Page 897 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
(specifically a layer 3 switch). As networks are being crafted in virtual environments or in the cloud, software switches are often used. In these situations, VLANs are not hardware-based but instead are switch-software-based implementations.
VLANs let you control and restrict broadcast traffic and reduce a network’s vulnerability to sniffers because a switch treats each VLAN as a separate network division. To communicate between segments, the switch must provide a routing function. It’s the routing function that blocks broadcasts between subnets and VLANs, because a router (or any device performing layer 3 routing functions such as a layer 3 switch) doesn’t forward layer 2 Ethernet broadcasts. This feature of a switch blocks Ethernet broadcasts between VLANs and so helps protect against broadcast storms. A broadcast storm is a flood of unwanted Ethernet broadcast network traffic.
Another element of some VLAN deployments is that of port isolation or private ports. These are private VLANs that are configured to use a dedicated or reserved uplink port. The members of a private VLAN or a port-isolated VLAN can interact only with each other and over the predetermined exit port or uplink port. A common implementation of port isolation occurs in hotels. A hotel network can be configured so that the Ethernet ports in each room or suite are isolated on unique VLANs so that connections in the same unit can communicate, but connections between units cannot. However, all of these private VLANs have a path out to the internet (i.e., the uplink port).
VLANs work like subnets, but keep in mind that they are not actual subnets. VLANs are created by switches at layer 2. Subnets are created by IP address and subnet mask assignments at layer 3.
VLAN Management for Security
Any network segment that does not need to communicate with another to accomplish a work task/function should not be able to