Is there any way to isolate devices that belong to the same subnet?
In other words, isolate some devices in the subnet from the broadcast domain.
I was thinking of using VLANs but I guess it is not functional.
I'm using a Cisco SF200 switch.
My English is not very good,
but I think VLANs are a good way to solve your problem.
You can build two VLANs in the switch and put the devices in different VLANs.
For communication between different VLANs you can use a device working at layer 3.
I have some questions about VLANs. I know that this forum is more for programming than for networking, but this is the best forum that I could think of.
So all my questions are about VLANs. Here they come:
1. Can one VLAN have a different beginning of an IP address than the other ones (e.g. VLAN 1 = 192.168.2.xx, VLAN 2 = 10.0.0.x)?
2. Can devices have the same IP address when they're in different VLANs?
3. Can you make a "hole" between the VLANs so that a few devices (chosen by you, for example using static IP addresses) can still talk with each other (e.g. a file server on VLAN 1 can still talk to the printer on VLAN 2)?
4. Can you have different DNS servers for different VLANs?
5. Can you have different firewall settings for different VLANs? How do you "choose" which firewall you want to change as an admin?
6. Can you have Wi-Fi VLANs (like a VLAN for your home Wi-Fi and a VLAN for your guest Wi-Fi)?
7. Can you access the router's settings (192.168.1.1) from every VLAN?
8. When I connect to a network, how do I get assigned to a VLAN? Is there something like "If someone connects to the network, it automatically goes to VLAN 1 until the admin moves them to a different VLAN"?
9. Can you put a password on a VLAN so that you have to enter a password to change VLANs?
10. Can a user (so not a network admin) choose to change VLANs (because then question 8 would be relevant)?
11. How does port forwarding work with VLANs?
12. If you access the network from outside (e.g. a hacker or just someone else), do you automatically get "redirected" to the standard VLAN (1) or do you end up in an "intersection" where you first have to choose the VLAN you want to go to?
13. Can you make a port on a switch that has special access to every VLAN at the same time (only for the network admin) (so for that Ethernet port, the network is just one big network instead of divided VLANs) (this would contradict question 2, as then you would have two devices with the same IP address)?
14. Can you have a network port with a device attached to it that will be accessible to every VLAN (e.g. a printer)? Is that dangerous, because then a hacker could probably access that device and use it to jump between VLANs?
That's it. I know that there are a lot of questions, but I hope you can help with a few at least. The thing is, YouTube videos always just explain that VLANs are separate networks, but I want to know: "How separate are they?" You see that almost every question is about "How separate are they exactly?"
I hope you can help!
Thanks
Hopefully this will answer your questions.
VLANs are like separated cables inside a cable, and they do not mix or interfere with each other.
Answers:
1. Yes. As mentioned above.
2. Yes, but it's not good practice because you can make a mistake during VLAN setup, causing security flaws or IP collisions.
3. Not directly, but this can be done via a gateway/router between VLANs, and all traffic has to go through the GW (easy way).
4. Yes, and usually you do. For example you have:
VLAN 10: Subnet 192.168.10.0/24; GW 192.168.10.1; DNS 192.168.10.1
VLAN 20: Subnet 192.168.20.0/24; GW 192.168.20.1; DNS 192.168.20.1
5. Yes, it is common/required behavior. It is done by filtering firewall rules by incoming interface (e.g. vnet7), incoming subnet or incoming IP.
6. Yes. But there are two ways of setting up VLANs:
ACCESS (untagged): the VLAN is terminated at the output interface, thus the client device doesn't have to support/set up VLANs. Actually the client device doesn't even know that there is some VLAN.
TRUNK (tagged): the VLAN (or multiple VLANs) is routed through the access point and the client device has to be configured the same way on its incoming interface.
Access is what you need in this case.
7. Yes, if you set up the firewall that way (routing between subnets).
8. As explained in point 6.
9. No. A VLAN is just a number. To protect your VLANs you have to set up network devices in such a way that every port (unless needed, e.g. switch bond interconnection) is set in ACCESS mode, so only an admin with access to the network device can change the VLAN for a client device. Or implement NAC such as PacketFence.
10. As points 6 and 8. Only when your setup allows.
11. Inside a VLAN no port forwarding is needed because all devices in the same VLAN are on the same L2 network.
12. No simple answer here, it all depends on your VLAN and firewall settings.
13. Cannot be done with VLANs only. Common practice is to set up a specific VLAN (let's call it the management VLAN) which is terminated in ACCESS mode on some physically secured switch Ethernet port, and then use firewall and routing on the GW to set up access across all VLANs (well... not all, but the required ones).
14. Yes you can, as mentioned above, but again using firewall and routing settings on the gateway.
This one is long :) ... feel free to continue in chat.
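The gateway behaviour described in answers 3 and 5 above (one subnet per VLAN, inter-VLAN traffic denied by default, explicit "holes" for chosen hosts, filtering by the interface the packet arrived on), as an added illustrative model that is not part of the original answer. The VLAN ids and subnets are the ones from answer 4; the interface names, the file-server and printer addresses and the port are constructed, and this is a policy model, not a real firewall or SF200 configuration.

```python
"""Model of an inter-VLAN gateway policy: default deny between VLANs,
explicit allowed host-to-host flows, and an ingress anti-spoofing check.
Added example; VLAN numbers and subnets come from the answer above, all
other names and addresses are constructed."""
from ipaddress import ip_address, ip_network

# VLAN id -> (gateway ingress interface, subnet, gateway address) - answer 4
VLANS = {
    10: ("vlan10", ip_network("192.168.10.0/24"), ip_address("192.168.10.1")),
    20: ("vlan20", ip_network("192.168.20.0/24"), ip_address("192.168.20.1")),
}

# Explicit "holes" between VLANs: (source host, destination host, dst TCP port).
# Constructed: a file server on VLAN 10 may reach a printer on VLAN 20.
ALLOWED_FLOWS = {
    (ip_address("192.168.10.50"), ip_address("192.168.20.9"), 9100),
}


def vlan_for_interface(iface):
    """Look up the VLAN a gateway interface belongs to."""
    for vid, (name, net, gw) in VLANS.items():
        if name == iface:
            return vid, net, gw
    raise ValueError(f"unknown ingress interface {iface!r}")


def decide(ingress_iface, src, dst, dport):
    """Return (verdict, reason) for one packet arriving at the gateway."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    _, ingress_net, ingress_gw = vlan_for_interface(ingress_iface)
    # Anti-spoofing: a packet entering via vlan10 must carry a vlan10 source.
    if src_ip not in ingress_net:
        return "drop", "source address does not belong to the ingress VLAN"
    # Services the gateway offers to its own VLAN (DNS on the GW address).
    if dst_ip == ingress_gw:
        return "accept", "gateway service for this VLAN"
    # Only destinations inside a known VLAN are routed at all.
    if not any(dst_ip in net for _, net, _ in VLANS.values()):
        return "drop", "destination outside all known VLANs"
    if (src_ip, dst_ip, dport) in ALLOWED_FLOWS:
        return "accept", "explicit inter-VLAN hole"
    return "drop", "inter-VLAN traffic denied by default"
```

Any host other than the file server, or the same flow arriving on the wrong interface, falls through to the default deny, which is the "how separate are they" point: exactly as separate as the gateway's rules make them.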
I've been told that it is bad practice to have two interfaces on the same device on the same subnet, i.e. two Ethernet ports on a switch should be on different subnets. Could somebody explain why this is the case? (Preferably as simply as possible, as I'm new to networking.)
Because routing in your OS normally sets one Ethernet card as the outgoing gate to a specified subnet, and all traffic to this subnet will have only one output. The second route to the same subnet will have a bigger metric value and will be used to send data only if the first interface is down. Even if somebody sends a request to the second interface, the answer can have the first IP as sender.
If you want to increase throughput to a subnet you must use aggregation of Ethernet links: you'll have 2 physical links and 1 IP.
A subnet is the logical division of the IP network based on the subnet mask/netmask. So unless you plan to have two separate networks, you need not have two different subnets. This link explains most of the possible cases of what is meant by subnetworks on a switch.
Whether two interfaces on the same subnet is good or bad depends entirely on what you're trying to accomplish.
If you need link redundancy or a simple way of load sharing (L2 or L3), it may be the right way to go.
If you need network/uplink redundancy or a more complex way of load sharing (L3 only), you connect to two different networks (multi-homing). This is also the setup for a router connecting the two networks.
I'm new to networking. I have seen that it's possible to capture packets with Wireshark. Having seen it, a question arises in my mind.
Is Wi-Fi a hub? I mean, if I'm able to receive (but ignored by my system, since those packets aren't intended for me as a client) what another client on the same NAT is receiving, doesn't that mean that a Wi-Fi connection works like a hub, since hubs don't filter by destination?
Sorry for the bad way of asking and explaining!
And thank you in advance!
Wi-Fi (IEEE 802.11) is a set of protocols that use a shared medium (radio waves). Because the medium is shared, much like the old ethernet (IEEE 802.3) 10BASE-2 coax, all hosts on the medium can hear all traffic on the medium. Neither uses a hub.
A hub is something that was created to allow ethernet to use UTP in the same manner that ethernet could use coax cable. Ethernet has multiple standards to allow it to use different media, but many don't have hubs (specific to a medium and some ethernet standards), and neither does Wi-Fi.
Is there any way for two laptops that are connected to one Wi-Fi to obtain different external IP addresses? What I mean is that when we go to a site like ipchicken.com it will show different IPs for both of us. Because now we both see the same IP.
Could this be achieved?
In this case, you should attach a switch to the modem, then connect both laptops and the Wi-Fi router to it. That way you can assign external IPs directly to the laptops. Then attach other devices such as PCs to the router as normal.
Source: http://www.tomshardware.com/forum/40244-42-servers-external-address-router
This video may be of some use: http://www.youtube.com/watch?v=8YFJOCJTkyI It explains the differences between a router, modem and switch and how to use them.
EDIT: Thilo is correct. You will need to request additional IPs from your ISP.
I would like to write software running on a networked device, i.e. a PC. It can automatically detect the other network devices' types. For example, it can detect that there is a PS3, a Wii, an iPad running on the same network. Any ideas? Thanks,
You have two problems: first, detecting that a device is connected to your network and at 192.168.1.x. Second, somehow detecting what that device is.
The first is easy-ish to accomplish: there are discovery protocols like UPnP and Bonjour. However, in a home networking scenario, the easiest and most reliable way to get a list of connected devices is probably to pull the DHCP reservations from your router. You might have to scrape data from the router's HTML-based management interface—hacky as that may be—but it would work. (If you're using .NET, consider the HTML Agility Pack to accomplish this.)
Once you have a list of IP addresses of connected devices, your next problem is to figure out what each device actually is. This will be more challenging. Some possibilities:
You may be able to use the MAC address to help detect the device's vendor. (Here's a list.)
If you're using UPnP, you can ask the device what it is.
Use IP fingerprinting to determine what the device is.
A couple of thoughts. The broadcast IP address, 255.255.255.255, is where devices talk and say "here I am". You should be able to listen to this and find IP addresses and more. Second, if devices are assigned an IP address by a DHCP client (obviously), you can usually find a list on the DHCP device. Devices often have names; this is a higher-level protocol, like Windows SMB, that you may have to interface with in order to get that information.
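The first two steps both answers above suggest, reading the router's DHCP lease table and mapping each MAC address to its vendor (OUI), as an added example that is not part of either answer. The lease lines follow the dnsmasq lease-file layout and are constructed, and the OUI table holds made-up placeholder prefixes standing in for the real IEEE registry.

```python
"""Build a device inventory from a DHCP lease table plus an OUI vendor lookup.
Added example: the lease text is a constructed dnsmasq-style sample and the
OUI prefixes below are placeholders, not real vendor assignments."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in dnsmasq lease-file layout:
# <expiry-epoch> <mac> <ip> <hostname-or-*> <client-id-or-*>
SAMPLE_LEASES = """\
1700000100 aa:bb:cc:10:20:30 192.168.1.20 Living-Room-PS3 *
1700000200 dd:ee:ff:01:02:03 192.168.1.21 * 01:dd:ee:ff:01:02:03
1700000300 aa:bb:cc:44:55:66 192.168.1.22 iPad *
this line is not a lease record and must be skipped
"""

# Placeholder OUI (first three octets, upper-case hex, no separators) -> vendor
OUI_VENDORS = {"AABBCC": "ExampleConsoleCo", "DDEEFF": "ExampleTabletCo"}

LEASE_RE = re.compile(
    r"^(?P<expiry>\d+)\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)\s+(?P<cid>\S+)\s*$"
)


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    hostname: Optional[str]   # None when the client sent no hostname ("*")
    vendor: Optional[str]     # None when the OUI is not in the table


def oui_of(mac):
    """Normalise any common MAC spelling to its 6-hex-digit OUI prefix."""
    return mac.replace(":", "").replace("-", "").upper()[:6]


def parse_leases(text, oui_table=OUI_VENDORS):
    """Return one Device per well-formed lease line; other lines are ignored."""
    devices = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue  # header, blank or scraped junk, not a lease
        host = None if m["host"] == "*" else m["host"]
        vendor = oui_table.get(oui_of(m["mac"]))
        devices.append(Device(m["ip"], m["mac"].lower(), host, vendor))
    return devices
```

The hostname and vendor together are usually enough to label a console or tablet; a device that hands over neither (the second lease above) is exactly the case where the UPnP query from the first answer is the next step.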