VLANs are a common way to segment network traffic. While they provide a degree of security by segregating traffic, VLANs alone do not offer robust security mechanisms and are insufficient to protect against all network attacks. Let’s break it down from two perspectives: network and security.
From a Network Perspective:
VLANs: VLANs (Virtual Local Area Networks) are primarily a networking tool for segregating traffic. They partition a physical network into multiple, smaller logical networks. Each VLAN forms its own broadcast domain, which means devices in the same VLAN can communicate with each other directly, but they need a router (or other Layer 3 device) to communicate with devices in a different VLAN. This reduces unnecessary traffic, makes the network easier to manage, and improves performance.
From a Security Perspective:
VLANs: As part of a layered security strategy, VLANs can contribute to network security by segregating traffic and reducing the potential attack surface. For example, sensitive systems can be isolated into separate VLANs, limiting their exposure to the rest of the network.
However, VLANs alone do not provide robust security. They do not inherently prevent attacks between VLANs or protect against attacks like VLAN hopping. There are several ways to harden VLAN segmentation; routing inter-VLAN traffic through an SVI on a firewall is the recommended option. I’ve implemented this with Palo Alto firewalls by moving the SVIs from the Cisco switches up to the firewalls.
SVIs and Firewalls: A Switch Virtual Interface (SVI) is a virtual interface that provides Layer 3 routing for a VLAN. When the SVI for a VLAN lives on a firewall, all inter-VLAN traffic passes through the firewall, which can then permit or deny it according to the configured security policy.
Cisco Options:
Cisco provides several features that can be used to control packets both within a VLAN and between different VLANs.
1. Access Control Lists (ACLs): ACLs are the most common way to control packets on Cisco devices. They can be used to filter traffic based on IP addresses, protocols, port numbers, and more. You can apply ACLs to interfaces to control packets going in and out of a VLAN.
(config)# access-list 1 permit 192.168.1.0 0.0.0.255
(config)# interface GigabitEthernet0/1
(config-if)# ip access-group 1 in
In the example above, ACL 1 permits traffic from the IP range 192.168.1.0/24, and it is applied in the inbound direction on the GigabitEthernet0/1 interface.
2. VLAN Access Control Lists (VACLs): VACLs, also known as VLAN maps, filter traffic within the same VLAN. Regular ACLs can’t do this because they are applied to a routed interface and therefore only affect inter-VLAN traffic.
(config)# vlan access-map MYVACL 10
(config-access-map)# match ip address 1
(config-access-map)# action drop
(config-access-map)# exit
(config)# vlan access-map MYVACL 20
(config-access-map)# action forward
(config-access-map)# exit
(config)# vlan filter MYVACL vlan-list 10
In this example, a VACL named MYVACL is created. Sequence 10 matches traffic defined by ACL 1 and drops the matching packets; sequence 20 has no match clause and forwards everything else. The second sequence matters: like an ACL, a VLAN access map ends in an implicit deny, so a map containing only the drop clause would drop all other traffic in the VLAN. Finally, the VACL is applied to VLAN 10 with the “vlan filter” command.
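To make the ACL and VLAN-map semantics concrete, here is an added Python example (not from the original post, and not a Cisco tool) that parses the standard ACL from item 1 and the VLAN access map from item 2 with a small model of the IOS matching rules: wildcard-mask comparison, first-match-wins in the ACL, sequence order in the access map, and the implicit deny at the end of both. It evaluates the map with sequence 10 alone and with a trailing sequence 20 that forwards, so the difference is visible: with only the drop clause, every packet in the VLAN is dropped, not just the 192.168.1.0/24 traffic.

```python
import ipaddress

# Constructed configuration: the standard ACL from item 1 and the VLAN access
# map from item 2, as they appear in the text.
ACL_CONFIG = """
access-list 1 permit 192.168.1.0 0.0.0.255
"""

# Sequence 10 alone: drops what ACL 1 permits, and the implicit deny at the
# end of the map drops everything else in the VLAN.
VACL_DROP_ONLY = """
vlan access-map MYVACL 10
 match ip address 1
 action drop
"""

# Same map followed by sequence 20, which has no match clause and therefore
# forwards all remaining traffic.
VACL_WITH_FORWARD = VACL_DROP_ONLY + """
vlan access-map MYVACL 20
 action forward
"""


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_standard_acls(text: str) -> dict:
    """Return {acl_number: [(action, base, wildcard), ...]} in config order."""
    acls: dict = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) < 4 or p[0] != "access-list":
            continue
        num, action, src = p[1], p[2], p[3:]
        if src[0] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            base, wildcard = src[1], "0.0.0.0"
        else:
            base = src[0]
            wildcard = src[1] if len(src) > 1 else "0.0.0.0"
        acls.setdefault(num, []).append((action, base, wildcard))
    return acls


def acl_permits(acls: dict, num: str, src_ip: str) -> bool:
    """First matching entry wins; no match means the ACL's implicit deny."""
    for action, base, wildcard in acls.get(num, []):
        if wildcard_match(src_ip, base, wildcard):
            return action == "permit"
    return False


def parse_vacl(text: str, name: str) -> list:
    """Return the map's clauses as [{'seq', 'match', 'action'}] in sequence order."""
    clauses: dict = {}
    seq = None
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if len(p) == 4 and p[:2] == ["vlan", "access-map"] and p[2] == name:
            seq = int(p[3])
            # A clause with no explicit action forwards by default.
            clauses[seq] = {"seq": seq, "match": None, "action": "forward"}
        elif seq is not None and p[:3] == ["match", "ip", "address"]:
            clauses[seq]["match"] = p[3]
        elif seq is not None and p[0] == "action":
            clauses[seq]["action"] = p[1]
    return [clauses[s] for s in sorted(clauses)]


def decide(vacl_text: str, src_ip: str, name: str = "MYVACL") -> str:
    """Apply the VLAN access map to a packet from src_ip: 'drop' or 'forward'.

    Clauses are tried in sequence order. 'match ip address N' matches when
    ACL N permits the packet; a clause with no match statement matches all
    traffic. A packet matching no clause hits the implicit deny and is dropped.
    """
    acls = parse_standard_acls(ACL_CONFIG)
    for clause in parse_vacl(vacl_text, name):
        if clause["match"] is None or acl_permits(acls, clause["match"], src_ip):
            return clause["action"]
    return "drop"


if __name__ == "__main__":
    for text, label in ((VACL_DROP_ONLY, "seq 10 only"), (VACL_WITH_FORWARD, "seq 10 + 20")):
        for ip in ("192.168.1.77", "10.0.0.5"):
            print(f"{label:12} {ip:14} -> {decide(text, ip)}")
```

Running it shows the 10.0.0.5 packet dropped under the drop-only map and forwarded once sequence 20 exists; the 192.168.1.77 packet is dropped in both cases, which is the behaviour the VACL was written for.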
3. Private VLANs: Private VLANs (PVLANs) provide isolation at Layer 2 by segregating ports within the same VLAN. This means you can control traffic between hosts in the same VLAN.
(config)# vlan 100
(config-vlan)# private-vlan primary
(config-vlan)# exit
(config)# vlan 200
(config-vlan)# private-vlan community
(config-vlan)# exit
(config)# vlan 300
(config-vlan)# private-vlan isolated
(config-vlan)# exit
(config)# vlan 100
(config-vlan)# private-vlan association 200,300
(config-vlan)# exit
(config)# interface GigabitEthernet0/1
(config-if)# switchport mode private-vlan host
(config-if)# switchport private-vlan host-association 100 200
(config-if)# exit
(config)# interface GigabitEthernet0/2
(config-if)# switchport mode private-vlan host
(config-if)# switchport private-vlan host-association 100 300
(config-if)# exit
In this example, VLANs 100, 200, and 300 are created with different PVLAN types (primary, community, and isolated), and the two secondary VLANs are associated with primary VLAN 100; without that association, the host-association commands on the ports are rejected. Ports GigabitEthernet0/1 and GigabitEthernet0/2 are configured as PVLAN host ports and associated with the primary VLAN and their respective secondary VLANs, so GigabitEthernet0/1 can talk to other members of community VLAN 200 while GigabitEthernet0/2, in isolated VLAN 300, can only reach promiscuous ports.
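As an added example (not from the original post), the following Python models the Layer 2 reachability rules of private VLANs on a single switch by parsing an IOS-style configuration. It uses the VLANs and two host ports from the snippet above plus three hypothetical ports assumed here for illustration: a second isolated host, a second community host, and a promiscuous uplink GigabitEthernet0/5 mapped to both secondary VLANs. The rules encoded are: isolated ports reach only promiscuous ports; community ports reach other members of the same community and promiscuous ports; a promiscuous port reaches a host only if its mapping includes that host's secondary VLAN.

```python
# Constructed configuration: the PVLAN snippet from the text (VLANs 100/200/300,
# GigabitEthernet0/1 and 0/2) plus hypothetical ports 0/3, 0/4 and a
# promiscuous uplink 0/5, added here for illustration.
PVLAN_CONFIG = """
vlan 200
 private-vlan community
vlan 300
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 200,300
interface GigabitEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
interface GigabitEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 300
interface GigabitEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 300
interface GigabitEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
interface GigabitEthernet0/5
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200,300
"""


def parse_pvlan(text: str):
    """Return (vlan_type, ports).

    vlan_type maps a VLAN id to 'primary', 'community' or 'isolated'.
    ports maps an interface name to its mode, primary VLAN and the set of
    secondary VLANs it is associated with (one for a host, any number for
    a promiscuous port's mapping).
    """
    vlan_type: dict = {}
    ports: dict = {}
    ctx = None
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "vlan":
            ctx = ("vlan", int(p[1]))
        elif p[0] == "interface":
            ctx = ("if", p[1])
            ports[p[1]] = {"mode": None, "primary": None, "secondary": set()}
        elif ctx and ctx[0] == "vlan" and p[0] == "private-vlan" and p[1] in ("primary", "community", "isolated"):
            vlan_type[ctx[1]] = p[1]
        elif ctx and ctx[0] == "if" and p[:3] == ["switchport", "mode", "private-vlan"]:
            ports[ctx[1]]["mode"] = p[3]
        elif ctx and ctx[0] == "if" and p[:2] == ["switchport", "private-vlan"] and p[2] in ("host-association", "mapping"):
            ports[ctx[1]]["primary"] = int(p[3])
            ports[ctx[1]]["secondary"] = {int(s) for s in p[4].split(",")}
    return vlan_type, ports


def can_reach(vlan_type: dict, ports: dict, a: str, b: str) -> bool:
    """Layer 2 reachability between two PVLAN ports on the same switch."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False                      # different primary VLANs: separate broadcast domains
    if pa["mode"] == "promiscuous" and pb["mode"] == "promiscuous":
        return True
    if pa["mode"] == "promiscuous":
        return pb["secondary"] <= pa["secondary"]   # mapping must include the host's secondary
    if pb["mode"] == "promiscuous":
        return pa["secondary"] <= pb["secondary"]
    # Two host ports: they must share a secondary VLAN, and it must be a
    # community VLAN; hosts in the same isolated VLAN still cannot talk.
    (sa,) = pa["secondary"]
    (sb,) = pb["secondary"]
    return sa == sb and vlan_type[sa] == "community"


def reachability_matrix(text: str) -> dict:
    """Map each unordered port pair (a, b) with a < b to its reachability."""
    vlan_type, ports = parse_pvlan(text)
    names = sorted(ports)
    return {(a, b): can_reach(vlan_type, ports, a, b) for a in names for b in names if a < b}


if __name__ == "__main__":
    for (a, b), ok in reachability_matrix(PVLAN_CONFIG).items():
        print(f"{a} <-> {b}: {'reachable' if ok else 'blocked'}")
```

The matrix makes the isolation properties visible without a lab: the two community hosts reach each other, the two isolated hosts do not, and every host reaches the promiscuous uplink. Shrinking the uplink's mapping to a single secondary VLAN shows the other failure mode, a host that can reach nothing at all.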
4. Layer 3 functionality on switches: Many Cisco switches, especially those in the Catalyst series, offer Layer 3 functionality, including routing between VLANs on the switch itself. By using ACLs and other security features, you can control packets going between VLANs without the need for a separate router.
5. Security Group Tags (SGTs): If you’re using Cisco’s TrustSec solution, SGTs are applied to packets as they enter the network. The infrastructure then uses these tags to enforce access policies throughout the network, controlling where packets can go.
Remember that the best practices for controlling packets in a network vary with the specific requirements and architecture of your network. Understand the capabilities of your devices and design a strategy that provides the needed level of security while maintaining network performance; a robust network security strategy typically combines several of the elements above. It’s also crucial to stay current with security best practices, given the evolving nature of network security threats.