New Member

Vulnerabilities of having multiple vlans on a single switch

I am creating a multi-level-security infrastructure using a 2980 switch for L2 VLAN and PIX firewall for inter-vlan routing. Each PIX interface connects to a different vlan on the same switch.

Are there any vulnerabilities where a switch can be compromised and cause traffic to pass between the vlans on the switch without first being routed through the pix? Do they call this vlan leaking?

thank you,

Art

5 REPLIES
New Member

Re: Vulnerabilities of having multiple vlans on a single switch

It is called VLAN Hopping and you get different answers depending on who you talk to. With a properly configured switch the chance of VLAN hopping is greatly mitigated. Do not use native VLAN, port security... Cisco has many docs on this. But your answer is not really straightforward. How critical is the data behind the firewall and would it be very costly to physically separate the internal and external switch networks? My opinion is separate company critical assets (financial servers...). If it is just workstations and you have to buy one more switch to do it, don't. Remember, VLAN hopping is a high level of effort and low probability attack that can be mitigated with proper configuration. It is also a layer 2 attack requiring the attacker to be on the local subnet, and machines do get compromised. The decision is all about risk assessment.

Kevin
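Kevin's advice above (static port modes, no reliance on the default native VLAN, port security) can be checked against a switch's running-config. The script below is an added example, not from this thread or from Cisco; it audits two constructed IOS-style config excerpts, and the interface names, VLAN numbers and the assumption that a port with no `switchport mode` line defaults to DTP-dynamic are made up for illustration.

```python
# Constructed sample running-config excerpts (not taken from the thread).
WEAK_CONFIG = """\
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 1
"""

HARDENED_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
!
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line ends the stanza
    return interfaces

def audit_vlan_hopping(config):
    """Return {interface: [findings]} for settings that weaken VLAN separation."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        # Assumption: no 'switchport mode' line means the port still negotiates via DTP.
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), "dynamic")
        if mode.startswith("dynamic") or "switchport nonegotiate" not in lines:
            issues.append("DTP negotiation possible: set a static mode and 'switchport nonegotiate'")
        if mode == "trunk":
            native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                issues.append("native VLAN is 1: move it to an unused VLAN")
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                issues.append("all VLANs allowed on trunk: prune to the required list")
        elif "switchport port-security" not in lines:
            issues.append("no port security configured")
        if issues:
            findings[name] = issues
    return findings
```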

New Member

Re: Vulnerabilities of having multiple vlans on a single switch

Thank you very much Kevin. Could I impose on you to send me a link which I could use as a jumping off point? As you stated, it's not very straightforward and I can't find anything very detailed.

Thank you,

Again

New Member

Re: Vulnerabilities of having multiple vlans on a single switch

In this link note the recommendations. "VLANS are good for segmenting LANs and broadcast traffic, but are not recommended to enforce security policy".

http://www.sans.org/resources/idfaq/vlan.php

www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf

I have one more great document from Cisco at the office. I will post the link here on Tuesday.

Kevin

New Member

Re: Vulnerabilities of having multiple vlans on a single switch

Much obliged Kevin.

New Member

Re: Vulnerabilities of having multiple vlans on a single switch

Hi Kevin,

Can you post that last link for me when you have time? Thank you, Art
