From: unix on 21 May 2010 10:37

This is my setup:

Dirty traffic ---> firewall interface on VLAN100 ---> filtered traffic to VLAN200 --- server interface on VLAN200.

Both VLANs are on the same physical switch. I seem to recall from my Cisco training (20 years ago) that there was a potential security risk putting a "trusted" VLAN on the same switch as a "dirty" VLAN (even if there is a firewall between the VLANs). Is this still a concern? I don't want the corporate security guys to beat me up some time down the road.

Thanks
Ron
From: Rob on 21 May 2010 10:42

Of course you must make sure that the switch does not do L3 routing between the VLANs...
From: Scott Lowe on 26 May 2010 12:51

On 2010-05-21 10:37:18 -0400, unix said:

> This is my setup:
>
> Dirty traffic ---> firewall interface on VLAN100 ---> filtered traffic
> to VLAN200 --- server interface on VLAN200.
>
> Both VLANs are on the same physical switch. I seem to recall from my
> Cisco training (20 years ago) that there was a potential security risk
> putting a "trusted" VLAN on the same switch as a "dirty" VLAN (even if
> there is a firewall between the VLANs). Is this still a concern? I
> don't want the corporate security guys to beat me up some time down
> the road.
>
> Thanks
> Ron

I'm not an expert (yet), but I believe the concern to which you are referring involved VLAN hopping attacks (jumping from one VLAN to another VLAN). It's my understanding that most of those concerns have been mitigated in recent versions of IOS and can be further mitigated with proper configuration of the VLANs and the switches. As has also been suggested in this thread, be sure that the switch is not doing any Layer 3 routing between VLANs.

Hope this helps!

--
Scott Lowe
Author, "Mastering VMware vSphere 4" and "VMware vSphere 4 Administration Instant Reference"
http://blog.scottlowe.org
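An added check, not part of the thread, for the two points Rob and Scott raise: a Python script that audits a Cisco IOS-style running-config (the sample below is constructed, not from the poster's switch) for inter-VLAN routing on the switch itself and for the trunk-negotiation and native-VLAN defaults that VLAN hopping relies on. It assumes the config is the plain text of `show running-config`.

```python
import re

# Constructed sample of an IOS running-config (not from the thread) carrying the two
# VLANs from the question plus the settings an audit should flag.
SAMPLE_CONFIG = """\
ip routing
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
interface GigabitEthernet0/2
 switchport mode dynamic desirable
 switchport trunk native vlan 1
interface GigabitEthernet0/3
 switchport access vlan 200
 switchport mode access
 switchport nonegotiate
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None
    return sections

def audit(config):
    """Return sorted (scope, finding) pairs for settings that weaken VLAN separation."""
    findings = []
    if any(l.strip() == "ip routing" for l in config.splitlines()):
        findings.append(("global", "ip routing enabled: the switch itself can route between VLANs"))
    for name, lines in parse_interfaces(config).items():
        if name.lower().startswith("vlan") and any(l.startswith("ip address") for l in lines):
            findings.append((name, "SVI with an IP address: an L3 path that bypasses the firewall"))
            continue
        mode = next((l for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or "dynamic" in mode:  # unset mode means DTP is still negotiating
            findings.append((name, "DTP negotiation possible: pin 'switchport mode access' or 'trunk'"))
        native = re.search(r"switchport trunk native vlan (\d+)", "\n".join(lines))
        if mode and "access" not in mode and (native is None or native.group(1) == "1"):
            findings.append((name, "trunk uses native VLAN 1 (the default): move it to an unused VLAN"))
    return sorted(findings)
```

Run `audit(SAMPLE_CONFIG)` to see the four findings; a config with only pinned access ports, no SVIs and no `ip routing` returns an empty list.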