Apologies for all the questions, but I'm trying to get this VLAN stuff sorted in my head (yes, I've read two Cisco Press books, and the stuff on this website, which is incidentally better than the Cisco books!).
Now for my question. With VLAN routing via a layer 3 switch, surely the security reasons for using VLANs become a bit pointless? [Apart from removing broadcasts, that is.]
In other words, once the layer 3 'routing' part of the layer 3 switch routes traffic between all VLANs, then unless you have decent ACLs in place on this layer 3 switch, surely all machines can connect to each other anyway? i.e. host A (10.20.50.218/16) can happily connect to host B (10.21.50.17/16), as the layer 3 switch will just route traffic between the different VLANs and ultimately the hosts?
Am I missing something here, or is this a correct assumption?
As you said, members of different VLANs can talk to each other only if routing is enabled between them. If you look at it differently, it's entirely for the administrator to decide whether to enable routing between them. Even with routing, a simple ACL can further drill down as to what each host can reach.
The other advantage is broadcast control. It might not make a difference in a 20-50 user office, but when it comes to 500-1000 people per location, you will appreciate what VLANs can do for you.
I agree with all that was mentioned, and yes, by default if you only enter the "ip routing" command on the multilayer switch, you can route between the subnets of the different VLANs without restrictions.
Another way to control bridged and routed traffic is to use VLAN ACLs or VLAN maps, so you can control bridged traffic that is crossing the VLAN or the switch where the VLAN map is configured.
When setting up a VLAN ACL, it is quite different to the traditional router ACLs: with router ACLs you define a direction, either in or out, whereas with a VLAN ACL it is defined on the traffic that is crossing the switch or the VLAN.
You can apply the same VLAN map to only one, or to all of the VLANs you want.
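The two mechanisms described in the answers above (a router ACL on the SVI to restrict routed inter-VLAN traffic, and a VLAN map to filter bridged traffic inside a VLAN) put together in one Cisco IOS configuration. This is an added example, not configuration posted by either of the repliers. It assumes host A's subnet 10.20.0.0/16 is VLAN 20 and host B's 10.21.0.0/16 is VLAN 21, that the SVIs take the .1 address of each subnet, that host B (10.21.50.17) is a web server that VLAN 20 should reach on TCP 443 only, and that SMB (TCP 445) between hosts in VLAN 20 should be dropped; all of those numbers and policy choices are assumptions for illustration.

```cisco
! Enable routing between SVIs. On its own this routes every VLAN to every
! other VLAN with no restriction, which is the situation the question describes.
ip routing
!
vlan 20
 name USERS
vlan 21
 name SERVERS
!
! Router ACL, applied inbound on the VLAN 20 SVI. It only sees traffic that
! is routed off VLAN 20; traffic between two hosts inside VLAN 20 is bridged
! and never hits this ACL.
ip access-list extended VLAN20-IN
 remark Allow HTTPS to the web server (host B) only
 permit tcp 10.20.0.0 0.0.255.255 host 10.21.50.17 eq 443
 remark Block everything else from USERS to SERVERS
 deny ip 10.20.0.0 0.0.255.255 10.21.0.0 0.0.255.255
 remark Keep the implicit deny from blocking all other destinations
 permit ip any any
!
interface Vlan20
 description USERS gateway
 ip address 10.20.0.1 255.255.0.0
 ip access-group VLAN20-IN in
!
interface Vlan21
 description SERVERS gateway
 ip address 10.21.0.1 255.255.0.0
!
! VLAN map (VACL): no direction, it is evaluated on all traffic crossing
! VLAN 20, bridged or routed. Sequence 10 drops SMB; sequence 20 has no
! match clause, so it matches everything left and forwards it. Without
! sequence 20, unmatched traffic in the VLAN would be dropped.
ip access-list extended SMB-IN-VLAN20
 permit tcp any any eq 445
!
vlan access-map VLAN20-POLICY 10
 match ip address SMB-IN-VLAN20
 action drop
vlan access-map VLAN20-POLICY 20
 action forward
!
vlan filter VLAN20-POLICY vlan-list 20
```

With this in place host A can still reach host B, but only on TCP 443; every other routed connection from 10.20.0.0/16 into 10.21.0.0/16 is denied by the SVI ACL, while the VLAN map also stops SMB between two hosts that share VLAN 20, something no router ACL can do because that traffic is never routed. Check the result with `show ip access-lists VLAN20-IN` (hit counters on the deny line) and `show vlan filter` / `show vlan access-map` to confirm the map is bound to VLAN 20.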