Switch VLANing issue.


67 replies to this topic

#16 grunger106

grunger106

    Neowinian

  • Joined: 02-August 03
  • Location: London

Posted 18 February 2013 - 18:51

Any computer or server needing to access each other needs to be on the same VLAN.
Any computer or server not needing to access each other can be put in a different VLAN.

Machines in different VLANs can communicate, it all depends on the ACLs on the device.

It wouldn't be bridging on an L3 switch/router; it would be inter-VLAN routing.

You don't need two NICs either, you can have a server with a single NIC in VLAN30 which is accessible from VLAN10 and VLAN20, but still have VLAN10 and 20 unable to access each other.

You would have rules allowing traffic from VLAN10 to VLAN30 and VLAN20 to VLAN30, but with an explicit deny rule on traffic from VLAN10 with a destination in VLAN20 and VLAN20 with a destination in VLAN10.
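The permit/deny layout described in this post, modelled as an added example (my code, not grunger106's and not any vendor's ACL syntax). It assumes one hypothetical /24 subnet per VLAN, a first-match ACL with an implicit deny at the end, and stateless evaluation, so the return path VLAN30 to VLAN10 needs its own permit line. The MISORDERED_ACL variant shows what happens when a broad permit is placed ahead of the explicit deny.

```python
"""Ordered ACL model for a three-VLAN routing policy.

Added example, not code from the thread. Assumptions: each VLAN maps to one
hypothetical /24 subnet, the router applies a first-match ACL with an implicit
deny at the end, and the ACL is stateless (a reply from VLAN30 back to VLAN10
needs its own permit line).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical addressing plan: one /24 per VLAN (constructed for the example).
VLAN_SUBNETS = {
    10: ip_network("10.0.10.0/24"),
    20: ip_network("10.0.20.0/24"),
    30: ip_network("10.0.30.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src_vlan: Optional[int]   # None matches any source VLAN
    dst_vlan: Optional[int]   # None matches any destination VLAN


# The policy from the post: 10<->30 and 20<->30 allowed, 10<->20 explicitly
# denied. The explicit denies sit first so no later permit can shadow them.
INTERVLAN_ACL: List[Rule] = [
    Rule("deny", 10, 20),
    Rule("deny", 20, 10),
    Rule("permit", 10, 30),
    Rule("permit", 30, 10),   # return path: a stateless ACL needs both directions
    Rule("permit", 20, 30),
    Rule("permit", 30, 20),
]

# A misordered variant: a broad "permit anything from VLAN10" placed before the
# deny silently re-opens VLAN10 -> VLAN20. Kept here to show why order matters.
MISORDERED_ACL: List[Rule] = [Rule("permit", 10, None)] + INTERVLAN_ACL


def vlan_of(addr: str) -> Optional[int]:
    """Map an address to its VLAN via the subnet plan; None if not in any VLAN."""
    a = ip_address(addr)
    for vid, net in VLAN_SUBNETS.items():
        if a in net:
            return vid
    return None


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str) -> str:
    """First matching rule wins; traffic matching nothing hits the implicit deny."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    for rule in acl:
        src_ok = rule.src_vlan is None or rule.src_vlan == src
        dst_ok = rule.dst_vlan is None or rule.dst_vlan == dst
        if src_ok and dst_ok:
            return rule.action
    return "deny"


def isolated(acl: List[Rule], vlan_a: int, vlan_b: int) -> bool:
    """True when nothing is permitted between the two VLANs in either direction."""
    a = str(VLAN_SUBNETS[vlan_a].network_address + 1)
    b = str(VLAN_SUBNETS[vlan_b].network_address + 1)
    return evaluate(acl, a, b) == "deny" and evaluate(acl, b, a) == "deny"


if __name__ == "__main__":
    for src, dst in [("10.0.10.5", "10.0.30.7"), ("10.0.10.5", "10.0.20.7"),
                     ("10.0.30.7", "10.0.10.5")]:
        print(src, "->", dst, evaluate(INTERVLAN_ACL, src, dst))
    print("10/20 isolated (correct ACL):", isolated(INTERVLAN_ACL, 10, 20))
    print("10/20 isolated (misordered ACL):", isolated(MISORDERED_ACL, 10, 20))
```

A stateful firewall between the VLANs would make the reverse-direction permits unnecessary; with a plain router ACL, forgetting them is the usual reason "allowed" traffic fails, and a broad permit above the deny is the usual reason "denied" traffic leaks.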


#17 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 23
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 18 February 2013 - 18:51

One requires the proper hardware on the network; the other requires the proper hardware in the server.

#18 grunger106

grunger106

    Neowinian

  • Joined: 02-August 03
  • Location: London

Posted 18 February 2013 - 18:56

I tend to do this kind of stuff on a single NIC with port tagging and a 'router on a stick' at L3.

#19 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 23
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 18 February 2013 - 19:03

I haven't seen a switch allow you to have multiple untagged VLANs on a port. You can do trunking, but you would need an OS that would handle that. Then yes, you could do that with a tagged port.

#20 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 26-March 07

Posted 18 February 2013 - 19:13

One requires the proper hardware on the network; the other requires the proper hardware in the server.

No, that's side-stepping the question. Bridging breaks VLANs; that's the only reason a server on a different VLAN can be accessed by another VLAN is bridging. Even without VLANs you can access the server by bridging.

#21 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 23
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 18 February 2013 - 19:29

Not exactly. You want to keep the one server accessible to both VLANs. How do you do it? Bridging the VLANs together, or by having multiple NICs with each NIC in a different VLAN.

#22 grunger106

grunger106

    Neowinian

  • Joined: 02-August 03
  • Location: London

Posted 18 February 2013 - 19:51

I haven't seen a switch allow you to have multiple untagged VLANs on a port. You can do trunking, but you would need an OS that would handle that. Then yes, you could do that with a tagged port.


Try this - 24 port switch:
P1-10 Untagged Members of VLAN10
P11-22 Untagged Members of VLAN20
P23 Untagged Member of VLAN30
P24 Tagged Member of VLAN 10, 20, 30
P24 into a VLAN-tagging-aware router, in my normal case a Cisco or Zyxel USG series.
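The 24-port layout above, as an added 802.1Q forwarding model (my code, not grunger106's and not any switch vendor's). Each port has one PVID for untagged ingress plus untagged and tagged egress sets; a tagged frame arriving on a port that is not a member of that VLAN is dropped, and an untagged frame arriving on the tag-only trunk P24 is dropped because the model gives it no native VLAN. Both of those are modelling assumptions, not something the post states.

```python
"""802.1Q forwarding model of a 24-port switch with one tagged trunk port.

Added example, not from the thread or any vendor. Assumptions: a port has one
PVID for untagged ingress, a set of VLANs it sends untagged, and a set it sends
tagged; a tagged frame arriving on a port that is not a member of that VLAN is
dropped (ingress filtering on); frames are flooded as if the destination were
unknown, which is what a broadcast or a ping to an unknown host does.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Port:
    pvid: Optional[int]                      # VLAN given to untagged ingress frames
    untagged: FrozenSet[int] = frozenset()   # VLANs this port emits without a tag
    tagged: FrozenSet[int] = frozenset()     # VLANs this port emits with an 802.1Q tag


def build_switch() -> Dict[int, Port]:
    """P1-10 untagged VLAN10, P11-22 untagged VLAN20, P23 untagged VLAN30,
    P24 tagged member of 10, 20 and 30 (the trunk toward the router)."""
    ports: Dict[int, Port] = {}
    for p in range(1, 11):
        ports[p] = Port(pvid=10, untagged=frozenset({10}))
    for p in range(11, 23):
        ports[p] = Port(pvid=20, untagged=frozenset({20}))
    ports[23] = Port(pvid=30, untagged=frozenset({30}))
    ports[24] = Port(pvid=None, tagged=frozenset({10, 20, 30}))
    return ports


def classify_ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN an incoming frame is assigned to, or None if the switch drops it."""
    if tag is None:
        return port.pvid          # untagged frame takes the port's PVID
    if tag in port.tagged:
        return tag                # tagged frame on a port that carries that VLAN
    return None                   # tag for a VLAN this port is not a member of


def flood(ports: Dict[int, Port], in_port: int,
          tag: Optional[int]) -> Dict[int, Optional[int]]:
    """Egress ports for a flooded frame: port -> tag on the wire (None = untagged)."""
    vid = classify_ingress(ports[in_port], tag)
    out: Dict[int, Optional[int]] = {}
    if vid is None:
        return out
    for num, port in ports.items():
        if num == in_port:
            continue
        if vid in port.untagged:
            out[num] = None
        elif vid in port.tagged:
            out[num] = vid
    return out


if __name__ == "__main__":
    sw = build_switch()
    print("broadcast from P1:", flood(sw, 1, None))
    print("VLAN20-tagged frame from the router on P24:", flood(sw, 24, 20))
    print("VLAN20-tagged frame on access port P1:", flood(sw, 1, 20))
```

The model also makes sc302's point concrete: a port has exactly one PVID, so there is no way to express "untagged member of both VLAN10 and VLAN20" for ingress; a server that must sit in several VLANs on one cable needs a tagged port and an OS that understands the tags.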

#23 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 18 February 2013 - 19:53

How in the hell did bridging come up? I doubt the user is doing any bridging..

I would wait to hear back from the OP before any continued discussion. Unless you feel you understand what the user is asking? I am not clear what he wants. Now that I reread what he posted, he might just be asking if vlans in general are secure enough - or should he break it out to a physical switch.

Comes down to what security policy you're trying to adhere to -- yes, in day to day businesses VLANs are more than enough for separation. Keep in mind that yes, there are attacks for hopping VLANs, etc. But generally speaking you're fine; we run multiple customers' traffic over switches with just VLAN isolation between the segments.

My point was that if you route traffic between the vlans - then vlans are not the security barrier, that would be where you route between them.

#24 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 23
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 18 February 2013 - 20:00

Is bridging not the term for connecting two networks together? In essence connecting VLANs together (whether it be via a router or internally on a switch) is a form of bridging, although that term really doesn't mean a whole hill of beans in today's networks. Dig deep to old school days.

Try this - 24 port switch:
P1-10 Untagged Members of VLAN10
P11-22 Untagged Members of VLAN20
P23 Untagged Member of VLAN30
P24 Tagged Member of VLAN 10, 20, 30
P24 into a VLAN-tagging-aware router, in my normal case a Cisco or Zyxel USG series.

Oh my. You completely missed it. I was talking about a server, not a hardware router. I can do similar with VMware and Hyper-V; nothing to try there, I know what it does and how it works. Like I said, you need an OS that supports it.

Trying not to add any other pieces of networking hardware other than the switch itself or the servers to stay on topic.

There are several key pieces that we don't know. First, what is meant by secure (inside attack, outside attack, malware attack, who knows; maybe by this vague description he wants to know if he is secure from an STD his girlfriend's sister has who he never met... might as well be, we have about enough information to possibly come to a conclusion about that). Second, we know very little about his network; it's got VLANs, and what are we supposed to be able to tell with that information? I have some or all of the parts to put you in orbit, is it possible? That is similar to all of the information that was given in the initial post. Third, what exactly is he trying to accomplish? By attempting to understand the limited information given, he may not have the proper hardware and/or software in place to make this work.

#25 simsie

simsie

    Neowinian

  • Joined: 12-February 06
  • Location: Bedfordshire UK

Posted 18 February 2013 - 20:17

Short answer: Not secure
Long answer: We need more idea of your setup - perhaps a diagram and parts list.

On a basic theory level VLANs are no more secure than having 3 different physical switches. It's all in how you connect them together that counts.

#26 grunger106

grunger106

    Neowinian

  • Joined: 02-August 03
  • Location: London

Posted 18 February 2013 - 20:17

Is bridging not the term for connecting two networks together? In essence connecting VLANs together is a form of bridging, although that term really doesn't mean a whole hill of beans in today's networks. Dig deep to old school days.


Oh my. You completely missed it. I was talking about a server, not a hardware router. I can do similar with VMware and Hyper-V; nothing to try there, I know what it does and how it works. Like I said, you need an OS that supports it.

Trying not to add any other pieces of networking hardware other than the switch itself or the servers to stay on topic.

There are several key pieces that we don't know. First, what is meant by secure (inside attack, outside attack, malware attack, who knows; maybe by this vague description he wants to know if he is secure from an STD his girlfriend's sister has who he never met... might as well be, we have about enough information to possibly come to a conclusion about that). Second, we know very little about his network; it's got VLANs, and what are we supposed to be able to tell with that information? I have some or all of the parts to put you in orbit, is it possible? That is similar to all of the information that was given in the initial post. Third, what exactly is he trying to accomplish? By attempting to understand the limited information given, he may not have the proper hardware and/or software in place to make this work.


Ah, fair point. Just the servers and the switch itself with potentially no L3 gear.
Sorry my bad, I was thinking of how I'd do it and forgetting the OP's question......
To which the real answer is, we need more info.

#27 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 18 February 2013 - 20:38

"On a basic theory level VLANs are no more secure than having 3 different physical switches."

I think I would reword that a bit.

At some level VLANs could be considered less secure than physical switches, because in theory it is possible to hop VLANs.

But without more info to go on, we don't have the context of what he is considering security issues. In day to day business, normally VLANs are sufficient for isolation without having to use physical switches for each segment.

Without context, it is impossible to say whether VLANs are sufficient for your security requirements or not. Generally speaking I would say yes, they are.

#28 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 26-March 07

Posted 18 February 2013 - 20:59

How in the hell did bridging come up? I doubt the user is doing any bridging..

Because sc302 wants to prove you can access a different VLAN, not in the same VLAN, which you can do by bridging.

#29 OP Jeff Tan

Jeff Tan

    Neowinian

  • Joined: 22-November 12

Posted 19 February 2013 - 20:40

[attached image]

Let's say VLAN 1 for servers,
VLAN 2 for office people,
VLAN 3 for guests.

So to make it simple, I make 4 servers on VLAN 1,
1 file server and 20 PCs on VLAN 2,
and VLAN 3 will be guests.

My security concern here is not the outside world...

But internally, I do not want any of the office users or the guests to be able to access the servers on VLAN 1.
Not only access, but also the broadcasts will not be seen, e.g. pinging.

The question is: having them on the same switch (layer 3), can this be done?


[attached image]
Or do I need something like this? Another switch?

#30 cawordsworth

cawordsworth

    Neowinian

  • Joined: 07-February 11

Posted 19 February 2013 - 21:02

If we're talking about security isn't the first thing "why is the user actually using VLAN 1, which is typically the default VLAN for all ports on all switches?"

(Cisco) best practice states that your ports shouldn't be part of the default native VLAN and that you should change your native VLAN number. After configuring VLANs, you should configure all your unused ports into a "blackhole" VLAN.

In terms of "Guest" access, yes, this can be done with a simple Guest SSID, a unique VLAN for the Guest network and then ACLs so that only internet access is allowed.

The same can be said for the server that users require access to. All servers in their own VLAN (I would suggest to move away from VLAN 1), with ACLs to ONLY allow users from VLAN 2 to access that specific server.
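The two hygiene points in this post (stop using VLAN 1 and the default native VLAN; park unused ports in a blackhole VLAN), turned into an added audit script. This is my code, not cawordsworth's and not Cisco's. It parses a constructed IOS-style running-config excerpt using real `switchport` command syntax; the interface names, descriptions and the blackhole VLAN number 999 are assumptions for the sample.

```python
"""Audit a switch configuration for default-VLAN and blackhole-VLAN hygiene.

Added example, not from the thread or from Cisco. It parses a constructed
IOS-style running-config excerpt (sample below, not from a real device) and
flags: access ports left in the default VLAN 1, trunks still using native
VLAN 1, and shut-down ports not parked in the blackhole VLAN. The blackhole
VLAN number 999 is an assumption; use whatever your site has chosen.
"""
import re
from typing import Dict, List, Tuple

DEFAULT_VLAN = 1
BLACKHOLE_VLAN = 999   # assumption: the parking VLAN for unused ports

# Constructed sample config excerpt (IOS-style syntax, invented interface names).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description server-01
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description office-pc-left-on-vlan-1
 switchport mode access
!
interface GigabitEthernet0/3
 description unused-parked
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet0/4
 description unused-not-parked
 switchport mode access
 shutdown
!
interface GigabitEthernet0/23
 description uplink-ap
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 20,30,99
!
interface GigabitEthernet0/24
 description uplink-router-native-vlan-1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
"""


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Collect per-interface switchport settings, applying the IOS defaults
    (access mode, access VLAN 1, native VLAN 1, not shut down)."""
    interfaces: Dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = {"mode": "access", "access_vlan": DEFAULT_VLAN,
                       "native_vlan": DEFAULT_VLAN, "shutdown": False}
            interfaces[m.group(1)] = current
            continue
        if current is None or not line.startswith(" "):
            current = None          # "!" or any other top-level line ends the block
            continue
        cmd = line.strip()
        if cmd == "switchport mode trunk":
            current["mode"] = "trunk"
        elif cmd == "switchport mode access":
            current["mode"] = "access"
        elif cmd.startswith("switchport access vlan "):
            current["access_vlan"] = int(cmd.split()[-1])
        elif cmd.startswith("switchport trunk native vlan "):
            current["native_vlan"] = int(cmd.split()[-1])
        elif cmd == "shutdown":
            current["shutdown"] = True
    return interfaces


def audit(interfaces: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for the three hygiene checks."""
    findings: List[Tuple[str, str]] = []
    for name, itf in interfaces.items():
        if itf["mode"] == "access":
            if itf["access_vlan"] == DEFAULT_VLAN:
                findings.append((name, "access port still in default VLAN 1"))
            if itf["shutdown"] and itf["access_vlan"] != BLACKHOLE_VLAN:
                findings.append((name, "unused port not parked in blackhole VLAN"))
        elif itf["native_vlan"] == DEFAULT_VLAN:
            findings.append((name, "trunk still uses native VLAN 1"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{name}: {finding}")
```

Run against a real `show running-config` dump, the same three checks give a quick answer to the "why is VLAN 1 still in use" question before any ACL work starts; the defaults applied in `parse_interfaces` are what make a port with no `switchport access vlan` line show up as a finding.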


