How can you secure VLANs?

1 Use strong passwords and encryption

The first step to secure VLANs is to use strong passwords and encryption for your network devices and protocols. This will prevent unauthorized access and tampering with your VLAN configuration and data. For example, you should use SSH instead of Telnet for remote management, and enable HTTPS for web-based interfaces. You should also use a secure protocol such as SNMPv3 for network monitoring and management, and encrypt your trunk links with 802.1AE (MACsec) or IPSec.

2 Implement VLAN access control lists

VLAN access control lists (VACLs) are a way to filter traffic within a VLAN or between VLANs. They are similar to router access control lists, but they operate at layer 2 of the OSI model. You can use VACLs to restrict the types of traffic that can enter or leave a VLAN, such as ICMP, ARP, or specific TCP or UDP ports. You can also use VACLs to block traffic from specific MAC addresses or IP addresses, or to enforce security policies based on time or user identity.

3 Use private VLANs and isolated ports

Private VLANs (PVLANs) are a special type of VLANs that allow you to isolate hosts within the same VLAN. PVLANs have three types of ports: promiscuous, isolated, and community. Promiscuous ports can communicate with any other port in the PVLAN, isolated ports can only communicate with promiscuous ports, and community ports can communicate with promiscuous ports and other ports in the same community. PVLANs can help you prevent host-to-host attacks, such as ARP spoofing or MAC flooding, within a VLAN.

Isolated ports are another way to isolate hosts within a VLAN. They are similar to isolated ports in PVLANs, but they do not require a special VLAN type. You can configure any switch port as an isolated port, and it will only be able to communicate with the switch itself. Isolated ports can help you protect sensitive hosts, such as servers or network devices, from unauthorized access or scanning.

4 Use dynamic VLAN assignment and 802.1X

Dynamic VLAN assignment is a way to assign hosts to VLANs based on their identity or attributes, rather than their switch port. This can help you simplify your VLAN management and enforce security policies based on user roles or groups. For example, you can assign employees, guests, and contractors to different VLANs based on their authentication credentials or network profiles.

802.1X is a protocol that enables dynamic VLAN assignment and port-based authentication. It uses a three-party model: the supplicant (the host that wants to access the network), the authenticator (the switch port that controls the access), and the authentication server (the server that validates the credentials and assigns the VLAN). 802.1X can help you prevent unauthorized or rogue devices from joining your VLANs and accessing your network resources.

5 Use VLAN hopping prevention techniques

VLAN hopping is a type of attack that allows an attacker to access or spoof a different VLAN than the one assigned to their switch port. There are two primary methods of VLAN hopping: switch spoofing and double tagging. Switch spoofing involves deceiving the switch into believing that the attacker's device is another switch, and negotiating a trunk link that carries multiple VLANs. Double tagging requires sending a packet with two VLAN tags, one for the attacker's VLAN and one for the target VLAN, and exploiting a vulnerability in the switch's tag processing. To prevent such attacks, it is recommended to disable unused switch ports and put them in a shutdown or unused VLAN, enable port security and limit the number of MAC addresses per port, use 802.1Q tagging for trunk links and disable DTP (dynamic trunking protocol), set the native VLAN to a different VLAN than the default VLAN 1, enable BPDU guard and root guard to prevent rogue switches from becoming part of the spanning tree, and enable DHCP snooping and IP source guard to prevent ARP spoofing and IP spoofing.

6 Use VLAN monitoring and auditing tools

The last step to secure VLANs is to use VLAN monitoring and auditing tools to detect and respond to any anomalies or threats in your VLAN environment. These tools can collect and analyze VLAN information, such as configuration, membership, traffic, performance, and security events. They are also useful for identifying and troubleshooting any misconfigurations, errors, or violations in your VLAN policies. Examples of VLAN monitoring and auditing tools include Cisco Network Assistant (CNA), SolarWinds Network Configuration Manager (NCM), Wireshark, and Nmap. CNA provides a graphical view of your VLAN topology, configuration, and status. NCM automates and centralizes your VLAN configuration management, backup, and restoration. Wireshark captures and analyzes VLAN traffic and packets, while Nmap scans and maps your VLAN network and devices while detecting any open ports, services, or vulnerabilities.

7 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?