agnos.is Forums


Basic networking/subnetting question.

Selfhosted
65 Posts 15 Posters 465 Views
  • N [email protected]

    A VLAN is (theoretically) equivalent to a physically separated layer 2 domain. The only way for machines to communicate between vlans is via a gateway interface.

    If you don't trust the operating system, then you don't trust that it won't change its IP/subnet to just hop onto the other network. Or even send packets with the other network's header and spoof packets onto the other subnets.

    It's trivially easy to malform broadcast traffic and hop subnets, or to use various arp table attacks to trick the switching device. If you need to segregate traffic, you need a VLAN.

    [email protected]
    #42

    Thank you for the great comment.

    This line cleared it up for me:

    802.1q aware switch and gateway to use VLANs effectively.

    It is indeed as you say. VLANs on a trunk port wouldn't really work for security either. This is making me reconsider my entire networking infrastructure since when I started I wasn't very invested in such things. Thanks for giving me material to think about

    1 Reply Last reply
    0
    • N [email protected]

      As others have said: It will work as you've planned it. The subnetting will keep these two PCs separated (If they still need internet, just add a second IP in your router-PC to allow for communication with this subnet).

      VLANs aren't required, but are more relevant when you want to force network segregation based on individual ports. If you really want to, you can add tagged virtual interfaces on these two separated hosts so that the other hosts aren't able to simply change the address to reach these. The switch should ignore the VLAN tag and pass it through anyway. But again, it's not really needed, just something you can do if you really want to play with tagged VLAN interfaces

      [email protected]
      #43

      Thank you. In theory, is there a mechanism which will prevent other hosts from tagging the interface with a VLAN ID common with another host and spoof traffic that way? Sorry, I need to study more about this stuff

      possiblylinux127@lemmy.zipP N 2 Replies Last reply
      0
      • M [email protected]

        Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.

        Let's say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.

        Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?

        What I'm asking is; do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.

        If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.

        Thanks!

        [email protected]
        #44

        Yes, you need VLANs

        Technically there would be some isolation at layer 3 but they would all still be in the same layer 2 network.

        1 Reply Last reply
        0
        • M [email protected]

          Thank you. In theory, is there a mechanism which will prevent other hosts from tagging the interface with a VLAN ID common with another host and spoof traffic that way? Sorry, I need to study more about this stuff

          [email protected]
          #45

          Usually you would configure that on the switch

          M 1 Reply Last reply
          0
          • M [email protected]

            Could you elaborate why the question of trust invalidates using just subnets?

            [email protected]
            #46

            Subnets are on layer 3 not layer 2. You can easily access other devices on layer 3 by finding the right subnet on layer 2. ARP is used to resolve IP addresses into MAC addresses and vice versa.

            M 1 Reply Last reply
            0
            • possiblylinux127@lemmy.zipP [email protected]

              Usually you would configure that on the switch

              [email protected]
              #47

              I see, I was completely off-track lol. But isn't this really for a setup where each computer is connected to an individual port of the switch? i.e. this won't work if to one port of an L3 switch one were to attach a dumb 5 port switch and plug 4 computers in

              possiblylinux127@lemmy.zipP 1 Reply Last reply
              0
              • possiblylinux127@lemmy.zipP [email protected]

                Subnets are on layer 3 not layer 2. You can easy access other devices on layer 3 by finding the right subnet on layer 2. ARP is used to resolve IP addresses into MAC addresses and vis versa.

                [email protected]
                #48

                Thanks, but isn't ARP contained inside a subnet? I guess you could find everything if you inspected the MAC table of the main switch

                N possiblylinux127@lemmy.zipP 2 Replies Last reply
                0
                • M [email protected]

                  Thank you. In theory, is there a mechanism which will prevent other hosts from tagging the interface with a VLAN ID common with another host and spoof traffic that way? Sorry, I need to study more about this stuff

                  [email protected]
                  #49

                  Yes, but that's done on the switch. Basically VLAN tags are applied in one of two ways:

                  Untagged (sometimes called Access) is something you apply on a switch port. For example, if you assign a port to Untagged VLAN 32, anything connected to that port will only be able to connect to port 32.

                  Tagged (sometimes referred to as Trunk), on the other hand, is for traffic that is already assigned a VLAN tag. For example Tagged 32 means that it will allow traffic that already has a VLAN tag of 32. It is possible to assign multiple VLANs to a Tagged port. Whatever is connected to that port will need to be able to talk to the associated VLAN(s).

                  In your particular case, the best practice would be to assign two ports (One for each host, obviously) to Untagged 32 (arbitrarily chosen number, any VLAN ID will do, as long as you're consistent), and all the other ports as Untagged to a different VLAN ID. That way the switch will effectively contain two segments that cannot talk to each other.

                  M 1 Reply Last reply
                  0
                  • M [email protected]

                    Thanks, but isn't ARP contained inside a subnet? I guess you could find everything if you inspected the MAC table of the main switch

                    [email protected]
                    #50

                    No. ARP bridges layer 1 and 2. It's switch local. With a VLAN, it becomes VLAN local, in the sense that 802.1q creates a "virtual" switch.

                    M possiblylinux127@lemmy.zipP 2 Replies Last reply
                    0
                    • N [email protected]

                      Yes, but that's done on the switch. Basically VLAN tags are applied in one of two ways:

                      Untagged (sometimes called Access) is something you apply on a switch port. For example, if you assign a port to Untagged VLAN 32, anything connected to that port will only be able to connect to port 32.

                      Tagged (sometimes referred to as Trunk), on the other hand, is for traffic that is already assigned a VLAN tag. For example Tagged 32 means that it will allow traffic that already has a VLAN tag of 32. It is possible to assign multiple VLANs to a Tagged port. Whatever is connected to that port will need to be able to talk to the associated VLAN(s).

                      In your particular case, the best practice would be to assign two ports (One for each host, obviously) to Untagged 32 (arbitrarily chosen number, any VLAN ID will do, as long as you're consistent), and all the other ports as Untagged to a different VLAN ID. That way the switch will effectively contain two segments that cannot talk to each other.

                      [email protected]
                      #51

                      Thank you so much for the explanation. I followed everything but:

                      Untagged (sometimes called Access) is something you apply on a switch port. For example, if you assign a port to Untagged VLAN 32, anything connected to that port will only be able to connect to port 32.

                      I couldn't really understand what you meant here. Did you mean VLAN 32 in the last line?

                      N 1 Reply Last reply
                      1
                      0
                      • N [email protected]

                        No. ARP bridges layer 1 and 2. It's switch local. With a VLAN, it becomes VLAN local, in the sense that 802.1q creates a "virtual" switch.

                        [email protected]
                        #52

                        Sorry, I'm not sure what you mean by "ARP bridges L1 and L2". I'll have to read more about this. Other than that, I understand what you said.

                        1 Reply Last reply
                        0
                        • M [email protected]

                          Thank you so much for the explanation. I followed everything but:

                          Untagged (sometimes called Access) is something you apply on a switch port. For example, if you assign a port to Untagged VLAN 32, anything connected to that port will only be able to connect to port 32.

                          I couldn't really understand what you meant here. Did you mean VLAN 32 in the last line?

                          [email protected]
                          #53

                          Derp, yes. Corrected.

                          1 Reply Last reply
                          0
                          • M [email protected]

                            Thanks, but isn't ARP contained inside a subnet? I guess you could find everything if you inspected the MAC table of the main switch

                            [email protected]
                            #54

                            ARP is in the broadcast domain (otherwise known as a LAN)

                            VLANs create multiple LANs

                            M 1 Reply Last reply
                            0
                            • N [email protected]

                              No. ARP bridges layer 1 and 2. It's switch local. With a VLAN, it becomes VLAN local, in the sense that 802.1q creates a "virtual" switch.

                              [email protected]
                              #55

                              ARP is in a single broadcast domain which can span multiple switches.

                              1 Reply Last reply
                              0
                              • M [email protected]

                                I see, I was completely off-track lol. But isn't this really for a setup where each computer is connected to an individual port of the switch? i.e. this won't work if to one port of an L3 switch one were to attach a dumb 5 port switch and plug 4 computers in

                                [email protected]
                                #56

                                https://en.wikipedia.org/wiki/IEEE_802.1Q

                                VLANs are simply a tag on a frame. You can set what, if any, tags are allowed and you can set the switch to tag untagged traffic. You can limit MAC addresses with port security.

                                M 1 Reply Last reply
                                0
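The posts above (#49 on Untagged/Access versus Tagged/Trunk ports, #56 on a VLAN being nothing more than a tag on the frame, and nyan's point near the top of the thread that an untrusted OS can simply change its own IP) can be tried out in a small simulation. The following is an added example, not code from the thread or from any switch vendor: it builds real 802.1Q frame bytes and models a dumb switch and a VLAN-aware switch. Port names, MAC and IP addresses, and the VLAN IDs 10 and 20 are made up, and the behaviour "tagged frame arriving on an access port is dropped" is a simplification (real switches differ; some accept a tag equal to the port's PVID), so check the behaviour of your own switch rather than assume it.

```python
"""Added example, not from the thread: a Python simulation of what the
posts above describe.  An 802.1Q tag is four bytes inside the frame
(TPID 0x8100 + TCI); a dumb switch ignores it and floods one broadcast
domain; a VLAN-aware switch classifies each frame on ingress by port
mode (untagged/access vs tagged/trunk).  MACs, IPs, VLAN IDs and port
names are constructed; no packets leave this process."""
import struct
from dataclasses import dataclass

ETH_P_8021Q = 0x8100
ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; with vid, insert an 802.1Q tag after the source
    MAC: TPID 0x8100, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return dst, src, None, ethertype, frame[14:]
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]

def arp_request(sender_mac, sender_ip, target_ip):
    """ARP who-has target_ip tell sender_ip (RFC 826, Ethernet/IPv4)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                       sender_mac, sender_ip, b"\0" * 6, target_ip)

@dataclass
class Port:
    name: str
    mode: str = "dumb"      # "dumb" | "access" (untagged) | "trunk" (tagged)
    pvid: int = 0           # access: VLAN given to untagged ingress frames
    allowed: frozenset = frozenset()  # trunk: tagged VIDs accepted

class Switch:
    def __init__(self, *ports):
        self.ports = {p.name: p for p in ports}

    def forward(self, in_port, frame):
        """{out_port: frame as it leaves} for a broadcast/unknown-unicast
        frame entering in_port.  MAC learning is left out: flooding inside
        the broadcast domain is exactly the isolation question here."""
        src_port = self.ports[in_port]
        dst, src, vid, et, payload = parse_frame(frame)
        if src_port.mode == "dumb":
            # Dumb switch: the tag is opaque bytes; one broadcast domain.
            return {n: frame for n in self.ports if n != in_port}
        if src_port.mode == "access":
            if vid is not None:
                return {}   # tagged frame on an access port: dropped (simplified)
            vid = src_port.pvid
        elif vid is None or vid not in src_port.allowed:
            return {}       # trunk: untagged, or VID not allowed: dropped
        out = {}
        for name, p in self.ports.items():
            if name == in_port:
                continue
            if p.mode == "access" and p.pvid == vid:
                out[name] = build_frame(dst, src, et, payload)           # untagged
            elif p.mode == "trunk" and vid in p.allowed:
                out[name] = build_frame(dst, src, et, payload, vid=vid)  # tagged
        return out

def ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))

# Constructed topology: PC A on 10.0.10.0/24 (VLAN 10), PC B on 10.0.20.0/24
# (VLAN 20), and a trunk up to the Linux router carrying both VLANs.
PC_A = bytes.fromhex("02000000000a")

def make_dumb_switch():
    return Switch(Port("pcA"), Port("pcB"), Port("router"))

def make_vlan_switch():
    return Switch(Port("pcA", "access", pvid=10),
                  Port("pcB", "access", pvid=20),
                  Port("router", "trunk", allowed=frozenset({10, 20})))

def who_hears(switch, in_port, frame):
    return set(switch.forward(in_port, frame))

# PC A is untrusted: it simply claims an address in B's subnet and ARPs for B.
SPOOFED_ARP = build_frame(BROADCAST, PC_A, ETH_P_ARP,
                          arp_request(PC_A, ip4("10.0.20.99"), ip4("10.0.20.5")))
# The same host injecting a frame it tagged with B's VLAN itself.
SELF_TAGGED_ARP = build_frame(BROADCAST, PC_A, ETH_P_ARP,
                              arp_request(PC_A, ip4("10.0.20.99"), ip4("10.0.20.5")),
                              vid=20)

if __name__ == "__main__":
    print("dumb switch      :", who_hears(make_dumb_switch(), "pcA", SPOOFED_ARP))
    print("VLAN switch      :", who_hears(make_vlan_switch(), "pcA", SPOOFED_ARP))
    print("VLAN, self-tagged:", who_hears(make_vlan_switch(), "pcA", SELF_TAGGED_ARP))
```

On the dumb switch PC B hears PC A's ARP even though the two are configured in different subnets, which is why subnets alone are a convention, not a boundary. On the VLAN-aware switch the same untagged frame is classified into VLAN 10 on ingress and only leaves on the trunk, tagged 10; the frame PC A pre-tagged with VLAN 20 never gets out of its access port. The trunk side is where the switch's allowed-VID list matters: a tag the trunk does not carry is dropped there too.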
                                • possiblylinux127@lemmy.zipP [email protected]

                                  ARP is in the broadcast domain (otherwise known as a LAN)

                                  VLANs create multiple LANs

                                  [email protected]
                                  #57

                                  Ah, I see. Thanks

                                  1 Reply Last reply
                                  0
                                  • possiblylinux127@lemmy.zipP [email protected]

                                    https://en.wikipedia.org/wiki/IEEE_802.1Q

                                    VLANs are simply a tag on a frame. You can set what, if any, tags are allowed and you can set the switch to tag untagged traffic. You can limit MAC addresses with port security.

                                    [email protected]
                                    #58

                                    Thank you. Now I just need to learn to do all of this on Linux/BSD lol

                                    possiblylinux127@lemmy.zipP 1 Reply Last reply
                                    0
                                    • M [email protected]

                                      Thanks, but to make that work I would need a managed switch running a proprietary OS that I cannot trust.

                                      [email protected]
                                      #59

                                      Or an OpenWrt to make it L3

                                      M 1 Reply Last reply
                                      0
                                      • K [email protected]

                                        Or an OpenWrt to make it L3

                                        [email protected]
                                        #60

                                        True, a commodity all-in-one box running OpenWrt, or an SBC that supports it, would work perfectly, except maybe for a lack of ports

                                        1 Reply Last reply
                                        0
                                        • M [email protected]

                                          Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.

                                          Let's say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.

                                          Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?

                                          What I'm asking is; do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.

                                          If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.

                                          Thanks!

                                          [email protected]
                                          #61

                                          I've done this. I have 3 subnets on a single L2 switch without VLANs, and the device isolation works. There are a few caveats:

                                          1. I used a 4-port NIC on my router so I could have each subnet on its own interface. They all go directly into the L2 switch.
                                          2. You can only have one DHCP server broadcasting. If you have two, there is no way of predicting which subnet you land on.
                                          3. My guest subnet is only accessible via Wifi. I have specifically set up my access points so that a particular SSID is assigned to a particular subnet. The access point can broadcast DHCP on a single SSID.
                                          4. My third subnet is for my security cameras. It's IPv6-only, and each camera has a static IP address. There is no DHCP. It means my cameras never physically use the same cables as my primary LAN, although they are on the same L2 switch.

                                          All traffic between subnets seems to go through the router, so I have some nftables rules to ensure my guest wifi can only see its own subnet and the public internet.

                                          1 Reply Last reply
                                          0
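For the Linux-router side that #43 (tagged virtual interfaces) and #61 (nftables rules so a subnet can only reach itself and the internet) describe, and that #58 asks how to do on Linux, here is an added example script; it is not from the thread or from any of the posters. Interface names (eth0 as uplink, eth1 as the trunk to an 802.1Q switch), VLAN IDs 10 and 20, and the addresses 10.0.10.1/24 and 10.0.20.1/24 are assumptions. It is a dry run by default and only prints the commands; run it with APPLY=1 as root to apply them. Only IPv4 is shown.

```shell
#!/bin/sh
# Added example, not from the thread: the Linux-router side of the setup
# (#43's tagged subinterfaces, #61's nftables policy).  Assumed names:
#   eth0 = uplink, eth1 = trunk to the 802.1Q switch carrying VLAN 10 and 20,
#   10.0.10.1/24 and 10.0.20.1/24 = the router's address on each VLAN.
# Dry run by default (commands are printed); APPLY=1 executes them as root.
set -eu
UPLINK=${UPLINK:-eth0}
TRUNK=${TRUNK:-eth1}
RULESET=${RULESET:-${TMPDIR:-/tmp}/router.nft}

run() {  # execute when APPLY=1, otherwise show what would run
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

# One 802.1Q subinterface per VLAN on the trunk; the kernel adds and strips
# the tag, so the router sees two ordinary L3 interfaces.
setup_vlan() {  # setup_vlan <parent> <vid> <cidr>
    run ip link add link "$1" name "$1.$2" type vlan id "$2"
    run ip addr add "$3" dev "$1.$2"
    run ip link set "$1.$2" up
}

# Forward policy: default drop, so VLAN 10 and VLAN 20 cannot reach each
# other through the router even though it routes both; each may reach the
# uplink and replies come back on conntrack state.  Traffic to the router
# itself (DNS, DHCP) goes through the input hook, which is not shown here.
render_ruleset() {  # render_ruleset <uplink> <vlan10_iface> <vlan20_iface>
    cat <<EOF
flush ruleset
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$2" oifname "$1" accept
        iifname "$3" oifname "$1" accept
        # no $2 to $3 rule: inter-VLAN traffic falls through to policy drop
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$1" masquerade
    }
}
EOF
}

main() {
    run sysctl -w net.ipv4.ip_forward=1
    setup_vlan "$TRUNK" 10 10.0.10.1/24
    setup_vlan "$TRUNK" 20 10.0.20.1/24
    render_ruleset "$UPLINK" "$TRUNK.10" "$TRUNK.20" > "$RULESET"
    run nft -f "$RULESET"
}
main
```

Before applying, `nft -c -f /tmp/router.nft` checks the generated ruleset for syntax errors without loading it. The switch port facing eth1 must be a Tagged/Trunk port allowing VLANs 10 and 20, with the PC ports Untagged in 10 and 20 respectively, as #49 describes; without that, the subinterfaces exist but nothing reaches them. The default-drop forward chain is what turns "two subnets" into "two networks that only meet where you allow them to".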