Bytes | Developer Community
VLAN Question

I have a question about security of VLANs that I'm setting up for a friend of mine's business.

General Network Setup. There is a hard wired internal network, that has a firewall protecting it from a perimeter network, which in turn has a firewall protecting it from the open internet. The perimeter network is a mix of wired and wireless connections.

The issue is they are expanding and would need more ports in a different part of the building, and there would be a mix of ports belonging to either the internal or the perimeter network. There will be two physically separate links run to the new switching area, one for the internal and one for the perimeter.

He is on a budget so I was trying to cut cost but still provide for scalability and security. Initially I wanted to make sure he had roughly 24 ports available for each of the two networks. I saw that one 48-port switch is cheaper than two 24-port switches and in the future, if need be, I could buy a second switch. Plus, more than likely the internal network will be heavier on ports than the perimeter, so I would be able to mix the ports as necessary if it's all on one switch.

So my question is, how secure is it (how hard would it be to jump between VLANs) if the only spot they physically touch is the one switch?
Jul 9 '16 #1
4 Replies
ryno du preez
It is not hard to reach your end goal if you use a manageable switch that you can configure to allow your IP ranges to the new switches. But this, of course, depends on your core switch. You will have to set up the core switch to listen for the VLANs on the attached ports.
Jul 20 '16 #2
I know it's easy to do. The core switches will have no clue that there are VLANs, since the one switch that I have split up will have dedicated links to the two core switches. My question was how hard (how secure) it is to jump between the two VLANs that reside on the same switch. The rest of the networks will all have physically isolated hardware and links.
Jul 22 '16 #3
Expert Mod 512MB
Any network can be hacked, but if you configure the VLANs correctly and do MAC address filtering (i.e., assign each device's MAC address to a specific port), then you would be fine.

If you want to add additional protection and ease of maintenance, you could use PacketFence which is an open source Network Access Control (NAC) package. It uses SNMP traps to monitor and control the switch ports.

We have 35 locations and each location has 30+ switches (managed by PacketFence) with multiple VLANs, and we have not had any security issues.

Regarding the choice between using one 48-port switch vs. two 24-port switches, I'd go with two 24-port switches. The cost difference isn't that much, assuming you're comparing the same brand and class of switches, and the two switches add more flexibility.
Jul 23 '16 #4
You can't "hop" between VLANs on a switch.

They segregate the network; each VLAN is a completely separate little network from the others.

What may be confusing you is that with a router, or a "layer 3" switch (a combo switch-router), you can send data between VLANs. You can secure this flow of traffic using access lists or firewalls etc. But you have to program this data flow in; it won't happen normally.

Your initial idea is right: buy one 48-port switch and configure two separate VLANs, one for phone and one for data let's say, and then just don't program in any inter-VLAN routing. It will be like having two separate switches. You will need trunk links between this switch and your other switches with both VLANs on them.
1 Week Ago #5
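One concrete way to build what the thread describes on the asker's single switch, as an added example that is not from any of the posters. It assumes Cisco IOS-style syntax on a layer-3-capable model, VLAN IDs 10 and 20, ports 1-24 and 25-46 as the two user groups, and ports 47/48 as the two dedicated uplinks; none of these values come from the thread's own equipment.

```cisco
! Added example, not from the thread. Cisco IOS-style config for the
! single 48-port switch in the question. VLAN IDs and ports are assumed.
vlan 10
 name INTERNAL
vlan 20
 name PERIMETER
!
! No "interface Vlan10/20" SVIs and no ip routing: the switch itself has
! no layer-3 path between the VLANs, so traffic can only cross at the
! existing firewalls behind the two core networks.
no ip routing
!
! Uplinks: one plain access port per VLAN, matching the two dedicated
! links the asker described. No trunk and no DTP negotiation.
interface GigabitEthernet1/0/47
 description Uplink-Internal-Core
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
interface GigabitEthernet1/0/48
 description Uplink-Perimeter-Core
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
! User ports: access only, DTP off, port-security pinning one MAC per
! port (the MAC filtering suggested in reply #4), BPDU Guard on edges.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
interface range GigabitEthernet1/0/25 - 46
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Because every port is a fixed access port with negotiation disabled and there is no SVI or routing on the switch, the two VLANs only meet at the core-side firewalls the asker already has; `show port-security interface` on each port confirms the pinned MAC and violation count.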
