Broadcast Domain - Broadcast Domain Control

Broadcast Domain Control

With a sufficiently sophisticated switch, it is possible to create a network in which the normal notion of a broadcast domain is strictly controlled. One implementation of this concept is termed a "private VLAN". Another implementation is possible with Linux and ebtables. One helpful analogy is that by creating multiple VLANs, the number of broadcast domains increases, but the size of each broadcast domain decreases. This is because a virtual LAN (or VLAN) is technically a broadcast domain.

This is achieved by designating one or more "server" or "provider" nodes, either by MAC address or switch port. Broadcast frames are allowed to originate from these sources, and are sent to all other nodes. Broadcast frames from all other sources are directed only to the server/provider nodes. Traffic from other sources not destined to the server/provider nodes ("peer-to-peer" traffic) is blocked.

The result is a network based on a nominally shared transmission system; like Ethernet, but in which "client" nodes cannot communicate with each other, only with the server/provider. A common application is Internet providers. Allowing direct data link layer communication between customer nodes exposes the network to various security attacks, such as ARP spoofing. Controlling the broadcast domain in this fashion provides many of the advantages of a point-to-point network, using commodity broadcast-based hardware.