Virtual LANs

Recall from Chapter 8 that a virtual LAN, or VLAN, is a group of computers, network printers, network servers, and other network devices behaving as if they were connected to a single network segment.

Network attackers or malicious users often seek to gain access to the management console of a networking device, because if they are successful, they can easily alter the network configuration to their advantage.

In a VLAN switch, in addition to having a direct connection to an out-of-band management port (a port not used for user traffic), the network management station can use one or more VLANs for in-band management. The network management station can also use one or more VLANs to exchange protocol traffic with other networking devices.

Basic physical security guidelines require networking equipment to be in a controlled or locked space, such as a telephone room or communications closet. VLAN-based security's primary rule is confining in-band management and protocol traffic to a logically controlled environment, by implementing the following tools and best practices:

  • Using traffic and protocol access control lists (ACLs) or filters to prevent untrusted traffic from being passed through the switch

  • Disabling Layer 2 protocols on untrusted ports, such as disabling the Cisco Dynamic Trunking Protocol (DTP) on switch access ports

  • Configuring in-band management switch ports only in dedicated and trusted VLANs

  • Not using VLAN 1 to carry user or network data traffic

There is a VLAN used for special requirements within your switch network: VLAN 1.

VLAN 1 Precautions

VLAN 1 is special because switches need a default VLAN to assign to their ports, including management ports, and VLAN 1 is that default. In addition, many Layer 2 protocols need to send their information across a specific VLAN on trunk links. VLAN 1 is reserved for these purposes, and therefore it should not be used for user-related traffic.

Because every port belongs to VLAN 1 by default, VLAN 1 can end up spanning the entire network if the switches are not appropriately configured. If the diameter of VLAN 1 is large enough, the risk of instability significantly increases. Using a universal VLAN for management purposes puts trusted network devices, such as workstations and servers, at higher risk of security attacks from untrusted network devices. Such untrusted devices might reach VLAN 1 through a switch misconfiguration or by accident, and then try to exploit this unexpected security hole in your network.

At present VLAN 1 has a bad reputation to overcome; with a little bit of help, however, VLAN 1 can redeem itself. To redeem VLAN 1, a simple security principle should be used: As a rule, the network administrator should prune any VLAN, most notably VLAN 1, from all the ports where that VLAN is not strictly needed.

VLAN Trunking Protocol (VTP) pruning is disabled by default.

The rule of VLAN pruning means four things to you:

  • Do not use VLAN 1 for in-band or out-of-band management traffic. Instead, use a different dedicated VLAN, thereby keeping management traffic separate from user data and other necessary network protocol traffic.

  • Prune VLAN 1 from all VLAN trunks and from all access ports that do not require participation in VLAN 1, including switch ports that are not connected or shut down. If a switch port is not being used for any reason, move it to a new VLAN created for this purpose. This VLAN should also be pruned.

  • Do not configure the management VLAN on any trunk or access port not requiring participation in the management VLAN. This includes switch ports not connected to any network segments and ports that are shut down and not in use.

  • When feasible, for near-foolproof security, use an out-of-band network management platform, separating your network management traffic from your network user, or data, traffic.

  • If VLANs other than VLAN 1 or the management VLAN represent a security concern, automatic or manual VLAN pruning should be applied. When a VLAN is automatically pruned, the VLAN must be manually enabled.

Trusted and Untrusted Ports

Apart from VLAN pruning in your network, another security principle you should put into practice is this: Connect untrusted (nonsecured) devices to untrusted ports, trusted (secured) devices to trusted ports, and disable all remaining ports.

This security principle means four things to you:

  • If a switch port is connected to an unknown, or foreign, device, do not try to speak the language of this unknown device, because doing so could be turned to an attacker's advantage and used against you. On the switch port in question, disable any unnecessary network management protocols, such as DTP, because you do not want to risk potentially dangerous communication with an untrustworthy neighbor.

  • To prevent undesirable protocol interactions within the network-wide VLAN configuration, configure VTP domains appropriately or turn off VTP. This precaution limits or prevents human error, in the form of a mistake made by a network administrator on one switch, from spreading throughout the network: because the switch carrying the error would advertise a newer VTP revision number, the entire domain's VLAN configuration is at risk of being overwritten with the error. Oops.

  • By default, only switch ports known to be trusted should be treated as such, and all other ports should be configured as untrusted. There is an adage that fits here: We trust, but verify.

  • Create a VLAN to collect unused switch ports; disable every unused switch port and place it in this VLAN. By not granting connectivity to this VLAN, or by placing a device into a VLAN that is not in use, unauthorized network access can be stopped through both physical and logical barriers. In other words, while Patches (physical barrier) is enjoying his steak, the home burglar is contained in the garage because of an alarm system on the house door (logical barrier).
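The following is an added example, not code from the book or from Cisco, that audits a switch running-config against the VLAN pruning rules and the trusted/untrusted port rules above: VLAN 1 pruned from trunks and access ports, DTP disabled on every active port with `switchport nonegotiate`, the management VLAN present only on ports you list as trusted, and unused ports shut down in a parking VLAN. The config text, the interface names and the VLAN IDs 10 (management) and 999 (parking) are constructed for the example.

```python
# Constructed Cisco IOS-style config (not from a real device): Gi0/1 hardened access port,
# Gi0/2 unused port parked and shut down, Gi0/3 trunk still carrying VLAN 1, Gi0/4 factory defaults.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
interface GigabitEthernet0/2
 switchport access vlan 999
 shutdown
interface GigabitEthernet0/3
 switchport mode trunk
 switchport nonegotiate
interface GigabitEthernet0/4
"""
MGMT_VLAN, PARKING_VLAN = 10, 999  # assumed IDs of the management and parking VLANs

def parse_interfaces(config):
    # Map each 'interface X' stanza to the list of its indented sub-commands.
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:  # a top-level line opens a new interface stanza or ends the current one
            current = stanzas.setdefault(line.split(None, 1)[1], []) if line.startswith("interface ") else None
    return stanzas

def arg(cmds, prefix):
    # Argument after a sub-command such as 'switchport access vlan', or None if absent.
    return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix + " ")), None)

def audit(config, trusted_mgmt_ports=()):
    # Return (interface, finding) pairs for ports that violate the rules in the text.
    findings = []
    for name, cmds in parse_interfaces(config).items():
        vlan = int(arg(cmds, "switchport access vlan") or 1)  # no line means the IOS default, VLAN 1
        shut = "shutdown" in cmds
        if shut and vlan != PARKING_VLAN:
            findings.append((name, "unused port not parked in VLAN %d" % PARKING_VLAN))
        elif "switchport mode trunk" in cmds:
            allowed = arg(cmds, "switchport trunk allowed vlan")  # rendered list, e.g. '2-4094'
            if allowed in (None, "all") or any(p == "1" or p.startswith("1-") for p in allowed.split(",")):
                findings.append((name, "VLAN 1 not pruned from trunk"))
        elif vlan == 1 and not shut:
            findings.append((name, "access port still in VLAN 1"))
        elif vlan == MGMT_VLAN and name not in trusted_mgmt_ports:
            findings.append((name, "untrusted port placed in management VLAN"))
        if not shut and "switchport nonegotiate" not in cmds:
            findings.append((name, "DTP not disabled (missing switchport nonegotiate)"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports nothing for Gi0/1 and Gi0/2, the unpruned trunk on Gi0/3, and both the VLAN 1 membership and the enabled DTP on the factory-default Gi0/4.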