Cisco Support Community
Community Member

VLAN Security

In advance of the obvious flaming the subject could receive (and deserves), I seeking verifiable replies to disprove that VLANs provide Security.


A very high-security (defined as Mission Critical per federal regulations) project has a proposed situation that places security reliance on VLANs.

There are three security levels (1=lowest; 3=highest):

*Core network backbone provisioned with Cisco 550x switches. The Core supports multiple upstream Distribution networks. This is a Level 2 network.

*Distribution is provisioned with Cisco 2820 or similar (multiple modules, VLAN capable), with workgroups switches below (Bay 350/3Com3000 or

similar). This is a single network upstream of the Distribution. This is a Level 3 network.

*In normal configuration, a firewall resides between the Core and Distribution.

[=CORE=] - - [FW] - - [DIST-A]{switches}resources, etc.


\- - - - [FW} - -[DIST-B]{switches}resources, etc.

Closeup of a facility's DISTRIBUTION:

/- workgroup switches {computers


[ DIST-A ] ----- workgroup switches {computers



\- workgroup switches {computers

All on same network, same VLAN (VLAN 0), same address space...


At times, management wants to support various configurations to support interim development:

The Distribution network may be split into two independant networks:

The Distribution is configured for 2 VLANS. Below is a suggested VLAN configuration to re-aggragate into 2 separate networks/VLANs.

VLAN1->/-wrkgrp switches{computers * = "Net1"


[ DIST-A ] - VLAN1 - switches {computers * = "Net1"




VLAN2--> \- wrkgrp switches {computers * = "Net2" **

*Aggregation of Net1 and Net2 is done solely by VLAN principles such as 802.1q or Cisco ISL.

*Dist switch will be configured to place Net1 devices in VLAN 1. Net1 is configured for Level 3. The firewall joins VLAN1. Firewall isolates Net1

and provides NAT. Net1 uses 1918 private IP addresses.

*Dist switch will be configured to place Net2 devices in VLAN2. Net2 will be configured for Level 2 (lower security, for development). The Core switch

joins VLAN 2. Net2 has public IP space and potential internet connectivity.

*In such configuration, "isolation" (i.e. firewall) must be maintained between Net1 and all lower networks (including Net2).


Define scenarios which would allow a party traversing the Core to the Net2 or within the Net2 could bypass VLAN restriction and thereby gain access to Net1 resources:

*MAC/ARP spoofing/manipulation attack

*dSniff or similar attack

*SNMP attack

*Switch hardware/OS attack

*DoS attack

If Risk is minimal, what designs/features would enhance/support VLAN1-VLAN2 configuration?:

* Subnet masking

* Switch or VLAN configuration

* Procure replacement for Distribution switches (better hardware?)

Evaluate Risk

What products are available to exploit?

How exploitable are threats to VLAN?

Testing facilities are available. Threats must be exploitable, and will

be perforned to verify.

Any other suggestions will be appreciated. I hope my \__-__/ drawings ;-) and descriptions provide enough information. I have seen papers at and a few others, as well a recent Cisco bug id CSCdt62732.

Thanks >+

Security Guy


Re: VLAN Security

I read through Cisco’s SAFE security blueprint whitepaper at and it definitely suggests switches are targets and recommends that you avoid using switches as a sole method of securing between two subnets. It’s worth reading.

CreatePlease to create content