VLAN SECURITY

Virtual Local Area Network (VLAN) SECURITY

In the begin I want to say that VLANs are not secure .Using Virtual LANs it is now possible to make isolated traffic .Which mean the traffic that share the same switch or even group of switches can be isolated .The designer of this isolation had other issues in mind rather than the security problem. VLANs allow sharing a switch among more than one LAN by filtering and limiting broadcast traffic. But this form of isolation relies on software and configuration, not the physical isolation.

In the last few years, some firewalls have become VLAN aware; you can make policies to identify a packet and also identify the VLAN that is belonging to. By firewalls that are VLAN aware add a lot of flexibility useful to Web hosting sites, the tags that these firewalls rely on were not designed with security in mind. VLAN tags can be created by devices other than switches, and valid tags that will fool the firewall can easily be added to packets.

Attacks:

Several ways your network can be attacked at Layer 2. Many of these aren't nearly as intuitively obvious as the higher-level attacks we witness daily; so many administrators think that it's impossible to attack VLANs, which is of course, absurd.

So here are a few key points to remember when configuring your network:
VLAN 1 (on Catalyst switches) is the default for both ports and the "Native" VLAN on 802.1Q trunks, which is precisely why you should NEVER use it.

Don't allow dynamic protocols to talk to untrusted devices. Many administrators don't realize there are a lot of these operating around Layer 2, such as VTP, PAgP, CDP, DTP, UDLD and of course STP.
If at all possible, authenticate all hosts and/or limit their connectivity. Port Security, 802.1x and Dynamic VLANs are three methods mentioned in this article you can use.