VLAN Security vs. Inter-VLAN Routing

From the Cisco website:

"VLANs address scalability, security, and network management"

However, once you introduce inter-VLAN routing, doesn't the security aspect of VLANs pretty much go out the window? In other words, using simple VLANs, if I have a computer in port 2/VLAN 2, it's not supposed to be able to talk to a computer in port 3/VLAN 3. But if I implement inter-VLAN routing, then the computer on port 2 now knows how to get to the computer on port 3, thus the inherent security (such as it is) in VLANs is no longer applicable? Is this correct?

If so, I presume the answer is to start using ACLs if security is still a concern.



Technically, and from a layer 3 security perspective, you are correct. A default gateway would get them to the router, which would then forward on traffic as necessary. However, VLANs are still layer 2 secure, as they create logical separation to prevent things like sniffing, man-in-the-middle, etc., from nodes that are not on the same network. However, you can still do these things if a box on the local network has an open communication stream with the destination box. Either way, I agree completely with what you are saying, but I think they are talking about the lower-level security features of separation, which may or may not be adequate depending on what you are trying to protect/secure.


Trendkill pretty much nailed it down. VLANs provide a lot of benefits, Layer 2 security being just one of them. It can provide broadcast segmentation as well, keeping subnet broadcasts from overwhelming what could normally take out a flat network. Also, some Cisco equipment has the ability to run things like Private VLANs now that would allow you to isolate your networks even more. You can find more info on that here:

HTH, neteng


You are making at least 2 assumptions: that you route between all VLANs, and that you use a router to link the VLANs.

So, you can leave a VLAN isolated.

You can use VRF Lite on a router or a firewall to restrict what goes where. Or you might use a proxy server?

That's one way.

VLANs can provide L2 separation / segregation (although there are some ways to "jump" between them on some kit), but if you have a higher-level bit of connectivity, then controlling what goes where has to happen at that higher level.
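To make the point from the original question and this reply concrete, here is an added Cisco IOS configuration sketch (not posted by anyone in the thread) showing the two states side by side: SVIs with `ip routing` and no filtering, where VLAN 2 can reach everything in VLAN 3, and the same SVIs with an extended ACL applied inbound on the VLAN 2 interface so that only a named service is reachable. Interface names, VLAN numbers, addresses and the ACL name are assumptions chosen for the example.

```cisco
! --- State 1: inter-VLAN routing with no filtering (assumed addressing) ---
! Once ip routing is on and both SVIs are up, any host in 10.0.2.0/24 can
! reach any host in 10.0.3.0/24; the VLAN boundary no longer restricts it.
ip routing
!
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan3
 ip address 10.0.3.1 255.255.255.0
!
! --- State 2: same routing, but policy enforced at layer 3 with an ACL ---
! The ACL is evaluated on traffic entering the VLAN 2 SVI, i.e. traffic
! sourced by VLAN 2 hosts, before it is routed toward VLAN 3.
ip access-list extended VLAN2-IN
 remark Allow VLAN 2 hosts to reach only the web server (assumed 10.0.3.10)
 permit tcp 10.0.2.0 0.0.0.255 host 10.0.3.10 eq 443
 permit tcp 10.0.2.0 0.0.0.255 host 10.0.3.10 eq 80
 remark Deny everything else destined for VLAN 3 and log the attempt
 deny ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255 log
 remark Leave other destinations (e.g. the Internet via the default route) alone
 permit ip any any
!
interface Vlan2
 ip access-group VLAN2-IN in
!
! --- Check: hit counters show which entries are matching live traffic ---
! show ip access-lists VLAN2-IN
! show logging | include VLAN2-IN
```

The `deny ... log` entry is what turns the ACL into a detection point as well as a control: denied flows between the two VLANs show up in the log with source and destination, which a flat or unfiltered routed design would never record.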

