Cisco Support Community
New Member

vlan segmentation help

Assumptions:

group 1 owns C2950 in lab and require mgmt access to switch

group 2 owns C2950 in lab and require mgmt access to switch

each dept creates their own VLANs on their respective switches

production C3750 switches are corp managed only w/ defined VLANs for entire network

task:

- group 1 req's access to their test lab equipment from 2nd floor dept lan

- group 1 req's access to general network from w/in lab environment (http, file access, etc)

- group 2 has same req's as group 1

- general users in lab (not in group 1/2) req regular network access but MUST NOT be able to see any private traffic from group 1/2.

--** dept managed switches must NOT propagate VLAN info to production network in the event of switch misconfig **--

key is to keep production switch configs as simple as possible but still maintain security policy.

1 REPLY
Silver

Re: vlan segmentation help

VLANs allow logical network topologies to overlay the physical switched infrastructure such that any arbitrary collection of LAN ports can be combined into an autonomous user group or community of interest. The technology logically segments the network into separate Layer 2 broadcast domains whereby packets are switched between ports designated to be within the same VLAN. By containing traffic originating on a particular LAN only to other LANs in the same VLAN, switched virtual networks avoid wasting bandwidth, a drawback inherent to traditional bridged and switched networks in which packets are often forwarded to LANs with no need for them. Implementation of VLANs also improves scalability, particularly in LAN environments that support broadcast- or multicast-intensive protocols and applications that flood packets throughout the network.

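An added example, not part of either post: one way the production C3750 side could contain the department-managed C2950 uplinks so that a lab misconfiguration cannot change production VLANs. Interface names, VLAN IDs and VLAN names are assumptions, as is the assumption that the production switch can run VTP in transparent mode.

```cisco
! Added example, production C3750 only. Interfaces and VLAN numbers are assumed.
! Transparent mode: VLAN advertisements received from a neighbour are never
! applied to this switch's VLAN database.
vtp mode transparent
!
! VLANs are defined by corp here; the lab switches cannot add to this list.
vlan 110
 name GROUP1-LAB
vlan 120
 name GROUP2-LAB
vlan 300
 name LAB-GENERAL
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet1/0/10
 description Uplink to group 1 dept-managed C2950
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! No DTP: the trunk state is set here, not negotiated by the lab switch.
 switchport nonegotiate
 ! Untagged frames land in a VLAN that carries no users.
 switchport trunk native vlan 999
 ! Only these VLANs cross the link, whatever the C2950 defines locally.
 switchport trunk allowed vlan 110,300
 ! The lab switch may not become spanning-tree root for production.
 spanning-tree guard root
!
interface GigabitEthernet1/0/11
 description Uplink to group 2 dept-managed C2950
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 ! Group 2 gets its own VLAN plus the shared general-user VLAN only.
 switchport trunk allowed vlan 120,300
 spanning-tree guard root
```

Routing and filtering between the group VLANs, the general-user VLAN and the 2nd floor dept LAN is not shown; the VLAN split above only keeps each group's Layer 2 traffic out of the others' broadcast domains.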