VLAN isolation test

I have set up several VLANs, each with its own port, IP scheme and firewall. They should be isolated. How do I test this at the layer 2 level? I have tested it at the layer 3 level via ping and by looking at the OpenWrt interface.

What do you want to test at MAC level?
The main part of a VLAN is done at layer 3. Respectively for testing layer 4 also.
If you want to look deeper you could use tcpdump instead of ping.
E.g.: tcpdump -n -i ethx.xx -e | grep "vlan xx"


Yes. I am trying to verify that I have the networks properly isolated. I was thinking that meant that MAC addresses and IP addresses are not known to the "other" network. I used ping to test IP isolation and was wondering about the best technique to verify MAC isolation. Any other suggestions for verification?

I will look at that command.

Peter G. Ten Eyck III
Gmail (personal)

VLAN is just a part of isolating networks. The main part is still the firewall. In case of OpenWrt mainly firewall zone setup.

The main tools to test a network are tcpdump and nmap.

If you test on your router then your router has to be aware of any MAC hitting the device itself to make traffic decisions. Each switch or device operating at layer 2 is communicating over MAC addresses only. Don't forget VLAN is "virtual". There is no real isolation like a separate LAN.

You can see the MACs your router knows with "arp list". Then you can analyse traffic flow with tcpdump listening on certain interfaces.

If you can see other devices from e.g. LAN2 while you are on LAN1 then something is wrong with your VLAN setup.


Just look at the ARP table. Verify MACs are on the proper VLAN. Simple.

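One way to script the ARP-table check suggested in the two posts above, so the verification is repeatable rather than eyeballed. This is an added example, not code from any poster or from OpenWrt; the interface names (br-lan.10, br-lan.20) and the neighbour-table sample are constructed, and it assumes the router's ip tool supports "ip neigh show" (OpenWrt's ip-tiny does). A MAC that the router has learned on more than one VLAN interface is the layer 2 symptom of a leak between VLANs; a dual-homed device can also cause it, so every hit should be explainable.

```shell
#!/bin/sh
# Constructed sample of `ip neigh show` output as it would look on an OpenWrt
# router with two VLAN interfaces. Not captured from any real router.
SAMPLE_NEIGH='192.168.10.20 dev br-lan.10 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.10.21 dev br-lan.10 lladdr aa:bb:cc:00:00:02 STALE
192.168.20.30 dev br-lan.20 lladdr aa:bb:cc:00:00:03 REACHABLE
192.168.20.31 dev br-lan.20 lladdr aa:bb:cc:00:00:01 STALE
192.168.10.22 dev br-lan.10 FAILED'

# Print unique "MAC interface" pairs from neighbour-table text. Entries without
# an lladdr (FAILED/INCOMPLETE) carry no MAC and are skipped, so a host that
# merely failed to answer ARP is never mistaken for a leak.
mac_iface_pairs() {
    printf '%s\n' "$1" | awk '
        {
            mac = ""; iface = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "dev") iface = $(i + 1)
                if ($i == "lladdr") mac = $(i + 1)
            }
            if (mac != "" && iface != "") print tolower(mac), iface
        }' | sort -u
}

# Report MACs learned on more than one VLAN interface, one line per MAC,
# formatted as "mac: iface1 iface2 ...". Empty output means no MAC crosses
# VLANs according to the router's own neighbour table.
leaked_macs() {
    mac_iface_pairs "$1" | awk '
        { ifaces[$1] = ifaces[$1] " " $2; n[$1]++ }
        END { for (m in n) if (n[m] > 1) print m ":" ifaces[m] }' | sort
}

# Number of distinct MACs learned per interface, to compare against the DHCP
# leases you expect on that VLAN.
macs_per_iface() {
    mac_iface_pairs "$1" | awk '{ n[$2]++ } END { for (i in n) print i, n[i] }' | sort
}

# Run with --live on the router to check the real table; without arguments the
# constructed sample is used so the script can be tried anywhere.
if [ "${1:-}" = "--live" ]; then
    leaked_macs "$(ip neigh show)"
else
    echo "== MACs seen on more than one VLAN interface =="
    leaked_macs "$SAMPLE_NEIGH"
    echo "== learned MACs per interface =="
    macs_per_iface "$SAMPLE_NEIGH"
fi
```

Because ARP entries only exist after traffic (see the exchange further down), run the live check right after generating traffic on each VLAN, for example by pinging a known host on each one; an empty neighbour table proves nothing. The counts per interface are the quick sanity check against the status page, and the leak report is the layer 2 answer to the original question.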

This raises an interesting observation/question...

On my IOT VLAN, I see several devices attached using the OpenWRT status screen... ip and macs etc.

These devices do not show up using an arp -a command on the IOT VLAN. After I ping one of the IP addresses, that device then shows up in the arp -a command output?

Yes, this is correct. ARP tables time out.