Is VLAN fully secure?

Natha340Mai340
Level 1

Hello everyone, I wonder if VLAN is fully secure. For example, I wish to add a new VLAN for my DMZ network, but I'm afraid there will be traffic from other VLANs on this DMZ VLAN. I think that sometimes the switch broadcasts traffic to all ports regardless of what VLAN the port belongs to.

Am I mistaken? Is it possible to confirm that every VLAN is independent and never receives any type of traffic from other VLANs?

Any tips about traffic forwarding between VLANs are welcome.


cadet alain
VIP Alumni

Hi,

A VLAN is an L2 broadcast domain, so no, you can't have traffic from one VLAN at Layer 2 going to another. To communicate between VLANs you must route between them.

Regards.

Alain

Don't forget to rate helpful posts.

darren.g
Level 5

Maicon Pereira wrote:

Hello everyone, I wonder if VLAN is fully secure. For example, I wish to add a new VLAN for my DMZ network, but I'm afraid there will be traffic from other VLANs on this DMZ VLAN. I think that sometimes the switch broadcasts traffic to all ports regardless of what VLAN the port belongs to.

Am I mistaken? Is it possible to confirm that every VLAN is independent and never receives any type of traffic from other VLANs?

Any tips about traffic forwarding between VLANs are welcome.

On Cisco switches, VLANs are a logically isolated Layer 2 domain, so unless you have some form of routing device (which could be a switch virtual interface (SVI) on the switch itself or an external router of some kind) you will NOT have traffic from one VLAN mixing with traffic from another VLAN.

Provided there is no SVI on the switch for a given VLAN, you can happily have the same IP range on devices in two different VLANs and still not be able to communicate between the VLANs.

*Only* if you have some form of Layer 3 device (router) moving traffic between the different VLANs will traffic between them work.

So yes, every VLAN is independent and will never receive traffic from another UNLESS there is a router involved. If you want to forward traffic between VLANs you must have either an external router or an SVI (if you have a Layer 3 capable switch).

Cheers

Natha340Mai340
Level 1

Ok guys, but it is very strange, because I have seen a situation on a Layer 2 switch (with the Ethereal sniffer) where there was traffic from VLAN_X on VLAN_Y. I don't know if that switch was damaged, but there was traffic from one VLAN to the other.

So... I would like to know if VLAN is a fully secure way to add a DMZ network, for example.

thanks

Maicon,

If a switch is indeed leaking one VLAN into another, then adding yet another VLAN will not solve things for you. In fact, one VLAN leaking into another without routing is always a sign of incorrect network operation, whether caused by incorrect configuration, cabling or physical topology issues that cause the two VLANs to be physically interconnected, MAC table overflow on the switch, firmware errors, hardware issues, etc.

So my personal suggestion would be to double-check the claim that frames from one VLAN are somehow leaking into another VLAN. If that is confirmed, I would then research the physical topology, cabling and configuration to eliminate all possibilities of miscabling or misconfiguration, and then check to see if the switch is not being attacked (CAM table overflow). If no problem is found and the leaking is still present, then the switch is faulty. I repeat that again: under no circumstances should traffic from one VLAN ever leak into a different VLAN without a Layer 3 device (i.e. a router).

Best regards,

Peter

Maicon Pereira wrote:

Ok guys, but it is very strange, because I have seen a situation on a Layer 2 switch (with the Ethereal sniffer) where there was traffic from VLAN_X on VLAN_Y. I don't know if that switch was damaged, but there was traffic from one VLAN to the other.

So... I would like to know if VLAN is a fully secure way to add a DMZ network, for example.

thanks

I second what Peter said here: if you're seeing frames from one VLAN appearing in another VLAN, then there has to be *some* kind of interconnection, and it's most likely bad cabling somewhere (some physical link between two different VLAN ports), or some device which is connected to both VLANs in bridging mode somehow.

You say you're seeing "traffic" from VLAN_X on VLAN_Y. How are you determining this traffic is present? Are you seeing packets actually tagged with different VLAN numbers at Layer 2, or are you seeing some kind of IP or Layer 3 protocol getting between the two VLANs? If it's some form of Layer 3 leakage, then there is possibly some form of router present which is moving traffic between the two segments.

Cheers.

Natha340Mai340
Level 1

Thanks everyone, I saw a VLAN_X IP address on the VLAN_Y segment. It was very strange, but I'm no longer the administrator of that environment.

I posted this question here because I would like to know if anybody has ever seen this before. Currently I'm adding a DMZ network at a customer, so I wonder if VLAN is a fully secure way, even when used for a DMZ network.

Thanks

Maicon Pereira wrote:

Thanks everyone, I saw a VLAN_X IP address on the VLAN_Y segment. It was very strange, but I'm no longer the administrator of that environment.

That could be as simple as someone plugging a PC which has an IP address for VLAN_X into a VLAN_Y port, especially if you use fixed IP addressing and not DHCP allocations.

Cheers.
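As an added illustration of the distinction drawn above (frames carrying a different 802.1Q VLAN ID, which would be a real Layer 2 leak, versus a host that merely sends from another subnet's IP address, as with the misplugged PC in the last reply), here is a small Python checker that is not from this thread. It assumes a constructed DMZ of VLAN 30 on 192.0.2.0/24 and builds its own sample frames.

```python
# Added example (not from the thread): classify raw Ethernet frames from a capture
# to tell an 802.1Q tag mismatch (true L2 leak) from a host with a foreign IP.
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame(raw):
    """Return (vlan_id or None, ethertype, src_ip or None) for one Ethernet frame."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF  # low 12 bits of the TCI hold the VLAN ID
        offset = 18
    src_ip = None
    if ethertype == ETHERTYPE_IPV4 and len(raw) >= offset + 20:
        src_ip = ipaddress.IPv4Address(raw[offset + 12:offset + 16])  # IPv4 source
    return vlan_id, ethertype, src_ip


def classify(raw, expected_vlan, expected_subnet):
    """L2_LEAK: tagged for another VLAN; FOREIGN_IP: sender's address belongs elsewhere."""
    vlan_id, _, src_ip = parse_frame(raw)
    if vlan_id is not None and vlan_id != expected_vlan:
        return "L2_LEAK"
    if src_ip is not None and src_ip not in ipaddress.IPv4Network(expected_subnet):
        return "FOREIGN_IP"  # the case of a VLAN_X-addressed PC plugged into a VLAN_Y port
    return "OK"


def audit(frames, expected_vlan, expected_subnet):
    """Count frame verdicts for a capture point that should only see expected_vlan."""
    counts = {"OK": 0, "L2_LEAK": 0, "FOREIGN_IP": 0}
    for raw in frames:
        counts[classify(raw, expected_vlan, expected_subnet)] += 1
    return counts


def build_frame(src_ip, vlan_id=None):
    """Construct a minimal Ethernet(+802.1Q)+IPv4 frame; constructed test data only."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address("192.0.2.255").packed)
    return hdr + ip
```

Feeding real frames (e.g. from a SPAN port capture) through audit() separates the two explanations in the thread: any L2_LEAK count points at cabling, configuration or a faulty switch, while FOREIGN_IP alone points at a misaddressed or misplugged host.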