Cisco Support Community
Community Member

Campus / Enterprise VLAN Security Integration

Ji Jeal  

One of the things that always bothers me about deploying guest wireless (including the many different ways of doing it) is the need to have a VLAN that carries untrusted guest traffic on the same switches that carry trusted corporate traffic.

Given that the deployment model for a site with local internet break-out, such as H-REAP, requires the VLAN to be on multiple switches, what are the recommendations and best practices to make the chance of someone breaking out of this guest VLAN nil?

Is this a viable model for a high-security environment (like a bank or defence company)?

Whilst my perception is that the biggest risk here is that someone unintentionally or mistakenly creates an L3 interface on the VLAN (e.g. to provide DHCP services, the same as on all the corporate VLANs), I am also concerned that someone could potentially attack the devices/switches and configure their way out of the VLAN.

I know there are several ways to get around this (like using the anchor controller) but that doesn't always work.



Re: Campus / Enterprise VLAN Security Integration

With anything short of physically separate infrastructure, there's always the risk of an accidental config error causing you problems. It sounds to me like you probably already know about ACLs, VLANs, VRFs, SGTs, anchor controllers, private VLANs, DHCP snooping, etc. So what exactly are you looking for? All approaches (industry best practice or otherwise) are about mitigating risk and balancing effort, complexity and cost. Which of these factors is more important to you?

Sent from Cisco Technical Support iPad App

Community Member

Re: Campus / Enterprise VLAN Security Integration

I am trying to figure out two things:

1) Can I be confident that logical VLAN separation provides "enough" security? The answer to that really depends on how well and robustly the infrastructure components (AP, WLC, switch) are tested against the attack vectors; the obvious one being encapsulation with VLAN tagging: do all the devices deny the possibility of spoofing the VLAN, and so on...

2) In terms of configuration, is there something I haven't thought of that is an (easy?) way to keep the untrusted data from directly touching the VLAN (e.g. tunnelling or something) between the AP and the local internet break-out, like an anchor controller but without the need to deploy WLCs in every branch? That would effectively mean it didn't matter if the switch was misconfigured, or a bug allowed crafted packets to break the switch or break the security, as there's a "buffer" between the guest wireless traffic and the switch.

But I guess as a side question: is there a way to protect against misconfiguration (other than adding a note on the VLAN saying "Don't configure a layer 3 address on this VLAN")? VRF Lite could be an option but, as you say, quite a bit of overhead.


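Added example, not from the thread or from Cisco: a small Python audit of an IOS-style running-config that flags the escape paths discussed in this thread (an SVI with an address on the guest VLAN outside a VRF, trunks that carry the guest VLAN with DTP still enabled or use it as the untagged native VLAN, an AP access port that can still negotiate a trunk, and DHCP snooping not covering the guest VLAN). VLAN id 300, the VRF name GUEST, the interface names and both config samples are constructed assumptions; the `switchport trunk allowed vlan` parsing handles plain lists only, not the add/remove/except forms.

```python
import re

GUEST_VLAN = 300  # assumption: the untrusted guest wireless VLAN id

# Constructed sample: the misconfiguration the thread fears (an addressed SVI on
# the guest VLAN) plus a trunk and an AP port left at IOS defaults.
WEAK_CONFIG = """\
interface Vlan300
 ip address 10.30.0.1 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 300
interface GigabitEthernet1/0/10
 switchport access vlan 300
"""

# Constructed sample: guest SVI moved into a VRF, ports pinned so DTP cannot
# negotiate a trunk out of the guest VLAN, DHCP snooping on for the guest VLAN.
HARDENED_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 300
vlan 300
 name GUEST
vrf definition GUEST
 address-family ipv4
interface Vlan300
 vrf forwarding GUEST
 ip address 10.30.0.1 255.255.255.0
interface GigabitEthernet1/0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,300
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
interface GigabitEthernet1/0/10
 switchport access vlan 300
 switchport mode access
 switchport nonegotiate
"""

def parse_config(config):
    """Split IOS-style text into global lines and {interface: [sub-commands]}.
    IOS indents sub-commands with one space; other indented blocks are skipped."""
    globals_, stanzas, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:          # sub-command of an interface
                stanzas[current].append(line.strip())
            continue
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        else:
            current = None                   # vlan/vrf blocks: not interfaces
            globals_.append(line)
    return globals_, stanzas

def vlan_in_list(vlan, spec):
    """True if vlan falls inside an IOS VLAN list such as '10,20,100-200'."""
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= vlan <= int(hi or lo):
            return True
    return False

def audit_guest_vlan(config, guest=GUEST_VLAN):
    """Return findings that would let traffic escape the guest VLAN."""
    findings = []
    globals_, stanzas = parse_config(config)
    for name, lines in stanzas.items():
        if name.lower() == f"vlan{guest}":
            has_ip = any(l.startswith("ip address") for l in lines)
            in_vrf = any(l.startswith(("vrf forwarding", "ip vrf forwarding")) for l in lines)
            if has_ip and not in_vrf:
                findings.append(f"{name}: L3 interface on guest VLAN in the global routing table")
        if "switchport mode trunk" in lines:
            allowed = next((l for l in lines if l.startswith("switchport trunk allowed vlan")), None)
            spec = allowed.split("vlan", 1)[1] if allowed else "1-4094"  # no list = all VLANs
            if vlan_in_list(guest, spec) and "switchport nonegotiate" not in lines:
                findings.append(f"{name}: trunk carries guest VLAN with DTP enabled")
            native = next((l for l in lines if l.startswith("switchport trunk native vlan")), None)
            if native and int(native.split()[-1]) == guest:
                findings.append(f"{name}: guest VLAN is the untagged native VLAN")
        elif f"switchport access vlan {guest}" in lines and "switchport mode access" not in lines:
            findings.append(f"{name}: guest access port can still negotiate a trunk via DTP")
    if "ip dhcp snooping" not in globals_:
        findings.append("global: ip dhcp snooping is not enabled")
    snoop = [l.split("vlan", 1)[1] for l in globals_ if l.startswith("ip dhcp snooping vlan")]
    if not any(vlan_in_list(guest, s) for s in snoop):
        findings.append(f"global: DHCP snooping does not cover VLAN {guest}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_guest_vlan(cfg) or 'no findings'}")
```

Run against `show running-config` output pulled from each branch switch, this gives a mechanical answer to the "don't put a layer 3 address on this VLAN" note: the SVI check only passes when the guest SVI sits in a VRF, which is the VRF Lite option mentioned above, and the port checks catch the DTP and native-VLAN defaults that make tag-based hopping possible in the first place.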