VLAN Question

  • dashpilot79
    New Member
    • Oct 2015
    • 3

    VLAN Question

    I have a question about the security of VLANs that I'm setting up for a friend's business.

    General network setup: there is a hard-wired internal network, which has a firewall protecting it from a perimeter network, which in turn has a firewall protecting it from the open internet. The perimeter network is a mix of wired and wireless connections.

    The issue is that they are expanding and will need more ports in a different part of the building, and there will be a mix of ports belonging to either the internal or the perimeter network. There will be two physically separate links run to the new switching area, one for the internal network and one for the perimeter.

    He is on a budget, so I was trying to cut cost but still provide for scalability and security. Initially I wanted to make sure he had roughly 24 ports available for each of the two networks. I saw that one 48-port switch is cheaper than two 24-port switches, and in the future, if need be, I could buy a second switch. Plus, more than likely the internal network will be heavier on ports than the perimeter, so I would be able to mix the ports as necessary if it's all on one switch.

    So my question is, how secure is it (how hard would it be to jump between VLANs) if the only spot they physically touch is on just the one switch?
  • ryno du preez
    New Member
    • Jul 2011
    • 91

    #2
    It is not hard to reach your end goal if you use a manageable switch that you can configure to allow your IP ranges to the new switches. But this, of course, depends on your core switch. You will have to set up the core switch to listen for the VLANs on the attached ports.

    • dashpilot79
      New Member
      • Oct 2015
      • 3

      #3
      I know it's easy to do. The core switches will have no clue that there are VLANs, since the one switch that I have split up will have dedicated links to the two core switches. What my question was is how hard (how secure) it is to jump between the two VLANs that reside on the same switch. The rest of the networks will all have physically isolated hardware and links.

      • RonB
        Recognized Expert Contributor
        • Jun 2009
        • 589

        #4
        Any network can be hacked, but if you configure the VLANs correctly and do MAC address filtering (i.e., assign each device's MAC address to a specific port), then you would be fine.

        If you want to add additional protection and ease of maintenance, you could use PacketFence which is an open source Network Access Control (NAC) package. It uses SNMP traps to monitor and control the switch ports.

        We have 35 locations and each location has 30+ switches (managed by PacketFence) with multiple VLANs, and we have not had any security issues.

        Regarding the choice between using one 48-port switch vs. two 24-port switches, I'd go with two 24-port switches. The cost difference isn't that much, assuming you're comparing the same brand and class of switches, and the two switches add more flexibility.
        Last edited by RonB; Jul 23 '16, 03:00 PM.


        • ScottishKing
          New Member
          • Jan 2021
          • 7

          #5
          You can't "hop" between VLANs on a switch.

          They segregate the network; each VLAN is a completely separate little network from the others.

          What may be confusing you is that with a router, or a "layer 3" switch (a combined switch and router), you can send data between VLANs. You can secure this flow of traffic using access lists or firewalls, etc. But you have to program this data flow in; it won't happen normally.

          Your initial idea is right: buy one 48-port switch and configure two separate VLANs, let's say one for phone and one for data, and then just don't program in any inter-VLAN routing. It will be like having two separate switches. You will need trunk links between this switch and your other switches with both VLANs on them.
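Putting RonB's MAC-per-port advice (#4) and ScottishKing's one-switch-plus-trunk layout (#5) into something you can check: the script below is an added example, not code posted by anyone in this thread. It parses a Cisco IOS style config and flags, per port, the defaults that make "jumping" VLANs on a shared switch possible (DTP left free to negotiate a trunk, no explicitly pinned access VLAN, a trunk with the default native VLAN or no allowed-VLAN list, no port security binding a MAC to the port). The two configs are constructed for the example; the interface names and VLAN IDs (10 = internal, 20 = perimeter, 999 = an unused native VLAN) are assumptions, not the poster's real setup.

```python
"""Audit a Cisco IOS style config for the one-switch, two-VLAN layout from this thread.
Added example: the configs are constructed, and the interface names and VLAN IDs
(10 = internal, 20 = perimeter, 999 = unused native) are assumptions."""

DATA_VLANS = {10, 20}

# Constructed "before" config: ports left at switch defaults.
WEAK_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
 switchport access vlan 20
interface GigabitEthernet1/0/48
 description trunk to core carrying both VLANs
 switchport mode trunk
"""

# Constructed hardened config: mode pinned, DTP off, one MAC bound per host port
# (RonB's MAC filtering), a dedicated access-mode uplink (the poster's layout),
# and a trunk with an unused native VLAN and an explicit allowed list.
HARDENED_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address sticky
interface GigabitEthernet1/0/47
 description dedicated link to the internal core switch
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
interface GigabitEthernet1/0/48
 description trunk to core carrying both VLANs
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
"""


def parse_interfaces(config):
    """Map interface name -> its sub-commands (IOS indents them by one space)."""
    ports, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = ports.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return ports


def setting(lines, prefix):
    """Argument of the first sub-command starting with `prefix`, or None."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None


def audit_port(name, lines, uplinks):
    """Return the weaknesses found on one port; an empty list means it passed."""
    findings = []
    mode = setting(lines, "switchport mode")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP still enabled; add 'switchport nonegotiate'")
    if mode == "trunk":
        native = setting(lines, "switchport trunk native vlan")
        if native is None or int(native) == 1 or int(native) in DATA_VLANS:
            findings.append("native VLAN is 1 or a data VLAN; untagged frames would "
                            "land in it, so move it to an unused VLAN")
        if setting(lines, "switchport trunk allowed vlan") is None:
            findings.append("trunk carries every VLAN; restrict the allowed list")
        return findings
    if mode != "access":
        findings.append("mode not pinned to access; an attached host could negotiate a trunk")
    vlan = setting(lines, "switchport access vlan")
    if vlan is None or int(vlan) == 1:
        findings.append("no explicit access VLAN (or VLAN 1); assign the data VLAN")
    if name not in uplinks:  # host-facing ports get one MAC bound per port
        if "switchport port-security" not in lines:
            findings.append("no port-security; MAC address filtering absent")
        elif setting(lines, "switchport port-security mac-address") is None:
            findings.append("port-security on but no MAC bound; add sticky or static")
    return findings


def audit(config, uplinks=frozenset()):
    """Map every interface in `config` to its list of findings."""
    return {n: audit_port(n, l, uplinks) for n, l in parse_interfaces(config).items()}
```

Run `audit(WEAK_CONFIG)` and every port comes back with three findings; `audit(HARDENED_CONFIG, uplinks={"GigabitEthernet1/0/47"})` comes back clean. Two practical caveats: on IOS `switchport nonegotiate` is only accepted once the mode is pinned to access or trunk, so order the commands as shown, and sticky MAC addresses only survive a reload if you save the config after the devices have been seen. For the poster's actual design (dedicated links, no trunk) the trunk stanza is just ScottishKing's variant; the host-port checks are what matter on the shared switch.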
