I am evaluating subnetting our network with a Layer 2 switch and VLAN. From what I know, VLAN only works on broadcast domain, and if I know the MAC address of a remote computer on the same switch, I can bypass the VLAN security entirely by mapping the MAC address to my own ARP table. Is that correct?
Thanks
-
No, it isn't. This may have been possible in some of the earliest implementations of VLANs (20 years ago...) but on any modern switch, once a port is tagged with an 802.1q VLAN, that's it. The switching engine won't allow VLAN hopping. Of course, if you have an insecure configuration (say, a host with interfaces on more than one network, with IP forwarding enabled...) you could have some security issues.
I work at a rather large university (we have two Class B's, and still need most of a Class A for NATted clients). Our network is run on Cisco, Foundry, and Juniper hardware, and everything is VLANed. We've never had any issues with it, security or otherwise.
From Jason Antman -
You are not correct. When a switch creates a VLAN, it is effectively the same as if you created two separate networks connected with their own switches. A person can no more bypass the VLAN using a direct MAC address than you could gain access to your neighbor across the street if you knew his MAC address.
Think of it as two physically separated networks.

jackbean: Can you clarify a little further. My understanding has been that VLAN tagging only affects broadcast packets. Cisco defines VLAN as "a broadcast domain within a switched network." It also mentions, "VLANs improves performance and security in the switched network by controlling broadcast propagation." According to: http://www.ciscopress.com/articles/article.asp?p=102157 Thanks

Scott Lundberg: VLAN tagging affects all packets that are tagged, regardless of whether they are broadcast or not. It improves performance because inherently a broadcast on VLAN 1 will not be passed to VLAN 2 because the broadcast packet has been tagged with VLAN=1. This is an Ethernet (layer 2) property, so broadcast and unicast packets perform equally. Look at http://en.wikipedia.org/wiki/IEEE_802.1Q and notice that the VLAN is actually inserted into the EII frame. This applies for all packets, not just broadcast packets.

Scott Lundberg: Concerning Cisco's definition, it means a broadcast domain includes all devices that would receive the broadcast. I.e. any device on the same VLAN, but that doesn't mean VLANs only apply to broadcast packets.

jackbean: Thanks for the clarification.

From Scott Lundberg -
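A small model of the point made in the answer and comments above (the 802.1Q tag is part of every frame, and a switch keys its MAC table by VLAN as well as MAC), written as an added example for this thread rather than code from any of its posters. The ToySwitch class, its rule that a tagged frame for a different VLAN arriving on an access port is dropped, and the MAC addresses and frames are all constructed for the demonstration.

```python
import struct

TPID_8021Q = 0x8100                      # EtherType value that marks an 802.1Q tag
BROADCAST = b"\xff" * 6

def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame; return dst, src, VLAN ID (None if untagged) and EtherType."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18     # VID is the low 12 bits of the Tag Control Information
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype, "payload": frame[offset:]}

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as a switch does when forwarding onto a trunk."""
    tci = (pcp & 7) << 13 | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

class ToySwitch:
    """Model of a VLAN-aware switch: the MAC table is keyed by (VLAN, MAC), not by MAC alone."""
    def __init__(self, access_ports: dict):
        self.access_ports = access_ports   # port -> VLAN ID assigned to untagged ingress frames
        self.mac_table = {}                # (vid, mac) -> port

    def receive(self, in_port: int, frame: bytes) -> dict:
        """Return {egress_port: frame}; a frame never leaves the VLAN it entered on."""
        vid = self.access_ports[in_port]
        f = parse_frame(frame)
        if f["vid"] not in (None, vid):    # modelling assumption: tagged ingress for another VLAN is dropped
            return {}
        self.mac_table[(vid, f["src"])] = in_port
        dst_port = self.mac_table.get((vid, f["dst"]))
        if f["dst"] != BROADCAST and dst_port is not None:
            return {dst_port: frame}
        # unknown unicast or broadcast: flood, but only to ports in the same VLAN
        return {p: frame for p, v in self.access_ports.items() if v == vid and p != in_port}

# Constructed topology: ports 1 and 2 in VLAN 10, port 3 in VLAN 20; constructed MACs.
MAC_A, MAC_B, MAC_C = (bytes([0, 0, 0, 0, 0, n]) for n in (0xA, 0xB, 0xC))

def demo() -> dict:
    sw = ToySwitch({1: 10, 2: 10, 3: 20})
    sw.receive(3, MAC_B + MAC_C + b"\x08\x00" + b"ip")  # host C (VLAN 20) is learned on port 3
    # host A (VLAN 10) addresses host C's MAC directly: the frame is flooded within VLAN 10 only
    unicast_out = sw.receive(1, MAC_C + MAC_A + b"\x08\x00" + b"ip")
    bcast_out = sw.receive(1, BROADCAST + MAC_A + b"\x08\x06" + b"arp")
    return {"unicast": sorted(unicast_out), "broadcast": sorted(bcast_out)}
```

Knowing host C's MAC does not change the outcome: the lookup is for (10, MAC_C), which does not exist, so the unicast is treated exactly like the broadcast and stays on VLAN 10's ports.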
There are some techniques to bypass VLAN tagging, but they only apply for some switches and in some configurations. If you have Cisco switches that have VLAN 1 on a trunk, you can send packets to machines in another VLAN (but not get anything back) if you send a .1q-encapsulated frame with the target VLAN as the VLAN tag.
From Vatine -