Why should I VLAN a switch when I can just use a subnet mask?

4

2

Using subnet masks: IP 10.15.1.1 with mask 255.255.0.0 will not be able to see IP 10.17.1.1 with mask 255.255.0.0, correct?

So why would I ever want to VLAN a switch unless I needed to separate two servers plugged into the same switch with the same IP address?

I don't see the point of VLAN switches.

John

Posted 2015-08-10T21:16:35.843

Reputation: 41

Answers

3

Because systems can modify their IP and/or subnet to see broadcast traffic on other networks on the same switch.

As a practical example: imagine that in your scenario 10.17.0.0 is the high-value network, and an attacker controls a system on the switch which currently has IP 10.15.1.96.

The attacker sets up a network alias for 10.17.1.96 and proceeds to perform an ARP poisoning attack to MiTM all your traffic.

It would not have been possible for them to pivot to the 10.17.0.0 network if you had used VLANs instead of a switch.

ssnobody

Posted 2015-08-10T21:16:35.843

Reputation: 2 510

3

The machines on each subnet won't be able to directly "see" each other at layer 3 (IP), but will be able to see each other at layer 2 (Ethernet).

L3 or L2 traffic that floods (broadcast, multicast, unknown unicast) will light up all the ports. The machines in different subnets may not respond to the flooded traffic, but they can be affected by it, especially if there is enough to congest an interface. You have one broadcast domain and a bigger collision domain.

A machine can have its address/mask changed and talk to a subnet it was not intended to, which might have security implications.

Other layer 2 or non-IP layer 3 protocols will pass between devices fine even if they are on different subnets.

VLANs are for when you need layer 2 separation (lower level and impermeable by layer 3 config changes), usually for reasons of performance or security.

If you trust every machine on the network and you aren't worried about an L2 domain getting flooded, you can just use subnets to segment your network if you find it simpler.

Steven K

Posted 2015-08-10T21:16:35.843

Reputation: 323
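Both answers above rest on the same distinction: the subnet mask is a decision each host makes from its own IP configuration, whereas VLAN membership is a property of the switch port that the host cannot change. The simulation below is an added example (not code from the question or from either answer; the toy switch model, host names and MAC addresses are constructed) that models a flat switch beside a VLAN-aware one, using the addresses from the question. It checks which hosts receive a broadcast, and what happens when a host re-addresses itself into the other subnet as in ssnobody's scenario: the host's own view of "on-link" changes, but only the flat switch actually delivers its frames.

```python
"""Flat switch vs. VLAN-aware switch: why a subnet mask alone does not
isolate hosts that share a layer-2 segment.
Added example with a constructed switch model; not from the original page."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Host:
    name: str
    mac: str
    ip: ipaddress.IPv4Interface  # address + mask: configuration the host controls

    def is_local(self, dst: ipaddress.IPv4Address) -> bool:
        """Layer-3 decision taken by the host itself: is dst on my subnet?"""
        return dst in self.ip.network


@dataclass
class Switch:
    hosts: dict[int, Host] = field(default_factory=dict)  # port -> attached host
    vlans: dict[int, int] = field(default_factory=dict)   # port -> VLAN id (empty = flat switch)

    def deliver(self, ingress: int, dst_mac: str) -> list[str]:
        """Names of hosts that receive a frame entering on `ingress`.
        Broadcast floods every port in the same VLAN; unicast goes to the
        matching MAC. Without VLAN assignments every port is one domain."""
        vid = self.vlans.get(ingress)
        receivers = []
        for port, host in self.hosts.items():
            if port == ingress:
                continue
            if self.vlans.get(port) != vid:
                continue  # VLAN boundary: enforced by the switch, not the host
            if dst_mac == BROADCAST or host.mac == dst_mac:
                receivers.append(host.name)
        return receivers


def build(vlan_aware: bool) -> Switch:
    """Three hosts on one switch: 'a' in 10.15/16, 'b' and 'c' in 10.17/16 (constructed)."""
    sw = Switch()
    sw.hosts = {
        1: Host("a", "00:00:00:00:00:0a", ipaddress.IPv4Interface("10.15.1.1/16")),
        2: Host("b", "00:00:00:00:00:0b", ipaddress.IPv4Interface("10.17.1.1/16")),
        3: Host("c", "00:00:00:00:00:0c", ipaddress.IPv4Interface("10.17.1.2/16")),
    }
    if vlan_aware:
        sw.vlans = {1: 15, 2: 17, 3: 17}  # port 1 alone in VLAN 15, ports 2-3 in VLAN 17
    return sw


def broadcast_reach(sw: Switch, port: int) -> list[str]:
    """Who sees a broadcast (e.g. an ARP request) sent from `port`, regardless of subnet?"""
    return sw.deliver(port, BROADCAST)


def readdress_and_probe(sw: Switch, port: int, new_iface: str, target: str) -> tuple[bool, bool, bool]:
    """Host on `port` changes its own IP/mask. Returns
    (considered target on-link before, considers it on-link after,
     switch actually delivers its broadcast to the host holding `target`)."""
    host = sw.hosts[port]
    target_ip = ipaddress.IPv4Address(target)
    before = host.is_local(target_ip)
    host.ip = ipaddress.IPv4Interface(new_iface)  # host-side change only
    after = host.is_local(target_ip)
    owner = next(h.name for h in sw.hosts.values() if h.ip.ip == target_ip)
    delivered = owner in sw.deliver(port, BROADCAST)
    return before, after, delivered


if __name__ == "__main__":
    for label, sw in (("flat", build(False)), ("vlan", build(True))):
        print(label, "broadcast from port 1 reaches:", broadcast_reach(sw, 1))
        print(label, "re-address a to 10.17.1.96/16, probe 10.17.1.1:",
              readdress_and_probe(sw, 1, "10.17.1.96/16", "10.17.1.1"))
```

The separation lives in `Switch.deliver`, which consults the port-to-VLAN table and never the hosts' IP settings; `Host.is_local` is the only place the mask matters, and it is entirely under the host's control. On the flat switch a broadcast from port 1 still lights up every port (Steven K's single broadcast domain), and after the re-address the frames reach 10.17.1.1; with VLANs the host's opinion changes but the switch delivers nothing outside VLAN 15.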