Chapter 3
VLANs
services are used. VLANs can define smaller broadcast domains, which means that it is possible to stop application broadcasts to segments that do not use the application.
Although some older applications have been rewritten to reduce their bandwidth needs, there is a new generation of applications that are bandwidth greedy, consuming all they can find. These are multimedia applications that use broadcasts and multicasts extensively. Faulty equipment, inadequate segmentation, and poorly designed firewalls can also add to the problems of broadcast-intensive applications.
These bandwidth-gobbling applications have added a new factor to network design because broadcasts can propagate through the switched network. Routers, by default, send broadcasts only within the originating network, but layer 2 switches forward broadcasts to all segments. This is called a flat network because it is one broadcast domain.
As an administrator, you must make sure the network is properly segmented to keep problems on one segment from propagating through the internetwork. The most effective way of doing this is through switching and routing. Since switches have become more cost effective, a lot of companies are replacing the hub-and-router flat network with a pure switched network and VLANs. The largest benefit gained from switches with defined VLANs is that all devices in a VLAN are members of the same broadcast domain and receive all broadcasts. The broadcasts, by default, are filtered from all ports that are on a switch and are not members of the same VLAN.
To stop broadcasts from propagating through the entire internetwork, either a router, layer 3 switches, or Route Switch Modules (RSMs) must be used in conjunction with switches to provide connections between networks (VLANs).
Security
In a flat internetwork, security is implemented by connecting hubs and switches together with routers. Security is then maintained at the router, but this causes three serious security problems:
Anyone connecting to the physical network has access to the network resources on that physical LAN.
A user can plug a network analyzer into the hub and see all the traffic in that network.
Users can join a workgroup by just plugging their workstation into the existing hub.
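The two points above, that a VLAN-aware switch floods broadcasts only to ports in the same VLAN, and that a flat network lets any attached station see everyone's traffic, can be made concrete with a small model. The following Python is an added example, not code from the book: it is a toy layer 2 switch with a constructed eight-port topology (the port-to-VLAN map, MAC addresses and port numbers are all made up for illustration), and it shows the set of ports that receive a broadcast on a flat switch versus a segmented one, and that a unicast to a MAC learned in another VLAN never crosses the VLAN boundary.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str       # source MAC
    dst: str       # destination MAC (BROADCAST floods the domain)
    in_port: int   # switch port the frame arrived on

class Switch:
    """Toy layer 2 switch. Every port is an access port in one VLAN; the
    forwarding table is learned per VLAN, and unknown-unicast and broadcast
    frames are flooded only to ports in the ingress VLAN. Putting every port in
    the same VLAN reproduces the flat network the text describes."""

    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)   # port number -> VLAN id
        self.mac_table = {}                  # (vlan, mac) -> port

    def forward(self, frame):
        """Return the sorted list of egress ports for this frame."""
        vlan = self.port_vlans[frame.in_port]
        self.mac_table[(vlan, frame.src)] = frame.in_port   # learn source
        known = self.mac_table.get((vlan, frame.dst))
        if frame.dst != BROADCAST and known is not None:
            return [] if known == frame.in_port else [known]
        # flood: same VLAN only, never back out the ingress port
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != frame.in_port)

def broadcast_reach(switch, in_port, src="00:00:00:00:00:01"):
    """Ports that receive a broadcast sent into in_port."""
    return switch.forward(Frame(src, BROADCAST, in_port))

# Constructed topology: eight ports, flat (all VLAN 1) vs. three VLANs.
FLAT = Switch({p: 1 for p in range(1, 9)})
SEGMENTED = Switch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20, 6: 20, 7: 30, 8: 30})

def isolation_demo():
    """A host on VLAN 20 (port 5) announces itself; a VLAN 20 neighbour replies
    by unicast, then a VLAN 10 host (port 1) tries to reach the same MAC.
    Returns (ports reached by the reply, ports reached by the cross-VLAN try)."""
    sw = Switch(SEGMENTED.port_vlans)
    sw.forward(Frame("00:00:00:00:00:05", BROADCAST, 5))   # learned in VLAN 20
    reply = sw.forward(Frame("00:00:00:00:00:06", "00:00:00:00:00:05", 6))
    cross = sw.forward(Frame("00:00:00:00:00:01", "00:00:00:00:00:05", 1))
    return reply, cross

if __name__ == "__main__":
    print("flat broadcast from port 1 reaches", broadcast_reach(FLAT, 1))
    print("VLAN broadcast from port 1 reaches", broadcast_reach(SEGMENTED, 1))
    print("unicast in VLAN 20, cross-VLAN attempt:", isolation_demo())
```

The cross-VLAN frame is flooded only inside VLAN 10 and never reaches port 5; in a real network that traffic would have to go through the router, layer 3 switch or RSM the text describes, where it can be filtered.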
Copyright ©2000 SYBEX, Inc., Alameda, CA
www.sybex.com