Protecting the Management VLAN from customers
Posted on 2014-08-23
We are setting up a shared office that has 10 rooms, each room has a single Cat5e cable going to it. Each room is used by a different tenant and the networks need to stay segregated. We provide the tenants with shared Internet access and VOIP Phones.
We have our main 26-port smart switch (Cisco SG200-26) in the server room, and we have installed an 8-port PoE smart switch (Cisco SG200-08P) in each of the tenants' rooms. The tenant can have up to 3x VOIP phones and up to 4x PCs in the room, plugged into each port on the switch.
We're planning on using tagged VLANs to keep things secure. The idea is that we'll set up:
VLAN 1 - default VLAN, management traffic only (e.g. access points, routers, switches etc), subnet will be 10.0.0.0/24
VLAN 2 - voice VLAN for voip traffic only, subnet will be 10.0.25.0/24
VLAN 10-19 - customer VLANs, one for each room
So for each of the SG200-08P switches in the tenants' rooms we are configuring them like this (this example is for the switch that will use VLAN 10 for customer traffic):
Port 1 - trunk port, 1U, 2T, 10T
Port 2 - access port, 2U
Port 3 - access port, 2U
Port 4 - access port, 2U
Port 5 - access port, 10U
Port 6 - access port, 10U
Port 7 - access port, 10U
Port 8 - access port, 10U
The "port 1" on the customer SG200-08P switch will go to, say, port 15 on the main SG200-26 switch, set up like this:
Port 15 - trunk port, 1U, 2T, 10T
So that's all great, but I've got a problem - I need to protect the management and voice VLANs from unauthorized traffic.
What stops a customer from unplugging the switch, plugging a PC into the wall jack and gaining access to the 10.0.0.0/24 management subnet? Or plugging a PC into any of the PoE ports and gaining access to the 10.0.25.0/24 voice subnet?
I'm playing around in the "Port Security" and 802.1X section of the Cisco SG200... but I'm totally confused.
Can anyone help?
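Added example, not from the original post or from Cisco: a small audit of the port membership plan written in the question's own notation. It assumes plain 802.1Q behaviour (untagged frames land in the port's PVID; a trunk accepts tagged frames for every VLAN in its tagged set) and does not model 802.1X or the SG200's port security, so the `HARDENED_TRUNK` line and the `999` VLAN are assumptions for illustration.

```python
# Added example (not from the post): an audit of the 802.1Q membership plan above.
# Assumptions: "1U, 2T, 10T" means VLAN 1 untagged (the PVID) and VLANs 2 and 10
# tagged; a trunk port accepts tagged frames for every VLAN in its tagged set; an
# access port carries only its PVID. 802.1X and port security are not modelled.
import re
PROTECTED = {1: "management 10.0.0.0/24", 2: "voice 10.0.25.0/24"}  # keep from tenants
_LINE = re.compile(r"^Port (\d+) - (trunk|access) port, (.+)$")

def parse_port(line):
    """Return (name, mode, pvid, tagged) from a line in the post's notation."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised port line: {line!r}")
    pvid, tagged = None, set()
    for token in (t.strip() for t in m.group(3).split(",")):
        vid, kind = int(token[:-1]), token[-1].upper()
        if kind == "U" and pvid is None:
            pvid = vid
        elif kind == "T":
            tagged.add(vid)
        else:
            raise ValueError(f"bad or duplicate untagged token {token!r}")
    if pvid is None:
        raise ValueError("port has no untagged (PVID) VLAN")
    return f"Port {m.group(1)}", m.group(2), pvid, frozenset(tagged)

def reachable_from_untrusted_host(port):
    """VLANs a device plugged straight into the port can send frames into:
    its PVID, plus every tagged VLAN when the port is a trunk."""
    _, mode, pvid, tagged = port
    return {pvid} | (set(tagged) if mode == "trunk" else set())

def exposures(lines):
    """Map each port name to the protected subnets reachable from it (if any)."""
    out = {}
    for line in lines:
        port = parse_port(line)
        hits = [PROTECTED[v] for v in sorted(reachable_from_untrusted_host(port))
                if v in PROTECTED]
        if hits:
            out[port[0]] = hits
    return out

# Constructed from the post's plan for the room switch that uses customer VLAN 10.
PLAN = ["Port 1 - trunk port, 1U, 2T, 10T", "Port 2 - access port, 2U",
        "Port 5 - access port, 10U"]
# Same trunk with an unused VLAN as PVID, so untagged frames no longer land in VLAN 1.
HARDENED_TRUNK = "Port 1 - trunk port, 999U, 1T, 2T, 10T"
if __name__ == "__main__":  # Port 1 and 2 exposed, Port 5 not; the hardened trunk still is
    print(exposures(PLAN), exposures([HARDENED_TRUNK]))
```

The second result is the point: moving VLAN 1 off the trunk's PVID stops untagged frames from reaching the management subnet, but a trunk that terminates in a tenant room still carries the management and voice VLANs tagged, so membership changes alone do not answer the question and the uplink port needs authentication (802.1X) or a design where the tenant-facing cable is not a trunk.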