For a moment, forget about whether the following is typical or easy to explain: is it safe and sound?
Internet
  |
ISP supplied router x.x.x.1 (public subnet)
  |
switch-------------------------------------+
  | (public subnet)                        | (public subnet)
BVI router (switch with an access list)    NAT router
  | (public subnet)                        | (private subnet 192.168.50.1)
  +--------------------------------switch--+ (both subnets)
                                   |   |
computer with IP 192.168.50.2 -----+   +----computer with IP x.x.x.2
I don't plan to implement this setup, but I am curious about it.
- The 50.2 computer may send a packet to the x.2 computer, but it will use 50.1 as the router, since 50.2 knows that the subnet is different. Would this result in the packet being received twice by the x.2 machine, first directly through the switch, second by way of the two routers?
- Do you see any problems with this aside from how confusing it is, and that it would put one switch doing the work of two subnets?
Additional details:
- There will not be DHCP involved. (That would be truly confusing.)
- I am aware that I have totally eliminated whatever security/separation I would normally have between x.x.x.* and 192.168.50.*.
- I am not interested in accomplishing a direct link between x.x.x.* and 192.168.50.*. I am just interested in preventing endless loops, or double-delivery of all the packets.
- My switches are unmanaged/dumb switches - except for the BVI router. The "router" is set up with BVI (similar to bridge-route). It works just like a switch, except for its dropping of packets based on source and destination IP address and port.
No, because a switch is not a hub. A switch sends unicast packets only to those ports that have the receiving MAC address registered.
No, but remember your security is as thin as it gets. Access the ports - no security. Hack a machine - no security. It works better if your switch is not totally stupid (unmanaged) and you can at least set multicast groups or VLAN settings.
From a technical standpoint there isn't much to stop a network administrator from having two IP networks on a single L2 broadcast domain -- some administrators do it unknowingly and aren't even aware of how proxy-arp is saving them.
With your x.x.x.2 node and the 192.168.50.2 node on the same L2 broadcast domain, they will attempt local (direct) delivery for IP's within their IP network and use a configured gateway for IP addresses outside of their IP network.
While the two devices in different IP networks, but on the same broadcast domain, would normally not attempt local (direct) delivery to each other (they would instead use their respective gateways as a next hop), local (direct) delivery can be achieved with static routes on each of the nodes -- enabling them to communicate at L3 without the use of an intermediate gateway.
An obstacle that arises when running multiple IP networks on a single L2 broadcast domain exists around dynamic addressing (DHCP/BOOTP) -- as those services rely on L2 broadcasts for addressing.
Another major obstacle, as noted in other replies, is security. Man-in-the-middle (MITM) attacks, ARP Poison Routing (APR), and a slew of others are possible.
You're looking for what is called a "VLAN". The exact implementation depends on the switch. What a VLAN-based setup does is create separate "virtual" broadcast domains within your switch. You can separate these out however you want on the switch, or even create what is called a "trunk" that can handle multiple VLANs simultaneously on one port.
Nothing wrong there as far as I can see, as long as your switch allows you to set up VLANs. I've not played with unmanaged switches much and suspect this kind of setup won't work on them, but I know this will work on managed switches such as a Cisco 2960.
This wiki article explains VLANs in detail, but this may make more sense: basically VLANs split the switch ports into separate networks so one switch can handle different IP ranges. For example, VLAN 1 has the range 192.168.1.0/24; if every port on the switch is on VLAN 1, then all devices connected on the VLAN would need IPs in that range to work. But if you introduce another VLAN with the range 192.168.2.0/24 and assign it to half the ports, then that half would not get traffic for the .1 range, only the .2. I'm still trying to get my head round them completely, but this should sum it up.
You could use one subnet per VLAN to create multiple broadcast domains for multiple IP ranges. And if you want communication between those virtually separated VLANs (IP address ranges) within a switch, use router-on-a-stick and configure a trunk on the interface that connects the router and the switch.
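The following is an added example, not code from any of the posters above. It is a small Python model of the forwarding decisions these answers describe: a host picks direct (on-link) delivery or its gateway by longest-prefix match, and a learning switch sends a known unicast only to the port where the destination MAC was learned, flooding unknown unicast and broadcast within a single VLAN. It covers both the "switch is not a hub / static routes give direct delivery" answers and the VLAN answers: the first scenario reproduces the question's flat layout (192.168.50.2 sending to x.x.x.2 reaches the x.2 port exactly once), the second adds an on-link static route, the third splits the same switch into two VLANs with a trunk to a router-on-a-stick. All MAC addresses, port numbers and the 203.0.113.0/24 subnet (standing in for the question's x.x.x.*) are constructed sample values; ARP itself is not modelled, the switch is simply assumed to have learned the relevant MACs from earlier frames.

```python
"""Toy model of hosts on one or more L2 broadcast domains (added example).

Constructed values: MACs, switch port numbers and 203.0.113.0/24 as the
public subnet. Nothing here is a real router's or switch's configuration.
"""
from ipaddress import ip_address, ip_interface, ip_network

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Learning switch with a separate MAC table per VLAN.

    access: {port: vlan}          untagged ports, one VLAN each
    trunk:  {port: {vlan, ...}}   tagged ports carrying several VLANs
    """

    def __init__(self, access, trunk=None):
        self.pvid = dict(access)
        self.trunk = {p: set(v) for p, v in (trunk or {}).items()}
        self.table = {}  # (vlan, mac) -> port, filled by source learning

    def forward(self, in_port, src, dst, vlan=None):
        """Return the list of (egress_port, vlan) pairs for one frame."""
        if in_port in self.pvid:
            vlan = self.pvid[in_port]            # untagged frame: port VLAN
        elif vlan not in self.trunk.get(in_port, set()):
            return []                            # tag not allowed on this trunk
        self.table[(vlan, src)] = in_port        # learn where the source lives
        learned = self.table.get((vlan, dst))
        if dst != BROADCAST and learned is not None:
            out = [learned]                      # known unicast: one port only
        else:                                    # broadcast / unknown: flood the VLAN
            out = [p for p, v in self.pvid.items() if v == vlan]
            out += [p for p, allowed in self.trunk.items() if vlan in allowed]
        return [(p, vlan) for p in out if p != in_port]


class Host:
    """IP host with an on-link prefix, optional static routes and a default gateway."""

    def __init__(self, mac, addr, gateway=None, routes=()):
        self.mac = mac
        self.iface = ip_interface(addr)
        self.gateway = ip_address(gateway) if gateway else None
        # routes: (prefix, next_hop); next_hop None means "on-link, deliver directly"
        self.routes = [(ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst):
        """Longest-prefix match over on-link prefix and static routes; else the gateway."""
        dst = ip_address(dst)
        candidates = [(self.iface.network, None)] + self.routes
        matches = [(n, nh) for n, nh in candidates if dst in n]
        if not matches:
            return self.gateway
        _, nh = max(matches, key=lambda m: m[0].prefixlen)
        return dst if nh is None else ip_address(nh)


# Constructed sample MACs for the devices on the lower (shared) switch.
MAC_50_2, MAC_X_2 = "02:00:00:00:50:02", "02:00:00:00:0a:02"
MAC_NAT_PRIV, MAC_NAT_PUB = "02:00:00:00:50:01", "02:00:00:00:0a:01"


def flat_domain():
    """Question's drawing: one VLAN, two IP subnets on the lower switch.
    Ports: 1 = 192.168.50.2, 2 = NAT router (private side), 3 = BVI router, 4 = x.x.x.2.
    Returns the 50.2 host's next hop and the egress ports of each hop's frame."""
    sw = Switch(access={1: 1, 2: 1, 3: 1, 4: 1})
    h50 = Host(MAC_50_2, "192.168.50.2/24", gateway="192.168.50.1")
    sw.forward(2, MAC_NAT_PRIV, BROADCAST)       # earlier frames taught the switch
    sw.forward(4, MAC_X_2, BROADCAST)            # where the NAT router and x.2 are
    hop = h50.next_hop("203.0.113.2")            # gateway, not the x.2 host itself
    first = sw.forward(1, MAC_50_2, MAC_NAT_PRIV)  # frame to the gateway MAC only
    second = sw.forward(3, MAC_NAT_PUB, MAC_X_2)   # forwarded copy arriving via the BVI
    return str(hop), first, second


def static_route():
    """On-link static route for the other subnet: the host delivers directly."""
    h50 = Host(MAC_50_2, "192.168.50.2/24", gateway="192.168.50.1",
               routes=[("203.0.113.0/24", None)])
    return str(h50.next_hop("203.0.113.2"))


def vlan_domains():
    """Same switch split into VLAN 20 (private, ports 1-2) and VLAN 10 (public,
    ports 3-4) with port 5 trunked to a router-on-a-stick."""
    sw = Switch(access={1: 20, 2: 20, 3: 10, 4: 10}, trunk={5: {10, 20}})
    flood = sw.forward(1, MAC_50_2, BROADCAST)                # stays inside VLAN 20
    tagged = sw.forward(5, MAC_NAT_PUB, MAC_X_2, vlan=10)     # unknown unicast, VLAN 10 only
    rejected = sw.forward(5, MAC_NAT_PUB, MAC_X_2, vlan=30)   # VLAN not allowed on trunk
    return flood, tagged, rejected


if __name__ == "__main__":
    print(flat_domain())
    print(static_route())
    print(vlan_domains())
```

In the flat layout the x.x.x.2 port sees one frame, carried by the second hop, because the first frame is addressed to the NAT router's MAC and a learning switch does not copy it elsewhere; the practical caveat is the flood branch, which any unknown-destination unicast takes until the switch has learned the MAC. In the VLAN layout the same flood is confined to the ports of one VLAN plus the trunk, which is the separation the original drawing gives up.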