RE: VLAN Question

["David Gillett" <gillettdavid () fhda edu>]

> Originally, VLANs were created solely to help mitigate the very high
> cost of early switches. Switches were being sold in multiples of 16
> or 32 ports, and they were vastly more expensive than hubs. To help
> people get the most out of their switch investments, VLANs allowed
> partitioning broadcast domains, to buy the performance advantages of
> switch isolation while allowing multiple smaller networks to be
> implemented on the same expensive switch. 

  I can't buy this.  Although several cascaded hubs get you the 
equivalent of one big hub, switches do not combine the same way.
I don't think there was ever a time when a chassis switch with four
12-port cards cost less than four separate 12-port switches.
  And if all VLANs did was allow your one big expensive switch to
emulate a stack of cheap little switches, almost nobody would ever
use them.

  Where partitioning of switches into VLANs starts to pay off is 
where you have (a) trunking of multiple VLANs from switch to switch,
and (b) router blades for switch chasses, to route between VLANs.
Now you can deploy a layer 3 topology that doesn't look anything 
like your layer 2 topology, and you can provide redundant linkage
via spanning tree instead of HSRP or even OSPF.

David Gillett


> -----Original Message-----
> From: Bennett Todd [mailto:bet () rahul net]
> Sent: August 20, 2003 09:51
> To: Steven Williams
> Cc: Security-basics () securityfocus com
> Subject: Re: VLAN Question
>
>
> 2003-08-20T03:09:24 Steven Williams:
> > I'm after some opinions of yours and your companies policy
> > regarding the use of VLAN's as a method of isolating the internet
> > to internal VLAN's on the same physical layer 2 / 3 switch and
> > access controlled by ACL's or firewalls.
>
> There are several sides to this question.
>
> Originally, VLANs were created solely to help mitigate the very high
> cost of early switches. Switches were being sold in multiples of 16
> or 32 ports, and they were vastly more expensive than hubs. To help
> people get the most out of their switch investments, VLANs allowed
> partitioning broadcast domains, to buy the performance advantages of
> switch isolation while allowing multiple smaller networks to be
> implemented on the same expensive switch. In this context, leakage
> between vlans wasn't an issue as long as the amount of leakage
> didn't cause a performance impact. vlans leaked. Minor leakage was
> not considered a problem by the vendors. They weren't designed as
> security partitions.
>
> Customers started pressing vendors, and they've responded. I've
> spoken with a Cisco engineer who said that properly, carefully
> configured, current switches with current CatOS were not believed to
> leak between vlans, and a finding that they could so leak would be
> treated as a priority security bug. Cool says I, this enables
> something I've wanted to have for some time. Combine switches with
> vlans that are secure and 802.1q trunking, and you can have a
> firewall with a ludicrous number of firewall ports --- it becomes
> practical to consider building a fully-firewalled fully-routed
> network, where every host has its own dedicated firewall port. Not
> for everybody, perhaps, but I can think of places where it'd be
> worth doing. Say, hotels offering network jacks in the rooms.
>
> But there's another issue to consider. Even if the vlan
> implementation is truly secure in the switch, sharing multiple vlans
> representing different security domains on the same switch means
> that a config error on that switch could compromise your isolation.
> Config errors happen. Config errors that don't overtly break
> anything are often not detected for a long time.
>
> Switches are cheap. Use multiple switches unless there's a really
> compelling engineering requirement to use multiple vlans on the same
> switch.
>
> -Bennett

---------------------------------------------------------------------------
----------------------------------------------------------------------------