I am evaluating subnetting our network with a Layer 2 switch and VLAN. From what I know, VLAN only works on broadcast domain, and if I know the MAC address of a remote computer on the same switch, I can bypass the VLAN security entirely by mapping the MAC address to my own ARP table. Is that correct?
Thanks
You are not correct. When a switch creates a VLAN, it is effectively the same as if you created two separate networks connected with their own switches. A person can no more bypass the VLAN using a direct MAC address than you could gain access to your neighbor across the street if you knew his MAC address.
Think of it as two physically separated networks.
No, it isn't. This may have been possible in some of the earliest implementations of VLANs (20 years ago...) but on any modern switch, once a port is tagged with an 802.1q VLAN, that's it. The switching engine won't allow VLAN hopping. Of course, if you have an insecure configuration (say, a host with interfaces on more than one network, with IP forwarding enabled...) you could have some security issues.
I work at a rather large university (we have two Class B's, and still need most of a Class A for NATted clients). Our network is run on Cisco, Foundry, and Juniper hardware, and everything is VLANed. We've never had any issues with it, security or otherwise.
There are some techniques to bypass VLAN tagging, but they only apply for some switches and in some configurations. If you have Cisco switches that have VLAN 1 on a trunk, you can send packets to machines in another VLAN (but not get anything back) if you send a .1q-encapsulated frame with the target VLAN as the VLAN tag.
There are two techniques for VLAN hopping. Take advantage of auto trunking by making the router think you are another router, and then you have access to all VLANs. Artificially create double-tagged packets and take advantage of backward compatibility to hop to the target VLAN.
Generally, no, you will not be able to do this.
Updating your ARP table means that packets sent to the remote computer would make it as far as the switch. However, the switch still won't do anything with them, since your port on the switch is still part of a different network. Without the ARP update, the packets wouldn't even leave your computer. The update means packets can make it a little further down the road, but still won't reach the destination.
If you want to create an exception to a VLAN membership, the best way I've seen to do it is with a layer-3 switch (so really it's a router now) at the core of your network that also supports ACLs (access control lists) for routing security. You set up this switch with a route between the two VLANs, have the ACL set up with a default deny rule, and add your exceptions as allow rules in front of the deny rule.
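As an added example (not taken from any of the answers above), here is a Cisco IOS configuration that puts the last two answers into practice: access ports that refuse trunk negotiation, a trunk whose native VLAN is unused and tagged so double-tagged frames are not accepted, and a layer-3 core with a default-deny ACL whose exceptions sit in front of the deny rule. Interface names, VLAN numbers and addresses are assumptions.

```cisco
! --- Access-layer switch: hardening against the two hopping techniques ---
! Pin each user port to one VLAN and disable DTP, so a host that
! pretends to be a switch cannot negotiate a trunk carrying all VLANs.
interface GigabitEthernet1/0/10
 description user-port (assumed)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
! Uplink trunk: explicit trunk, no DTP, native VLAN set to an unused VLAN
! and allowed VLANs pruned to what the trunk must carry.
vlan 999
 name NATIVE-UNUSED
interface GigabitEthernet1/0/48
 description uplink-to-core (assumed)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Tag native-VLAN frames as well; an untagged outer frame whose inner
! tag names another VLAN then no longer rides the native VLAN for free.
vlan dot1q tag native
!
! --- Layer-3 core: route between VLANs, filter with a default-deny ACL ---
ip routing
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip access-group VLAN10-TO-VLAN20 in
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
!
ip access-list extended VLAN10-TO-VLAN20
 remark exceptions first: the only VLAN10->VLAN20 flows allowed (assumed hosts)
 permit tcp 10.10.0.0 0.0.0.255 host 10.20.0.50 eq 443
 permit udp 10.10.0.0 0.0.0.255 host 10.20.0.53 eq 53
 remark default deny for everything else bound for VLAN 20, logged for detection
 deny ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 log
 remark traffic to other destinations (e.g. the default route) is unaffected
 permit ip any any
```

The deny rule is scoped to the VLAN 20 subnet so the ACL governs only the inter-VLAN exception; change the final `permit ip any any` to a deny if VLAN 10 should reach nothing but the listed services. The `log` keyword on the deny line gives the SOC a record of hosts probing across the VLAN boundary.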