VLANs don't really increase security as much as they increase manageability. To truly secure the switches you should implement port-level security and limit the number of MAC addresses allowed per port. This prevents someone from plugging in a cheap wireless access point and opening your network to the world. It also prevents someone from being able to flood the switch with MAC addresses and fill up the MAC cache, thus turning your switch into a hub and enabling them to run a man-in-the-middle attack.

On the Catalyst OS the command is:

    set port security 2/1-48 enable age 10 maximum 2 shutdown 10 violation shutdown

This sets the MAC address age to 10 minutes and the maximum addresses per port to 2, and a violation will shut the port down for 10 minutes.

Precaution: do not do this on your trunk ports, and if you have other switches or WAPs hanging off of ports, increase the max variable accordingly.

Smith

-----Original Message-----
From: Naman Latif [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 06, 2003 12:00 PM
To: [EMAIL PROTECTED]
Subject: VLAN Security

Hi,

We have different Cisco Catalyst switches configured for VLANs. With the current configuration:

1. All trunks have a native VLAN, which is not used by any user.
2. Management VLAN is other than VLAN 1.

We have different VLANs in place, however these are only used for different servers, and all users are only members of VLAN-1.

Does it make sense to have all the user ports migrated to a different VLAN (other than VLAN 1)? Is there a security advantage in this?

Regards \\ Naman
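The CatOS command in the reply above has an IOS-based Catalyst equivalent; the following is an added example, not part of either message, and assumes a 48-port switch whose user ports are FastEthernet0/1-48 with uplinks elsewhere:

```cisco
! Added example: IOS equivalent of "set port security ... maximum 2 shutdown 10
! violation shutdown". Apply only to user-facing access ports, never to trunks
! or uplinks to other switches/WAPs (raise "maximum" on those instead).
interface range FastEthernet0/1 - 48
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security aging time 10
!
! A violation puts the port in err-disabled state; recover it automatically
! after 600 s (10 min) to match the "shutdown 10" behaviour of the CatOS command.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
! Verification: confirm max/current address counts and the violation action,
! and look for SecureShutdown ports after an incident.
show port-security
show port-security interface FastEthernet0/1
show interfaces status err-disabled
```

A violation also raises a %PORT_SECURITY syslog message naming the offending MAC and port, which is worth forwarding to a log collector so that a flood or rogue device is noticed rather than just silently blocked.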
