446    Chapter 7 • Topologies and IDS

each department within a company could comprise a separate VLAN, regardless of whether or not the department's users are located in physical proximity). This allows administrators to manage these virtual networks individually for security and ease of configuration.
Let's look at an example of using VLANs. There is an Engineering section consisting of 14 computers and a Research section consisting of 8 computers, all on the same physical subnet. Users typically communicate only with other systems within their respective sections. Both sections share the use of one Cisco Catalyst 2924 XL switch. To diminish the size of the necessary broadcast domain for each section, the administrator can create two VLANs, one for the Engineering section and one for the Research section. After creating the two VLANs, all broadcast traffic for each section will be isolated to its respective VLAN. But what happens when a node in the Engineering section needs to communicate with a node in the Research section? Do the two systems connect from within the Catalyst 2924 XL switch? No; this cannot occur since the two sections have been set up on two different VLANs. For traffic to be passed between VLANs (even when they are on the same switch) a router must be used.
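The following configuration is an added illustration of the example above, not taken from the book: it creates VLAN 10 (Engineering) and VLAN 20 (Research) on the Catalyst 2924 XL, trunks both to a router, and routes between them on the router. Port assignments, the trunk port, the IP addressing and the access list are assumptions; the access list goes one step beyond the text by showing that the router, as the only path between VLANs, is also where the inter-VLAN policy is enforced.

```cisco
! --- Catalyst 2924 XL (assumed: hosts on Fa0/1-Fa0/22, trunk on Fa0/24) ---
! VLANs are defined in the VLAN database on the 2900XL series
vlan database
 vlan 10 name Engineering
 vlan 20 name Research
 exit
configure terminal
! Engineering hosts: 14 access ports in VLAN 10 (repeat for Fa0/2 - Fa0/14)
interface FastEthernet0/1
 description Engineering host
 switchport mode access
 switchport access vlan 10
! Research hosts: 8 access ports in VLAN 20 (repeat for Fa0/16 - Fa0/22)
interface FastEthernet0/15
 description Research host
 switchport mode access
 switchport access vlan 20
! Single 802.1Q trunk carrying both VLANs to the router
interface FastEthernet0/24
 description Trunk to router
 switchport trunk encapsulation dot1q
 switchport mode trunk
end

! --- Router ("router on a stick"; assumed addressing 192.168.10.0/24 and 192.168.20.0/24) ---
configure terminal
interface FastEthernet0/0
 no shutdown
! One subinterface per VLAN; the router is the default gateway of each section
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group RESEARCH-IN in
! Inter-VLAN policy: Research may reach other segments but not Engineering
ip access-list extended RESEARCH-IN
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
end
```

Broadcasts from an Engineering host now stay in VLAN 10 on the switch; a unicast from Research to Engineering must cross the trunk to the router, where the access list decides whether it is forwarded. Exact command syntax varies by IOS release, so verify against the release notes of the switch and router in use.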
Figure 7.10 graphically depicts the previous example of splitting one switch into two VLANs. Note that two switches can also be split into two VLANs or more, depending on the need. The following example shows how to split two switches into multiple VLANs with each VLAN acting as its own physically separated network segment. In reality, many more VLANs can be created; they are only limited by port density (the number of ports on a switch) and the feature set of the switch's software.

Figure 7.10 Using VLANs to Segment Network Traffic

[Figure: one switch divided into VLAN 10 (Engineering) and VLAN 20 (Research), both connected through a router to other network segments.]

Each VLAN functions like a separate switch due to the combination of hardware and software features built into the switch itself. Thus, the switch must be



          www.syngress.com