Default State of Managed Switch - Secure or Insecure



  • In purchasing a managed switch, I would be inclined to believe that all ports would be pre-configured to be in their own VLAN (or simply disabled) in the switch's factory default settings. This is more secure than the alternative: having all ports in a single large (enabled) VLAN.

    1. Are there any managed switches whose factory defaults set all of the ports in one enabled VLAN?

    2. Has anyone ever had a situation in which a managed switch failed in a way that caused a loss of security because VLAN configuration was lost?

    3. Assuming the answer to question 1 is "yes", is there an easy way to tell which switches have these defaults and which do not?


  • Rebel Alliance Developer Netgate

    Personally I've never seen a switch ship in any other way than having all ports untagged on VLAN 1 and having no other VLANs defined.

    I have not seen a switch fail in such a way as to make it insecure, but I have seen on more than one occasion an admin who neglected to fully save the running configuration on a switch, so that the state of the switch after a power outage was incorrect. With some switches (e.g. Cisco) you have to be careful with that; others commit the changes as you make them. Both methods have their advantages and disadvantages, but either way it's on the admin to be sure their changes are not only applied but permanently saved. (And while they're at it, backed up.)


  • Netgate Administrator

    Exactly.

    1. All switches default to one VLAN across all ports, almost (?) always VLAN 1.

    2. Nope, but this is the reason some people don't trust VLANs for separating network segments, especially, say, WAN and LAN. That, and the possibility that your switch firmware has some exploitable bug allowing packets to change VLAN; never seen that either.

    3. Some switches have an unmanaged mode they default to that is indicated somehow. The Dell PowerConnect range, for example, has a managed mode LED on the front that tells you the switch has been configured away from its default state. If it did default back to unmanaged mode the LED would go out, so you would know.

    Steve
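The two failure modes the replies above describe (every port left untagged in the factory-default VLAN 1, and running-config changes that were applied but never saved) can both be checked from captured CLI output. The script below is an added example and not code from the forum posts; it parses a constructed, Cisco IOS-style `show vlan brief` sample and compares constructed running/startup configuration fragments, so the port names, VLAN ids and config lines are assumptions.

```python
"""Audit a managed switch's VLAN state from captured CLI output (added example)."""
import re

# Constructed sample in the style of 'show vlan brief'; not real device output.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4
10   servers                          active    Gi1/0/5, Gi1/0/6
20   guests                           active    Gi1/0/7
1002 fddi-default                     act/unsup
"""

# Constructed running vs. startup configuration fragments (assumed content).
RUNNING_CONFIG = "interface Gi1/0/7\n switchport access vlan 20\n"
STARTUP_CONFIG = "interface Gi1/0/7\n"

# A VLAN row starts with a numeric id, then name, then status, then optional ports.
VLAN_ROW = re.compile(r"^(\d+)\s+\S+\s+\S+\s*(.*)$")


def parse_vlan_ports(output):
    """Return {vlan_id: [ports]}; indented continuation rows belong to the
    previously seen VLAN, header and separator rows are skipped."""
    vlans, current = {}, None
    for line in output.splitlines():
        match = VLAN_ROW.match(line)
        if match:
            current = int(match.group(1))
            vlans[current] = []
            ports = match.group(2)
        elif current is not None and line.startswith(" "):
            ports = line.strip()
        else:
            continue
        vlans[current].extend(p for p in re.split(r",\s*", ports) if p)
    return vlans


def ports_in_default_vlan(output, default_vlan=1):
    """Ports still sitting in the factory-default VLAN: the 'one big VLAN' state."""
    return parse_vlan_ports(output).get(default_vlan, [])


def unsaved_lines(running, startup):
    """Config lines present in the running config but absent from the saved
    startup config, i.e. changes that would be lost on a power cycle."""
    return sorted(set(running.splitlines()) - set(startup.splitlines()))
```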
