Mixing public and private networks on the same switch

Jason Flory
Level 1

Hello Everyone,

I know this may get some security engineers in a frenzy, but I wanted to know if there is a safe way to mix public and private networks on the same switch.

We have many remote offices where we want to add public wifi and a couple of other services that would be completely outside of our internal network.  Each office has a 3750 with plenty of open ports.  How can I safely create a VLAN for public access on these switches, which currently carry our internal network?  I have read that people are doing this to save on the cost of purchasing a dedicated switch.  Some people are using access lists, and one person mentioned creating a private VLAN for the public network.  I looked up private VLANs and it seemed a bit confusing.

Is this recommended?  If not what would be the safest way to do this?

Thanks Everyone

7 Replies

fsebera
Level 4

Hey Jason,

It is possible to set up your environment as you describe, just like driving without insurance. You are taking your chances. It sounds like you don't wanna spend more money on hardware because you have free ports on your production switch. I do this sort of thing in my lab environment daily, but I don't have the public hacking away at my lab 24x7. Perhaps you could consider e-bay for the public facing switch; cheap, and it solves the issue completely. If the e-bay switch dies, just spend another 10 bucks and you're back in business.

No matter which method you choose (ACLs, private VLANs, VLANs), anyone overloading the CAM table with bogus MAC addresses will turn your switch into a useless hub. And remember, in a hub environment, everyone gets all traffic.

There are several free programs on the web to perform this MAC overloading task.

Hope this helps

Frank

Leo Laohoo
Hall of Fame

We have many remote offices that we want to add public wifi and a couple of other services that would be completely outside of our internal network.

You just solved your answer in this statement.

Nowadays, it is absolutely UNNECESSARY to provide a guest/public WIRED network.  You want guest Wi-Fi access because you don't have to provide expensive cabling infrastructure to clients which cannot move.  Next, have you seen the latest generation of laptops?  They are so thin you need a separate adaptor for RJ45.  A lot of people don't carry this around because of Wi-Fi.

If you want to save money, implement guest wi-fi.  This is the trend.

Your post is not very helpful.

The WiFi Access Point still has to be connected to the wired network at some point, and that goes right back to the original question...can that be on the same physical switch that serves the internal LAN as well?

It is totally possible to "share" the switch for public & internal LANs, and keep them separated by using VLANs.  There are pros and cons to doing this, mainly centering around security.  When properly set up, it is very unlikely that you will have any issues, but that low probability is still technically greater than it would be vs. using two separate physical switches.

If you are going to go this route, just ensure that ...

1) Use VLAN IDs higher than 1 for all public & internal ports

2) Ensure that all public ports are set up in "switchport mode access" and have the same native VLAN ID set

3) Ensure that all internal ports are set up in "switchport mode access" and have the same native VLAN ID set, which is not the same one as in #2

4) Set up ACLs to limit management VLAN (the Vlan1 interface on the switch) access to specific internal hosts

Also, if you want to have multiple internal VLANs, all of the above applies, except for additional considerations:

Replace #3 above with:

3a) Ensure that all internal ports that are not going to other switches are set up in "switchport mode access" and have the necessary native VLAN ID set, which is not the same one as in #2

3b) Ensure that all internal ports going to other switches use the "switchport trunk allowed vlan" command to limit the trunk to the set of internal VLANs
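As an added example (not from any poster in this thread), a Python script that audits a saved `show running-config` against rules 1, 2/3 and 3b above. The internal VLAN set {10, 20}, the guest VLAN 200 and the sample config are constructed assumptions, and only physical switchports are expected in the input.

```python
import re
from itertools import takewhile

# Constructed sample running-config excerpt: a compliant guest AP port on VLAN 200,
# an internal port left on default VLAN 1, and an uplink trunk that fails to prune VLAN 200.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 200
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,200
"""

def parse_interfaces(config):
    # Map each "interface X" block to its indented config lines
    blocks = {}
    for chunk in re.split(r"^interface ", config, flags=re.M)[1:]:
        name, _, body = chunk.partition("\n")
        indented = takewhile(lambda l: l.startswith(" "), body.splitlines())
        blocks[name] = [l.strip() for l in indented]
    return blocks

def expand_vlans(spec):
    # Expand an IOS VLAN list such as "10,20,30-35" into a set of ints
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, internal_vlans=frozenset({10, 20})):
    """Return one finding per port that breaks rules 1, 2/3 or 3b above."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        text = "\n".join(lines)
        if "switchport mode access" in lines:
            m = re.search(r"^switchport access vlan (\d+)$", text, re.M)
            if (int(m.group(1)) if m else 1) == 1:  # IOS default access VLAN is 1
                findings.append(f"{name}: access port on VLAN 1 (rule 1)")
        elif "switchport mode trunk" in lines:
            m = re.search(r"^switchport trunk allowed vlan ([\d,\-]+)$", text, re.M)
            allowed = expand_vlans(m.group(1)) if m else set(range(1, 4095))
            if not allowed <= internal_vlans:
                findings.append(f"{name}: trunk carries a non-internal VLAN (rule 3b)")
        else:  # default mode is dynamic auto, so DTP could negotiate a trunk
            findings.append(f"{name}: no explicit switchport mode (rule 2/3)")
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags the internal port left on VLAN 1 and the unpruned trunk, while the guest AP port passes.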

Jeff Van Houten
Level 5

Other than the 3750 is there a router in this picture? I've done this lots of times with a separate vlan for the public and pbr on the router.

Sent from Cisco Technical Support iPad App

I realize this post is about 6 years old, but do you have a config example of how you got this to work? I'm trying to accomplish the same thing, but have had no luck yet.

If you download the Cisco Network Assistant, the setup would be very easy.

I used it; it helps me a lot to add, separate, mix... VLANs in my network without any issues.

Take a look here:

https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/network-assistant/prod_white_paper0900aecd802d1b95.html

Regards.

Aknabyl

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

How "safe" is relative.  If you're running just one VLAN on a switch, that would be the safest (basically the same as mixing traffic on the same wire - separation is done elsewhere).

If you run multiple VLANs on a switch, then you need to determine how likely it is that someone might figure out a way to breach the VLAN barriers.  (This isn't so easy on newer switches.)  If the VLAN isolation is breached, then you need to examine what that implies from a security perspective (for example, can someone now inject or receive other VLAN traffic).

For most purposes, I don't see mixing public and private VLANs, alone, on the same switch as much of a risk.  More of a concern is what can be reached on either VLAN and how well it's protected.