Basic networking/subnetting question.
-
Thank you so much for the explanation. I followed everything but:
Untagged (sometimes called Access) is something you apply on a switch port. For example, if you assign a port to Untagged VLAN 32, anything connected to that port will only be able to connect to port 32.
I couldn't really understand what you meant here. Did you mean VLAN 32 in the last line?
Derp, yes. Corrected.
-
Thanks, but isn't ARP contained inside a subnet? I guess you could find everything if you inspected the MAC table of the main switch
ARP is in the broadcast domain (otherwise known as a lan)
Vlans create multiple lans
-
no. Arp bridges layer 1 and 2. It's switch local. With a VLAN, it becomes VLAN local, in the sense that 802.1q creates a "virtual" switch.
ARP is in a single broadcast domain which can span multiple switches.
-
I see, I was completely off-track lol. But isn't this really for a setup where each computer is connected to an individual port of the switch? I.E. this won't work if to one port of an L3 switch one were to attach a dumb 5 port switch and plug 4 computers in
https://en.wikipedia.org/wiki/IEEE_802.1Q
Vlans are simply a tag on a frame. You can set what if any tags are allowed and you can set the switch to tag untagged traffic. You can can limit Mac addresses with port security.
-
ARP is in the broadcast domain (otherwise known as a lan)
Vlans create multiple lans
Ah, I see. Thanks
-
https://en.wikipedia.org/wiki/IEEE_802.1Q
Vlans are simply a tag on a frame. You can set what if any tags are allowed and you can set the switch to tag untagged traffic. You can can limit Mac addresses with port security.
Thank you. Now I just need to learn to do all of this on Linux/BSD lol
-
Thanks, but to make that work I would need a managed switch running a proprietary OS can I cannot trust.
Or a openwrt to make it L3
-
Or a openwrt to make it L3
True, a commodity all-in-one-box running OpenWRT, or an SBC that supports it would work perfectly, except maybe for a lack of ports
-
Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.
Let's say I have a Linux box working as a router and a dumb switch (I.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.
Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?
What I'm asking is; do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.
If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.
Thanks!
I've done this. I have 3 subnets on a single L2 switch without vlans, and the device isolation works. There's a few caveats:
- I used a 4-port NIC on my router so I could have each subnet on its own interface. They all go directly into the L2 switch.
- You can only have one DHCP server broadcasting. If you have two, there is no way of predicting which subnet you land on.
- My guest subnet is only accessible via Wifi. I have specifically set up my access points so that a particular SSID is assigned to a particular subnet. The access point can broadcast DHCP on a single SSID.
- My third subnet is for my security cameras. It's IPv6-only, and each camera has a static IP address. There is no DHCP. It means my cameras never physically use the same cables as my primary LAN, although they are on the same L2 switch.
All traffic between subnets seems to go through the router, so I have some nftables rules to ensure my guest wifi can only see its own subnet and the public internet.
-
Thank you. Now I just need to learn to do all of this on Linux/BSD lol
https://openwrt.org/docs/guide-user/network/vlan/switch_configuration
You create an device called interface.vlanid
Something like eth0.1
-
https://openwrt.org/docs/guide-user/network/vlan/switch_configuration
You create an device called interface.vlanid
Something like eth0.1
Ooh, would it be similar on other Linux distros/Unixes? I'm trying to decide between Debian, VyOS, Alpine and OpenBSD for my main firewall. All of them have strengths but I think it'll be between VyOS and OpenBSD for me.
-
Ooh, would it be similar on other Linux distros/Unixes? I'm trying to decide between Debian, VyOS, Alpine and OpenBSD for my main firewall. All of them have strengths but I think it'll be between VyOS and OpenBSD for me.
Anything that uses the Linux kernel
I would strongly suggest OpenWRT
-
Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.
Let's say I have a Linux box working as a router and a dumb switch (I.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.
Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?
What I'm asking is; do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.
If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.
Thanks!
You don't have to apologize for being a noob, we were all once noobs (& we still are to some extent)
-
System shared this topic on
