Cisco Support Community
Restricting machines to a single VLAN

Hi all,

I am trying to figure out if there is a way to stop a single machine from possibly acting as a bridge between VLANs. Assuming there are two VLANs (10 being operations and 20 being secure), how can one ensure that a machine cannot be added with two network cards, connecting one to VLAN 10 and the other to VLAN 20? Of course, being a secure VLAN, we would restrict which MAC addresses can connect to a VLAN 20 port.

Any ideas? Is this just a risk that a client must accept when using VLANs for security rather than separate switches?

ACCEPTED SOLUTION

Re: Restricting machines to a single VLAN

This has nothing to do with VLANs as such, because the same would still apply if you used separate physical switches, i.e. sw1 for VLAN 10 and sw2 for VLAN 20, and then connected a PC with two NICs, one to each switch.

If a user could add another NIC and has the capability to connect his two NICs to two different VLANs/switches within your network, then you have some very serious physical security problems.

I guess what I'm trying to say is that yes, you can use port security etc., but the sort of problem you are outlining is much better dealt with at the procedural/physical level.

Jon
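The port-security control mentioned above, as an added example that is not part of the original thread and is not Cisco's own documentation: a Cisco IOS configuration for a VLAN 20 access port that accepts exactly one MAC address, learns it as a sticky entry so it survives a reload, and err-disables the port if a different station is plugged in, followed by the unused ports shut down so a second NIC has no live jack to use. The interface names, the parking VLAN 999 and the err-disable recovery interval are assumptions chosen for the example.

```cisco
! Secure access port in VLAN 20 (interface name is an assumption)
interface GigabitEthernet1/0/20
 description VLAN20-secure-workstation
 switchport mode access
 switchport access vlan 20
 ! Enable port security: only the permitted MAC(s) may send frames here
 switchport port-security
 ! One station per port; a second MAC on this port is a violation
 switchport port-security maximum 1
 ! Learn the first MAC seen and write it into the running config
 ! (save with "copy running-config startup-config" to keep it across reloads)
 switchport port-security mac-address sticky
 ! On violation: err-disable the port and log it (strictest of the three modes)
 switchport port-security violation shutdown
 ! Edge-port settings: no STP negotiation, and block any switch that
 ! sends BPDUs (e.g. a user-attached switch used to share the jack)
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: re-enable err-disabled ports after 5 minutes (interval is an assumption)
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Unused ports: park them in an unused VLAN and administratively shut them down,
! so a spare NIC cannot simply be cabled into a live VLAN 10 or VLAN 20 jack.
! VLAN 999 and the port range are assumptions.
interface range GigabitEthernet1/0/40 - 48
 description UNUSED-parked
 switchport mode access
 switchport access vlan 999
 shutdown
```

To check the result, `show port-security interface GigabitEthernet1/0/20` reports the security status, the configured maximum, the current MAC count and the last violation, and `show port-security address` lists the sticky entries per port. The caveat that the accepted answer makes is worth stating against this config: port security only decides which MAC address may use a given port. A workstation with two permitted NICs, one on a VLAN 10 port and one on a VLAN 20 port, looks entirely legitimate to both ports, so the bridging risk has to be closed by physical and procedural controls (locked chassis, controlled access to patch panels and jacks, unused ports shut down) rather than by a switch feature.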

2 REPLIES

Re: Restricting machines to a single VLAN

Thank you very much! I was assuming that I would have to insist on a policy being in place whereby all workstations are physically locked so that users are not able to add a network card (easily).

Thanks for confirming my thoughts!
