
From my understanding, VLANs create separate networks. If that is the case, can you simply add routes manually and access those other networks?

Basically, I've always been under the impression that VLANs were designed for separating networks to keep them isolated and secure from more public access.

Jason
    I'm not sure what you're really asking here. Could you add some more detail? In general, VLANs are a less-ideal solution for network segregation because it's too easy to get the implementation wrong. – Iszi Feb 19 '14 at 23:06

1 Answer


VLANs allow the logical division of a physical device into multiple logical devices. If you are not connected to both VLANs in some fashion, then adding routes locally doesn't change anything, since your routes would still need to point at another router or gateway device. On most VLANs, the only router/gateway device is already configured as the default route/gateway on your system.

It is the router/gateway that makes decisions on what to route between VLANs/subnets. At this point, access can be controlled on what resources and types of traffic are allowed in and/or out of the VLAN.

VLANs can help to improve security in a number of ways, but they are not security all by themselves. There are also exploits that can allow VLAN hopping if your network is not configured correctly.

Here are a couple of non-exhaustive ways that VLANs can be used to improve security:

  1. They limit the scope of where broadcast traffic or flooded unicast traffic is transmitted. If Host A is not on the same VLAN as Host B, it will not see any information that Host B may broadcast.
  2. You can create VLANs with no gateway at all, which limits a device to access only other devices in that VLAN. It also prevents access to those devices from outside the VLAN.
YLearn
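The following is an added illustration of the reachability logic the answer describes; it is not code from the question or the answer, and the hosts, VLAN ids, addresses and ACL rules in it are constructed for the example. It models three VLANs on one switch: VLAN 10 and VLAN 20 each have a router sub-interface as their default gateway, while VLAN 30 has no gateway at all. A host can only hand a packet to a next hop that sits on its own connected subnet, so a manually added route into VLAN 30 is unusable; anything that does leave the VLAN goes through the router, which applies an ACL (first match wins, implicit deny at the end) and can only reach VLANs it actually has an interface in.

```python
"""Toy model of inter-VLAN reachability (constructed example, not real network code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass
class Host:
    name: str
    vlan: int
    addr: IPv4Interface                         # e.g. IPv4Interface("10.0.10.5/24")
    routes: dict = field(default_factory=dict)  # IPv4Network -> next-hop IPv4Address


@dataclass
class Router:
    name: str
    addrs: dict   # vlan id -> IPv4Interface (one sub-interface per routed VLAN)
    acl: list     # (src IPv4Network, dst IPv4Network, "permit"|"deny"); first match wins

    def interface_on(self, vlan):
        return self.addrs.get(vlan)

    def acl_verdict(self, src, dst):
        for src_net, dst_net, action in self.acl:
            if src in src_net and dst in dst_net:
                return action
        return "deny"  # implicit deny at the end of the list


def lookup_route(host, dst):
    """Longest-prefix match over the host's routes (0.0.0.0/0 is the default route)."""
    best = None
    for net, nh in host.routes.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def send(src, dst, hosts, router):
    """Return a short string describing what happens to a packet from src to IP dst."""
    connected = src.addr.network
    if dst in connected:
        # Same subnet and same VLAN: the switch delivers it, no router involved.
        if any(h.vlan == src.vlan and h.addr.ip == dst for h in hosts):
            return "delivered directly (same VLAN)"
        return "ARP fails: no such host in this VLAN"
    route = lookup_route(src, dst)
    if route is None:
        return "no route to host"
    _net, nh = route
    if nh not in connected:
        # The OS cannot ARP for a next hop that is not on a directly connected network.
        return "route unusable: next hop not on a connected network"
    ifc = router.interface_on(src.vlan)
    if ifc is None or ifc.ip != nh:
        return "ARP fails: next hop is not present in this VLAN"
    # The router owns the next hop, so it decides whether and where to forward.
    dst_vlan = next((v for v, i in router.addrs.items() if dst in i.network), None)
    if dst_vlan is None:
        return "dropped by router: no interface in destination VLAN"
    if router.acl_verdict(src.addr.ip, dst) == "deny":
        return "denied by router ACL"
    if not any(h.vlan == dst_vlan and h.addr.ip == dst for h in hosts):
        return "forwarded, but destination host does not exist"
    return "delivered via router"


def build_lab():
    """Constructed topology: VLAN 10 and 20 are routed, VLAN 30 has no gateway."""
    router = Router(
        "gw",
        {10: IPv4Interface("10.0.10.1/24"), 20: IPv4Interface("10.0.20.1/24")},
        acl=[(IPv4Network("10.0.10.0/24"), IPv4Network("10.0.20.0/24"), "permit"),
             (IPv4Network("10.0.20.0/24"), IPv4Network("10.0.10.0/24"), "deny")],
    )
    default = IPv4Network("0.0.0.0/0")
    a = Host("A", 10, IPv4Interface("10.0.10.5/24"), {default: IPv4Address("10.0.10.1")})
    b = Host("B", 20, IPv4Interface("10.0.20.7/24"), {default: IPv4Address("10.0.20.1")})
    c = Host("C", 30, IPv4Interface("10.0.30.9/24"), {})  # isolated VLAN, no gateway
    return [a, b, c], router


def run_cases():
    hosts, router = build_lab()
    a, b, c = hosts
    results = {}
    results["A->B"] = send(a, b.addr.ip, hosts, router)
    results["A->C (via default gateway)"] = send(a, c.addr.ip, hosts, router)
    # What the question proposes: A manually adds a route into VLAN 30.
    a.routes[IPv4Network("10.0.30.0/24")] = IPv4Address("10.0.30.1")
    results["A->C (manual route)"] = send(a, c.addr.ip, hosts, router)
    results["B->A"] = send(b, a.addr.ip, hosts, router)
    results["C->B"] = send(c, b.addr.ip, hosts, router)
    return results


if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(f"{case:30s} {outcome}")
```

Running it shows the two points the answer makes: the manual route never produces a usable next hop, and the only path out of a VLAN is the gateway, whose ACL and interface set decide what is reachable. Point 2 of the answer is VLAN 30 here: with no router interface on it, nothing gets in or out.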