Comment

Comment on Basic networking/subnetting question.

What you are asking will work. That’s the whole point of subnets. No you don’t need a VLAN to segregate traffic. It can be helpful for things like broadcast control.

However, you used the word “trust” which means that this is a security concern. If you are subnetting because of trust, then yes you absolutely do need to use VLANs.

source

Sort:hotnew top

marauding_gibberish142@lemmy.dbzer0.com ⁨1⁩ ⁨week⁩ ago
Could you elaborate why the question of trust invalidates using just subnets?

source
- possiblylinux127@lemmy.zip ⁨1⁩ ⁨week⁩ ago
  Subnets are on layer 3 not layer 2. You can easy access other devices on layer 3 by finding the right subnet on layer 2. ARP is used to resolve IP addresses into MAC addresses and vis versa.
  
  source
  - marauding_gibberish142@lemmy.dbzer0.com ⁨1⁩ ⁨week⁩ ago
    Thanks, but isn’t ARP contained inside a subnet? I guess you could find everything if you inspected the MAC table of the main switch
    
    source
    possiblylinux127@lemmy.zip ⁨1⁩ ⁨week⁩ ago
    ARP is in the broadcast domain (otherwise known as a lan)
    
    Vlans create multiple lans
    
    source
    -> View More Comments
    nottelling@lemmy.world ⁨1⁩ ⁨week⁩ ago
    no. Arp bridges layer 1 and 2. It’s switch local. With a VLAN, it becomes VLAN local, in the sense that 802.1q creates a “virtual” switch.
    
    source
    -> View More Comments
- nottelling@lemmy.world ⁨1⁩ ⁨week⁩ ago
  A VLAN is (theoretically) equivalent to a physically separated switch. The only way for machines to communicate between vlans is via a gateway interface.
  
  If you don’t trust the operating system, then you don’t trust that it won’t change it’s IP/subnet to just hop onto the other network. Or even send packets with the other network’s header and spoof packets onto the other subnets.
  
  It’s trivially easy to malform broadcast traffic and hop subnets, or to use various arp table attacks to trick the switching device. If you need to segregate traffic, you need a VLAN.
  
  source
  - marauding_gibberish142@lemmy.dbzer0.com ⁨1⁩ ⁨week⁩ ago
    Thank you for the great comment.
    
    This line cleared it up for me:
    
    802.1q aware switch and gateway to use VLANs effectively.
    
    It is indeed as you say. VLANs on a trunk port wouldn’t really work for security either. This is making me reconsider my entire networking infrastructure since when I started I wasn’t very invested in such things. Thanks for giving me material to think about
    
    source