Sorry for being such a noob. My networking is not very strong, thought I’d ask the fine folks here.

Let’s say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.

Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?

What I’m asking is: do I really need VLANs? I do need to segregate networks, but I do not trust the operating systems running on these switches which can do L3 routing.

If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.

Thanks!

  • nottelling@lemmy.world · 24 days ago

    What you are asking will work. That’s the whole point of subnets. No you don’t need a VLAN to segregate traffic. It can be helpful for things like broadcast control.

    However, you used the word “trust” which means that this is a security concern. If you are subnetting because of trust, then yes you absolutely do need to use VLANs.

      • Possibly linux@lemmy.zip · 24 days ago

        Subnets are on layer 3, not layer 2. You can easily access other devices on layer 3 by finding the right subnet on layer 2. ARP is used to resolve IP addresses into MAC addresses and vice versa.

          • nottelling@lemmy.world · 24 days ago

            No. ARP bridges layer 1 and 2. It’s switch local. With a VLAN, it becomes VLAN local, in the sense that 802.1Q creates a “virtual” switch.
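The point the replies above make (subnets are a layer-3 convention; the broadcast domain is a layer-2 property that only 802.1Q changes) can be shown with a small forwarding simulation. This is an added example, not code from the thread or from any switch vendor: it models an unmanaged switch and an 802.1Q-aware switch as MAC-learning tables and reports which ports an ARP broadcast from PC A reaches. The topology, port numbers, VLAN IDs and MAC addresses are constructed for the example; the trunk on port 3 stands in for the Linux router's sub-interfaces (eth0.10 / eth0.20 are assumed names).

```python
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: str
    vlan: Optional[int] = None   # 802.1Q tag; None means the frame is untagged


class DumbSwitch:
    """L2-only switch: learns source MACs per port and floods broadcast or
    unknown-destination frames to every other port. It never looks at IP
    headers, so the subnet a host is configured in is invisible to it."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}          # MAC -> port

    def forward(self, in_port, frame):
        self.mac_table[frame.src_mac] = in_port
        if frame.dst_mac != BROADCAST and frame.dst_mac in self.mac_table:
            return [self.mac_table[frame.dst_mac]]           # known unicast
        return [p for p in self.ports if p != in_port]       # flood


class VlanSwitch:
    """802.1Q-aware switch: an access port belongs to exactly one VLAN, a trunk
    port carries a set of VLANs as tagged frames, and a frame is only ever
    forwarded to ports that are members of its own VLAN (one MAC table per VLAN)."""

    def __init__(self, access, trunk):
        self.access = dict(access)   # port -> VLAN id
        self.trunk = dict(trunk)     # port -> set of VLAN ids carried tagged
        self.mac_table = {}          # (vlan, MAC) -> port

    def _ingress_vlan(self, port, frame):
        if port in self.access:
            return self.access[port]                 # access port: tag assigned on ingress
        if frame.vlan in self.trunk.get(port, ()):
            return frame.vlan                        # trunk: keep the carried tag
        return None                                  # untagged or disallowed tag on trunk: drop

    def _members(self, vlan):
        return [p for p, v in self.access.items() if v == vlan] + \
               [p for p, vs in self.trunk.items() if vlan in vs]

    def forward(self, in_port, frame):
        vlan = self._ingress_vlan(in_port, frame)
        if vlan is None:
            return []
        self.mac_table[(vlan, frame.src_mac)] = in_port
        key = (vlan, frame.dst_mac)
        if frame.dst_mac != BROADCAST and key in self.mac_table:
            return [self.mac_table[key]]
        return [p for p in self._members(vlan) if p != in_port]


# Constructed topology: PC A on port 1 (10.0.1.0/24), PC B on port 2 (10.0.2.0/24),
# Linux router on port 3. MAC addresses are made up for the example.
A_MAC, B_MAC, R_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
ARP_FROM_A = Frame(A_MAC, BROADCAST, "ARP who-has 10.0.1.1 (gateway)? tell 10.0.1.10")


def dumb_switch_flood():
    """Ports that receive A's ARP broadcast on an unmanaged switch: B's port
    is among them, so the router's ACL never gets a say in that exchange."""
    sw = DumbSwitch(ports=[1, 2, 3])
    return sorted(sw.forward(1, ARP_FROM_A))


def vlan_switch_flood():
    """Same broadcast with A in VLAN 10, B in VLAN 20 and the router on a trunk
    carrying both (sub-interfaces eth0.10 / eth0.20): only the trunk sees it."""
    sw = VlanSwitch(access={1: 10, 2: 20}, trunk={3: {10, 20}})
    return sorted(sw.forward(1, ARP_FROM_A))


def vlan_switch_reply_to_a():
    """After A is learned in VLAN 10, the router's reply tagged VLAN 10 reaches
    A's port only; the same frame tagged VLAN 20 is flooded inside VLAN 20
    (B's port) and never reaches A. The tag, not the subnet, is the boundary."""
    sw = VlanSwitch(access={1: 10, 2: 20}, trunk={3: {10, 20}})
    sw.forward(1, ARP_FROM_A)
    reply = Frame(R_MAC, A_MAC, "ARP 10.0.1.1 is-at router", vlan=10)
    wrong_vlan = Frame(R_MAC, A_MAC, "same reply, wrong tag", vlan=20)
    return sw.forward(3, reply), sw.forward(3, wrong_vlan)


if __name__ == "__main__":
    print("dumb switch, A's broadcast reaches ports:", dumb_switch_flood())
    print("VLAN switch, A's broadcast reaches ports:", vlan_switch_flood())
    print("VLAN switch, router reply (VLAN 10 / VLAN 20):", vlan_switch_reply_to_a())
```

With the unmanaged switch every frame from A, including the broadcasts ARP depends on, lands on B's port, so the only thing keeping the two PCs apart is their own IP configuration, which either PC's owner can change. Routing between the two subnets through the Linux box is the path an ACL can police; with VLANs it is also the only path, because the switch will not deliver a VLAN 10 frame to a VLAN 20 port.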