interface (CLI) sent to the target component. Running the Web interface over HTTPS, that is, HTTP carried inside the Secure Socket Layer (SSL) protocol (today its successor, TLS), gives management sessions the same transport protection used by Web-based financial transactions: the session is encrypted and the switch presents a certificate. That protection against an impersonated switch only holds if the management station actually verifies the certificate, so a factory self-signed certificate should be replaced or explicitly trusted on the management hosts.

Simple Network Management Protocol version 3 (SNMPv3) restricts management access to Ethernet switches that run SNMPv3 agent software/firmware. Read (data) and write (operational control) functions require per-user authentication, and the agent can additionally be configured to accept requests only from specific manager IP addresses, each entered during initial set-up. The address list is a supplementary control: source addresses can be spoofed, so it is the SNMPv3 authentication, not the address list, that identifies the manager.

The User-based Security Model (USM) of the SNMPv3 standard (RFC 3414) specifies the Data Encryption Standard in CBC mode (DES-CBC) with a 56-bit key for privacy, that is, encryption of the SNMP PDU, alongside HMAC-MD5 or HMAC-SHA for authentication. Keys are derived from a user password and then localized to each agent's engine ID, so each manager must hold the localized privacy key of each agent with which it communicates. A 56-bit DES key offers little margin against brute force today; where the switch firmware supports it, the AES-128 privacy option (RFC 3826) should be selected instead. Any Ethernet switches employed should provide remote access security for all three management paths: Telnet (CLI) communication, SNMP management, and Web-interface access. Since Telnet carries the login password in clear text, SSH should be used for CLI access wherever the switch offers it.
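The key-handling rule in the previous paragraph, that a manager needs a distinct privacy key per agent, follows from how USM derives keys. The following Python is an added worked example, not code from the paper or from GarrettCom: it implements the RFC 3414 password-to-key expansion and engine-ID localization, checks the result against the RFC's own Appendix A test vector (password "maplesyrup"), and shows how the DES-CBC and AES-128 privacy keys are cut from the localized key. The second engine ID is a made-up value used only to show that one password yields a different key for each agent.

```python
import hashlib

# Inputs from RFC 3414 Appendix A.3 (reproduced here for the check; not from the page).
TEST_PASSWORD = b"maplesyrup"
TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# A made-up engine ID standing in for a second agent on the same network.
OTHER_ENGINE_ID = bytes.fromhex("8000000201c0a80a0b")


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated out to 1,048,576 octets -> Ku.
    The expansion makes offline guessing of captured traffic slightly more expensive."""
    expanded = 1048576
    reps = expanded // len(password) + 1
    return hashlib.new(hash_name, (password * reps)[:expanded]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). One password, one key per agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def des_privacy_material(kul: bytes):
    """RFC 3414 8.1.1.1: of the first 16 octets of the localized key, the first 8 are the
    DES key (64 bits, 8 of them parity, so 56 effective) and the last 8 are the pre-IV."""
    return kul[:8], kul[8:16]


def aes128_privacy_key(kul: bytes) -> bytes:
    """RFC 3826 3.1.2.1: the first 128 bits of the localized key are the AES-128 key."""
    return kul[:16]


def effective_key_bits(des_key: bytes) -> int:
    """DES ignores the low-order (parity) bit of each key octet."""
    return len(des_key) * 8 - len(des_key)


if __name__ == "__main__":
    for h in ("md5", "sha1"):
        kul = usm_localized_key(TEST_PASSWORD, TEST_ENGINE_ID, h)
        key, pre_iv = des_privacy_material(kul)
        print(h, "Kul =", kul.hex(), "DES key =", key.hex(), effective_key_bits(key), "bits")
    # Same password, different agent: a different localized key.
    print(usm_localized_key(TEST_PASSWORD, OTHER_ENGINE_ID)
          != usm_localized_key(TEST_PASSWORD, TEST_ENGINE_ID))
```

Because localization binds the key to the agent's engine ID, a manager cannot simply reuse one key across switches, and a key captured from one agent does not directly unlock another; the password behind it, however, is shared, which is why per-user passwords should still be unique per site.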

Ethernet, because of its high bandwidth, is also well suited to deploying physical security devices such as cameras and access-control readers at remote and peripheral sites. Power over Ethernet (PoE) simplifies powering such devices, since the one cable carries both data and power.

VIRTUAL LAN (VLAN) SUPPORT

VLANs are widely used today to reduce broadcast traffic by limiting the size of a broadcast domain. (On a switched network every port is already its own collision domain; what a VLAN bounds is the broadcast domain.) Frames cannot pass from one VLAN to another without going through a router or Layer 3 switch, so inter-VLAN access can be controlled at that routing point with access lists or a firewall; the isolation is only as strong as that policy and as the correct configuration of the trunk ports that carry several VLANs. A VLAN is a group of ports, possibly spanning multiple Ethernet switches, that the switches treat as one broadcast domain. The IEEE 802.1Q specification establishes a standard method for inserting VLAN membership information into Ethernet frames: a 4-byte tag carrying a 12-bit VLAN ID placed between the source address and the EtherType.

VLANs provide the capability of defining two or more Ethernet segments that co-exist on common hardware. Historically, segmenting Ethernet served to isolate collision domains: a collision domain included all the cabling and hubs or repeaters serving the attached users, bounded by bridges or routers, and fewer users per collision domain meant fewer collisions and retransmissions. With full-duplex switching that problem has gone, and the segments a VLAN creates are broadcast domains. VLANs can isolate groups of users, or divide up traffic for security or bandwidth management. VLANs need not be in one physical location; they can be spread across geography or topology.

VLANs, as the name suggests, create virtual LANs administratively. Instead of going to the wiring closet to move a cable to a different LAN segment, the same task can be accomplished remotely by configuring a port on an 802.1Q-compliant switch to belong to a different VLAN. The ability to move end stations to different broadcast domains by setting membership profiles for each port on centrally managed switches is one of the main advantages of 802.1Q VLANs.
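The VLAN mechanism described in this section, as an added worked example that is not part of the original paper or of any GarrettCom firmware: the Python below builds and parses 802.1Q-tagged Ethernet frames (TPID 0x8100 followed by the 16-bit TCI holding priority, DEI and the 12-bit VLAN ID), and then models a small switch whose ports are assigned to VLANs so that a broadcast is flooded only to ports in the same VLAN. The port model (access ports own one VLAN and discard tagged frames from end stations; a trunk forwards only the VLANs it is explicitly allowed) is a simplified assumption for illustration, and the topology and MAC addresses are constructed. Real switches differ in how they treat tagged frames on access ports and untagged frames on trunks, which is exactly the behaviour to verify when VLANs are relied on for security.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
MIN_VID, MAX_VID = 1, 4094   # VID 0 means priority-tagged only; 4095 is reserved


def mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Ethernet II frame; if vid is given, a 4-byte 802.1Q tag (TPID + TCI) is inserted
    between the source MAC and the EtherType, where 802.1Q places it."""
    head = dst + src
    if vid is not None:
        if not MIN_VID <= vid <= MAX_VID:
            raise ValueError("VID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
        head += struct.pack("!HH", TPID_8021Q, tci)
    return head + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the header fields; vid is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": None,
                "ethertype": etype, "payload": frame[14:]}
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}


class Port:
    """Simplified switch port (assumed model). An access port belongs to one VLAN, its PVID.
    A trunk port carries tagged frames for the allowed VLANs plus untagged frames on its PVID."""
    def __init__(self, name, pvid, trunk=False, allowed=()):
        self.name, self.pvid, self.trunk = name, pvid, trunk
        self.allowed = set(allowed)

    def vlans(self):
        return self.allowed | {self.pvid} if self.trunk else {self.pvid}


def ingress_vlan(port, frame):
    """Classify an arriving frame into a VLAN, or return None to drop it."""
    f = parse_frame(frame)
    if f["vid"] is None:
        return port.pvid            # untagged: the port's own VLAN
    if not port.trunk:
        return None                 # access port: a tag from an end station is discarded
    return f["vid"] if f["vid"] in port.allowed else None


def flood_targets(ports, in_port, frame):
    """Names of the ports a broadcast is flooded to: same VLAN only, never the ingress port."""
    vid = ingress_vlan(in_port, frame)
    if vid is None:
        return []
    return [p.name for p in ports if p is not in_port and vid in p.vlans()]


# Constructed sample topology: ports 1 and 2 in VLAN 10, port 3 in VLAN 20, port 4 a trunk uplink.
PORTS = [Port("1", 10), Port("2", 10), Port("3", 20),
         Port("4", pvid=1, trunk=True, allowed=(10, 20))]
HOST_A, HOST_B = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b")
BCAST = b"\xff" * 6


def demo():
    untagged_from_1 = build_frame(BCAST, HOST_A, ETHERTYPE_IPV4, b"ping")
    tagged_20_from_1 = build_frame(BCAST, HOST_A, ETHERTYPE_IPV4, b"hop", vid=20)
    tagged_30_from_4 = build_frame(BCAST, HOST_B, ETHERTYPE_IPV4, b"stray", vid=30)
    return {
        "vlan10_flood": flood_targets(PORTS, PORTS[0], untagged_from_1),
        "access_port_drops_tag": flood_targets(PORTS, PORTS[0], tagged_20_from_1),
        "trunk_drops_unallowed": flood_targets(PORTS, PORTS[3], tagged_30_from_4),
    }


if __name__ == "__main__":
    print(demo())
```

The second and third cases are the ones worth checking on a real switch: a host on an access port sending its own VLAN 20 tag must not reach VLAN 20, and a trunk must not accept a VLAN it was never configured to carry. If either case forwards, the VLAN boundary is not a security boundary.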

Distributed with permission of author by ISA 2006

Presented at ISA EXPO 2006

Page 9