MikroTik Certified Switching Engineer (MTCSWE)
1 Introduction to Networking
1-1 Basic Networking Concepts
1-2 OSI Model
1-3 TCP/IP Model
1-4 Network Devices
2 MikroTik RouterOS Basics
2-1 Introduction to RouterOS
2-2 RouterOS Interface Types
2-3 Basic Configuration
2-4 User Management
2-5 System Logging
3 Switching Fundamentals
3-1 Introduction to Switching
3-2 MAC Addresses
3-3 Ethernet Frame Structure
3-4 VLAN Basics
3-5 Trunking and Inter-VLAN Routing
4 MikroTik SwitchOS Basics
4-1 Introduction to SwitchOS
4-2 SwitchOS Interface Types
4-3 Basic Configuration
4-4 User Management
4-5 System Logging
5 VLAN Configuration
5-1 VLAN Creation and Configuration
5-2 VLAN Trunking Protocol (VTP)
5-3 Inter-VLAN Routing
5-4 VLAN Security
6 Spanning Tree Protocol (STP)
6-1 Introduction to STP
6-2 STP Operation
6-3 Rapid Spanning Tree Protocol (RSTP)
6-4 Multiple Spanning Tree Protocol (MSTP)
6-5 STP Configuration
7 Link Aggregation
7-1 Introduction to Link Aggregation
7-2 Link Aggregation Control Protocol (LACP)
7-3 Static Link Aggregation
7-4 Link Aggregation Configuration
8 Quality of Service (QoS)
8-1 Introduction to QoS
8-2 QoS Models
8-3 Traffic Shaping and Policing
8-4 QoS Configuration
9 Security Features
9-1 Introduction to Network Security
9-2 Port Security
9-3 Access Control Lists (ACLs)
9-4 DHCP Snooping
9-5 Dynamic ARP Inspection (DAI)
10 Advanced Switching Topics
10-1 Layer 3 Switching
10-2 Multicast Routing
10-3 Link Layer Discovery Protocol (LLDP)
10-4 Power over Ethernet (PoE)
11 Troubleshooting and Maintenance
11-1 Common Switching Issues
11-2 Troubleshooting Tools
11-3 Switch Maintenance
11-4 Backup and Restore
12 MikroTik Certification Exam Preparation
12-1 Exam Overview
12-2 Study Tips
12-3 Practice Questions
12-4 Exam Registration and Scheduling
5.4 VLAN Security Explained

Key Concepts of VLAN Security

VLAN (Virtual Local Area Network) security is crucial for maintaining network integrity and preventing unauthorized access. Key concepts include:

VLAN Tagging

VLAN tagging marks each frame with the VLAN it belongs to, so a VLAN-aware switch only accepts traffic on a VLAN interface when it carries the correct tag. This prevents devices from injecting traffic into VLANs they are not assigned to. Tagging is enforced through strict per-port configuration of trunk and access ports: which frame types each port admits, and which VLAN untagged frames are placed in.

Example: In a corporate network, all traffic destined for the HR VLAN (VLAN 10) must be tagged with VLAN ID 10. Any untagged or incorrectly tagged traffic is dropped, ensuring that only authorized devices can communicate within the HR VLAN.

Access Control Lists (ACLs)

ACLs are used to filter traffic based on predefined rules. They can be applied to VLAN interfaces to control which types of traffic are allowed or denied. ACLs enhance security by restricting access to sensitive VLANs and preventing malicious traffic.

Example: An ACL might be configured to allow only HTTP and HTTPS traffic on the Marketing VLAN (VLAN 20) while blocking all other types of traffic. This ensures that only web-related activities are permitted, reducing the risk of unauthorized access or attacks.

Port Security

Port security limits the number of MAC addresses allowed on a switch port. This prevents unauthorized devices from connecting to the network and helps mitigate MAC address spoofing attacks. Port security can be configured to allow a specific number of MAC addresses or to learn and lock the MAC addresses dynamically.

Example: A switch port connected to a server might be configured to allow only one MAC address. If a different MAC address attempts to connect, the port is automatically disabled, preventing unauthorized access to the server.

Dynamic Trunking Protocol (DTP) Security

DTP is a Cisco protocol used to negotiate trunk links between switches. However, it can be exploited by attackers to create unauthorized trunk links. To enhance security, DTP should be disabled on all non-trunking ports and trunk ports should be manually configured.

Example: In a network where trunking is not required on certain ports, disabling DTP prevents attackers from negotiating trunk links and potentially gaining access to multiple VLANs through a single compromised port.

VLAN Hopping Prevention

VLAN hopping is an attack in which an unauthorized device gains access to VLANs other than its own by exploiting switch misconfigurations. Prevention techniques include disabling DTP, configuring trunk ports statically so that they carry only explicitly 802.1Q-tagged frames, and ensuring that every access port is configured as an access port rather than a trunk port.

Example: A network administrator ensures that all access ports are configured as access ports and not as trunk ports. This prevents an attacker from connecting a device to an access port and gaining access to multiple VLANs through VLAN hopping attacks.
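As an added illustration of the tagging rules described under VLAN Tagging and VLAN Hopping Prevention (this is a teaching model written for this page, not RouterOS code or course material): a small Python model of how a VLAN-aware bridge port admits, classifies or drops incoming frames. Port option names mirror the RouterOS bridge port settings pvid, frame-types and ingress-filtering, the membership table mirrors per-VLAN port membership; the MAC addresses, port names and the HR (10) / Marketing (20) VLAN layout are constructed sample values.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

@dataclass(frozen=True)
class Port:
    """Ingress settings of one bridge port (names mirror RouterOS bridge port options)."""
    name: str
    pvid: int                # VLAN assigned to untagged and priority-tagged frames
    frame_types: str         # admit-all | admit-only-untagged-and-priority-tagged | admit-only-vlan-tagged
    ingress_filtering: bool  # drop frames for VLANs this port is not a member of

# Constructed VLAN membership table (which ports belong to which VLAN):
# VLAN 10 (HR) on access port ether2 and trunk ether1, VLAN 20 (Marketing) on the trunk only.
MEMBERSHIP = {10: {"ether1", "ether2"}, 20: {"ether1"}}
ACCESS_PORT = Port("ether2", pvid=10, frame_types="admit-only-untagged-and-priority-tagged", ingress_filtering=True)
TRUNK_PORT = Port("ether1", pvid=1, frame_types="admit-only-vlan-tagged", ingress_filtering=True)

def vlan_of(frame: bytes):
    """Outer VLAN ID of an Ethernet frame, or None if untagged or priority-tagged (VID 0)."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF or None

def admit(port: Port, frame: bytes, membership=MEMBERSHIP):
    """Apply frame-types, then pvid classification, then ingress filtering.
    Returns (accepted, vlan, reason)."""
    vid = vlan_of(frame)
    if vid is None and port.frame_types == "admit-only-vlan-tagged":
        return False, None, "untagged frame dropped on tagged-only port"
    if vid is not None and port.frame_types == "admit-only-untagged-and-priority-tagged":
        return False, vid, "tagged frame dropped on access port"  # also stops double-tagged frames
    vlan = port.pvid if vid is None else vid
    if port.ingress_filtering and port.name not in membership.get(vlan, set()):
        return False, vlan, f"port is not a member of VLAN {vlan}"
    return True, vlan, "accepted"

def build_frame(vids=(), payload=b"\x00" * 46):
    """Constructed Ethernet frame with zero or more 802.1Q tags, outermost first."""
    header = bytes.fromhex("0211223344550266778899aa")  # sample dst/src MACs
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v) for v in vids)
    return header + tags + b"\x08\x00" + payload  # IPv4 EtherType, then payload

if __name__ == "__main__":
    for port, vids in [(ACCESS_PORT, ()), (ACCESS_PORT, (20,)), (ACCESS_PORT, (10, 20)),
                       (TRUNK_PORT, ()), (TRUNK_PORT, (20,)), (TRUNK_PORT, (30,))]:
        print(port.name, vids, admit(port, build_frame(vids)))
```

Running the module shows that the HR access port accepts only untagged frames (classified into VLAN 10) and drops any tagged or double-tagged frame, while the trunk drops untagged frames and frames for VLANs it is not a member of.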