A Virtual LAN, otherwise known as a VLAN, is used to segment networks logically instead of physically, regardless of their geographical location. Networks utilizing VLANs are flexible, scalable, and most importantly secure.
MSPs who know how to configure VLANs properly can leverage this powerful network segmentation for faster, more secure networks while giving them the physical flexibility they desire.
Configuring VLANs can be complex and must be done correctly to achieve desired results. Below we have outlined industry best practices to consider when configuring secure VLANs:
- By default, ports are assigned to the default VLAN (VLAN 1), but as a security best practice you should always assign ports to VLANs other than VLAN 1.
- It is always good practice to separate the management VLAN from user data traffic. Hence, VLAN 1 should be kept for management purposes only.
- Management VLANs must have an IP address configured so that users in other VLANs cannot establish remote access unless routed into the management VLAN, thus adding an extra layer of security.
- Unused ports on Cisco devices should not be left as they are. Each port should be kept in a separate VLAN and, when possible, that VLAN should not have DHCP, inter-VLAN routing, or device management enabled.
- Inter-VLAN routing, which routes traffic between different VLANs, is not recommended. Where it is used, it should be combined with access control lists (ACLs) to restrict traffic to servers that contain confidential information.
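
The checklist above can be checked mechanically against a saved switch configuration. The following audit is an added example, not part of the original article or any vendor tool. The IOS-style excerpt is constructed, and the function names, the use of `shutdown` to mark an unused port, and the treatment of any VLAN interface with an IP address as "routed" are assumptions of this example.

```python
import re
# Constructed IOS-style excerpt, not from a real device. Assumption: "shutdown" marks an unused port.
SAMPLE = """\
interface Gi0/1
 switchport access vlan 10
interface Gi0/2
 switchport mode access
interface Gi0/3
 switchport access vlan 999
 shutdown
interface Gi0/4
 switchport access vlan 20
 shutdown
interface Vlan1
 ip address 192.0.2.2 255.255.255.0
 ip access-group MGMT-IN in
interface Vlan20
 ip address 203.0.113.1 255.255.255.0
"""

def parse_interfaces(config):
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks

def audit(config):
    blocks = parse_interfaces(config)
    # An SVI ("interface VlanN") with an IP address makes VLAN N routed.
    routed = {int(n[4:]) for n, c in blocks.items()
              if n.startswith("Vlan") and any(x.startswith("ip address ") for x in c)}
    findings = [(n, "routed VLAN without an ACL") for n, c in blocks.items() if n.startswith("Vlan")
                and int(n[4:]) in routed and not any(x.startswith("ip access-group ") for x in c)]
    for name, cmds in blocks.items():
        if name.startswith("Vlan") or "switchport mode trunk" in cmds:
            continue  # SVIs are checked above; trunks are out of scope
        m = re.search(r"^switchport access vlan (\d+)$", "\n".join(cmds), re.M)
        vlan = int(m.group(1)) if m else 1  # unassigned ports stay in VLAN 1
        if vlan == 1:
            findings.append((name, "port in default VLAN 1"))
        elif "shutdown" in cmds and vlan in routed:
            findings.append((name, f"unused port in routed VLAN {vlan}"))
    return sorted(findings)
```

Calling `audit(SAMPLE)` flags Gi0/2 (never moved out of VLAN 1), Gi0/4 (unused but parked in a routed VLAN) and Vlan20 (routed with no ACL applied), while the parked port Gi0/3 and the ACL-protected management interface pass.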