4.1 VLAN Basics
4.1.3 VLANs and network security

The first issue is the shared-media nature of legacy networks. Whenever a station transmits in a shared network such as a legacy half-duplex 10BASE-T system, all stations attached to the segment receive a copy of the frame, even if they are not the intended recipients. This does not prevent the network from functioning. There are, however, readily available software packages that monitor network traffic. Anyone with such a package can capture passwords, sensitive e-mail, and any other traffic on the network.

If the users on the network belong to the same department, this might not be disastrous, but when users from mixed departments share a segment, undesirable information captures can occur. If someone from human resources or accounting sends sensitive data such as salaries, stock options, or health records on the shared network, anyone with a network monitoring package can decode the information.

Neither of these scenarios is constrained to a single segment. These problems can occur in multisegment environments interconnected with routers. In Figure , the accounting department resides on two isolated segments. For users on one segment to transmit to users on the other segment, the frames must cross the engineering network. When they cross the engineering segment, it is possible that they can be intercepted and misused.

One way to eliminate the problem is to move all accounting users onto the same segment. However, this is not always possible because there might be space limitations that prevent all accountants from sharing a common part of the building. Another reason may be the geographical makeup of the company: users on one segment might be a considerable distance from users on the other segment.

Another approach is through the use of VLANs, which enable you to contain all process-related users in the same broadcast domain and isolate them from users in other broadcast domains. You can assign all accounting users to the same VLAN, regardless of their physical location in the facility. You no longer have to place them in a network based upon their location. You can assign users to a VLAN based upon their job function. Keep all the accounting users on one VLAN, the marketing users on another VLAN, and engineering in yet a third.

By creating VLANs with switched network devices, you create another level of protection. Switches bridge traffic within a VLAN. When a station transmits a known unicast frame, the switch forwards it only to the port of the intended destination; it does not distribute the frame to every user in the VLAN.

Station A in Figure transmits a frame to Station B attached to another Catalyst® Switch. Although the frame crosses through a Catalyst Switch, only the destination receives a copy of the frame. The switch filters the frame from the other stations, whether they belong to a different VLAN or the same VLAN. This switch feature limits the opportunity for someone to capture packets with a network analyzer.
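To make the forwarding behaviour described above concrete, here is a small model of a VLAN-aware learning switch. It is an added example written for this section, not code from the book or from any Catalyst software; the port-to-VLAN layout and MAC addresses are constructed. It shows why a known unicast frame reaches only its destination port, why broadcasts and unknown unicasts are flooded only within the sender's VLAN, and why a frame never crosses into another VLAN.

```python
# Added example (not from the book or Cisco): a minimal VLAN-aware learning switch.
# It models why a known unicast frame reaches only its destination port, why
# broadcasts and unknown unicasts are flooded only within the sender's VLAN,
# and why no frame is ever delivered to a port in a different VLAN.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str
    dst: str

@dataclass
class Switch:
    port_vlan: dict                      # port number -> access VLAN (constructed layout)
    mac_table: dict = field(default_factory=dict)   # (vlan, mac) -> port, scoped per VLAN

    def forward(self, ingress_port: int, frame: Frame) -> list:
        """Return the egress ports that receive a copy of the frame."""
        vlan = self.port_vlan[ingress_port]
        # Learn the source MAC on the ingress port, within this VLAN only.
        self.mac_table[(vlan, frame.src)] = ingress_port
        same_vlan = sorted(p for p, v in self.port_vlan.items()
                           if v == vlan and p != ingress_port)
        if frame.dst == BROADCAST:
            return same_vlan                 # flooded, but only inside this VLAN
        egress = self.mac_table.get((vlan, frame.dst))
        if egress is None:
            return same_vlan                 # unknown unicast: flooded within the VLAN
        return [] if egress == ingress_port else [egress]   # known unicast: one port

def demo() -> dict:
    """Accounting on VLAN 10 (ports 1, 2); engineering on VLAN 20 (ports 3, 4)."""
    sw = Switch(port_vlan={1: 10, 2: 10, 3: 20, 4: 20})
    acct_a, acct_b, eng_c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    results = {}
    # B has not transmitted yet, so A's first frame to B is an unknown unicast.
    results["unknown_unicast"] = sw.forward(1, Frame(acct_a, acct_b))
    # B replies; the switch now knows B is on port 2.
    results["reply"] = sw.forward(2, Frame(acct_b, acct_a))
    # A's next frame to B is a known unicast: only port 2 receives a copy.
    results["known_unicast"] = sw.forward(1, Frame(acct_a, acct_b))
    # An engineering broadcast never reaches the accounting ports.
    results["eng_broadcast"] = sw.forward(3, Frame(eng_c, BROADCAST))
    # Engineering addressing accounting host B: B is unknown in VLAN 20, so the
    # frame floods VLAN 20 only and never crosses into VLAN 10.
    results["cross_vlan"] = sw.forward(3, Frame(eng_c, acct_b))
    return results
```

The first unknown-unicast frame is the only one that is flooded to accounting's other port; once the reply has been learned, the conversation is delivered to a single port, and nothing from VLAN 20 ever appears on ports 1 or 2.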

Although these security methods may seem like overkill, in the corporate network they are crucial. Consider the data transferred within the accounting department. This department has salary information, stock-option information, personal information, and other sensitive and personal material. It is very important to protect the privacy of the users and the integrity of the data. As you can see, VLANs greatly assist in this endeavor.