Restricting machines to a single VLAN

Answered Question
Oct 27th, 2008

Hi all,


I am trying to figure out if there is a way to stop a single machine from possibly acting as a bridge between VLANs. Assuming there are two VLANs (10 being operations and 20 being secure), how can one ensure that a machine cannot be added with two network cards, connecting one to VLAN10 and the other to VLAN20? Of course, being a secure VLAN, we would restrict which MAC addresses can connect to a VLAN20 port.


Any ideas? Is this just a risk that a client must accept when using VLANs for security rather than separate switches?

Correct Answer by Jon Marshall about 8 years 5 months ago

This has nothing to do with VLANs as such, because the same would still apply if you used separate physical switches, i.e. sw1 for VLAN 10 and sw2 for VLAN 20, and then you connected a PC with 2 NICs, one to each switch.


If a user could add another NIC and has the capability to connect his 2 NICs to two different VLANs/switches within your network, then you have some very serious physical security problems.


I guess what I'm trying to say is that yes, you can use port security etc., but the sort of problem you are outlining is much better dealt with at the procedures/physical level.


Jon
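As an added illustration (not part of the original thread), below is what the "port security" Jon mentions, combined with the MAC restriction the question already plans for VLAN20, looks like on a Cisco IOS access switch. The interface name, the 5-minute recovery timer and the example MAC address are assumptions; the VLAN numbers are the ones from the question. Note the limit this thread is really about: the switch can restrict which MAC may use a VLAN20 port, but it has no way of knowing that the machine behind that MAC also has a second NIC plugged into a VLAN10 port, which is why the answer points at physical and procedural controls.

```cisco
! Added example, not from the original post. Cisco IOS port security on a
! VLAN20 ("secure") access port. Interface, timer and MAC address are assumed.
!
interface GigabitEthernet1/0/20
 description Secure VLAN workstation (VLAN 20)
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 ! Exactly one MAC address allowed on this port; the first one seen is
 ! learned and written into the running config ("sticky"), so a swapped
 ! device trips a violation. violation shutdown err-disables the port.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! If the host ever starts acting as a bridge with STP enabled (e.g. a
 ! Linux bridge with stp on) it will emit BPDUs; BPDU guard err-disables
 ! the port when that happens. This does not catch a plain dual-homed
 ! host that merely routes or bridges without STP.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Alternative to sticky learning: pin the permitted MAC explicitly
! (constructed address, replace with the real workstation's MAC).
! interface GigabitEthernet1/0/20
!  switchport port-security mac-address 0011.2233.4455
!
! Bring err-disabled ports back after 300 s so a violation is still
! visible in the logs and counters but does not require a site visit.
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification, from privileged exec mode:
!   show port-security interface GigabitEthernet1/0/20
!     -> Port Status (Secure-up / Secure-shutdown), Violation Count,
!        Last Source Address:Vlan
!   show port-security address
!     -> the secured MAC per port and VLAN
!   show interfaces status err-disabled
!     -> ports currently shut down by a violation or BPDU guard
```

Per-port MAC pinning only answers "which NIC may talk on this port"; as the answer says, whether the box behind that NIC is also cabled into VLAN 10 is a physical-access and procedure question, not a switch-configuration one.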


MIWConsulting Mon, 10/27/2008 - 09:02

Thank you very much! I was assuming that I would have to insist that a policy would be in place whereby all workstations would have to be physically locked so that users would not be able to add a network (easily).


Thanks for confirming my thoughts!
