user! The days where users could just plug their workstations into any switch
port and gain access to network resources are history, because the adminis-
trator is now awarded control over each port and whatever resources that
port could access.
management station of any unauthorized access to network resources. And
if you need inter-VLAN communication, you can implement restrictions on
a router to achieve it. You can also place restrictions on hardware addresses,
protocols, and applications--now we're talking security!
layer-2 switches only read frames for filtering--they don't look at the
Network layer protocol. And by default, switches forward all broadcasts.
But if you create and implement VLANs, you're essentially creating smaller
broadcast domains at layer-2.
ports or users to VLAN groups on a switch or group of connected switches
(called a
also work to block broadcast storms caused by a faulty network interface card
(NIC), as well as prevent an application from propagating the storms through-
out the entire internetwork. Those evils can still happen on the VLAN where
the problem originated, but the disease will just be quarantined to that one
ailing VLAN.
fewer users in a VLAN, the fewer users affected by broadcasts. This is well
and good, but you absolutely need to keep network services in mind and
understand how the users connect to these services when you create your
VLAN. It's a good move to try and keep all services, except for the e-mail
and Internet access that everyone needs, local to all users when possible.
created by connecting physical LANs using hubs to a router.