Re: VLAN Question

From: Bennett Todd (
Date: 08/20/03

  • Next message: David Gillett: "RE: Blocking port 4444 for W32.Blaster.Worm"
    Date: Wed, 20 Aug 2003 12:51:20 -0400
    To: Steven Williams <>

    2003-08-20T03:09:24 Steven Williams:
    > I'm after some opinions of yours and your companies policy
    > regarding the use of VLAN's as a method of isolating the internet
    > to internal VLAN's on the same physical layer 2 / 3 switch and
    > access controlled by ACL's or firewalls.

    There are several sides to this question.

    Originally, VLANs were created solely to help mitigate the very high
    cost of early switches. Switches were being sold in multiples of 16
    or 32 ports, and they were vastly more expensive than hubs. To help
    people get the most out of their switch investments, VLANs allowed
    partitioning broadcast domains, to buy the performance advantages of
    switch isolation while allowing multiple smaller networks to be
    implemented on the same expensive switch. In this context, leakage
    between vlans wasn't an issue as long as the amount of leakage
    didn't cause a performance impact. vlans leaked. Minor leakage was
    not considered a problem by the vendors. They weren't designed as
    security partitions.

    Customers started pressing vendors, and they've responded. I've
    spoken with a Cisco engineer who said that properly, carefully
    configured, current switches with current CatOS were not believed to
    leak between vlans, and a finding that they could so leak would be
    treated as a priority security bug. Cool says I, this enables
    something I've wanted to have for some time. Combine switches with
    vlans that are secure and 802.1q trunking, and you can have a
    firewall with a ludicrous number of firewall ports --- it becomes
    practical to consider building a fully-firewalled fully-routed
    network, where every host has its own dedicated firewall port. Not
    for everybody, perhaps, but I can think of places where it'd be
    worth doing. Say, hotels offering network jacks in the rooms.

    But there's another issue to consider. Even if the vlan
    implementation is truly secure in the switch, sharing multiple vlans
    representing different security domains on the same switch means
    that a config error on that switch could compromise your isolation.
    Config errors happen. Config errors that don't overtly break
    anything are often not detected for a long time.

    Switches are cheap. Use multiple switches unless there's a really
    compelling engineering requirement to use multiple vlans on the same



  • Next message: David Gillett: "RE: Blocking port 4444 for W32.Blaster.Worm"