here in my company the management decided to use VLANs to separate nets of different security levels. (Not implemented yet) Therefore i would very much like to get you started on VLANs... ;-)

Did you have security-related problems with VLAN?

Not myself, no, I have been blissfully spared VLANs up to now except for the CCNA course and exam. ;-) However, VLAN capability is quite obviously (IMHO) a feature slapped onto big switches to justify their price. If you've paid big money for a switch with a gazillion ports, you don't want to have to buy another few while having half a gazillion ports free on the expensive machine. Where security is concerned, I am more in favour of very simple layer 2 devices, such as hubs or dumb, unmanaged switches. Sure, traffic can be sniffed off a hub, but switches don't give good enough protection against that either, while the proper thing to do is to use cryptographic means to ensure data integrity and confidentiality. However, the intelligence of switches, especially managed ones, can quite easily be used against them and defending against that can be quite a challenge. If you need the throughput, go for a switch. On a backbone, you may even want to use managed switches, perhaps even those completely misnomered 'layer 3 switches'. On a DMZ or otherwise security-critical segment, however, security is very important and should have a higher factor associated with it than on a (busy) backbone, for example, where almost nothing but speed counts. I have found the original link, though, it was the first one on the Google list I just posted: http://www.sans.org/newlook/resources/IDFAQ/vlan.htm The following link looks interesting as well: http://rr.sans.org/switchednet/switch_security.php You may also want to search the firewall mailing list archives for the term 'vlan', it's been discussed a couple of times before: http://www.nextrieve.com/cgi-bin/firewalls Tobias