help me with understanding vlan's and security

thetoad

Feb 10, 2021
I'm trying to understand vlans and security and I'm hoping people can correct my explanation of my understanding if I get something wrong.

- At the purest level, VLANs are separate virtual networks that the switch prevents from communicating.
- This isn't always that great, so a switch can enable VLANs to effectively "peer" with each other, letting traffic transit back and forth between them, but in this way there is no security between the VLANs.
- In order to control how network traffic flows, one has to enable IP-level firewall rules between VLANs.

So, for example:

one might have an IoT VLAN, a home VLAN, a guest VLAN, a management network VLAN, and let's say the router VLAN (unsure this is necessary?)

the router vlan will be peered with all of them (minus management) (though with caveat above, my assumption is some way to provide internet connectivity to the ones that need it).

the home VLAN might be additionally peered with the IoT VLAN, but with firewall rules dropping all SYN packets from the IoT VLAN (so one can initiate connections to the IoT VLAN, but the IoT VLAN cannot initiate connections to it).

the management network VLAN might be peered (yes, not as secure) to the home VLAN, but only allow SYN packets from a specific machine and drop SYN packets from the rest (so only that machine can initiate connections to it).

wondering if I'm not quite understanding how this all gets set up / pointers to plain-language explanations / examples to understand this better if so.

thanks
 

Drewy

Apr 23, 2016
You have a few misconceptions.
There will be no connection between the VLANs by default. You need to route traffic between the VLANs if you want it to pass. This is done either with a router or a layer 3 switch. A normal layer 2 switch will not ever pass traffic between VLANs.
If you use a router to route between the VLANs, then, provided the router provides a firewall, you can use that to control what gets to connect to what. If you use an L3 switch you're generally going to use ACLs or extended ACLs, which can act like or similar to a simple firewall.
A port can carry traffic for multiple VLANs, but only one VLAN will be untagged and natively visible to a NIC connected to it. All other VLANs on that port would be tagged VLANs. A NIC can access multiple of these but would have to be configured, and each VLAN would be presented to the OS as a separate network.
There are, or at least used to be, switches/routers (I'm thinking Draytek) that allowed physical tagging of ports to kinda VLANs. Not entirely sure how that worked; it was a proprietary thing.
When you start playing with VLANs you will quickly learn that you need to plan backout plans. If you make a mistake you'll lock yourself out of the network. Often a switch will make changes live but won't save them to flash until you tell it to. So you can make the change, test it and, worst case, reboot the switch to back it out and try again.
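As an added illustration (not from either poster), here is what the policy thetoad sketched looks like on the "router with a firewall" option Drewy describes, written as an nftables ruleset for a Linux box doing the inter-VLAN routing. It assumes 802.1Q sub-interfaces named vlan10 (home), vlan20 (IoT), vlan30 (guest) and vlan99 (management), an uplink eth0, and an admin workstation at 192.168.10.50; all of these names and addresses are placeholders. Instead of matching TCP SYN flags directly, it uses connection tracking, which expresses "only one side may initiate" for UDP and ICMP as well as TCP.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Interface names, uplink and the
# admin host address are placeholders for the reader's own setup.
flush ruleset

define HOME       = "vlan10"
define IOT        = "vlan20"
define GUEST      = "vlan30"
define MGMT       = "vlan99"
define WAN        = "eth0"
define ADMIN_HOST = 192.168.10.50

table inet intervlan {
    chain forward {
        # Default is drop: nothing crosses a VLAN boundary unless a rule below says so.
        type filter hook forward priority filter; policy drop;

        # Replies to connections accepted below may flow back in either direction.
        # This is the stateful equivalent of "drop SYNs from the IoT side": a packet
        # from IoT to home is only accepted if home opened the connection first.
        ct state established,related accept
        ct state invalid drop

        # Every VLAN except management may reach the internet.
        iifname { $HOME, $IOT, $GUEST } oifname $WAN accept

        # Home may open connections to IoT. There is deliberately no matching
        # rule for IoT -> home, so new flows from IoT fall through to the drop policy.
        iifname $HOME oifname $IOT ct state new accept

        # Only the admin workstation may open connections into management.
        iifname $HOME oifname $MGMT ip saddr $ADMIN_HOST ct state new accept

        # Everything else (guest -> home, IoT -> management, ...) is logged and dropped,
        # which is also where you will see your own mistakes show up while testing.
        log prefix "intervlan-drop: " counter drop
    }
}
```

On a stateless L3-switch ACL the same intent has to be written per direction (for example, permitting only TCP segments with ACK set coming back from the IoT VLAN), which is why a stateful router is the easier fit for a policy like this.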