Isolated VLANs: Use sparingly or common practice?

When does it make sense to use an isolated VLAN? IT pro Rick Vanover showcases some criteria that can be used to determine when to clip any links to other networks.

When it comes to designing a network, server administrators and network administrators may not always see eye to eye on what needs to be provided. I mentioned in a previous blog how security zones are key to designing effective networks, but what about fully isolated VLANs?

Security zones can be made by putting network firewalls up in front of a network that is routed or by using a slew of operating system approaches. Two of the most popular practices would be to use IPSec rules or a firewall (such as Windows firewall) on the operating system within the security zone. Yet another approach to protecting the security zone is to make the VLAN fully isolated.

A fully isolated VLAN, in most situations, is Layer 2 (L2) connectivity with no route to devices on other TCP/IP networks from the network switching perspective. A fully isolated network can also be built with dedicated interfaces and dedicated switching, but in many cases that becomes cost-prohibitive, and the required ports are difficult to obtain. For a fully isolated L2 VLAN, I’ve found a number of configurations that make sense for this level of protection.

The primary use case is for systems that have multiple interfaces to which you can dedicate certain roles to the security zone associated with the fully isolated VLAN. Of course, there are risks and concerns associated with a system connected to multiple security zones. It is important to make sure there is no bridging or routing functionality provided by these systems, or the effort becomes moot.

Practically speaking, if a specific role is configured to use only the dedicated interfaces, this practice will satisfy most situations. One frequent use case for an isolated security zone is to protect data in motion during virtual machine migration. For VMware installations, this best-practice post outlines how to protect the unencrypted nature of virtual machine migration. Other use cases are easy to find; essentially, the goal is to protect against any man-in-the-middle style attack. The issue then becomes whether or not to route these L2 networks to other resources in the larger network environment.

How frequently do you use fully isolated L2 VLANs? Are they too far of a step to go to protect certain tiers of traffic? Share your comments below.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

19 comments
plymouth

As stated in other posts, I have deployed isolated VLANs for backups and for storage access. Isolated in the context of no routers or switches being able to grant access to other VLANs or the WAN. But still "connected" in the sense that one server on the isolated VLAN will have an additional NIC to another VLAN for IP access. Unless your server is connected via KVM or serial console access. In the end, an isolated VLAN is an excellent way to guarantee bandwidth to applications which are either gluttons like backups or more sensitive like database facilities where truly private access is desired.

Anderson.David

Is this what you would use if you wanted to grant outside users internet access, and wanted to keep the traffic totally separate?

arnaud16571542

It took me time to understand we're speaking of this kind of isolated VLAN!... because "Isolated VLAN" is also a term in Cisco's Private VLAN, where isolated ports can only exchange traffic with the special promiscuous port (an isolated port can't exchange data with another isolated port). We use isolated VLANs for iSCSI, or really private networks where people need to stay away from the sysadmin's rules, so they don't mess up the LAN's security and the boss is satisfied because he doesn't have to pay for new equipment.

mondalvi

I used to work for a tech appliance company and I used isolated VLANs to separate Dev and Test. Also used it for Customer Support since they would receive customer system images.

Rs0stmmgt

Due to the nature of our business and the individual divisions, we use fully isolated VLANs as a standard both at the firewall and at remote sites. Routing is only done by routes; all access is allowed or denied by firewalls that the VLANs terminate on.

jdavis

On the networks that I manage the only "fully isolated" VLANs in use are iSCSI VLANs used exclusively to carry data between DB servers and storage arrays. We do employ separate security zones for other types of networks: the general business VLAN is unprotected, while VLANs that control machinery reside behind a firewall. In no case do I allow systems to have multiple interfaces connected to multiple security zones. I am responsible for the security of the protected networks, and allowing that type of connectivity on systems that I do not manage opens doors over which I have no control or visibility.

rwparks.it

One company set up a VLAN hooked to the ISP for Internet kiosks. This totally isolated the Internet from the company's internal network. Pretty simple... VLAN 99: switch ports 1-6 for Internet PCs; VLAN 10: all remaining ports on the switch for the inside LAN.

alan_stiver

We have a lot of tenant office spaces in our hospital, which are not always contiguous. Also, some have their own Internet service. We use isolated VLANs to give tenants connectivity to their VLANs without their traffic touching each other or our enterprise network. In these cases, the VLANs may span multiple switches, but there is no router connection between VLANs.

bstiff929

The best example I've ever seen for justification of an isolated VLAN (beyond the mention of a VMWare backend) is a SAN.

jdavis

Unless I am missing something, VLANs that are accessible through a firewall don't qualify as isolated VLANs.

Tonie16

Another good reason to use isolated VLANs is so that you can split your data traffic from your VoIP traffic. You need to do this at L2; if you do it at L3 (IP addressing) you still have a lot of L2 frames. What do you think? Regards,

speculatrix

When using a Cisco switch, be careful to ensure the port is set to nonegotiate; different versions of IOS have different defaults. This feature ensures that a connected host can't start sending tagged frames and cause the port to switch to a "trunk"/.1q, and thus bypass any VLAN security you may have!

david.g.white

In many contexts the use of a truly isolated VLAN sounds ideal, until you examine the issues associated with maintenance of service levels. It would be secure to insert in the VLAN the NIC of a device (such as a firewall or router) and configure NAT on the interface. In this way management systems can gain access to monitor the ports in question, while the equipment does not need any route table amendments (as the management device appears to be on the local subnet to the managed systems).

dmarin

But you would have to create an access list on this interface, correct? Or create a private VLAN, but then you lose other features if you go this route.

digitalb

If the VLAN is isolated, that means there is no Layer 3 gateway associated with it, regardless of FW or routes. An isolated VLAN is often a back-end private network associated with a secondary NIC on systems that communicate privately with other members of that VLAN. If the systems need to communicate with something off their VLAN, then the primary NIC would presumably route that traffic to its gateway. There is, or should never be, a GATEWAY on NICs configured for an isolated VLAN. Hope this helps.

b4real

The boundaries need to be set. If the server team is responsible for the traffic on the isolated networks, then it is their burden not to configure any routing or NAT. It is also the network team's burden to check to see if that is being done.

Juan C Sanchez

We run the backup network on an isolated VLAN; servers can talk to the SAN and that's it. The second NIC is configured for backup services only.

randyjcress

This will seem obvious, but an isolated VLAN is only as secure as the switch that has the non-routable VLAN defined. If this isolated VLAN spans multiple switches and is carried over a trunk, then there are even more attack vectors. Is the management of the switch only out-of-band? If not, one could configure a SPAN port, and if the traffic is not wrapped with IPsec encryption, then game over. So for pure isolated protection, don't make it a VLAN; make it an isolated physical LAN on separate switches with OOB management via console or aux ports. If you don't want to go that route, just use IPsec with server and domain isolation; MS has some great white papers on this and uses it internally... really messes up NetFlow traffic when all you see is a lot of ESP packets!

david.g.white

The point I was making was that network people need to monitor critical network equipment (and in some cases services). Server people do not usually monitor network equipment and very rarely troubleshoot network problems. When a service supported by a switch fails, or worse has unpredictable problems, then it is always network people who are expected to deal with it. Isolation = no management = no visibility = problems with troubleshooting. I would recommend that any switch should be connected (on a management VLAN) 'out of band' such that port-level monitoring from a Netman system and remote troubleshooting are available.