VLAN Security – Main VLAN reason

In short, implementation of VLANs is in a way like breaking switches in more parts. When we take a normal switch, let’s say cisco one, it has all the ports configured in a way that every computer from one port can connect to any other computer connected to any other port on that switch. If we implement two VLANs on the switch, the computers connected to ports that are in the same VLANs will function normally and will be able to communicate without knowing that the VLANs are existing on the switch. But if we connect one computer to the port in VLAN 1 and some other computer to port in VLAN 90 these two computers will act like they are connected to different switches.

VLANs

They will be completely separated and will not be able to communicate in any way. Only way to make the communication possible is to route the traffic from one VLAN to other. This can be done using a router whose interfaces are connecting different VLANs or by implementing Router on a Stick. The best way to route VLANs, the way that is in use today is by implementing the routing directly into the switch. This is possible only on new and very popular L3 switches.

Now, let’s discuss the security issues, we spoked in the post before about some general VLAN stuff but the main reason of VLAN implementation these days is Security. In case of flat internetwork (network where every host is in the same sobnet with all other hosts), the security issues used to be dealt by linking together the hubs as well as switches with the routers. In other words, router actually manages and maintains the security. There are some drawbacks related to this arrangement as it is not effective: The first drawback is that when anyone connects to the physical network then he could easily access the resources of network that are situated on that whole physical LAN. The second thing was that anyone could easily monitor the traffic happening in that network simply by connecting into the hub a network analyzer. The users could also join a workgroup by simply connecting their workstations into the present hub. And, this is not secured! For this reason VLANs are considered best. Simply by establishing them and by creating multiple broadcast groups it is quite easy now for the administrators to control the users and each port. Now it’s a history when users could easily gain access to network resources simply by connecting their workstations into any switch port, as now the administrators have authority to control all the ports and the resources each port can access. One more advantage is that the VLANs can be created as per the network resources requirement of a user, also the configuration of the switches can be done in such a way so that it can inform a network management station about any illegal/unauthorized access to resources of network. Those who need inter-VLAN communication, then this can be done by implementing limitations on a router. Even the limitations can be implemented on applications, hardware addresses as well as protocols.

 

Leave a Reply