Switch VLANing issue.


67 replies to this topic

#31 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 5
  • Joined: 26-March 07

Posted 19 February 2013 - 21:54

If we're talking about security isn't the first thing "why is the user actually using VLAN 1, which is typically the default VLAN for all ports on all switches?"

Ports don't have to be set with a given VLAN so there is no default VLAN for all ports unless you set all ports in the same VLAN.


#32 cawordsworth

cawordsworth

    Neowinian

  • Joined: 07-February 11

Posted 19 February 2013 - 22:04

Ports don't have to be set with a given VLAN so there is no default VLAN for all ports unless you set all ports in the same VLAN.


All ports on a managed switch are part of VLAN 1 by default, mate.

#33 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 5
  • Joined: 26-March 07

Posted 19 February 2013 - 22:11

All ports on a managed switch are part of VLAN 1 by default, mate.

Only if you set all ports to be on VLAN 1. You can set any port not to be on VLAN 1 and only be on VLAN 2.

#34 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 36
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 19 February 2013 - 22:23

Now that we know that he has a layer 3, an acl will need to be created to explicitly deny access to that vlan if he gives the vlan an address (the gateway address). By default, the layer 3 switch will allow all vlans to communicate with each other if they have an address, and all vlans point to the default gateway.

A layer 3 switch enables bridging and routing out of the box with no other configuration needed other than supplying an IP address to the vlan; you may also need to supply an ip helper to be able to forward dhcp requests to servers not on the same vlan.

#35 cawordsworth

cawordsworth

    Neowinian

  • Joined: 07-February 11

Posted 19 February 2013 - 22:42

Only if you set all ports to be on VLAN 1. You can set any port not to be on VLAN 1 and only be on VLAN 2.


I know you can change it, but my point being that the default for all ports out of the box is VLAN 1, which when talking about security should be avoided.

#36 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 5
  • Joined: 26-March 07

Posted 19 February 2013 - 23:08

I know you can change it, but my point being that the default for all ports out of the box is VLAN 1, which when talking about security should be avoided.

Out of the box there are no VLANs set; you can have ports in no VLAN at all. There are MAC tables per VLAN ID for ports in that VLAN ID, and a MAC table for ports without a VLAN set.

#37 trek

trek

    Neowinian Senior

  • Joined: 11-August 02
  • Location: Vancouver, Canada

Posted 20 February 2013 - 03:04

Out of the box there are no VLANs set; you can have ports in no VLAN at all. There are MAC tables per VLAN ID for ports in that VLAN ID, and a MAC table for ports without a VLAN set.


What the heck are you talking about? Default config on a 2960, all ports are members of VLAN 1.

Switch#sho vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 



#38 cawordsworth

cawordsworth

    Neowinian

  • Joined: 07-February 11

Posted 20 February 2013 - 09:46

What the heck are you talking about? Default config on a 2960, all ports are members of VLAN 1.

Switch#sho vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup


Thanks Trek, was starting to pull my hair out a bit there! My next point of call would've been to illustrate a Cisco default config showing all interfaces in VLAN 1.

So coming back to the security issue, shouldn't we be recommending that the OP does not use VLAN1 first and foremost?

#39 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 107
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 20 February 2013 - 10:07

"i do not want any of the office user or the guests be able to access the server on the vlan 1
not only access but also the broadcasting will not be seen...eg pinging.."

What is the point of this setup?? What is the point of servers if you're not going to access them? Are there also guests on vlan1?

Is this some exercise only?

The point of moving active ports out of vlan 1 is valid - but I think the OP is more just talking 1,2,3 to distinguish that they are different, not the actual tag number.

This is common practice to make sure you don't end up with ports in the wrong vlan by accident, etc.

And again if you can put ACLs or NOT route between the vlans you're fine from a security issue - unless you're worried about some internal hackers gaining access to your servers on vlan 1 that nobody accesses. As stated already, common business practice is vlans are fine from a security standpoint. Is your office the DOD? Or a government building? I doubt it - since if it was we wouldn't be having this conversation, since the people setting up the network would not need to ask such questions. You would hope ;)

Keep in mind that some of the attacks against vlans are with trunking, in your 1 switch setup there is no trunking ;)

I would suggest you read this
http://www.cisco.com...08013159f.shtml
VLAN Security White Paper

#40 Teebor

Teebor

    Neowinian Senior

  • Joined: 12-January 10

Posted 20 February 2013 - 10:56

This sounds like someone's homework to me, which is why it's a bit woolly, but otherwise this thread is awesome.

Since this is a single switch environment I think it is safe to say that most vlan hopping attacks should not be a problem (as Budman says they occur mostly when trunking is involved)

If this is homework I think we should assume it's going to be a layer 3 switch (OP please confirm) and we need clarification on what exactly the desktop computers should have access to. Then we can discuss ACL creation.

Otherwise there are always community vlans that we could use: place the servers on promiscuous ports to allow desktops to communicate with them, the Guest vlan is isolated, and an external router on a promiscuous port.
But I think that is overkill and we are overthinking what could be a simple task.

#41 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 5
  • Joined: 26-March 07

Posted 20 February 2013 - 16:59

What the heck are you talking about? Default config on a 2960, all ports are members of VLAN 1.

Fine, not all switches are VLAN enabled only with all ports on VLAN 1, but there are switches that implement VLAN so that you have to enable VLAN (namely on some NetGear switches) and VLAN 1 is not the default, and that really should be how it's done, because VLAN is an add-on to a switch. Before VLAN there was just a MAC table for all ports, so having a VLAN 1 should not apply to all ports, so that you can have ports on a VLAN and ports not in any VLAN. The confusion here is that your switch implements VLAN where all ports are on VLAN 1; that's why you don't know what I'm going on about.

#42 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 36
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 20 February 2013 - 17:11

vlan is not an add-on...to low end managed switches it is an enable function..and for the most part low end managed switches only support layer2 functionality with no interoperatory vlans (you cannot have the vlans talk to each other, which is where I figured you were coming from....there is no routing or bridging within a layer2 switch, that is a layer3 function), vlans in a layer2 switch are a near pointless function. I have yet to find a need to enable it, I want all of the ports to function and maybe I want to segment the network to enable some sort of qos or perhaps some sort of location based ip scheme but they may need to communicate with each other or the gateway. Native Layer 3 switches, you start off with everything in vlan1 by default.

#43 trek

trek

    Neowinian Senior

  • Joined: 11-August 02
  • Location: Vancouver, Canada

Posted 20 February 2013 - 18:13

Am I the only one who is having trouble following what he's saying? PeterUK, can you write more concisely?

#44 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 36
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 20 February 2013 - 18:33

He is talking about things like this.
http://www.newegg.co...CFUWd4AodpTEAkQ

vlan capability, no layer 3 switching capability...vlan=pointless. low end, crappy hardware (most netgear/linksys/dlink/belkin).

then you have this (notice the considerable price difference, still in the netgear family)
http://www.tigerdire...CFUVN4AodjS8AhQ

#45 majortom1981

majortom1981

    The crazy one

  • Tech Issues Solved: 1
  • Joined: 30-November 01

Posted 20 February 2013 - 18:43

In my past job we had a security company come in. We were told to put all the servers in 1 vlan and all the workstations in another. You can then set up access lists to allow only specific ports through to each. At that company we had cisco switches though.

So vlans can be more secure if your switch can route traffic between the two and have access lists for both of them.

Certain higher-end layer 2 switches can have 2 vlans talk to each other if you have the ports tagged. Cheaper ones do not do this.
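As an added example (not posted by anyone in the thread) tying together sc302's point that a layer 3 switch routes between every vlan that has an address until an ACL says otherwise, and majortom1981's setup of servers in one vlan, workstations in another, and access lists allowing only specific ports, here is a Cisco IOS-style configuration. The VLAN numbers, addresses and the single allowed server port are constructed for illustration, and the servers are moved off VLAN 1 as cawordsworth suggests.

```cisco
! Added example, not from the thread: layer 3 switch with servers, office
! and guest in separate VLANs; ACLs limit what the switch will route.
! VLAN numbers, addresses and the allowed port are constructed values.
ip routing
!
vlan 10
 name servers
vlan 20
 name office
vlan 30
 name guest
!
! One gateway address per VLAN. With no ACL, every VLAN that has an SVI
! can reach every other one (the default sc302 describes).
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
! Office and guest relay DHCP to the server at 10.0.10.5 (constructed).
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.10.5
 ip access-group OFFICE-IN in
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 ip helper-address 10.0.10.5
 ip access-group GUEST-IN in
!
! Office: keep DHCP working, allow only the file-server port to the
! server, deny and log anything else toward the server subnet, rest out.
ip access-list extended OFFICE-IN
 permit udp any eq bootpc any eq bootps
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.5 eq 445
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 log
 permit ip any any
!
! Guest: DHCP only, then nothing internal (all of 10/8), internet is fine.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 10.0.30.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip any any
!
! Move the access ports out of VLAN 1 so nothing stays in the default VLAN.
interface range FastEthernet0/1 - 8
 switchport mode access
 switchport access vlan 10
interface range FastEthernet0/9 - 24
 switchport mode access
 switchport access vlan 20
```

The `deny ... log` entries give you a record of blocked office or guest attempts against the server subnet; in a single-switch setup with no trunk ports the trunking attacks BudMan mentions do not apply, so the ACLs are what actually enforce the separation.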