cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

3376
Views
10
Helpful
10
Replies
Beginner

VLAN basic security best practice question

Just curious.  I've read that a common best practice with switched networking is to put unused switch ports into an unused VLAN so they're kept away from vlans in use. 

Again this is just a basic question because I haven't thought through nor know of all variables but why not just put each unused port in its own unused vlan (one port per vlan) so that you can also seperate each port from each other?  A scenario I picture is where somebody gets physical access to the switch, and they want to attack the server, so they unplug the server cat6 cable and plug it into one of those unused vlan ports, then plug their laptop also into one of those ports in that unused vlan.  In theory then you have just two hosts on a vlan.  But by having each port be also in it's own vlan, you remove the ability for two ports to talk to each other by default. 

I'm certain there are all klinds of flaws in this thinking of mine but I just wanted to get some input onto what works and why, or why this approach is bad, etc.  Much appreciated and thank you. 

Everyone's tags (1)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Hall of Fame Guru

Two things -

Two things -

1) if someone has phyiscal access to your servers you have a lot more problems than them just switching over the cables

2) the best practice is not just to put unused ports into an unused vlan which does not have an SVI but also to administratively shut those ports as well.

Jon

View solution in original post

Hall of Fame Cisco Employee

Hi ValleyITPC,

Hi ValleyITPC,

But by having each port be also in it's own vlan, you remove the ability for two ports to talk to each other by default. 

That is true but this would be an extremely heavyweight solution to a simple problem - making sure that two unused ports do not communicate together if they are inadvertently connected.

Switches have a limited number of VLANs you can create. Some switches support only up to 255 or 1005 VLANs. Creating a separate VLAN for each unused port would be wasting this limit, not even talking about possible issues if particular VLAN IDs happen to be used on other switches as regular VLANs. Especially in a larger deployment, finding a set of unused VLANs and keeping it unused would be a hard task. Also note that you would either need to have a unique set of unusable VLANs per switch, or you would need to very diligently filter out these VLANs on trunks. Last but not least, for every VLAN, a separate STP instance is being run (if MSTP is not deployed). Many switches support only up to 128 STP instances, and if this number is larger, remaining VLANs are not protected against switching loop. With possibly tens of VLANs for unused ports, plus your production VLANs, you could overstep this limit and end up in heavy trouble.

In my opinion, the easiest way of solving the task of preventing unused ports from communicating with each other is by putting them into a single standalone VLAN and declaring that VLAN as a suspended VLAN:

vlan 999
name ParkingVLAN
state suspend

Any access port in VLAN 999 would be automatically blocked - essentially, all traffic would be blackholed. That's exactly what you need to protect unused ports from talking to each other.

Best regards,
Peter

View solution in original post

10 REPLIES 10
Hall of Fame Guru

Two things -

Two things -

1) if someone has phyiscal access to your servers you have a lot more problems than them just switching over the cables

2) the best practice is not just to put unused ports into an unused vlan which does not have an SVI but also to administratively shut those ports as well.

Jon

View solution in original post

Hall of Fame Cisco Employee

Hi Jon and ValleyITPC,

Hi Jon and ValleyITPC,

Ad 2) - I would even suggest suspending the VLAN that holds the unused ports. It is meant as an additional protective measure to make sure that simply having a port active won't make it automatically capable of communicating with someone (anyone) else.

Best regards,
Peter

Beginner

Thanks very much guys I

Thanks very much guys I appreciate the info.  I didn't know you could suspend a vlan and also didnt' know about the STP instance limit but also I just am thankful for the expereienced input. 

Hall of Fame Cisco Employee

Hi ValleyITPC,

Hi ValleyITPC,

But by having each port be also in it's own vlan, you remove the ability for two ports to talk to each other by default. 

That is true but this would be an extremely heavyweight solution to a simple problem - making sure that two unused ports do not communicate together if they are inadvertently connected.

Switches have a limited number of VLANs you can create. Some switches support only up to 255 or 1005 VLANs. Creating a separate VLAN for each unused port would be wasting this limit, not even talking about possible issues if particular VLAN IDs happen to be used on other switches as regular VLANs. Especially in a larger deployment, finding a set of unused VLANs and keeping it unused would be a hard task. Also note that you would either need to have a unique set of unusable VLANs per switch, or you would need to very diligently filter out these VLANs on trunks. Last but not least, for every VLAN, a separate STP instance is being run (if MSTP is not deployed). Many switches support only up to 128 STP instances, and if this number is larger, remaining VLANs are not protected against switching loop. With possibly tens of VLANs for unused ports, plus your production VLANs, you could overstep this limit and end up in heavy trouble.

In my opinion, the easiest way of solving the task of preventing unused ports from communicating with each other is by putting them into a single standalone VLAN and declaring that VLAN as a suspended VLAN:

vlan 999
name ParkingVLAN
state suspend

Any access port in VLAN 999 would be automatically blocked - essentially, all traffic would be blackholed. That's exactly what you need to protect unused ports from talking to each other.

Best regards,
Peter

View solution in original post

Participant

Is state suspend the same

Is state suspend the same thing as shutdown under the vlan? It appears both are present. 

vlan 999
 name ParkingVLAN
 shutdown

from the help file

shutdown      Shutdown VLAN switching
  state         Operational state of the VLAN

Hall of Fame Cisco Employee

Hi David,

Hi David,

There is a difference between shutting down a VLAN and suspending a VLAN. Suspending a VLAN would have a VTP domain-wide effect, precisely as Joseph has mentioned: It would suspend the VLAN on all switches in the VTP domain, if VTP was used. In other word, the state of a VLAN, either active or suspend, is propagated via VTP to all other switches in the VTP domain. Shutting down a VLAN has only a local effect - the VLAN will be suspended on the local switch but this change will not be propagated to any other switch, even if VTP was in use.

Please do not confuse suspending or shutting down a VLAN with shutting down the interface VLAN. The interface VLAN is a connection of the internal CPU in the switch to a particular VLAN so that the CPU can behave like an end host in that VLAN. A VLAN (without saying interface) is a virtual broadcast domain. Shutting down an interface VLAN will disconnect the CPU in the switch from the particular VLAN. Shutting down a VLAN will prevent any  member of that VLAN (as a broadcast domain) from sending and receiving data in that VLAN.

Best regards,
Peter

Participant

So if VTP is not in use, then

So if VTP is not in use, then it would essentially do the same thing on a local switch.  It would only be locally significant for disabling the VLAN?

Hall of Fame Cisco Employee

David,

David,

So if VTP is not in use, then it would essentially do the same thing on a local switch.  It would only be locally significant for disabling the VLAN?

Exactly right.

Best regards,
Peter

VIP Expert

Disclaimer

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages wha2tsoever (including, without limitation, damages for loss of use, data or profit) arising  out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

If someone has physical access to the switch's ports, then you have a security issue, that alone, is difficult to address with just the switch configuration.  For example, consider I bring my own little 4 port unmanaged switch to get two hosts on the same wire.

Practices such as shutting down unused ports, or creating a parking VLAN, are more oriented to preclude accidental mistakes.  I.e. you need to configure a port from its shut, parking VLAN status, to what you really want to use it for.

BTW, if you're using VTP, what Peter described I believe applies to other switches within the same VTP domain.  I believe the VLAN shutdown command only applies to the local switch (VTP server mode).

Highlighted
Beginner

I don't know much about VTP

I don't know much about VTP yet but that'll come in time (pre-CCNA here).  The solution to the unmanged switch problem is simple:  only have enough power outlets for the # of devices in use, with the other power outlets all administratively shut down and assigned to a parking virtual power-bar. :) Just messing around, though I wonder if that thing exists in data centers...

CreatePlease to create content
Content for Community-Ad