What are the implications of having two subnets on the same switch?
Can anyone tell me what some of the implications of having two different subnets on the same switch would be if VLANs are not being used?
A host will send ARP requests for address(es) in subnet(s) local to its interface(s). Typically this would be the subnet (or subnets, if multiple addresses are assigned to interfaces) in which the interfaces' IP address (or addresses) are located. You can add routing table entries to make other subnets appear local to the host's interface(s) as well.
Two hosts, each configured with a single IP address assigned, and each in different subnets, will not make ARP requests for the other's IP address.
Assuming the hosts have a gateway specified (either a default gateway or a specific gateway to the other subnet) they will make ARP requests for the applicable gateway and send traffic for the other subnet to that gateway for routing.
Configuring two hosts in this manner will provide a logical isolation. Because the hosts share a broadcast domain, however, no isolation (as there would be if you were using VLANs) is really achieved. It would be easy to ARP and MAC spoof hosts in either subnet from the attached hosts.
If you're doing this in a lab scenario it's a fine configuration. If you truly need isolation, though (as in a production deployment) you should use VLANs or separate physical switches.
If you don't use VLANs a person could easily just add 2 IPs to their interface say 192.182.0.1/24
and 172.16.0.1/24
so that he or she could access both networks.
By using VLANs you can tag the switchports so that any computer configured to only receive traffic from the VLAN will not be able to get any traffic (except the one directed to it and having the correct VLAN) regardless of how the local interface is configured (how many IPs there are on the interface).
In essence:
- if you trust your users there's no reason at all to use VLANs (from a security point of view).
- if you don't trust your users VLANs will keep certain groups of users seperated from each other
First, I'm not sure why you would do this for users. The one scenario I can think of is that you are out of IPs in your current user subnet and can't easily extend you current subnet. In this case I think it would be fine to add another subnet. The spoofing thing becomes a non-issue when you are using the IPs this way because both subnets are equal, so you have the same spoofing risk whether using a single subnet or multiple. One question I have here is how DHCP would work. If your DHCP scopes aren't contiguous, and the DHCP server serves IPs based on the "helper" address of the router, wouldn't all the requests go to one scope or the other? I suppose this might become a non-issue if your DHCP server is sitting directly in the broadcast domain, but it's still something to explore.
All that said, I actually do this in production for one of my apps. I have an app that has geographically diverse silos, each silo has its own /27. Those IPs are what I consider to be infrastructure IPs. They belong to those servers. Then I route an additional /29 to the same broadcast domain. This subnet belongs to the application. When I next upgrade hardware, I will build out an entirely new silo with a new /27, then change the route for the application /29 onto it. Since this /29 handles communication with network elements, this allows me to not have to reprogram all the NEs if we get new hardware or new software, and using the same broadcast domain allows me to do it without a dedicated NIC.
- if you have untrusted users - some of them might spoof ip addresses of those from other subnet. if there are some address rules - they might bypass them. some users from subnet1 might spoof address of router in network b - and eavesdrop into [at least part of ] the communication.
- you'll have more broadcast 'garbage' [ arp packets ] - but that should not be your concern if you have few dozens of users and 100 or 1000 Mbit/s link.
We implemented this in our school because we were running out of ip addresses and gave a new subnet to the wireless section, works fine on a 3000 users network, for a quick solution is a plus, I agree we have to create vlans in order to preserve security.
DHCP server (Windows) must have two nic cards connected to the same switch (our is virtual so it doesn't matter) in order to give out ips to the wireless network, you will have to use static IPs on the "old network", it will not work serving two dhcp scopes over the same switch.