Protecting the Management VLAN from customers

Posted on 2014-08-23
Last Modified: 2014-09-01
We are setting up a shared office that has 10 rooms; each room has a single Cat5e cable going to it. Each room is used by a different tenant and the networks need to stay segregated. We provide the tenants with shared Internet access and VOIP Phones.

We have our main 26-port smart switch (Cisco SG200-26) in the server room, and we have installed an 8-port PoE smart switch (Cisco SG200-08P) in each of the tenants' rooms. The tenant can have up to 3x VOIP phones and up to 4x PCs in the room, plugged into each port on the switch.

We're planning on using tagged VLANs to keep things secure. The idea is that we'll set up:

   VLAN 1 - default VLAN, management traffic only (e.g. access points, routers, switches etc), subnet will be
   VLAN 2 - voice VLAN for voip traffic only, subnet will be
   VLAN 10-19 - customer VLANs, one for each room

So for each of the SG200-08P switches in the tenants' rooms we are configuring them like this (this example is for the switch that will use VLAN 10 for customer traffic):

Port 1 - trunk port, 1U, 2T, 10T
Port 2 - access port, 2U
Port 3 - access port, 2U
Port 4 - access port, 2U
Port 5 - access port, 10U
Port 6 - access port, 10U
Port 7 - access port, 10U
Port 8 - access port, 10U

The "port 1" on the customer SG200-08P switch will go to, say, port 15 on the main SG200-26 switch, set up like this:

Port 15 - trunk port, 1U, 2T, 10T

So that's all great, but I've got a problem - I need to protect the management and voice VLANs from unauthorized traffic.

What stops a customer from unplugging the switch, plugging a PC into the wall jack and gaining access to the management subnet? Or plugging a PC into any of the PoE ports and gaining access to the voice subnet?

I'm playing around in the "Port Security" and 802.1X section of the Cisco SG200... but I'm totally confused.

Can anyone help?
Question by:Frosty555
    LVL 15

    Assisted Solution

    If each customer has his own VLAN, plugging a PC directly into the wall jack will still only allow him access to his own VLAN; the 8-port switch merely allows that VLAN to be shared between multiple devices.

    As for protecting the VoIP VLAN, either create a separate one for each tenant, or use QoS on his existing VLAN to ensure that the phones get enough bandwidth. Three VoIP phones will use around 512KB of bandwidth, if I remember correctly, so internet access shouldn't grind to a halt even if all three are in use at the same time.
    LVL 10

    Accepted Solution

    If you can't control physical access to ports, you can still use security on the management and VoIP VLANs to make messing around not worth the effort.
    I.e. on the management VLAN, no DHCP, or if DHCP is needed for access points, then static IP reservations for them and no "spare" IPs in the pool. Make sure all switches have good passwords and telnet disabled (use SSH). You can also block access from the Mgt VLAN to the gateway (Internet).

    On the VoIP VLAN, if separate VLANs for each client's VoIP are not possible, then do similar as on the Mgt VLAN, either static IPs or IP reservations. You can use access lists on the core switch to block port 80 (web) traffic on VLAN 2, and again, you'll remove the fun from any hacker's efforts. You could actually probably get best practice security information from whatever phone vendor you're using. They should be able to tell you exactly how to secure their VoIP devices.

    As for anyone being able to plug a PC into the wall jack and get untagged VLAN 1 access, a best practice is to disable VLAN 1, then use a different, random port for your management traffic, i.e. VLAN 101, and tag the uplink/trunk port to all your client office switches. This is not foolproof, an ace hacker still might be able to set a PC NIC appropriately to access the Management VLAN, but without passwords to access anything, there's going to be little he/she can do.

    Ultimately, using port security protocols is ideal, but in the real world, in a small network like yours, it might not be worth the effort when the risk is very very low using common sense security methods outlined above.
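The two answers above reason about which VLANs a tenant can reach by plugging a PC into a port. The following script is an added example (not part of any post in this thread, and not a Cisco SG200 feature) that parses the port-membership notation used in the question ("1U, 2T, 10T") and flags, for each port a tenant can physically reach, an untagged management VLAN (any PC gets the subnet just by plugging in), a tagged management VLAN (reachable only with an 802.1Q-configured NIC, the residual risk the accepted answer mentions) and an untagged shared voice VLAN. The VLAN numbers 101 (relocated management VLAN) and 20 (a per-tenant voice VLAN for this room) are assumptions taken from the accepted answer's advice and the author's follow-up, not values from the question's configuration.

```python
import re
from collections import Counter

# Assumptions for this example: VLAN 1 is the default management VLAN the
# question starts with, VLAN 101 is the relocated management VLAN suggested in
# the accepted answer, VLAN 2 is the voice VLAN shared by all tenants.
MGMT_VLANS = {1, 101}
SHARED_VOICE_VLAN = 2

LINE_RE = re.compile(r"\s*(Port \d+)\s*-\s*(trunk|access) port,\s*(.+?)\s*$")
MEMBER_RE = re.compile(r"(\d+)([UT])")


def parse_port_line(line):
    """Parse 'Port 1 - trunk port, 1U, 2T, 10T' into
    ('Port 1', 'trunk', [(1, 'U'), (2, 'T'), (10, 'T')])."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable port line: {line!r}")
    name, mode, members = m.groups()
    parsed = []
    for token in members.split(","):
        mm = MEMBER_RE.fullmatch(token.strip())
        if not mm:
            raise ValueError(f"bad VLAN membership {token!r} on {name}")
        parsed.append((int(mm.group(1)), mm.group(2)))
    return name, mode, parsed


def audit_plan(plan_text):
    """Every port in a tenant's room, including the uplink jack the room switch
    hangs off, is physically reachable by that tenant, so every line is audited.
    Untagged (U) means a plain PC lands on the VLAN; tagged (T) means the PC
    would first have to be configured for 802.1Q."""
    findings = []
    for line in plan_text.strip().splitlines():
        name, _mode, members = parse_port_line(line)
        for vlan, tagging in members:
            if vlan in MGMT_VLANS and tagging == "U":
                findings.append((name, vlan, "HIGH",
                                 "management VLAN untagged: a PC on this jack is on the management subnet"))
            elif vlan in MGMT_VLANS:
                findings.append((name, vlan, "LOW",
                                 "management VLAN tagged: reachable only with an 802.1Q-configured NIC"))
            elif vlan == SHARED_VOICE_VLAN and tagging == "U":
                findings.append((name, vlan, "MEDIUM",
                                 "shared voice VLAN untagged: a PC on this port sees every tenant's phones"))
    return findings


def severity_counts(findings):
    """Summarise findings as {'HIGH': n, 'MEDIUM': n, 'LOW': n}."""
    return Counter(sev for _name, _vlan, sev, _why in findings)


# Constructed from the question's plan for the room that uses customer VLAN 10.
ORIGINAL_PLAN = """\
Port 1 - trunk port, 1U, 2T, 10T
Port 2 - access port, 2U
Port 3 - access port, 2U
Port 4 - access port, 2U
Port 5 - access port, 10U
Port 6 - access port, 10U
Port 7 - access port, 10U
Port 8 - access port, 10U
"""

# Constructed "after" plan applying the accepted answer and the author's
# follow-up: VLAN 1 removed from the trunk, management carried tagged as
# VLAN 101, the customer VLAN used as the trunk's untagged VLAN so an
# unplugged jack only yields the tenant's own network, and voice moved to a
# per-tenant VLAN (20 for this room; an assumption of this example).
HARDENED_PLAN = """\
Port 1 - trunk port, 101T, 20T, 10U
Port 2 - access port, 20U
Port 3 - access port, 20U
Port 4 - access port, 20U
Port 5 - access port, 10U
Port 6 - access port, 10U
Port 7 - access port, 10U
Port 8 - access port, 10U
"""

if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL_PLAN), ("hardened", HARDENED_PLAN)):
        print(f"== {label} plan ==")
        for name, vlan, sev, why in audit_plan(plan):
            print(f"{sev:6} {name}: VLAN {vlan}: {why}")
        print(dict(severity_counts(audit_plan(plan))))
```

Run against the question's plan the audit reports one HIGH finding (VLAN 1 untagged on the trunk, the exact wall-jack scenario asked about) and three MEDIUM findings (the shared voice VLAN untagged on the phone ports); against the hardened plan only the single LOW finding for the tagged management VLAN remains, which is the residual risk the accepted answer accepts once nothing on that VLAN answers without credentials.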
    LVL 4

    Expert Comment

    In regards to preventing potential rogue or malicious actors from connecting into the network, you could also consider a Network Access Control (NAC) solution, sometimes known as "Network Admission Control."

    Many vendors offer NAC solutions, although I've mainly been involved with enterprise deployments. So I have not done any in depth research on best NAC solutions available for SMBs.

    Long story short, NAC is a security control used to authenticate authorized devices to allow network access. NAC consists of a network and host-based agent solution used to allow authorized devices onto the network based on a predefined set of rules that each device or endpoint must have (e.g. machine certificate, NAC agent, Anti-virus, current patches). Unauthorized devices would be denied access to the network and/or quarantined. You most likely can also apply rules to deny access to any device that tries to connect to unauthorized networks, as mentioned above.
    LVL 31

    Author Comment

    I think that making the tenants have separate VoIP VLANs was the missing piece for me. That stops the tenants from being able to access each other's phones.

    The management VLAN is still open to anyone who is willing to fiddle with the switch or connect directly to the wall jack, but as schaps said, it can be made to be not worth the effort for an attacker - no DHCP, strong passwords on everything, and monitoring the network for rogue devices.
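The author's closing point, "no DHCP ... and monitoring the network for rogue devices", pairs naturally with the accepted answer's "no spare IPs" model: if every legitimate management device has a known MAC and a fixed address, anything else that shows up on the management VLAN is by definition unexpected. The script below is an added example, not something from this thread or from Cisco, that checks a neighbour-table snapshot taken on the management VLAN (Linux `ip neigh show` format, e.g. from the gateway) against such an inventory and reports unknown MACs and known devices answering at the wrong address. The subnet 10.99.0.0/24, the interface names and every MAC and IP in it are constructed values for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed inventory of everything that is supposed to exist on the
# management VLAN: MAC -> the address it was given by static assignment or
# DHCP reservation. All values are made up for this example.
MGMT_SUBNET = ip_network("10.99.0.0/24")
INVENTORY = {
    "00:11:22:aa:00:01": ip_address("10.99.0.1"),   # router / gateway
    "00:11:22:aa:00:02": ip_address("10.99.0.2"),   # SG200-26 core switch
    "00:11:22:aa:00:10": ip_address("10.99.0.10"),  # SG200-08P, room 1
    "00:11:22:aa:00:11": ip_address("10.99.0.11"),  # SG200-08P, room 2
    "00:11:22:aa:00:20": ip_address("10.99.0.20"),  # access point
}

# `ip neigh show` lines look like "<ip> dev <if> lladdr <mac> <state>";
# FAILED/INCOMPLETE entries carry no lladdr and are skipped by the regex.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17})\s+(?P<state>\S+)"
)


def parse_neighbours(text):
    """Yield (ip_address, lowercase mac) for every resolved neighbour entry."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield ip_address(m.group("ip")), m.group("mac").lower()


def find_rogues(neigh_text, inventory=INVENTORY, subnet=MGMT_SUBNET):
    """Return (kind, mac, ip) findings for the management subnet only.

    UNKNOWN_MAC: a host that is not in the inventory at all.
    IP_MISMATCH: an inventoried MAC seen at an address other than its
                 reservation, which means either a misconfigured device or an
                 unmanaged host reusing a known address/MAC."""
    findings = []
    for ip, mac in parse_neighbours(neigh_text):
        if ip not in subnet:
            continue  # neighbours learned on other VLAN interfaces
        expected = inventory.get(mac)
        if expected is None:
            findings.append(("UNKNOWN_MAC", mac, str(ip)))
        elif expected != ip:
            findings.append(("IP_MISMATCH", mac, str(ip)))
    return findings


def missing_devices(neigh_text, inventory=INVENTORY):
    """Inventoried MACs that did not appear at all (offline, or unplugged to
    free a jack), useful as a second signal alongside find_rogues()."""
    seen = {mac for _ip, mac in parse_neighbours(neigh_text)}
    return sorted(mac for mac in inventory if mac not in seen)


# Constructed snapshot: four expected devices, one unknown host, one known
# switch MAC answering at an address it was never assigned, one unresolved
# entry, and one entry from a customer VLAN interface that must be ignored.
NEIGH_SAMPLE = """\
10.99.0.2 dev eth0.101 lladdr 00:11:22:aa:00:02 REACHABLE
10.99.0.10 dev eth0.101 lladdr 00:11:22:aa:00:10 STALE
10.99.0.11 dev eth0.101 lladdr 00:11:22:aa:00:11 REACHABLE
10.99.0.20 dev eth0.101 lladdr 00:11:22:aa:00:20 REACHABLE
10.99.0.77 dev eth0.101 lladdr 3c:5a:b4:12:34:56 REACHABLE
10.99.0.12 dev eth0.101 lladdr 00:11:22:aa:00:11 DELAY
10.99.0.55 dev eth0.101 FAILED
192.168.10.5 dev eth0.10 lladdr 00:11:22:bb:00:05 REACHABLE
"""

if __name__ == "__main__":
    for kind, mac, ip in find_rogues(NEIGH_SAMPLE):
        print(f"{kind:12} {mac} at {ip}")
    print("not seen:", missing_devices(NEIGH_SAMPLE))
```

On the sample snapshot the check reports the unknown host at 10.99.0.77 and the room-2 switch MAC answering at 10.99.0.12; the gateway itself is listed as "not seen" simply because a host does not hold a neighbour entry for its own address. Scheduling this against a fresh snapshot every few minutes gives the "monitoring for rogue devices" the author settles on without any extra hardware.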
