
I was reading a VLAN setup walkthrough, and the author had an interesting idea for setting up VLANs without a router (which you don't normally see). At first glance, this doesn't seem like it actually works how the author expected it to, but I've been wrong before.

  • In the switch, he set up three VLANs (2, 3, and 4).
  • Then he assigned one group of ports to VLANs 2 and 3, with an (untagged) PVID of 3.
  • The second group of ports was assigned to VLANs 2 and 4, with an (untagged) PVID of 4.
  • The port out to the router was then assigned to all three VLANs (2, 3, and 4), with an (untagged) PVID of 2.

This setup supposedly separated the network traffic from VLAN 3 and VLAN 4. It does prevent pings or direct network traffic from one router to another. The problem that I see, however, is that all packets coming from the router will be sent out to both groups of devices (VLANs 3 and 4). This seems to, at least partially, defeat the security, since any packets from the router will go out to all the devices.

Is the author's solution valid, security-wise, or is it, in fact, routing reply packets from the WAN into both VLANs?

  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer.
    – Ron Maupin
    Commented Apr 1, 2018 at 19:49

1 Answer

  • Then he assigned one group of ports to VLANs 2 and 3, with an (untagged) PVID of 3.
  • The second group of ports was assigned to VLANs 3 and 4, with an (untagged) PVID of 4.

Most hosts will not recognize tagged frames, and will discard tagged frames, so the hosts will only use the untagged VLANs. Packets from the router will only be addressed for the network of one VLAN, and the router will only use the MAC address of the destination host, so the frames will still only be delivered to a single host.

Switches also will build MAC address tables, and they will then only deliver frames to the interface where the MAC address was last seen.

This is really a security problem because some hosts, e.g. servers, can be configured to trunk, and this allows them to send and receive traffic on multiple VLANs. Also, broadcasts, e.g. ARP, may be leaked to other VLANs, allowing an attacker to see and spoof a MAC address.

This configuration is really goofy, and you should have a really good reason to do it.

  • I'm sorry, I just noticed that I made an error: the second group had VLAN 2 and 4 instead of 3 and 4. I don't know if that affects your answer at all.
    – tech4him
    Commented Jan 19, 2018 at 0:39
  • No. As I wrote, the traffic on the tagged VLAN will probably be dropped by hosts.
    – Ron Maupin
    Commented Jan 19, 2018 at 0:40
  • And agreed, it's a really goofy setup.
    – tech4him
    Commented Jan 19, 2018 at 0:40
  • OK. The main thing I was wondering about was about having the port from the router set up as an untagged port assigned to a specific VLAN instead of a trunk port. I'm assuming that's a really bad idea as well?
    – tech4him
    Commented Jan 19, 2018 at 0:43
  • A trunk is a link with multiple VLANs; each but one (the native VLAN) is tagged. The tags simply allow the device on the other end (the switch) to separate the VLANs. One VLAN can be untagged and still have its traffic separated, because all the other VLANs are tagged. This is a normal situation for a trunk.
    – Ron Maupin
    Commented Jan 19, 2018 at 0:46
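As an added example that is not part of the original question or answer: a small Python model of the switch's 802.1Q forwarding rules (untagged ingress takes the port's PVID, egress is tagged on every port where the VLAN is not that port's PVID, unicast follows the MAC table, unknown/broadcast destinations flood to member ports) applied to the port layout described above, using the asker's corrected membership (group 2 in VLANs 2 and 4). The port names, MAC addresses and the shared-vs-per-VLAN learning switch are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Port:
    members: FrozenSet[int]  # VLANs this port carries
    pvid: int                # VLAN given to untagged ingress; sent untagged on egress


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None  # None: no 802.1Q tag on the wire


class Switch:
    """Minimal 802.1Q bridge: PVID, membership filtering, MAC learning."""

    def __init__(self, ports: Dict[str, Port], per_vlan_learning: bool = False):
        self.ports = ports
        # Assumption: shared learning (one table for all VLANs) unless told otherwise.
        self.ivl = per_vlan_learning
        self.mac_table: Dict[Tuple[int, str], str] = {}

    def _key(self, vid: int, mac: str) -> Tuple[int, str]:
        return (vid, mac) if self.ivl else (0, mac)

    def forward(self, ingress: str, frame: Frame) -> Dict[str, Frame]:
        """Return {egress port: frame as it appears on that wire}."""
        p = self.ports[ingress]
        vid = p.pvid if frame.vlan is None else frame.vlan
        if vid not in p.members:
            return {}                       # ingress filtering: VLAN not allowed here
        self.mac_table[self._key(vid, frame.src)] = ingress
        known = self.mac_table.get(self._key(vid, frame.dst))
        if known == ingress:
            return {}                       # destination is behind the ingress port
        if known is not None:
            targets = [known] if vid in self.ports[known].members else []
        else:                               # unknown unicast / broadcast: flood
            targets = [n for n, q in self.ports.items() if n != ingress and vid in q.members]
        return {n: Frame(frame.src, frame.dst, None if self.ports[n].pvid == vid else vid)
                for n in targets}


def host_accepts(frame: Frame, accepts_tagged: bool = False) -> bool:
    """An ordinary host drops tagged frames; a trunked host (e.g. a server) keeps them."""
    return frame.vlan is None or accepts_tagged


def build_switch(per_vlan_learning: bool = False) -> Switch:
    # Layout from the question, with the asker's correction for group 2.
    return Switch({
        "group1": Port(frozenset({2, 3}), pvid=3),
        "group2": Port(frozenset({2, 4}), pvid=4),
        "router": Port(frozenset({2, 3, 4}), pvid=2),
    }, per_vlan_learning)


def demo(per_vlan_learning: bool = False) -> Dict[str, Dict[str, Frame]]:
    sw = build_switch(per_vlan_learning)
    host = "aa:aa:aa:aa:aa:01"   # constructed: a host behind a group-1 port
    rtr = "02:00:00:00:00:01"    # constructed: the router's LAN MAC
    return {
        # 1. host ARPs untagged: lands in VLAN 3, reaches the router port tagged 3
        "host_arp": sw.forward("group1", Frame(host, BCAST)),
        # 2. router answers untagged: VLAN 2, unicast to the learned port, tagged 2
        "router_unicast": sw.forward("router", Frame(rtr, host)),
        # 3. router broadcasts untagged: VLAN 2 floods to both host groups, tagged 2
        "router_broadcast": sw.forward("router", Frame(rtr, BCAST)),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(name, {port: f.vlan for port, f in out.items()})
```

Run it and the three cases line up with the answer: every frame the router sends arrives on the host ports carrying a VLAN 2 tag, so a host that discards tagged frames never sees it, while a host trunked to accept tags does; the MAC table confines the router's unicast to the one port the host was learned on; and the router's broadcast still floods to both groups, which is the leak the answer warns about. Note also that the router port, with VLAN 2 untagged and 3 and 4 tagged, is exactly the trunk-with-native-VLAN arrangement described in the comments. Switching to per-VLAN learning shows a further wrinkle: the host's MAC was learned in VLAN 3, so the router's VLAN 2 unicast is unknown there and floods to both groups as well.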
