Protecting the Management VLAN from customers

We are setting up a shared office that has 10 rooms, each room has a single Cat5e cable going to it. Each room is used by a different tenant and the networks need to stay segregated. We provide the tenants with shared Internet access and VOIP Phones.

We have our main 26-port smart switch (Cisco SG200-26) in the server room, and we have installed an 8-port PoE smart switch (Cisco SG200-08P) in each of the tenant's rooms. The tenant can have up to 3x VOIP phones and up to 4x PCs in the room, plugged into each port on the switch.

We're planning on using tagged VLANs to keep things secure. The idea is that we'll set up:

   VLAN 1 - default VLAN, management traffic only (e.g. access points, routers, switches etc), subnet will be
   VLAN 2 - voice VLAN for voip traffic only, subnet will be
   VLAN 10-19 - customer VLANs, one for each room

So for each of the SG200-08P switches in the tenant's rooms we are configuring them like this (this example is for the switch that will use VLAN 10 for customer traffic):

Port 1 - trunk port, 1U, 2T, 10T
Port 2 - access port, 2U
Port 3 - access port, 2U
Port 4 - access port, 2U
Port 5 - access port, 10U
Port 6 - access port, 10U
Port 7 - access port, 10U
Port 8 - access port, 10U

The "port 1" on the customer SG200-08P switch will go to, say, port 15 on the main SG200-26 switch, set up like this:

Port 15 - trunk port, 1U, 2T, 10T

So that's all great, but I've got a problem - I need to protect the management and voice VLANs from unauthorized traffic.

What stops a customer from unplugging the switch, plugging a PC into the wall jack and gaining access to the management subnet? Or plugging a PC into any of the PoE ports and gaining access to the voice subnet?

I'm playing around in the "Port Security" and 802.1X section of the Cisco SG200... but I'm totally confused.

Can anyone help?
If each customer has his own VLAN, plugging a PC directly into the wall jack will still only allow him access to his own VLAN; the 8-port switch merely allows that VLAN to be shared between multiple devices.

As for protecting the VoIP VLAN, either create a separate one for each tenant, or use QoS on his existing VLAN to ensure that the phones get enough bandwidth. Three VoIP phones will use around 512KB of bandwidth, if I remember correctly, so internet access shouldn't grind to a halt even if all three are in use at the same time.
If you can't control physical access to ports, you can still use security on the management and VoIP VLANs to make messing around not worth the effort.
i.e. on the management VLAN, no DHCP, or if DHCP is needed for access points, then static IP reservations for them and no "spare" IPs in the pool. Make sure all switches have good passwords and telnet disabled (use SSH). You can also block access from the Mgt VLAN to the gateway (Internet).

On the VoIP VLAN, if separate VLANs for each client's VoIP are not possible, then do similar as on the Mgt VLAN, either static IPs or IP reservations. You can use access lists on the core switch to block port 80 (web) traffic on VLAN 2, and again, you'll remove the fun from any hacker's efforts. You could actually probably get best practice security information from whatever phone vendor you're using. They should be able to tell you exactly how to secure their VoIP devices.

As for anyone being able to plug a PC into the wall jack and get untagged VLAN 1 access, a best practice is to disable VLAN 1, then use a different, random port for your management traffic, i.e. VLAN 101, and tag the uplink/trunk port to all your client office switches. This is not foolproof, an ace hacker still might be able to set a PC NIC appropriately to access the Management VLAN, but without passwords to access anything, there's going to be little he/she can do.

Ultimately, using port security protocols is ideal, but in the real world, in a small network like yours, it might not be worth the effort when the risk is very very low using common sense security methods outlined above.
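The port plan in the question and the "disable VLAN 1, tag management on the trunk" advice above both come down to one property: which VLAN an ordinary PC (which sends untagged frames) lands on when it is plugged into a given port or wall jack. That is the native/untagged VLAN of the port, so "1U" on the trunk is exactly what hands the wall jack to the management subnet. The script below is an added example, not part of the original post or of any Cisco tooling (the SG200 is web-managed and has no CLI to script against): it parses port lines in the notation the question uses, reports where an untagged host would land, and compares the plan as posted with a hardened variant. The hardened variant's VLAN numbers (management moved to 101, a per-tenant voice VLAN 20 for the VLAN 10 room) are assumptions chosen for illustration, not numbers from the thread.

```python
"""Audit a tagged/untagged VLAN port plan for management and voice VLAN exposure.

Added example: checks the plan from the thread, not a switch configuration.
Port lines use the question's own notation, e.g. "Port 1 - trunk port, 1U, 2T, 10T".
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

LINE_RE = re.compile(r"^(Port \d+)\s*-\s*(trunk|access) port,\s*(.+)$")


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                  # "trunk" or "access"
    untagged: Optional[int]    # native VLAN: frames with no 802.1Q tag land here
    tagged: FrozenSet[int]     # VLANs carried only with a tag


def parse_plan(text: str) -> List[Port]:
    """Parse one port per line; exactly one 'U' membership is allowed per port."""
    ports = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised port line: {raw!r}")
        name, mode, members = m.groups()
        untagged, tagged = None, set()
        for tok in (t.strip() for t in members.split(",")):
            vid, kind = int(tok[:-1]), tok[-1].upper()
            if kind == "U":
                if untagged is not None:
                    raise ValueError(f"{name}: more than one untagged VLAN")
                untagged = vid
            elif kind == "T":
                tagged.add(vid)
            else:
                raise ValueError(f"{name}: bad membership token {tok!r}")
        ports.append(Port(name, mode, untagged, frozenset(tagged)))
    return ports


def audit(ports: List[Port], mgmt_vlan: int, voice_vlan: int) -> List[Tuple[str, str, str]]:
    """Return (port, severity, message) for every port where an untagged host
    reaches the management VLAN (HIGH) or the voice VLAN (MEDIUM)."""
    findings = []
    for p in ports:
        if p.untagged == mgmt_vlan:
            findings.append((p.name, "HIGH",
                             f"untagged host on this port lands on management VLAN {mgmt_vlan}"))
        if p.untagged == voice_vlan:
            findings.append((p.name, "MEDIUM",
                             f"untagged host on this port lands on voice VLAN {voice_vlan}"))
    return findings


# The tenant-room switch exactly as planned in the question (management = 1, voice = 2).
TENANT_PLAN_AS_POSTED = """
Port 1 - trunk port, 1U, 2T, 10T
Port 2 - access port, 2U
Port 3 - access port, 2U
Port 4 - access port, 2U
Port 5 - access port, 10U
Port 6 - access port, 10U
Port 7 - access port, 10U
Port 8 - access port, 10U
"""
# The matching core-switch port from the question.
CORE_PLAN_AS_POSTED = "Port 15 - trunk port, 1U, 2T, 10T"

# Hardened variant (assumed numbers): customer VLAN 10 is the native VLAN on the
# uplink, so a PC on the wall jack only ever reaches its own room's VLAN;
# management (101) and the per-tenant voice VLAN (20) ride the trunk tagged only.
TENANT_PLAN_HARDENED = """
Port 1 - trunk port, 10U, 20T, 101T
Port 2 - access port, 20U
Port 3 - access port, 20U
Port 4 - access port, 20U
Port 5 - access port, 10U
Port 6 - access port, 10U
Port 7 - access port, 10U
Port 8 - access port, 10U
"""
CORE_PLAN_HARDENED = "Port 15 - trunk port, 10U, 20T, 101T"


def high_findings(text: str, mgmt_vlan: int, voice_vlan: int) -> List[str]:
    """Names of ports that expose the management VLAN to an untagged host."""
    return [f[0] for f in audit(parse_plan(text), mgmt_vlan, voice_vlan) if f[1] == "HIGH"]


if __name__ == "__main__":
    for label, plan, mgmt, voice in [
        ("tenant switch as posted", TENANT_PLAN_AS_POSTED, 1, 2),
        ("core port as posted", CORE_PLAN_AS_POSTED, 1, 2),
        ("tenant switch hardened", TENANT_PLAN_HARDENED, 101, 20),
        ("core port hardened", CORE_PLAN_HARDENED, 101, 20),
    ]:
        print(f"== {label}")
        for port, sev, msg in audit(parse_plan(plan), mgmt, voice) or [("-", "OK", "no findings")]:
            print(f"  {sev:6} {port}: {msg}")
```

Running it shows the two HIGH findings that match the worry in the question (Port 1 on the room switch and Port 15 on the core carry management untagged, so the wall jack is on the management subnet) and that the hardened plan clears them. The MEDIUM findings on the phone ports do not go away by VLAN design alone: a PC plugged into a "20U" port still lands on that room's voice VLAN, which is why the answer pairs per-tenant voice VLANs with static addressing and ACLs rather than relying on VLAN membership.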

FrankCrast (Co-founder and CEO) commented:
In regards to preventing potential rogue or malicious actors from connecting into the network, you could also consider a Network Access Control (NAC) solution, sometimes known as "Network Admission Control."

Many vendors offer NAC solutions, although I've mainly been involved with enterprise deployments. So I have not done any in depth research on best NAC solutions available for SMBs.

Long story short, NAC is a security control used to authenticate authorized devices to allow network access. NAC consists of a network and host-based agent solution used to allow authorized devices onto the network based on a predefined set of rules that each device or endpoint must have (e.g. machine certificate, NAC agent, Anti-virus, current patches). Unauthorized devices would be denied access to the network and/or quarantined.  You most likely can also apply rules to deny access to any device that tries to connect to unauthorized networks, as mentioned above.
Frosty555 (Author) commented:
I think that making the tenants have separate VoIP VLANs was the missing piece for me. That stops the tenants from being able to access each other's phones.

The management VLAN is still open to anyone who is willing to fiddle with the switch or connect directly to the wall jack,  but as schaps said, it can be made to be not worth the effort for an attacker - no DHCP, strong passwords on everything, and monitoring the network for rogue devices.