VLAN Security (??)

18 years 8 months ago #13578 by future2000
Apologies for all the questions, but I'm trying to get this VLAN stuff sorted in my head (yes, I've read two Cisco Press books, and the stuff on this website, which is incidentally better than the Cisco books!).

Now for my question. With VLAN routing via a layer 3 switch, surely the security reasons for using VLANs become a bit pointless [apart from removing broadcasts, that is].

In other words, once the layer 3 'routing' part of the layer 3 switch routes traffic between all VLANs, unless you have decent ACLs in place on this layer 3 switch, surely all machines can connect to each other anyway? I.e. host a (10.20.50.218/16) can happily connect to host b (10.21.50.17/16), as the layer 3 switch will just route traffic between the different VLANs and ultimately hosts?

Am I missing something here or is this a correct assumption?

:?
18 years 8 months ago #13580 by gibstom
Replied by gibstom on topic Re: VLAN Security (??)
As you said, members of different VLANs can talk to each other only if routing is enabled between them. If you look at it differently, it's entirely for the administrator to decide whether to enable routing between them. Even with routing, a simple ACL can further drill down as to what each host can reach.

Another advantage is broadcast control. It might not make a difference in a 20-50 user office, but when it comes to 500-1000 people per location, you will appreciate what VLANs can do for you.
18 years 8 months ago #13582 by havohej
Replied by havohej on topic Re: VLAN Security (??)
Hi friend.

I agree with all that was mentioned, and yes, by default if you only enter the "ip routing" command in the multilayer switch, you can route between the subnets of each different VLAN without restrictions.

Another way to control bridged and routed traffic is to use VLAN ACLs or VLAN maps, so you can control bridged traffic that is crossing the VLAN or the switch where the VLAN map is configured.

When setting up the VLAN ACL, it is quite different to the traditional router ACLs: in router ACLs you define a direction, either in or out, while with a VLAN ACL it is defined on the traffic that is crossing the switch or the VLAN.

You can apply the same VLAN map to only one VLAN or to the VLANs you want.
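A constructed Cisco IOS configuration illustrating the two points raised above (it is added here and is not from any poster): inter-VLAN routing between the two /16 subnets from the question, a router ACL on the VLAN 20 SVI limiting what VLAN 20 hosts may reach in VLAN 21, and a VLAN map filtering traffic bridged inside VLAN 20, which a router ACL never sees. The SVI addresses, ACL and map names, the server role of 10.21.50.17 and the chosen ports are assumptions.

```text
! Constructed example (not from the thread): Catalyst multilayer switch, IOS syntax
ip routing
!
interface Vlan20
 description Hosts such as 10.20.50.218/16 from the question
 ip address 10.20.0.1 255.255.0.0
 ! Router ACL: evaluated only on routed traffic entering the switch from VLAN 20
 ip access-group VLAN20-TO-VLAN21 in
!
interface Vlan21
 description Hosts such as 10.21.50.17/16 from the question
 ip address 10.21.0.1 255.255.0.0
!
! Without this ACL, "ip routing" alone lets any VLAN 20 host reach any VLAN 21 host.
ip access-list extended VLAN20-TO-VLAN21
 remark Allow VLAN 20 to reach one assumed server in VLAN 21 over HTTPS only
 permit tcp 10.20.0.0 0.0.255.255 host 10.21.50.17 eq 443
 remark Log and block everything else destined for the VLAN 21 subnet
 deny   ip 10.20.0.0 0.0.255.255 10.21.0.0 0.0.255.255 log
 remark Traffic to any other destination is left alone by this example
 permit ip any any
!
! VLAN map: bound to the VLAN, not to a direction, so it also filters frames
! bridged between two hosts inside VLAN 20 that never touch the SVI.
ip access-list extended VLAN20-INTRA-SMB
 remark Match host-to-host SMB within the VLAN 20 subnet (assumed policy)
 permit tcp 10.20.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 445
!
vlan access-map VLAN20-MAP 10
 match ip address VLAN20-INTRA-SMB
 action drop
vlan access-map VLAN20-MAP 20
 action forward
!
vlan filter VLAN20-MAP vlan-list 20
```

After applying, "show ip access-lists" shows hit counts on the router ACL and "show vlan filter" confirms which VLANs the map is bound to.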
18 years 8 months ago #13586 by future2000
Replied by future2000 on topic thanks
Hi all,

Thanks for your replies. Obviously you need to work hard with the ACLs after enabling the inter-VLAN routing.

:)