
Is bridging not the term when connecting two networks together? In essence, connecting vlans together is a form of bridging, although that term really doesn't mean a whole hill of beans in today's networks. Dig deep into the old school days.

Oh my. You completely missed it. I was talking about a server, not a hardware router. I can do similar with VMware and Hyper-V; nothing to try there, I know what it does and how it works. Like I said, you need an OS that supports it.

Trying not to add any other pieces of networking hardware other than the switch itself or the servers to stay on topic.

There are several key pieces that we don't know. First, what is meant by secure (inside attack, outside attack, malware attack, who knows, maybe by this vague description he wants to know if he is secure from an STD his girlfriend's sister has who he never met... might as well be, we have about enough information to possibly come to a conclusion about that). Second, we know very little about his network; it's got vlans, and what are we supposed to be able to tell with that information? "I have some or all of the parts to put you in orbit, is it possible?"... that is similar to all of the information that was given in the initial post. Third, what exactly is he trying to accomplish? Attempting to understand the limited information given, he may not have the proper hardware and/or software in place to make this work.

Ah, fair point. Just the servers and the switch itself with potentially no L3 gear.

Sorry my bad, I was thinking of how I'd do it and forgetting the OP's question......

To which the real answer is, we need more info.

"On a basic theory level VLANs are no more secure than having 3 different physical switches."

I think I would reword that a bit.

At some level vlans could be considered less secure than physical switches, because in theory it is possible to hop vlans.

But without more info to go on, we don't have the context of what he is considering security issues. In day to day business, normally vlans are sufficient in isolation without having to use physical switches for each segment.

Without context, it is impossible to say if vlans are sufficient for your security requirements or not. Generally speaking I would say yes, they are.

[diagram: ErYrUvL.jpg]

Let's say vlan 1 for servers

vlan 2 for office people

vlan 3 for guests

So to make it simple I make 4 svr on vlan 1

1 file svr and 20 PCs on vlan 2

and vlan 3 will be guests

my security concern here is not to the outside world...

but internally, I do not want any of the office users or the guests to be able to access the server on vlan 1

not only access, but also the broadcasting will not be seen... e.g. pinging..

The question is.... having them on the same switch (layer 3), can this be done?

[diagram: P9bUsr3.jpg]

Or do I need something like this? Another switch?

If we're talking about security isn't the first thing "why is the user actually using VLAN 1, which is typically the default VLAN for all ports on all switches?"

(Cisco) Best Practice states that your ports shouldn't be part of the default native VLAN and change your native VLAN number. Following configuring VLANs, you should configure all your unused ports into a "blackhole" VLAN.

In terms of "Guest" access, yes this can be done with a simple Guest SSID, unique vlan for the Guest network and then ACLs so that only internet access is allowed.

The same can be said for the server that users require access to. All servers in their own VLAN (I would suggest to move away from VLAN 1), with ACLs to ONLY allow users from VLAN 2 to access that specific server.


Ports don't have to be set with a given VLAN, so there is no default VLAN for all ports unless you set all ports in the same VLAN.

Now that we know that he has a layer 3, an ACL will need to be created to explicitly deny access to that vlan if he gives the vlan an address (the gateway address). By default, the layer 3 switch will allow all vlans to communicate with each other if they have an address, and all vlans point to the default gateway.

A layer 3 switch enables bridging and routing out of the box with no other configuration needed other than supplying an IP address to the vlan; you may also need to supply an IP helper to be able to forward DHCP requests to servers not on the same vlan.
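As an added example (not posted by anyone in this thread), here is how the OP's three-VLAN diagram could be laid out on a single Cisco Catalyst layer 3 switch, following the advice above about not leaving anything in VLAN 1 and parking unused ports in a "blackhole" VLAN, and ending with the gateway addresses and IP helper the previous post describes. The VLAN numbers, port ranges, addresses, the DHCP server address and the uplink router address are all assumed values, and the switch is assumed to support `ip routing`.

```cisco
! Added example, not from this thread. Cisco IOS syntax for a layer 3 Catalyst;
! every VLAN number, port range and address below is an assumed value.
!
! Three working VLANs plus one for parking unused ports. Nothing stays in VLAN 1.
vlan 10
 name SERVERS
vlan 20
 name OFFICE
vlan 30
 name GUEST
vlan 40
 name UPLINK
vlan 999
 name BLACKHOLE
!
! Four servers plus the file server on the first five ports
interface range FastEthernet0/1 - 5
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Office PCs
interface range FastEthernet0/6 - 20
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Guest ports
interface range FastEthernet0/21 - 22
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! The one link to the internet router, in its own VLAN (no trunk on a single switch)
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 40
!
! Unused ports: parked in the blackhole VLAN and shut down until they are needed
interface range FastEthernet0/23 - 24 , GigabitEthernet1/2
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Layer 3: one gateway address per VLAN. At this point every VLAN can reach
! every other VLAN, which is exactly why the ACL step has to follow.
ip routing
interface Vlan1
 shutdown
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.10.20
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 ip helper-address 10.0.10.20
interface Vlan40
 ip address 10.0.40.1 255.255.255.0
!
! Default route toward the internet router on VLAN 40 (assumed address)
ip route 0.0.0.0 0.0.0.0 10.0.40.2
```

After this, `show vlan brief` should list no active port in VLAN 1, and `show ip route` should show the four connected networks plus the static default. The `ip helper-address` on the office and guest SVIs relays DHCP broadcasts to the server at 10.0.10.20 (assumed to be the DHCP server) so that clients in those VLANs still get addresses; without it, DHCP would only work for hosts in the same VLAN as the server.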

Only if you set all ports to be on VLAN 1. You can set any port not to be on VLAN 1 and only be on VLAN 2.

I know you can change it, but my point being that the default for all ports out of the box is VLAN1, which when talking about security should be avoided.


Out of the box there are no VLANs set; you can have ports in no VLAN at all. There are MAC tables per VLAN ID for ports in that VLAN ID, and a MAC table for ports without a VLAN set.


What the heck are you talking about? Default config on a 2960, all ports are members of VLAN 1.

Switch#sho vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 


Thanks Trek, was starting to pull my hair out a bit there! My next point of call would've been to illustrate a Cisco default config showing all interfaces in VLAN 1.

So coming back to the security issue, shouldn't we be recommending that the OP does not use VLAN1 first and foremost?

"i do not want any of the office user or the guess be able to access the server on the vlan 1

not only access but also the broadcasting will not be seen...eg pinging.."

What is the point of this setup?? What is the point of servers if you're not going to access them? Are there also guests on vlan 1?

Is this some exercise only?

The point of moving active ports out of vlan 1 is valid, but I think the OP is more just talking 1, 2, 3 to distinguish that they are different, not the actual tag number.

This is common practice to make sure you don't end up with ports in the wrong vlan by accident, etc.

And again, if you can put ACLs or NOT route between the vlans you're fine from a security standpoint, unless you're worried about some internal hackers gaining access to your servers on vlan 1 that nobody accesses. As stated already, common business practice is vlans are fine from a security standpoint. Is your office the DOD? Or a government building? I doubt it, since if it was we wouldn't be having this conversation, since the people setting up the network would not need to ask such questions. You would hope ;)

Keep in mind that some of the attacks against vlans are with trunking, in your 1 switch setup there is no trunking ;)

I would suggest you read this

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

VLAN Security White Paper

This sounds like someone's homework to me, which is why it's a bit woolly, but otherwise this thread is awesome.

Since this is a single switch environment I think it is safe to say that most vlan hopping attacks should not be a problem (as Budman says they occur mostly when trunking is involved)

If this is homework I think we should assume it's going to be a layer 3 switch (OP please confirm) and we need clarification on what exactly the desktop computers should have access to. Then we can discuss ACL creation.

Otherwise there is always community vlans that we could use, place the servers on promiscuous ports to allow desktops to communicate with them, Guest vlan is isolated and an external router on a promiscuous port.

But I think that is overkill and we are overthinking what could be a simple task.


Fine, not all switches are VLAN enabled only with all ports in VLAN 1, but there are switches that implement VLAN so that you have to enable VLAN (namely on some NetGear switches) and VLAN 1 is not the default, and that really should be how it's done, because VLAN is an add-on to a switch: before VLAN there was just a MAC table for all ports, so having a VLAN 1 should not apply to all ports, so that you can have ports on a VLAN and ports not in any VLAN. The confusion here is your switch implements VLAN where all ports are on VLAN 1; that's why you don't know what I'm going on about.

vlan is not an add-on... on low end managed switches it is an enable function, and for the most part low end managed switches only support layer 2 functionality with no interoperating vlans (you cannot have the vlans talk to each other, which is where I figured you were coming from... there is no routing or bridging within a layer 2 switch, that is a layer 3 function). vlans in a layer 2 switch are a near pointless function. I have yet to find a need to enable it; I want all of the ports to function, and maybe I want to segment the network to enable some sort of QoS or perhaps some sort of location based IP scheme, but they may need to communicate with each other or the gateway. Native layer 3 switches, you start off with everything in vlan 1 by default.

He is talking about things like this.

http://www.newegg.co...CFUWd4AodpTEAkQ

vlan capability, no layer 3 switching capability... vlan = pointless. Low end, crappy hardware (most Netgear/Linksys/D-Link/Belkin).

then you have this (notice the considerable price difference, still in the netgear family)

http://www.tigerdire...CFUVN4AodjS8AhQ

In my past job we had a security company come in. We were told to put all the servers in 1 vlan and all the workstations in another. You can then setup access lists to allow only specific ports through to each. At that company we had cisco switches though.

So vlans can be more secure if your switch can route traffic between the two and have access lists for both of them.

Certain higher end layer 2 switches can have 2 vlans talk to each other if you have the ports tagged. Cheaper ones do not do this.

Which is where you're missing the point: the OP does not want 2 VLANs talking to each other.

The OP's second post states the 20 workstations access files on the file server which is on vlan 1. If they access that server through the internet then it wouldn't matter, BUT if they access files on that server through the net then vlan 2 would have to be able to access things on vlan 1.

On bigger switches like the 4108 I use you can tag the vlans and have the file server on both vlans at once. Then just open up access to the one port the file services use.

Some people were saying a layer 2 switch cannot have something on one vlan access something on another vlan which is not true. More expensive layer 2 switches can do this.

The OP is not clear on what he wants done.


Which is why I said put that one server where the 20 workstations can access it, on the same VLAN; the other servers are not in that same VLAN because the 20 workstations have no need to access those servers.

What is wrong with this as posted by the OP apart from other security things?

[diagram: ErYrUvL.jpg]

Totally agree that some measures i.e. moving all ports out of the default VLAN 1 may be overkill. However, the customers that I come across in my job (range from SME to larger enterprises) focus around security and more importantly Best Practice. So naturally the first point of call for me would be those areas.

The simple solution (as already suggested numerous times) would be to segment Servers, Workstations and Guests into 3 different VLANs and just use ACLs.


With more expensive switches you don't have to have that server in the vlan. The Ethernet port it would be connected to would be in vlan 1 but tagged so vlan 2 can access it, BUT you would limit the ports to only the ones file sharing uses, so say port 80 would not be able to go through.

You wouldn't have to have it all on just vlan 2.

It's more secure that way, BUT no mention, I don't think, of what brand and model the switch is.

This way only the specific traffic needed will get to that one file server. If it's in the same vlan as the 20 machines all traffic will hit it.
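As an added example (not from any poster here), these are the ACLs that turn the idea in the last post, and the earlier "create an ACL to explicitly deny access to that vlan" advice, into configuration on a Cisco layer 3 switch: office PCs reach the file server only on the file-sharing ports (plus DNS), reach nothing else in the server VLAN (so no ping), and otherwise get out to the internet; guests get DHCP and the internet and nothing internal. The addressing is assumed: 10.0.10.0/24 for servers with the file server at 10.0.10.20 (also assumed to be the DHCP and DNS server for the office), 10.0.20.0/24 for office PCs and 10.0.30.0/24 for guests, each with its gateway at .1 on the VLAN SVI; the guest DHCP scope is assumed to hand out public DNS servers, since the guest ACL blocks every private address.

```cisco
! Added example, not from this thread. Cisco IOS extended ACLs; addresses assumed:
!   10.0.10.0/24 servers (file server 10.0.10.20, also DHCP/DNS for the office)
!   10.0.20.0/24 office PCs, 10.0.30.0/24 guests, gateway .1 on each VLAN SVI
!
! Office PCs: DHCP relay, then DNS and SMB to the file server only, then a drop
! for the whole server VLAN (ICMP included), then everything else (internet).
ip access-list extended OFFICE-IN
 remark keep DHCP working through ip helper-address on the SVI
 permit udp any eq bootpc any eq bootps
 remark only the file-sharing and DNS ports, and only to the file server
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.20 eq 445
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.20 eq 139
 permit udp 10.0.20.0 0.0.0.255 host 10.0.10.20 eq 53
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.20 eq 53
 remark anything else toward the server VLAN is dropped, including ping
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 remark the rest (internet) is allowed; the implicit deny any any follows
 permit ip 10.0.20.0 0.0.0.255 any
!
! Guests: DHCP, then no private address at all, then the internet
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 10.0.30.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.30.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.0.30.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.0.30.0 0.0.0.255 any
!
! Apply inbound on each VLAN's SVI, where that VLAN's traffic enters routing.
! Order matters: an ACL is read top down and the first match wins, so the
! specific permits sit above the deny for the server VLAN, and that deny sits
! above the catch-all permit.
interface Vlan20
 ip access-group OFFICE-IN in
interface Vlan30
 ip access-group GUEST-IN in
```

Two things to keep in mind when checking this. First, IOS ACLs are stateless: the file server's replies reach the office PCs only because nothing is applied inbound on Vlan10; if an ACL is ever added there, it must permit the reverse direction of every flow allowed here. Second, `show ip access-lists OFFICE-IN` shows a hit counter per line, so a ping from an office PC to 10.0.10.1 or to any server should time out and increment the `deny ip` line, while a file share mapping should increment the `eq 445` line; if the counters land on a different line than expected, the ordering is wrong.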
