Cisco Support Community
Community Member

How secure are VLANs?


I am designing a network using the PIX with a DMZ.

i.e. Outside, Inside and middle interface ... simple.

For maximum security I understand I should use 3x "separate" switches (for physical security!).

For cost, it would be nice to use the same Ethernet switch and implement VLANs, i.e. vlan1, vlan2 and vlan3.

I have to weigh cost and security risk. Is it a realistic threat that a hacker can jump VLANs by messing with Ethernet/ISL headers?

All comments are welcome and appreciated. Thanks

Matt C

Community Member

Re: How secure are VLANs?

There was a bug a while ago in Cisco switches that would allow VLAN jumping, but that has been fixed for some time now. Personally, I would never use a VLAN'd switch for the inside, outside, and DMZ. But if you have to, just stay away from using the native vlan on the switch. Keep in mind, you can get 24 port switches for under $1k now.




Re: How secure are VLANs?

A malicious user can cause frames to hop from one VLAN to another depending on the configuration of the switch. This isn't a bug, but rather the result of the dot1q standard and all vendors have this "problem".

As mentioned, don't use native vlans to carry any traffic, and don't provide any trunked ports to any devices. This will mitigate the concerns with VLANs themselves.

The other problem is that a malicious user in the DMZ or on the Outside can hack at the switch itself to gain admin access. If this happens due to poor security configuration of the switch as a host, the attacker could simply move the port of another device on the switch that was formerly in the DMZ/Outside into the inside VLAN, giving full access.

The last problem is that human errors in configuration carry a high risk of creating new problems. With three switches, this isn't a concern as each network segment is both logically and physically separate.

Cisco even has 8 port switches now that are cheap. It's hard to make an argument these days for using one switch for all three purposes.

Community Member

Re: How secure are VLANs?

Thanks for all your help guys.

Your comments are much appreciated.

Community Member

Re: How secure are VLANs?

Just a quick note on the VLAN hopping security risks mentioned. These are mitigated by shutting down VLAN 1. VLAN hopping uses VLAN 1 to inject packets onto other VLANs.
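The mitigations the two replies above describe (no traffic on the native VLAN, no trunk or DTP negotiation offered to hosts, nothing left in VLAN 1) are the kind of thing that gets undone by a later configuration mistake, so a small audit script helps. The following is an added example, not code from the thread or from Cisco: it parses a constructed IOS-style `show running-config` fragment and flags switchports whose settings would allow 802.1Q double tagging or DTP trunk negotiation. Interface names, descriptions and VLAN numbers in the sample are invented.

```python
"""Audit IOS-style switchport config for settings that permit VLAN hopping."""
import re

# Constructed sample: one risky port, one hardened access port, one hardened trunk.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description DMZ host (risky: DTP on, native VLAN 1)
 switchport mode dynamic desirable
 switchport trunk native vlan 1
!
interface FastEthernet0/2
 description DMZ host (hardened access port)
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet0/1
 description uplink to PIX (hardened trunk, unused native VLAN)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
"""

def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces

def audit_switchports(config):
    """Return {interface: [findings]} for ports whose settings allow VLAN hopping."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split("mode ", 1)[1] for l in lines if l.startswith("switchport mode ")), None)
        # IOS defaults: native VLAN 1 on trunks, access VLAN 1 if none is set.
        native = next((l.rsplit(" ", 1)[1] for l in lines if l.startswith("switchport trunk native vlan")), "1")
        access = next((l.rsplit(" ", 1)[1] for l in lines if l.startswith("switchport access vlan")), "1")
        issues = []
        if mode is None or mode.startswith("dynamic"):
            issues.append("DTP may negotiate a trunk with the attached host")
        if "switchport nonegotiate" not in lines:
            issues.append("DTP frames still sent (missing 'switchport nonegotiate')")
        if mode != "access" and native == "1":
            issues.append("native VLAN 1 is untagged on this trunk: double-tagged frames can hop")
        if mode == "access" and access == "1":
            issues.append("host sits in VLAN 1, the default native VLAN")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit_switchports(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(issues))
```

Only FastEthernet0/1 is reported for the sample; the hardened ports pass because the trunk's native VLAN is an unused one that is also excluded from the allowed list.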
