Member of VLAN30
P24 Tagged Member of VLAN 10,20,30
P24 into a VLAN tagging aware router, in my normal case a Cisco or Zyxel USG series.

Share this post


Link to post
Share on other sites
  • 0

Posted

How and the hell did bridging come up? I doubt the user is doing any bridging..

I would wait to hear back from the OP before any continued discussion. Unless you feel you understand what the user is asking? I am not clear what he wants. Now that I reread what he posted, he might just be asking if vlans in general are secure enough - or should he break it out to a physical switch.

Comes down to what security policy your trying to adhere too -- yes in day to day businesses vlans are more than enough for separation. Keep in mind that yes their are attacks for hoping vlans, etc. But generally speaking your fine, we run multiple customers traffic over switches with just vlan isolation between the segments.

My point was that if you route traffic between the vlans - then vlans are not the security barrier, that would be where you route between them.

Share this post


Link to post
Share on other sites
  • 0

Posted

Is bridging not the term when connecting two networks together. In essence connecting vlans together (whether it be via a router or internally on a switch) is a form of bridging although that term really doesn't mean a whole hill of beans in today's networks. Dig deep to old school days.

[quote name='grunger106' timestamp='1361217106' post='595529048']
Try this - 24 Port Switch
P1-10 Untagged Members of VLAN10
P11-22 Untagged Members of VLAN20
P23 - Untagged Member of VLAN30
P24 Tagged Member of VLAN 10,20,30
P24 into a VLAN tagging aware router, in my normal case a Cisco or Zyxel USG series.
[/quote]
Oh my. You completely missed it. Was talking about a server not a hardware router. I can do similar with VMware and hyper-v nothing to try there I know what it does and how it works. Like I said you need an os that supports it.

Trying not to add any other pieces of networking hardware other than the switch itself or the servers to stay on topic.

There are several key pieces that we don't know. First what is meant by secure (inside attack, outside attack, malware attack, who knows maybe by this vague description he wants to know if he is secure from a std his girlfriends sister has who he never met...might as well be, we have about enough information to possibly to come to a conclusion about that). Second we know very little about his network, it's got vlans and what are we supposed to be able to tell with that information? I have some or all of the parts to put you in orbit, is it possible..that is similar to all of the information that was given in the initial post. Third, what exactly is he trying to accomplish? By attempting to understand the the limited information given he may not have the proper hardware and/or software in place to make this work.

Share this post


Link to post
Share on other sites
  • 0

Posted

Short answer: Not secure
Long answer: We need more idea of your setup - perhaps a diagram and parts list.

On a basic theory level VLANs are no more secure than having 3 different physical switches. It's all in how you connect them together that counts.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='sc302' timestamp='1361217658' post='595529070']
Is bridging not the term when connecting two networks together. In essence connecting vlans together is a form of bridging although that term really doesn't mean a whole hill of beans in today's networks. Dig deep to old school days.


Oh my. You completely missed it. Was talking about a server not a hardware router. I can do similar with VMware and hyper-v nothing to try there I know what it does and how it works. Like I said you need an os that supports it.

Trying not to add any other pieces of networking hardware other than the switch itself or the servers to stay on topic.

There are several key pieces that we don't know. First what is meant by secure (inside attack, outside attack, malware attack, who knows maybe by this vague description he wants to know if he is secure from a std his girlfriends sister has who he never met...might as well be, we have about enough information to possibly to come to a conclusion about that). Second we know very little about his network, it's got vlans and what are we supposed to be able to tell with that information? I have some or all of the parts to put you in orbit, is it possible..that is similar to all of the information that was given in the initial post. Third, what exactly is he trying to accomplish? By attempting to understand the the limited information given he may not have the proper hardware and/or software in place to make this work.
[/quote]

Ah, fair point. Just the servers and the switch itself with potentially no L3 gear.
Sorry my bad, I was thinking of how I'd do it and forgetting the OP's question......
To which the real answer is, we need more info.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.