Restricting machines to a single VLAN

MIWConsulting
Level 1

Hi all,

I am trying to figure out if there is a way to stop a single machine from possibly acting as a bridge between VLANs. Assuming there are two VLANs (10 being operations and 20 being secure), how can one ensure that a machine cannot be added with two network cards, connecting one to VLAN10 and the other to VLAN20? Of course, being a secure VLAN, we would restrict which MAC addresses can connect to a VLAN20 port.

Any ideas? Is this just a risk that a client must accept when using VLANs for security rather than separate switches?

2 Replies

Jon Marshall
Hall of Fame

This is nothing to do with VLANs as such, because the same would still apply if you used separate physical switches, i.e. sw1 for VLAN 10 and sw2 for VLAN 20, and then you connected a PC with 2 NICs, one to each switch.

If a user could add another NIC and has the capability to connect his 2 NICs to two different VLANs/switches within your network, then you have some very serious physical security problems.

I guess what I'm trying to say is that yes, you can use port-security etc., but the sort of problem you are outlining is much better dealt with at the procedures/physical level.

Jon
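As an added example (not part of Jon's reply or the original thread), this is what "port-security" on a VLAN 20 access port looks like on a Cisco IOS switch: the port accepts exactly one learned MAC address and is err-disabled if a different one appears, which is the MAC restriction the question already assumes. The interface name and recovery interval are assumptions for illustration; as Jon points out, this limits which host is on the VLAN 20 port but does not by itself stop that authorised host from also having a second NIC on VLAN 10.

```cisco
! Added example: hardened access port for the "secure" VLAN 20.
! Interface name is assumed; substitute the real workstation port.
interface GigabitEthernet1/0/20
 description Secure VLAN 20 workstation port
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 ! Port security: allow one MAC, learn it on first use (sticky),
 ! and err-disable the port if any other MAC is seen.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! A workstation port should never receive BPDUs. If a host bridges
 ! its two NICs in software and that bridge speaks spanning tree,
 ! BPDU guard err-disables the port instead of letting it join.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: automatically recover err-disabled ports after 10 minutes
! (assumed interval) so a tripped port still generates a ticket but
! does not need a manual shut/no shut.
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 600
!
! Verification commands:
!   show port-security interface GigabitEthernet1/0/20
!   show port-security address
!   show interfaces status err-disabled
```

The sticky MAC is written to the running configuration, so save it with `write memory` once the intended workstation has been learned, and review `show port-security address` as part of the physical-access procedures Jon recommends.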

Thank you very much! I was assuming that I would have to insist that a policy would be in place whereby all workstations would have to be physically locked so that users would not be able to add a network (easily).

Thanks for confirming my thoughts!
