I'm exploring alternate multiplicities between IP subnets and VLANs, outside the recommended 1-to-1 implementation. My understanding is as follows:
Multiple subnets to a single VLAN (connected via a switch):
Hosts across both subnets would receive layer 2 broadcasts (such as ARP), but would ignore traffic lacking an IP that targets them.
Question: Would I be able to communicate across subnets without a layer 3 device if I could manually insert a destination MAC address in the frame header? My understanding is that the layer 2 switch is oblivious to the differing subnets, and assuming it knows the location of the destination MAC address, would forward the packet in its direction. The destination PC, seeing its IP and MAC addresses, would accept the packet, effectively letting it cross subnets without ever being routed.
A single subnet across multiple VLANs:
Broadcast traffic would be isolated to the individual VLANs. This would break ARP, as a host targeting another machine in the same subnet (but unknowingly in another VLAN) would send out an ARP request that would never be responded to.
This would effectively create separate, identical address pools for each of the VLANs, though I'm not sure how a router would differentiate between the two when interVLAN communication is attempted. I'm a little bit unsure about the pros/cons of this configuration..
Why would we ever want to do this?
Multiple subnets to a single VLAN (connected via a switch):
Hosts across both subnets would receive layer 2 broadcasts (such as ARP), > but would ignore traffic lacking an IP that targets them.
This actually has it's use case in modern DCs. Not in a way you suggest it (w/o a L3 device), but with a VEPA switch.
A single subnet across multiple VLANs:
Broadcast traffic would be isolated to the individual VLANs. This would break ARP, as a host targeting another machine in the same subnet (but unknowingly in another VLAN) would send out an ARP request that would never be responded to. This would effectively create separate, identical address pools for each of the VLANs, though I'm not sure how a router would differentiate between the two when interVLAN communication is attempted. I'm a little bit unsure about the pros/cons of this configuration..
A single subnet across multiple VLANs, also called Transparent subnet gatewaying (RFC 1027) is a somehow archaic approach. It uses Proxy ARP, but proxy ARP has it's own set of problems.
Multiple subnets to a single VLAN (connected via a switch):
Hosts across both subnets would receive layer 2 broadcasts (such as ARP), but would ignore traffic lacking an IP that targets them.
Question: Would I be able to communicate across subnets without a
layer 3 device if I could manually insert a destination MAC address in
the frame header?
You will need to replace the MAC address, and need to recalculate FCS over the whole frame, else the switch will reject it as a damaged frame. This must happen after your ethernet driver does this.
A single subnet across multiple VLANs:
Broadcast traffic would be isolated to the individual VLANs. This would break ARP, as a host targeting another machine in the same
subnet (but unknowingly in another VLAN) would send out an ARP
request that would never be responded to. This would effectively
create separate, identical address pools for each of the VLANs,
though I'm not sure how a router would differentiate between the two
when interVLAN communication is attempted. I'm a little bit unsure
about the pros/cons of this configuration..
Why would we ever want to do this?
Hosts in the same subnet would not be able to communicate with each other. Most routers will not let you assign the same network to multiple interfaces, unless they are bridged interfaces, in which case, you haven't accomplished anything except sending the traffic the long way around.
Some switches have something similar to this, called Private VLANs, where hosts can only communicate with a gateway. This is a security feature used in some situations.
Related
In a global internet, for two machines on the same subnet to communicate, they need to know each other's physical address. So, the source machine has to map the internet address of the destination into a physical address. Why is this address mapping important? Couldn't the two machines just communicate using their internet addresses?
Because the goal of the Internet is to connect different types of subnets together. It is local decision of each subnet how to organize addressing on this subnet and how to deliver packets on it. Thus layer 3 (that uses IP addresses) delivers packets up to the subnet, and then the subnet (layer 2) decides how to deliver packets within itself.
Mapping, that you are describing is done for Ethernet-type subnets. One can potentially have different types of subnet protocols which do addresses differently. Although, now, almost everyting falls under Ethernet-family.
I am facing a problem with IBM Datapower XG45.7.0.0.0.
When I am connecting to an external service using DP, the source IP of DP is being picked up randomly among the 3 available eth interfaces. I know this has performance and stability benefits. However, this is causing great deal of pain in the firewall config. As a tactical solution, is there a way to ensure that the traffic is send from any one fixed eth interface?
Sure, normally you should make sure only one NIC has a default gateway (and that would in most cases be the NIC facing the Internet).
The two other NIC's should only have static routes and set for the various subnets they should serve.
If you don't have a need for different IP addresses for outbound (egress) traffic you might want to use only one NIC and set two additional Secondary IP addresses instead.
That way you have three working IP address for ingress (inbound) traffic but only one IP will be used for egress.
We have two subnets
Router 1
192.168.2.1
255.255.254.0
Router 2
192.168.1.1
255.255.255.0
Modem >> switch
>> router1 wan port >> from lan port to switch >> Different computers
>> router2 wan port >> from lan port to switch >> Different computers
Please note two different static public ips(of same subnet) for both routers.
I would like to know how I can access a host from Router 1 to a host in Router 2 or vice-versa.
use a single router:
Modem >> router >> switch >> lan1 >> computers in lan1
>> lan2 >> computers in lan2
You don't even need two LANs formally, since the PCs don't need a special routing rule to reach all local systems in this case.
You use two address sets: 192.168.1.xxx and 192.168.2.xxx and a network mask of /23 or even /16, no difference there. This way all PCs know they can simply send out packages to everything inside 192.168... Whereas for packages outside they need a rule routing those packages through the router. The routing of packages between the two areas on the LAN side is done automatically by the switch. That is what a switch is build for.
This is an explanation of how you would do it assuming that you must keep these as two separate subnets!
That is, you'll have to set up access for each IP address in the other router's firewall, and then specify to which internal system it will connect.
Note: It's only safe to do this because you have two static IP addresses! There really isn't an easy, safe way to do this with dynamic IPs.
In that case, Router 1 will have to grant access to Router 2's public IP address and vice versa. How you do this completely dependent on the make and model of the router.
The routers will know how to route to each other, because they'll be using the public IPs.
So, the data path will be: System1 (subnet1)->Router1->Internet->Router2->System2
Since different routers have you specify addresses in different ways, make sure you know how yours expects you to input the address or range of addresses.
However, that's not enough. Because you have multiple systems on each subnet, all sharing the same public IP address, you also have to specify which inbound traffic goes to what subnet host.
That is, you start on System1 in the above data path. The data goes out Router1 and back into Router2. How does Router2 know where to send it? It only has ONE external IP address.
Again, there are different ways of doing this for different routers. On some, you can specify that data on certain ports gets sent to certain systems. (Port Forwarding)
Using Telnet as an example (you shouldn't! Telnet isn't secure. It's just easy to use as an example)...
You want to get from System1 (on subnet1) to System3 (subnet2).
On Router1 you specify that incoming data on Port 23 (Telnet port) should go to System1. On Router2 you send all Port 23 data to System3.
Port Forwarding, however, is somewhat limited insofar as, in the setup above, only System1 and System3 can receive Telnet data.
The other common way to do this is to have all data from a particular IP sent to one particular system on your subnet. That won't work for you, because you have multiple systems on each subnet!
I hope this isn't too non-specific! (Or too rambling! :-) ) I'm trying to be as non-specific as possible, but it makes it difficult to explain things! Unfortunately, since each company's routers use different interfaces, it's impossible for me to exactly what you need to do!
Let us know what your routers are. Then I can possibly be more specific.
In the meantime, however, look for the sections in your router to 1) the other router's data in, and 2) specify what data goes to which system on the subnet!
I hope this helps!
can one location have more than 1 IP address? I have 2 IP addresses and need to know if they originate from the same source. Thanks
You're missing clear definitions of "location" and "source" in your question but lets go with the assumption that you mean "physical machine" for both (as it's obvious that multiple machines will have different addresses and that a single machine can change its IP address over time).
In that case, the answer is yes. The operating system may bind as many IP addresses to a physical network port (and a single MAC -- the physical addressing used by Ethernet) as it wishes.
Binding multiple IP addresses was the standard way of doing "virtual web hosting" before HTTP/1.1 arrived with the "Host" header. The provider would use DNS to map different host names to different IPs on the same network (usually the same subnet as well) and then assign all of them to the same interface. The webserver would get address information from an incoming connection and based on the local IP address would know which virtual host was being accessed.
This led to a higher-than-typical use of public IP addresses but the practice is now gone with the proliferation of HTTP/1.1.
I'm not sure how Windows presents it, but Linux will present a physical interface with multiple IP addresses as multiple logical interfaces such as "eth0", "eth0:1", "eth0:2", etc. Each logical interface has a unique IP address even though they share the same physical interface.
This is hard to tell. Especially it is hard to tell if these IP addresses are from different times. Today I may have a different IP address than tomorrow.
Even they are from the same time, a load balancer im my internal equipment might send my packets over the fail-over line if the 1st one is overloaded or broken down.
One network adapter normally has only one IP address at once and a typical end user only has one network connection active, but even then the IP address can change. The user could switch from wireless to wired and back or a power outage might reset the ISP's DHCP server (assigning everyone a new IP address).
If you want to identify the user even if his IP address changes, you need to identify the user by his session id, stored in cookies. As two users can have the same IP address (a whole company could be behind a NAT), you should never rely on IP addresses for identification.
Is there an elegant way to make a program detect a new computer that is connected to the network?
I would like my program to "auto-sense" a new computer being connected on the network (they're on the same network). Like a USB device being connected to the computer.
What I'm doing now is to save a list of all computers in the network from time to time. Another approach is to PING all available IPs on the subnet.
Are there any other elegant approaches?
Thanks!
Listening for ARP requests is the canonical way to do this. Independent of DHCP or not, any connected computer that wishes to communicate with the outside world will have to make an ARP request for the address of the default router. This request will go out as a broadcast, and contain the source interface's MAC and IP adresses.
If the other computer uses DHCP, it will make an ARP request for it's own address as part of duplicate address detection, which is also a broadcast you can snoop on.
(This works more or less the same way for IPv6, except you need to look for neighbor discovery or router soliciation packets instead.)
Like the answer alluded to, if you have a switch to which you can telnet or use SNMP on, you can extract the MAC table. That will give you a list of MAC adresses on each port in the switch. If you want the IP addresses however, you still need to listen for ARP:s.
On the other hand, if you have access to the default gateway on the network, you can also look at the ARP table there. That will give you MAC and IP addresses for anyone that has recently (for different values of recently...) communicated with it.
If you have a managed switch of some kind, you could probably connect to that, that would be a fairly elegant method.
If you're on a domain, you can can get a list of all the machines joined to the domain from the domain controller.
Failing that, all I can think of is either a challenge/response thing (e.g. pinging them) or by detecting traffic sent from them (see this question maybe as a starting point?), neither of which strike me as an elegant approach.