VLAN Security

  • 10 September 2019
  • 9 replies

Hi Team,

We have multiple VLANs. I want to know what security features we can use to block traffic between two VLANs, i.e. the Admin VLAN should not be able to communicate with the IT VLAN?



Userlevel 3
Unless you are using a router to communicate between those VLANs there won't be any traffic between them anyway.
We have core switches which are doing all the routing, and currently I can ping and connect to all hosts. Both VLANs are on different IP ranges.
Userlevel 3
I hope they are ;-)
Well then you need to either configure ACLs on your routers or purchase a firewall.
We have firewalls, however they are edge firewalls and the cores are doing all the routing. Do we need to add ACLs on the cores? If yes, do you have a guide for the ACLs?
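As an added example (not from this thread or from Extreme's documentation), here is what an EXOS ACL policy that blocks routed traffic between the two VLANs on the core could look like. The VLAN names (Admin, IT) are the ones used in the thread; the subnets 10.10.10.0/24 and 10.10.20.0/24 are constructed placeholders, and the CLI lines are the EXOS commands as I remember them, so check them against the guide for your release.

```text
# admin_it_block.pol  (constructed example; subnets are placeholders)
# Deny Admin -> IT and IT -> Admin; everything else keeps flowing.
entry deny_admin_to_it {
    if {
        source-address 10.10.10.0/24;
        destination-address 10.10.20.0/24;
    } then {
        deny;
        count admin_to_it_drops;
    }
}
entry deny_it_to_admin {
    if {
        source-address 10.10.20.0/24;
        destination-address 10.10.10.0/24;
    } then {
        deny;
        count it_to_admin_drops;
    }
}
entry permit_rest {
    if {
    } then {
        permit;
    }
}

# On the X670-G2 core, after copying the file to /usr/local/cfg:
check policy admin_it_block
configure access-list admin_it_block vlan Admin ingress
configure access-list admin_it_block vlan IT ingress
# Watch the hit counters to confirm the deny entries are actually matching:
show access-list counter admin_it_block
```

Applying the same policy on ingress of both VLANs matters: a deny in one direction only still lets hosts on the other VLAN open sessions, because the ACL is stateless and does not track return traffic. The empty `if {}` entry at the end is the explicit default-permit; without it, traffic not matched by an earlier entry is dropped.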
Userlevel 3
You could use separate VRs (virtual routers). Depending on which routers you have, those are the ones that need to support VRs. A typical scenario is to have management (in-band and out-of-band) in a separate VR and have all other VLANs in another VR. What switches/routers do you have in your core?

Ah yes, we could use different VRs. Currently we are using 1 VR.

Core: X670-G2
Edge: X460 & X440

Userlevel 3
Ok, the X670G2 will handle multiple VRs just fine. Get back if you need help with that.
Userlevel 6
Umar, I would also add that you may want to reach out to your local support engineer from your reseller and let them work with you on the best way to secure your systems. As stated before, Layer 2 VLANs have zero cross talk or leakage between them. When you add an IP address to the VLAN and enable IP forwarding, you have opened those two VLANs to be able to route traffic back and forth between VLANs via the Layer 3 interfaces.
A good SE should be able to guide you with the best way to proceed with the least amount of impact on your users. There are many ways to do what you are trying to do, and the key is fully understanding your network and who and what needs access to what segments of the network.

Good luck
Sure thanks guys 🙂