Re: Preventing Vlan Hopping or inter vlan communication

Gerard Roy · ‎08-05-2011

What would be the best method to prevent vlan hopping or inter vlan communication? I have an 881 router with a trunk port that is connected to a 2960 which has a additional trunk port connected to a 2nd 2960 switche and then it is trunked to a third 2960 (see attached drawing). I created a vtp domain and brodcast the vlans across the links so all switches are aware of all vlans (8 vlans). I created the vlan interfaces 7 AND 8 on the 881 and dhcp scopes per vlan and all is working well. Now I want to add security so access between vlans is impossible (if that IS possible). Besides acl's on the router that prevent access between subnets, what else can I apply on the router and what would you recommend on the switches?

Reza Sharifi · ‎08-05-2011

Here is a good document regarding securing Cisco devices.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

HTH

Jon Marshall · ‎08-05-2011

Gerard

Unfortunately cannot read visios but vlan hopping etc. is tied to the native vlan concept and vlan 1. Hopefully you aren't using vlan 1 for anything but if you are you should look to change it.

Attached is a link to a white paper on vlan security. It is written for the 6500 but a lot of it is relevant to all Catalyst switches -

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

Jon

Somasundaram Jayaraman · ‎08-05-2011

Hi,

Could you please refer the below link for configuring Private vlans & VACL

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

Supported platforms:

================

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml

Hope this helps

Cheers

Somu

Pls rate the answer if the content was found useful