workstation into any switch port and have access to network resources. The
administrator controls each port and whatever resources it is allowed to use.
tion of any unauthorized access to network resources. If inter-VLAN com-
munication needs to take place, restrictions on a router can also be
implemented. Restrictions can also be placed on hardware addresses, proto-
cols, and applications.
the users you want in the broadcast domain regardless of their physical loca-
tion. Layer 2 switches read frames only for filtering; they do not look at the
Network layer protocol. This can cause a switch to forward all broadcasts.
However, by creating VLANs, you are essentially creating separate broad-
cast domains. Broadcasts sent out from a node in one VLAN will not be for-
warded to ports configured in a different VLAN. By assigning switch ports
or users to VLAN groups on a switch--or group of connected switches
(called a switch-fabric)--you have the flexibility to add only the users you
want in the broadcast domain regardless of their physical location. This can
stop broadcast storms caused by a faulty network interface card (NIC) or an
application from propagating throughout the entire internetwork.
VLAN, the fewer are affected by broadcasts.
looking at a traditional collapsed backbone. Figure 3.2 shows a collapsed
backbone created by connecting physical LANs to a router.