Re: VLAN Question
From: Bennett Todd (bet_at_rahul.net)
Date: Wed, 20 Aug 2003 12:51:20 -0400 To: Steven Williams <Steven.Williams@computershare.com.au>
2003-08-20T03:09:24 Steven Williams:
> I'm after some opinions of yours and your companies policy
> regarding the use of VLAN's as a method of isolating the internet
> to internal VLAN's on the same physical layer 2 / 3 switch and
> access controlled by ACL's or firewalls.
There are several sides to this question.
Originally, VLANs were created solely to help mitigate the very high
cost of early switches. Switches were being sold in multiples of 16
or 32 ports, and they were vastly more expensive than hubs. To help
people get the most out of their switch investments, VLANs allowed
partitioning broadcast domains, to buy the performance advantages of
switch isolation while allowing multiple smaller networks to be
implemented on the same expensive switch. In this context, leakage
between vlans wasn't an issue as long as the amount of leakage
didn't cause a performance impact. vlans leaked. Minor leakage was
not considered a problem by the vendors. They weren't designed as
Customers started pressing vendors, and they've responded. I've
spoken with a Cisco engineer who said that properly, carefully
configured, current switches with current CatOS were not believed to
leak between vlans, and a finding that they could so leak would be
treated as a priority security bug. Cool says I, this enables
something I've wanted to have for some time. Combine switches with
vlans that are secure and 802.1q trunking, and you can have a
firewall with a ludicrous number of firewall ports --- it becomes
practical to consider building a fully-firewalled fully-routed
network, where every host has its own dedicated firewall port. Not
for everybody, perhaps, but I can think of places where it'd be
worth doing. Say, hotels offering network jacks in the rooms.
But there's another issue to consider. Even if the vlan
implementation is truly secure in the switch, sharing multiple vlans
representing different security domains on the same switch means
that a config error on that switch could compromise your isolation.
Config errors happen. Config errors that don't overtly break
anything are often not detected for a long time.
Switches are cheap. Use multiple switches unless there's a really
compelling engineering requirement to use multiple vlans on the same
- application/pgp-signature attachment: stored