In this design VLANs are used to logically separate the traffic of multiple user groups within a single physical network. A typical example of such a design would be an application service provider data center or different departments within a single corporate enterprise that require data segregation.
Vulnerabilities
The primary layer 2 vulnerabilities of this design include the following:
- MAC spoofing
- CAM table overflow
- VLAN hopping
Mitigation
If the security zone is small enough, use port security to help mitigate the CAM table overflow vulnerability as well as the MAC spoofing vulnerability. Additionally, mitigation of VLAN hopping can be accomplished by using the following VLAN best practices as guidelines:
- Use dedicated VLAN IDs for all trunk ports.
- Disable all unused switch ports and place them in an unused VLAN.
- Set all user ports to non-trunking mode by explicitly turning off DTP on those ports.
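The following audit script is an added example and is not part of the original document. It parses a Cisco IOS style switch configuration and reports interfaces that miss the mitigations listed above: port security on user ports, user ports explicitly set to access mode with DTP turned off, unused ports shut down and placed in an unused VLAN, and trunk ports using a dedicated native VLAN ID rather than the default VLAN 1 or a VLAN shared with user ports. The configuration embedded in the script is constructed for illustration; the interface names, the set of ports designated as unused, and the VLAN numbers (10, 900, 999) are assumptions, and the command spellings follow Cisco IOS conventions.

```python
"""Audit an IOS style switch configuration for the layer 2 hardening practices
discussed above. Added example; the sample configuration below is constructed
and the interface names and VLAN numbers are assumptions."""

# Constructed sample configuration (not from any real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description user port - compliant
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/2
 description user port - DTP still enabled, no port security
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description unused port - left up in VLAN 1
 switchport access vlan 1
!
interface GigabitEthernet1/0/4
 description unused port - compliant
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/23
 description uplink trunk - native VLAN left at default
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description uplink trunk - dedicated native VLAN
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 900
!
"""

# Ports the inventory says should carry no traffic (assumption for the example).
UNUSED_PORTS = {"GigabitEthernet1/0/3", "GigabitEthernet1/0/4"}
UNUSED_VLAN = 999  # parking VLAN for unused ports (assumption)


def parse_interfaces(config):
    """Return {interface name: [stanza lines]} for every interface stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith("!"):
            current = None          # '!' ends the stanza
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def _value(lines, prefix, default=None):
    """Last word of the first line starting with prefix, else default."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)


def audit(config, unused_ports, unused_vlan):
    """Return a list of (interface, finding) tuples for each missing mitigation."""
    interfaces = parse_interfaces(config)
    findings = []
    # VLANs used by access ports; a trunk's native VLAN must not be one of them.
    access_vlans = {
        _value(lines, "switchport access vlan ")
        for name, lines in interfaces.items()
        if "switchport mode trunk" not in lines
    }
    for name, lines in interfaces.items():
        has = lambda prefix: any(l.startswith(prefix) for l in lines)
        if name in unused_ports:
            if not has("shutdown"):
                findings.append((name, "unused port is not shut down"))
            if _value(lines, "switchport access vlan ") != str(unused_vlan):
                findings.append((name, f"unused port is not in unused VLAN {unused_vlan}"))
        elif has("switchport mode trunk"):
            native = _value(lines, "switchport trunk native vlan ", "1")
            if native == "1" or native in access_vlans:
                findings.append((name, f"trunk native VLAN {native} is not a dedicated VLAN ID"))
        else:  # a user port
            if not has("switchport mode access"):
                findings.append((name, "user port not explicitly set to non-trunking (access) mode"))
            if not has("switchport nonegotiate"):
                findings.append((name, "DTP not disabled on user port"))
            if not has("switchport port-security"):
                findings.append((name, "port security not enabled on user port"))
    return findings


def run_sample():
    """Audit the constructed configuration above."""
    return audit(SAMPLE_CONFIG, UNUSED_PORTS, UNUSED_VLAN)


if __name__ == "__main__":
    for interface, finding in run_sample():
        print(f"{interface}: {finding}")
```

On the constructed configuration the script reports GigabitEthernet1/0/2 (no access mode, DTP on, no port security), GigabitEthernet1/0/3 (unused but up, in VLAN 1) and GigabitEthernet1/0/23 (trunk native VLAN left at 1), and is silent on the compliant ports. The check for unused ports relies on an inventory supplied by the operator rather than guessing from the configuration, which is what a regular audit of the switches, as the text recommends, would need in practice.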
As with the previous cases, the switches must be managed as securely as
possible and tested on a regular basis.