I'm trying to understand vlans and security and I'm hoping people can correct my explanation of my understanding if I get something wrong.
- At the purest level VLANs are separate virtual networks that the switch prevents from communicating.
- This isn't always that great, so a switch can enable VLANs to effectively "peer" with each other, letting traffic transit back and forth between them, but in this way there is no security between the VLANs.
- In order to control how network traffic flows, one has to enable ip level firewall rules between vlans.
So for example.
one might have an IOT vlan, a home vlan, a guest vlan, a management network vlan, and let's say the router vlan (unsure this is necessary?)
the router vlan will be peered with all of them (minus management) (though with caveat above, my assumption is some way to provide internet connectivity to the ones that need it).
the home vlan might be additionally peered with the IOT vlan, but with firewall rules dropping all syn packets from the IOT vlan (so one can initiate connections to the IOT vlan, but the IOT vlan cannot initiate connections to it).
the management network vlan might be peered (yes, not as secure) to the home vlan, but only allow syn packets from a specific machine and drop syn packets from the rest (so only that machine can initiate connections to it).
wondering if I'm not quite understanding how this all gets setup / pointers to plain language explanations / examples to understand this better if so.
thanks
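Here is what the layout described in the post looks like as a Linux router ruleset, as an added example that is not part of the original post. The interface names, subnets and the admin host address are all assumptions for illustration. The router carries a tagged subinterface on each VLAN and is the gateway for all of them, so no separate "router VLAN" is needed; the one-directional home-to-IoT and admin-to-management rules are done with connection tracking (`ct state`), which is the usual way to express "may initiate but not be initiated to" rather than matching SYN flags by hand:

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Assumed layout (all hypothetical):
#   eth0      = WAN uplink
#   eth1.10   = home  VLAN, 10.0.10.0/24
#   eth1.20   = IoT   VLAN, 10.0.20.0/24
#   eth1.30   = guest VLAN, 10.0.30.0/24
#   eth1.99   = mgmt  VLAN, 10.0.99.0/24
#   10.0.10.5 = the one home machine allowed to open connections into mgmt
# The router holds the gateway address on every VLAN; the tagged subinterfaces
# are what let traffic cross between VLANs, and this ruleset decides which crossings are allowed.

flush ruleset

define WAN   = "eth0"
define HOME  = "eth1.10"
define IOT   = "eth1.20"
define GUEST = "eth1.30"
define MGMT  = "eth1.99"
define ADMIN = 10.0.10.5

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # SSH to the router itself only from the mgmt VLAN or the admin host
        iifname $MGMT tcp dport 22 accept
        iifname $HOME ip saddr $ADMIN tcp dport 22 accept
        # Every VLAN may use the router for DHCP, DNS and ping
        iifname { $HOME, $IOT, $GUEST, $MGMT } udp dport { 53, 67 } accept
        iifname { $HOME, $IOT, $GUEST, $MGMT } tcp dport 53 accept
        iifname { $HOME, $IOT, $GUEST, $MGMT } icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections that were already allowed below; this is what
        # makes each policy one-directional without matching on SYN flags
        ct state established,related accept
        ct state invalid drop
        # Internet for everyone except mgmt
        iifname { $HOME, $IOT, $GUEST } oifname $WAN accept
        # Home may open connections to IoT; IoT cannot open connections to home
        iifname $HOME oifname $IOT accept
        # Only the admin host may open connections into mgmt
        iifname $HOME ip saddr $ADMIN oifname $MGMT accept
        # Everything else (IoT -> home, guest -> any internal VLAN, mgmt -> WAN)
        # falls through to the drop policy; log a sample so mistakes are visible
        limit rate 5/minute log prefix "fwd-drop: "
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f /etc/nftables.conf` and inspect the result with `nft list ruleset`; IP forwarding (`net.ipv4.ip_forward=1`) must be enabled or nothing crosses the forward chain at all. A quick check of the policy is to try `nc -zv` from an IoT device to a home address (should time out) and from the home machine to the IoT device (should connect), then the same pair of tests from the admin host and from another home host against a mgmt address. Note that these rules only govern traffic the router forwards: hosts on the same VLAN still talk to each other directly through the switch, so anything that must be isolated from its neighbours needs its own VLAN or a port-isolation feature on the switch.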