Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Switch Security Concerning VLANs


I have a question regarding Security for Inter-VLAN traffic on the same switch.

1. If i have different VLANs configured on the same switch and some of those are NOT supposed to Talk to each other, Is there a way for some person with malicious intent to break this security ? (Other than by "logging into the switch")

i.e If he is a member of one VLAN, Is it safe to say that he won't be able to send traffic to other VLANs what so ever ?

\\ Naman


Re: Switch Security Concerning VLANs

Depending on the level of skill of that person, no it's not safe to assume that the vlans are separate. Vlans by themselves aren't enough security. Please look at these links for more detail: security.html - id number SEC-202 and .

But what you can do is protect yourself via a number of methods, such as: port security/private vlans/disable unused ports/change native vlan of trunks to non-users vlan/set trunking to off on end-user ports/don't use vlan 1/bpdu guards/passwords for vtp/use ssh instead of telnet/etc.

Hope it helps.


New Member

Re: Switch Security Concerning VLANs

Thank you Steve. All of this would be very helpful.

However one part of my question was more specific to this scenario

Lets say the Port X is a member of VLAN Y. The management VLAN of the Switch is A and switch also has other VLANs C,D etc.....

My question is for any REMOTE user, who can ONLY send traffic to Port X. Is it possible for him to somehow send traffic to other VLANs on that switch, while accessing Port X ? OR for that matter, get into Management VLAN ?