Danny Rose posted

Why VLAN?

Virtual Local Area Networks (VLAN)are logically connected, organizing the network by limiting broadcast traffic and increasing security by separating traffic by a VLAN-capable switch (Lammle, 2015). The primary function of VLANs is to house subnetworks that contain specific IP addresses (Mitchell, 2021). VLANs are necessary even in small organizations due to potential growth or simply to have a separate guest network (Mitchell, 2021). The switch, a connectivity device at layer two that associates MAC addresses to specific ports, is the critical component of VLAN that segments the network into subnetworks by designating particular ports (Lammle, 2015). Regarding increasing security through segmentation, there can be traffic congestion and security concerns if there is only one broadcast domain (Lammle, 2015). However, the separate networks can be set up to communicate by trunking, i.e., adding a router or multilayer switch (Lammle, 2015). Regarding organization, segmentation has the added benefit of isolating problems and thus facilitating troubleshooting (Lammle, 2015).

How to Implement VLAN

A specified number of local area networks (LAN), segments, are separated through a VLAN capable switch (a multilayer switch would allow interdepartmental traffic or the addition of router capability) so that network traffic is isolated between departments (Lammle, 2012). Specific ports on the switch are assigned to specific segments. Each host will need to be connected to their designated segment through cabling, i.e., a point-to-point connection traveling from each device to the central switch. Regarding cabling, different cable types are more appropriate in different contexts, environmental, distance, cost, security, and transmission requirements (Lammle, 2012). If conduit is used for the cabling (e.g., electrical metallic conduit), the conduit will need to be run to a central telecommunication room to facilitate connection to the switch. The conduit will need to be terminated in separate boxes near host devices.

VLAN Attacks

Of course, VLAN security is not foolproof and has corresponding VLAN hopping attacks. Two separation attacks of VLANs occur through switch spoofing or double packing. In switch spooking, ports can be “access” or “trunked” interface. In trunk access, all VLANs can be sent over one connection (What, n.d.). Thus, an attacker can plugin with a lab top and configure the switch as a trunk. This attack requires physical access (What, n.d.). In double packing, A VLAN tag is normally added on a frame when it goes down a trunk for identification purposes (VLAN, n.d.). When an additional tag is added to the same frame, the first switch interprets the first tag and sends the packet to the second switch, i.e., the fake tag reroutes traffic (VLAN, n.d.).

References

Lammle, T. (2015). Comptia Network+ Study Guide. Sybex, a Wiley brand.

Mitchell, B. (2021, June 5). What a VLAN can do for you and your Business Computer Network. Lifewire. Retrieved April 24, 2022, from https://www.lifewire.com/virtual-local-area-networ…

VLAN-based network attacks. VLAN-Based Network Attacks :: Chapter 9. Switching Security :: LAN switching first-step :: Networking :: eTutorials.org. (n.d.). Retrieved April 24, 2022, from https://etutorials.org/Networking/lan+switching/Ch…

What is switch spoofing attack and how to prevent switch spoofing attack. (n.d.). Retrieved April 24, 2022, from https://www.omnisecu.com/ccna-security/what-is-swi…