VLAN on Cisco Catalyst



I am getting conflicting advice from various sources concerning VLAN security. I have several Catalyst 2950 switches in my network, running one VLAN with public access (including wireless unrestricted access), and domain-controlled workstations on another. I classify those as low and medium security zones, respectively. I will now set up a network commanding higher security in the same physical space, and due to construction issues and safety precautions in the buildings, installing extra cables will be very expensive. I'm thinking of creating a new VLAN instead.

I get some warnings about the possibility of fixing a packet header to make traffic cross over between VLANs. Is that possible if all switchports have the communication explicitly set? (i.e.: ports connected to other Catalysts are set to Trunk mode, and ports towards the client side are set to access mode.) With no ports in auto mode, I'd think that such "trunk spoofing" would fail.

If such attacks are still possible, how serious could they be?
- Can the attacker get a response, or is it only one way?
- If two way communication is available, would it then be possible to do ARP poisoning, and could MiM attacks succeed?

Are there viable options for hardening the setup?
- Should I set up SSL/VPN channels to secure the network?
- The "high security" VLAN is not needed everywhere. Should I keep the VLAN undefined on the other switches, or is it better to define it and not assign it to any port?

The high security nodes are mostly self-sufficient (only occasional need for network) so DoS is probably not an issue. Eavesdropping and intrusion could be critical, though.
Any comments on the subject are welcome!
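One way to verify the "all switchports explicitly set" assumption from the question is to audit the running-config for the settings that make DTP trunk negotiation or 802.1Q double-tagging possible. The script below is an added example, not code from the original post: the config excerpt it reads is constructed, and the interface names and VLAN numbers (10, 20, 999) are invented; it assumes the standard IOS `switchport` command syntax shown in the sample.

```python
import re

# Constructed Catalyst 2950 running-config excerpt (sample input, not from the post).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode dynamic desirable
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 10
interface GigabitEthernet0/2
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands (stripped)."""
    return {name: [l.strip() for l in body.splitlines()]
            for name, body in re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M)}

def port_findings(lines, access_vlans):
    """Settings on one port that would let a connected host reach another VLAN."""
    f = []
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    if mode in (None, "dynamic"):  # no explicit mode (platform default) or dynamic: DTP may negotiate a trunk
        f.append("DTP negotiation possible: set 'switchport mode access' or 'switchport mode trunk'")
    if "switchport nonegotiate" not in lines:  # mode access/trunk alone still sends DTP frames
        f.append("DTP frames still sent: add 'switchport nonegotiate'")
    if mode == "trunk":
        native = next((int(l.split()[-1]) for l in lines if l.startswith("switchport trunk native vlan ")), 1)
        if native == 1 or native in access_vlans:
            f.append(f"native VLAN {native} is the default or an access VLAN: move it to an unused VLAN")
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            f.append("all VLANs carried: prune with 'switchport trunk allowed vlan'")
    return f

def audit(config):
    """{interface: [findings]}; an empty list means the port passed every check."""
    ifaces = parse_interfaces(config)
    # A trunk whose native VLAN is also an access VLAN forwards double-tagged frames from that VLAN.
    access_vlans = {int(l.split()[-1]) for ls in ifaces.values()
                    for l in ls if l.startswith("switchport access vlan ")}
    return {name: port_findings(ls, access_vlans) for name, ls in ifaces.items()}
```

Feed it the output of `show running-config` and look at the ports with a non-empty list; in the sample, FastEthernet0/2 and GigabitEthernet0/1 are flagged while the other two pass.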