VLAN security question for 3 different networks

I am working on a new project for my company and I will be dealing with 3 different networks, and each network will have 1 router and 1 switch. Let's say 1 network will have sensitive data running through it while the other networks do not. My team and I have to configure the devices, and I am arguing with my co-workers about how to set up the VLAN names for each switch. The networks are different but very similar. My co-workers want each VLAN that is configured on 1 switch to have the same name on the other switches. Even though this is on a different switch and network, I do not think this is a good practice, because if a hacker gains access to one switch or network, he or she can then use that information to know more about the other networks and possibly gain access to them. It may seem easy and convenient, but I do not think that it is very smart.

My question to everyone that reads this is: is there any documentation, best practices or guidelines that state that having the same VLAN names for different switches on different networks should NOT be used because it could compromise the other networks? My manager asked me to find any documentation that backs up this claim. I have looked at Cisco, NIST, DoD Cyber and keep finding the same information, but not what I am looking for. Any help would be appreciated. Thank you.

 

Is there any documentation or best practices stating why I should not use the same VLAN names for a switch?


5 Replies

I found "Practice Dangerous to Security" that this seems to fall under. Will look more into it.

 

balaji.bandi (Hall of Fame)

As per the VLAN name concern: if VLAN 10 is used all over the switches, you need to maintain the same VLAN name for easy understanding when troubleshooting. If this is a different VLAN, you can name it anything you like.

When the attack vector occurs in the VLAN segment, it does not matter what the VLAN name and number are; the attacker is already in the VLAN segment and knows all the information already. (The name makes no difference here.)

The best practice is to segment the network in such a way that public-exposed services are separated from the LAN segment; that is the reason a FW comes into place, to validate or audit the traffic before passing it between VLANs.

You can also do the same using an ACL if you have a router (if you do not have a FW in place).

 

BB


Thank you for the reply, but you seem to be missing the point I was trying to make. Let's say you have 2 networks. One network has sensitive or confidential information in it and the other does not. Do you make both networks nearly the same? As in same routing, same VLANs, same subnets, ACLs? If so, if the network that does NOT have sensitive information on it is compromised, will the attacker be able to gain access to the confidential network much easier knowing what he or she knows about the non-sensitive network? The answer is yes in my opinion. Also, I am looking for documentation that will back that up. What documents or references did you look up to validate your response?

Friend, I don't have a full answer, but you must know that the VLAN name is local to the switch; it is never used in any frame. Your question must be changed to be about VLAN-ID, not VLAN name. VLAN-ID can be used in some L2 attacks, but the VLAN name never is.
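The distinction made in this reply, that the VLAN-ID travels in the frame while the VLAN name exists only in the switch's configuration, can be checked directly against the bytes. The following is an added example, not code from this thread or from Cisco: it builds and parses IEEE 802.1Q tagged Ethernet frames (TPID 0x8100 followed by a 16-bit TCI carrying PCP, DEI and the 12-bit VID) and then verifies that a constructed, switch-local VLAN name table never shows up on the wire. The MAC addresses, payload and VLAN names are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q-tagged frame

# Constructed, switch-local table: this mapping lives only in the switch's
# configuration ("name" under "vlan <id>") and is never serialized into frames.
VLAN_NAMES: Dict[int, str] = {10: "FINANCE_SENSITIVE", 20: "OFFICE_GENERAL"}


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    pcp: Optional[int]       # 3-bit priority code point
    dei: Optional[bool]      # drop eligible indicator
    ethertype: int           # EtherType of the encapsulated payload
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0,
                dei: bool = False) -> bytes:
    """Assemble an Ethernet II frame, optionally inserting an 802.1Q tag."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vlan_id is None:
        header += struct.pack("!H", ethertype)
    else:
        if not 0 <= vlan_id <= 4095 or not 0 <= pcp <= 7:
            raise ValueError("VID must fit in 12 bits and PCP in 3 bits")
        tci = (pcp << 13) | (int(dei) << 12) | vlan_id
        header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    return header + payload


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and, if present, the single 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        # Untagged frame: on a trunk this would be treated as native-VLAN traffic
        return Frame(dst, src, None, None, None, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("802.1Q TPID present but TCI/EtherType truncated")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, bool((tci >> 12) & 1),
                 inner_type, raw[18:])


def name_leaks_on_wire(raw: bytes, names: Dict[int, str]) -> bool:
    """True only if any configured VLAN name string appears in the frame bytes."""
    return any(name.encode("ascii") in raw for name in names.values())


def demo() -> dict:
    # Constructed sample addresses and payload (not real hosts)
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    payload = b"\x45\x00" + b"\x00" * 18  # placeholder IPv4-looking bytes
    tagged = build_frame(dst, src, 0x0800, payload, vlan_id=10, pcp=5, dei=True)
    untagged = build_frame(dst, src, 0x0806, payload)
    t, u = parse_frame(tagged), parse_frame(untagged)
    return {
        "tagged_vid": t.vlan_id, "tagged_pcp": t.pcp, "tagged_dei": t.dei,
        "tagged_ethertype": t.ethertype, "untagged_vid": u.vlan_id,
        "name_visible": name_leaks_on_wire(tagged, VLAN_NAMES),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the VID (10), PCP and DEI recovered from the tag while `name_visible` stays `False`: anything an observer on the segment learns comes from the 12-bit VID, which is why hardening guidance concentrates on trunk and native-VLAN handling rather than on naming.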

Thank you, friend, for the reply and the update on VLAN-ID instead of VLAN name. I should have said that in the original question. I think I have found what I was looking for. I found a document that deals with Cyber Security Solutions by the NSA stating why everything should be distinct, even something as simple as a VLAN-ID, which is local to that switch. I am aware it is local, but in the context of networks, when you have multiple networks in an organization, each should be distinct from the others so that it raises the security posture of the network or organization as a whole. It is more of a defense in depth approach as well. Thanks again.