Can anyone tell me what some of the implications of having two different subnets on the same switch would be if VLANs are not being used?
In this case, the risk of spoofing isn't an issue I am worried about. – Kyle Brandt Jun 15 '09 at 14:49
This is also useful information for admins migrating a network to a new IP range. – Terence Johnson Feb 13 '12 at 02:37
One thing to note, that is hit on a bit in some of the answers below, is that unless you use VLAN or static IP addressing on your clients, they will all pull DHCP from sort of the "default" scope. – Adam Nofsinger Jul 20 '17 at 21:45
5 Answers
A host will send ARP requests for address(es) in subnet(s) local to its interface(s). Typically this would be the subnet (or subnets, if multiple addresses are assigned to interfaces) in which the interfaces' IP address (or addresses) are located. You can add routing table entries to make other subnets appear local to the host's interface(s) as well.
Two hosts, each configured with a single IP address assigned, and each in different subnets, will not make ARP requests for the other's IP address.
Assuming the hosts have a gateway specified (either a default gateway or a specific gateway to the other subnet) they will make ARP requests for the applicable gateway and send traffic for the other subnet to that gateway for routing.
Configuring two hosts in this manner will provide a logical isolation. Because the hosts share a broadcast domain, however, no isolation (as there would be if you were using VLANs) is really achieved. It would be easy to ARP and MAC spoof hosts in either subnet from the attached hosts.
If you're doing this in a lab scenario it's a fine configuration. If you truly need isolation, though (as in a production deployment) you should use VLANs or separate physical switches.
It is a production environment, but spoofing isn't really an issue in this case. – Kyle Brandt Jun 15 '09 at 14:50
You say that until it is. Either upgrade to switches that do VLANs or buy another switch. Really. – Matt Simmons Jun 17 '09 at 03:12
re: the edit that @Christoph Lameter placed on here on 2021-10-21 that I rejected on 2021-10-24 - There was no mention of computers with multiple network interfaces in the question and adding details re: multihomed hosts is irrelevant in the context of my answer. If you want to talk about multihomed hosts add your own answer rather than editing mine. Further, I wouldn't say that computers with multiple network interfaces "can ARP across-subnet". They ARP on the interfaces they have. If they have interfaces in two different subnets they'll ARP in those subnets. – Evan Anderson Oct 24 '21 at 12:38
@EvanAnderson I've locked the post to your most recent version because you're right that the edits that you rolled back were inappropriate. Flag if you'd prefer that it be locked on a previous revision. – Ward - Reinstate Monica Oct 26 '21 at 04:29
If you don't use VLANs, a person could easily just add 2 IPs to their interface, say 192.182.0.1/24 and 172.16.0.1/24, so that he or she could access both networks.
By using VLANs you can tag the switchports so that any computer configured to only receive traffic from the VLAN will not be able to get any traffic (except the one directed to it and having the correct VLAN) regardless of how the local interface is configured (how many IPs there are on the interface).
In essence:
- if you trust your users there's no reason at all to use VLANs (from a security point of view).
- if you don't trust your users, VLANs will keep certain groups of users separated from each other
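The first answer describes when a host ARPs for a destination directly versus for its gateway, and the second answer points out that a host with an address in each subnet treats both as local. The following added example (not from the question or either answer) models that next-hop decision with Python's standard `ipaddress` module; the host addresses, routes and destinations are constructed values chosen to match the two-subnets-on-one-switch scenario, and `next_hop` is a hypothetical helper, not an operating-system API.

```python
import ipaddress

# Constructed scenario: two hosts on one switch, no VLANs, each in a different /24.
HOST_A = {"addrs": ["192.168.0.10/24"], "routes": {"0.0.0.0/0": "192.168.0.1"}}
HOST_B = {"addrs": ["172.16.0.10/24"], "routes": {"0.0.0.0/0": "172.16.0.1"}}
# Constructed: the same host as A, but with a second address in B's subnet added
# to the same interface (the case the second answer describes).
HOST_A_DUAL = {"addrs": ["192.168.0.10/24", "172.16.0.10/24"],
               "routes": {"0.0.0.0/0": "192.168.0.1"}}


def next_hop(host_addrs, routes, dst):
    """Return (ip_to_arp_for, how) for a host sending to dst.

    host_addrs: 'ip/prefix' strings assigned to the host's interface.
    routes:     'network/prefix' -> gateway IP; '0.0.0.0/0' is the default route.
    how is 'direct' (ARP for dst itself), 'via gateway' (ARP for the gateway),
    or 'unreachable' (no connected subnet and no matching route).
    """
    dst_ip = ipaddress.ip_address(dst)

    # Any address on the interface makes its whole subnet "connected", so the
    # host ARPs for the destination itself rather than for a gateway.
    for a in host_addrs:
        if dst_ip in ipaddress.ip_interface(a).network:
            return (str(dst_ip), "direct")

    # Otherwise pick the most specific matching route (longest prefix match)
    # and ARP for that route's gateway.
    best_net, best_gw = None, None
    for net, gw in routes.items():
        n = ipaddress.ip_network(net)
        if dst_ip in n and (best_net is None or n.prefixlen > best_net.prefixlen):
            best_net, best_gw = n, gw
    if best_net is None:
        return (None, "unreachable")
    return (best_gw, "via gateway")


def describe(name, host, dst):
    """Human-readable line for one host-to-destination decision."""
    target, how = next_hop(host["addrs"], host["routes"], dst)
    return f"{name} -> {dst}: ARP for {target} ({how})"


if __name__ == "__main__":
    # A and B never ARP for each other; each ARPs for its own gateway, which
    # then routes the packet back onto the very same broadcast domain.
    print(describe("A", HOST_A, "172.16.0.10"))
    print(describe("B", HOST_B, "192.168.0.10"))
    # With an address in both subnets, A reaches B's subnet without any router.
    print(describe("A(dual)", HOST_A_DUAL, "172.16.0.20"))
    # A host with no default route simply cannot send to the other subnet.
    print(describe("A(no route)", {"addrs": HOST_A["addrs"], "routes": {}},
                   "172.16.0.10"))
```

The "logical isolation" the first answer mentions is exactly the `via gateway` branch: nothing stops the two hosts from hearing each other's frames, it is only that neither host's routing table tells it to ARP for the other directly, and the `direct` result for the dual-addressed host shows how little that isolation is worth once someone adds a second address.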
VLANs shouldn't be used for security. They're for management purposes only. Cisco has an excellent white paper discussing the security implications of VLANs. See: http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39054 – Joseph Kern Jun 15 '09 at 15:17
@KevinWheeler VLAN offers zero authentication mechanisms. Here's a SANS paper with a longer explanation: https://www.sans.org/reading-room/whitepapers/networkdevs/virtual-lan-security-weaknesses-countermeasures-1090 – Joseph Kern Nov 03 '15 at 11:54
- If you have untrusted users, some of them might spoof IP addresses of hosts from the other subnet. If there are some address-based rules, they might bypass them. Some users from subnet 1 might spoof the address of the router in network B and eavesdrop on [at least part of] the communication.
- You'll have more broadcast 'garbage' [ARP packets], but that should not be your concern if you have a few dozen users and a 100 or 1000 Mbit/s link.
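Both the first answer and the one above point out that, in a shared broadcast domain, a host in one subnet can answer ARP for the other subnet's router. The defensive counterpart is to watch ARP traffic for an IP that is claimed by more than one MAC, or for a gateway that is claimed by a MAC other than the one you recorded. The example below is an added illustration, not code from any answer: the ARP reply records and the gateway baseline are constructed, and the two check functions are hypothetical helpers that would be fed by whatever capture tool you already use.

```python
from collections import defaultdict

# Constructed ARP replies as a capture tool might log them:
# (timestamp, sender IP, sender MAC). Both subnets' gateways answer on the
# same switch because there are no VLANs separating them.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.0.1", "00:11:22:33:44:01"),
    (1.5, "172.16.0.1",  "00:11:22:33:44:02"),
    (2.0, "192.168.0.1", "00:11:22:33:44:01"),
    (2.5, "172.16.0.50", "00:11:22:33:44:50"),
    # Constructed: a second MAC starts answering for the 172.16 gateway.
    (3.0, "172.16.0.1",  "AA:BB:CC:DD:EE:FF"),
    (3.5, "172.16.0.1",  "aa:bb:cc:dd:ee:ff"),
]

# Constructed baseline of which MAC legitimately owns each gateway address.
GATEWAY_BASELINE = {
    "192.168.0.1": "00:11:22:33:44:01",
    "172.16.0.1":  "00:11:22:33:44:02",
}


def find_ip_mac_conflicts(replies):
    """Return {ip: [(mac, first_seen_ts), ...]} for IPs claimed by >1 MAC.

    MACs are normalised to lower case so the same card logged with different
    capitalisation is not counted twice; the list is ordered by first sighting,
    so the first entry is the MAC that was seen claiming the IP earliest.
    """
    first_seen = defaultdict(dict)  # ip -> {mac: first timestamp}
    for ts, ip, mac in replies:
        first_seen[ip].setdefault(mac.lower(), ts)
    return {
        ip: sorted(macs.items(), key=lambda kv: kv[1])
        for ip, macs in first_seen.items()
        if len(macs) > 1
    }


def gateway_violations(replies, baseline):
    """Return [(ts, ip, mac)] for replies where a baseline gateway IP is
    claimed by a MAC other than the one recorded for it."""
    return [
        (ts, ip, mac)
        for ts, ip, mac in replies
        if ip in baseline and mac.lower() != baseline[ip].lower()
    ]


if __name__ == "__main__":
    for ip, claims in find_ip_mac_conflicts(SAMPLE_ARP_REPLIES).items():
        macs = ", ".join(f"{mac} (first seen t={ts})" for mac, ts in claims)
        print(f"conflict: {ip} claimed by {macs}")
    for ts, ip, mac in gateway_violations(SAMPLE_ARP_REPLIES, GATEWAY_BASELINE):
        print(f"t={ts}: gateway {ip} answered by unexpected MAC {mac}")
```

Because all of the hosts share one broadcast domain, a single monitoring port on the switch sees ARP for both subnets, so one such check covers the whole segment. A baseline check on the gateways is the higher-value one: a duplicate claim on an ordinary host address is often a misconfiguration, while a second MAC answering for a router is the eavesdropping case the answer above describes.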
First, I'm not sure why you would do this for users. The one scenario I can think of is that you are out of IPs in your current user subnet and can't easily extend your current subnet. In this case I think it would be fine to add another subnet. The spoofing thing becomes a non-issue when you are using the IPs this way because both subnets are equal, so you have the same spoofing risk whether using a single subnet or multiple. One question I have here is how DHCP would work. If your DHCP scopes aren't contiguous, and the DHCP server serves IPs based on the "helper" address of the router, wouldn't all the requests go to one scope or the other? I suppose this might become a non-issue if your DHCP server is sitting directly in the broadcast domain, but it's still something to explore.
All that said, I actually do this in production for one of my apps. I have an app that has geographically diverse silos, each silo has its own /27. Those IPs are what I consider to be infrastructure IPs. They belong to those servers. Then I route an additional /29 to the same broadcast domain. This subnet belongs to the application. When I next upgrade hardware, I will build out an entirely new silo with a new /27, then change the route for the application /29 onto it. Since this /29 handles communication with network elements, this allows me to not have to reprogram all the NEs if we get new hardware or new software, and using the same broadcast domain allows me to do it without a dedicated NIC.
The 'why' is that our crappy old pos ERP system that is being moved can't change IPs without reinstalling every single client (and other AD issues). Thank you for the DHCP idea, I will have to explore that issue. – Kyle Brandt Jun 15 '09 at 15:05
We implemented this in our school because we were running out of IP addresses and gave a new subnet to the wireless section; it works fine on a 3000-user network. As a quick solution it is a plus, but I agree we have to create VLANs in order to preserve security.
The DHCP server (Windows) must have two NIC cards connected to the same switch (ours is virtual so it doesn't matter) in order to give out IPs to the wireless network; you will have to use static IPs on the "old network", as it will not work serving two DHCP scopes over the same switch.