At 01:02 PM 9/28/97, steven.j.schulze wrote:
>I have a client who is running VLANs on Cisco switches, mostly for convenience
>and flexibility reasons. This client is wondering if any level of security
>is achieved due to this "virtual" network segmentation. I realize that VLANs
>are not firewalls, strong encryption+authentication, etc. however, to achieve
>separation and prevent snooping / interception, do the VLANs in effect take
>each node out of each other's "Collision Domain" (to use the Ethernet term)?
>Assume the worst-- competing clients on the network, with NICs in promiscuous
>mode (trivial to do today), what would that PC / Unix box see?
VLANs segregate switch ports into segments. In other words, once
you have created three VLANs, you can think of it as three
separate physical switches.
Now, within each switched VLAN:
- Broadcasts are forwarded to each port (within the same VLAN)
- A packet is only forwarded from one port to another if
  the switch determines that the destination is reachable
  via another switch port
- A PC in promiscuous mode would be able to sniff:
  - Broadcasts within the same VLAN
  - Packets being sent across a hub connected to a single
    switch port
Typically you would use a router to route between VLANs.
You can connect an Ethernet interface to each VLAN
or you can create a global port and put multiple addresses
on the interface. That's a design issue. Some switches
now have routing capability built in.
To answer your question:
- Switching with no VLANs provides protection because not all
  users see all packets (each switch port is its own collision
  domain).
- Switching with no VLANs provides no protection in sniffing
  for broadcast packets.
- Switching with VLANs provides some protection against broadcast
  sniffing as long as the offending PC is not within the same
  VLAN.
Mike
+----------------------------------------------------------+
| Michael D. Ferioli                 ferioli@comnet.com.tr |
| Comnet A.S.                     http://www.comnet.com.tr |
+----------------------------------------------------------+
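A toy model of the forwarding rules Mike describes (MAC learning, flooding within a VLAN, filtering on the ingress port), added here as an illustration and not part of the original thread; the topology, host names and traffic are constructed. It shows what a promiscuous NIC on a given port captures, including the unknown-unicast flooding that happens before the switch has learned a destination.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Toy model of a MAC-learning switch with port-based VLANs (constructed for illustration)."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # port -> VLAN id; each VLAN acts as its own switch
        self.cam = {}                      # (vlan, mac) -> port, learned from source addresses

    def forward(self, in_port, src, dst):
        """Return the set of ports the switch delivers this frame to."""
        vlan = self.port_vlan[in_port]
        self.cam[(vlan, src)] = in_port    # source learning, scoped to the ingress VLAN
        out = self.cam.get((vlan, dst))
        # Broadcasts, and unicasts to a MAC not yet learned, are flooded to every
        # other port of the same VLAN; ports in other VLANs never receive the frame.
        if dst == BROADCAST or out is None:
            return {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}
        return set() if out == in_port else {out}   # destination behind the same port (hub): filtered


def captured(sw, sniffer_port, traffic):
    """Frames a promiscuous NIC on sniffer_port sees, for traffic given as (port, src, dst).

    The sniffer sees whatever the switch delivers to its port, plus everything
    transmitted by hosts that share that port through a hub."""
    seen = []
    for in_port, src, dst in traffic:
        delivered = sw.forward(in_port, src, dst)
        if in_port == sniffer_port or sniffer_port in delivered:
            seen.append((src, dst))
    return seen


# Constructed topology: VLAN 10 on ports 1-3, VLAN 20 on port 4.
# Host A on port 1, hosts B and D share a hub on port 2, host C on port 4.
PORT_VLAN = {1: 10, 2: 10, 3: 10, 4: 20}
TRAFFIC = [
    (2, "B", "A"),          # unknown unicast: A not learned yet, so it is flooded
    (1, "A", BROADCAST),    # broadcast inside VLAN 10
    (2, "B", "A"),          # A now learned: switched to port 1 only
    (4, "C", BROADCAST),    # broadcast inside VLAN 20
    (2, "D", "B"),          # hub traffic that never crosses the switch
]

if __name__ == "__main__":
    for port in (3, 2, 4):
        print(f"sniffer on port {port}:", captured(VlanSwitch(PORT_VLAN), port, TRAFFIC))
```

A sniffer on port 3 captures only the flooded unicast and the VLAN 10 broadcast; one on the hub at port 2 also captures the switched unicast and the hub-local frame; one in VLAN 20 captures nothing from VLAN 10.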