TOPIC: VLAN Security (??)

VLAN Security (??) 10 years 6 months ago #13578

Apologies for all the questions, but I'm trying to get this VLAN stuff sorted in my head (yes, I've read two Cisco Press books, and the stuff on this website, which is incidentally better than the Cisco books!).

Now for my question. With VLAN routing via a layer 3 switch, surely the security reasons for using VLANs become a bit pointless (apart from removing broadcasts, that is).

In other words, once the layer 3 'routing' part of the layer 3 switch routes traffic between all VLANs, unless you have decent ACLs in place on this layer 3 switch, surely all machines can connect to each other anyway? I.e. host A (10.20.50.218/16) can happily connect to host B (10.21.50.17/16), as the layer 3 switch will just route traffic between the different VLANs and ultimately the hosts?

Am I missing something here, or is this a correct assumption?

:?

Re: VLAN Security (??) 10 years 6 months ago #13580

  • gibstom
  • New Member
  • Posts: 4
  • Karma: 0
As you said, members of different VLANs can talk to each other only if routing is enabled between them. If you look at it differently, it's entirely for the administrator to decide whether to enable routing between them. Even with routing, a simple ACL can further drill down as to what each host can reach.

The other advantage is broadcast control. It might not make a difference in a 20-50 user office, but when it comes to 500-1000 people per location, you will appreciate what VLANs can do for you.

Re: VLAN Security (??) 10 years 6 months ago #13582

  • havohej
  • Distinguished Member
  • Posts: 152
  • Karma: 0
Hi friend.

I agree with all that was mentioned, and yes, by default if you only enter the "ip routing" command on the multilayer switch, you can route between the subnets of each different VLAN without restrictions.

Another way to control bridged and routed traffic is to use VLAN ACLs, or VLAN maps, so you can control bridged traffic that is crossing the VLAN or the switch where the VLAN map is configured.

When setting up the VLAN ACL, it is quite different from the traditional router ACLs: in a router ACL you define the direction, either in or out, while with a VLAN ACL it is defined on the traffic that is crossing the switch or the VLAN.

You can apply the same VLAN map to only one VLAN or to all the VLANs you want.
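As an added example (not from any of the posters) of the two approaches discussed in this thread, here is a Cisco IOS fragment for a Catalyst multilayer switch: the unrestricted "ip routing" starting point, then a directional ACL on the SVI, then a VLAN map that has no direction. The VLAN IDs, SVI addresses and ACL/map names are assumed; the host addresses come from the question.

```cisco
! Assumed: VLAN 20 = 10.20.0.0/16, VLAN 21 = 10.21.0.0/16, gateways at .0.1.
! Host A = 10.20.50.218 (VLAN 20), host B = 10.21.50.17 (VLAN 21).

! --- Starting point: "ip routing" alone routes freely between every SVI ---
ip routing
interface Vlan20
 ip address 10.20.0.1 255.255.0.0
interface Vlan21
 ip address 10.21.0.1 255.255.0.0
! At this point host A reaches host B on any port, with nothing in the way.

! --- Control 1: routed ACL on the SVI. Direction matters: "in" on Vlan20
!     means traffic arriving from VLAN 20 hosts and heading to be routed ---
ip access-list extended VLAN20-IN
 remark VLAN 20 may only reach host B on tcp/443; all other VLAN 21 access is logged and dropped
 permit tcp 10.20.0.0 0.0.255.255 host 10.21.50.17 eq 443
 deny   ip  10.20.0.0 0.0.255.255 10.21.0.0 0.0.255.255 log
 permit ip  10.20.0.0 0.0.255.255 any
interface Vlan20
 ip access-group VLAN20-IN in
! Only routed traffic is affected: two hosts inside VLAN 20 still talk
! directly, because that traffic is bridged and never touches the SVI.

! --- Control 2: VLAN map (VACL). No in/out; it is applied to every packet
!     crossing VLAN 20, whether bridged within it or routed in or out ---
ip access-list extended TELNET-ANY
 remark in a VACL, "permit" only means "this traffic matches the clause";
 remark the action below decides what happens to it
 permit tcp any any eq 23
vlan access-map VLAN20-MAP 10
 match ip address TELNET-ANY
 action drop
vlan access-map VLAN20-MAP 20
 action forward
vlan filter VLAN20-MAP vlan-list 20
! Sequence 20 is needed: a VLAN map with no matching clause drops the packet,
! so without the final "action forward" all other VLAN 20 traffic would stop.
```

Verify with "show vlan access-map", "show vlan filter" and "show ip access-lists", where the hit counters on the deny line are the quickest way to see what the SVI ACL is actually catching.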

thanks 10 years 6 months ago #13586

Hi all,

Thanks for your replies. Obviously you need to work hard with the ACLs after enabling the inter-VLAN routing.

:)