  • VLAN1 Best Practice

    I'm working with a client to redesign his very simple network infrastructure and I have a question about using VLAN1.

    My client has a single Dell PowerConnect 5324 switch connected to the Trusted and Optional interfaces on a Watchguard Firebox X1000 firewall. The switch has been configured with three VLANs: VLAN1, VLAN2 and VLAN3. The Firebox Trusted interface connects to a port in VLAN1 and the Firebox Optional interface connects to a port in VLAN2. VLAN1 is for backend servers, VLAN2 is for an NLB TS cluster and VLAN3 is for an Exchange 2010 DAG replication network.

    This design allows the client to have three internal subnets, one for the backend, one for the NLB TS cluster and the third for DAG replication. This provides Layer 2 separation of the three subnets and the Firebox handles the routing of traffic to VLAN1 and VLAN2.

    The client's ISP is recommending that the client not use VLAN1 and they've given somewhat unclear reasons for it. They've stated that using VLAN1 could create a VLAN "conflict" with their network. Now I've read about VLAN hopping and switch spoofing due to the use of VLAN1, but I've never heard of a VLAN "conflict". I don't believe that the usual concerns regarding VLAN1 security are valid here as we're talking about a single switch. Since VLANs are a Layer 2 construct and the Firebox External interface connects to the upstream router, I don't believe there's any such thing as a VLAN "conflict", and even if there is it's not applicable here because our switches aren't connected to the upstream provider's switches. Our Firebox WAN interface connects to an Ethernet port on their router.

    So my questions are: Is there really an issue with using VLAN1 in this scenario and is there such a thing as a VLAN "conflict"?
    Last edited by joeqwerty; 30th September 2013, 07:05.

  • #2
    Re: VLAN1 Best Practice

    Presumably the client is using a private address scheme, rather than public IP addresses everywhere, so the Firebox (or the upstream router) is providing NAT as well as filtering. If so, how could any VLAN issues affect the ISP?

    The only way it could possibly be an issue is if the client is using public (or at least routable to the ISP) IPs.

    (note this is with no knowledge of the Firebox, and not a lot about VLANs)
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: VLAN1 Best Practice

      I think they may be worried about 'VLAN mismatch', which can happen between devices where the default VLAN on one switch is different from the default VLAN on the second. Ossian is right that it shouldn't be an issue since Layer 3 NAT is between the 2 systems (if the IPs are private).

      From a security standpoint, it's best practice to disable VLAN 1 completely, because that's most commonly used to put servers/network management on. Shutting it down reduces the attack surface available to anyone up to no good.
      *RicklesP*
      MSCA (2003/XP), Security+, CCNA

      ** Remember: credit where credit is due, and reputation points as appropriate **



      • #4
        Re: VLAN1 Best Practice

        Originally posted by RicklesP:
        I think they may be worried about 'VLAN mismatch', which can happen between devices where the default VLAN on one switch is different from the default VLAN on the second. Ossian is right that it shouldn't be an issue since Layer 3 NAT is between the 2 systems (if the IPs are private).

        From a security standpoint, it's best practice to disable VLAN 1 completely, because that's most commonly used to put servers/network management on. Shutting it down reduces the attack surface available to anyone up to no good.
        OK, a VLAN mismatch makes sense, but since our switch doesn't connect to the ISP switch this shouldn't be an issue.

        Since we're talking about a single, physically secured switch, I don't think the typical VLAN1 security concerns are relevant. Yes or No?

        Thanks much.



        • #5
          Re: VLAN1 Best Practice

          Hi, I can only find this. It's not very detailed; maybe that's why they gave you a vague response. You could contact them to clarify.

          About VLAN ID Numbers

          By default, each interface on most new, unconfigured switches belongs to VLAN number 1. Because this VLAN exists on every interface of most switches by default, the possibility exists that this VLAN can accidentally span the entire network, or at least very large portions of it.

          We recommend you use a VLAN ID number that is not 1 for any VLAN that passes traffic to the Firebox or XTM device.

          http://www.watchguard.com/help/docs/...s_about_c.html
          (at the bottom of the link)

          With a router between each network, I can't see how it would cause any issue; as Ossian said, the router would be performing NAT and strip out all the VLAN data.
          Last edited by uk_network; 30th September 2013, 22:18.
          Please remember to award reputation points if you have received good advice.
          I do tend to think 'outside the box' so others may not always share the same views.

          MCITP -W7,
          MCSA+Messaging, CCENT, ICND2 slowly getting around to.
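
          The WatchGuard note above (every port sits in VLAN 1 until configured otherwise) and RicklesP's advice to shut VLAN 1 down both come down to a config review. Below is an added example, not from this thread or from Dell or WatchGuard, of that review as a small Python audit over a constructed, IOS-style running-config (the syntax and interface names are assumptions): it flags access ports left in the default VLAN, trunks whose native VLAN is still 1, and a management SVI still up on VLAN 1.

```python
# Constructed sample running-config (IOS-style syntax is an assumption, not the
# client's real PowerConnect output). Ports with no "switchport access vlan"
# line sit in VLAN 1, the factory default the WatchGuard note warns about.
SAMPLE_CONFIG = """\
interface vlan 1
 ip address 192.168.1.2 255.255.255.0
interface ethernet g1
 switchport mode access
 switchport access vlan 10
interface ethernet g2
 switchport mode access
interface ethernet g3
 switchport mode trunk
 switchport trunk allowed vlan add 2,3
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each 'interface X' stanza to its indented sub-commands."""
    blocks: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def _vlan_from(lines: list[str], prefix: str, default: int) -> int:
    """VLAN number on the line starting with prefix, or default if absent."""
    for l in lines:
        if l.startswith(prefix):
            return int(l.split()[-1])
    return default

def audit_vlan1(config: str) -> list[str]:
    """Report every place VLAN 1 still carries management or user traffic."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name.lower() == "vlan 1":
            if "shutdown" not in lines:
                findings.append("vlan 1: management SVI is up on the default VLAN")
        elif any(l == "switchport mode trunk" for l in lines):
            if _vlan_from(lines, "switchport trunk native vlan", 1) == 1:
                findings.append(f"{name}: trunk native VLAN is 1 (untagged frames enter VLAN 1)")
        elif _vlan_from(lines, "switchport access vlan", 1) == 1:
            findings.append(f"{name}: access port left in default VLAN 1")
    return findings
```

          Run `audit_vlan1(SAMPLE_CONFIG)` and an empty list means no port, trunk or SVI is still relying on VLAN 1; each finding names the stanza to fix.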
