{Disarmed} Re: [Leaplist] noob networking help: 2 network ranges on same interface

Ingo Claro miclaro at netred.cl
Tue Sep 29 11:18:17 EDT 2009


-------- Original Message --------
Subject: Re: {Disarmed} Re: [Leaplist] noob networking help: 2 network ranges on same interface
From: Bryan J. Smith <b.j.smith at ieee.org>
To: This is the Leap Main List <leaplist at leap-cf.org>
Date: 09/29/2009 10:47 AM
> [ Top-posting, preserving the responses ]
>
> Ingo --
>
>
> Now Kevin mentioned using Virtual LANs (VLANs).  In a nutshell, a VLAN
> is a way to make ports on a switch look like physically separate switches
> (this is a mega-oversimplification, and there are many advantages to
> VLANs in the same switch fabric/stack versus separate switches), so you
> can have physically separate Ethernet LANs (layer 2).  So then you'd
> still need to "route" the IP (layer 3) traffic between the two VLANs, just like
> you'd need to "route" between two separate switches that were not
> connected to each other (which would only be layer 2, you want layer 3).
>
>   
I've got a PowerConnect 3424 switch. It has vlan support, but as far as 
I can see, one port can't be member of more than 1 vlan, so I would need 
2 nics in the firewall, but I'm trying to avoid that, as I don't have so 
many spare slots and I would like to create about 4-5 vlans.

I see terms like tagging and private VLANs, but I don't understand how 
they work :(
If you have a link where I can read more information I would appreciate it.

>
> I actually have a spare GS724TR at home since I bought the two for $500
> deal a few months back and I'm only using one switch if you want to try it
> out.
>
>   
Thanks for the offer, but I'm outside the US :S

regards,
Ingo.-
>
>
> ----- Original Message ----
> From: Kevin Korb <kmk at sanitarium.net>
> To: leaplist at leap-cf.org
> Sent: Tuesday, September 29, 2009 9:26:03 AM
> Subject: Re: {Disarmed} Re: [Leaplist] noob networking help: 2 network ranges on same interface
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yes, a switch with VLANs is what you want.  You would have two VLANs one
> for each subnet and you would put the firewall's port on both VLANs so it
> can see both subnets.
>
> The other option is completely separate networks which would mean two
> switches and two NICs in the router/firewall.
>
> On Tue, 29 Sep 2009 09:22:46 -0400
> Randall Perry <randallp at domain-logic.com> wrote:
>
>   
>> Yes, the computers can see each other.
>> You can try to route things at layer 3 (the transport layer), but that
>> can get bypassed.
>> You could use something like Ettercap to sniff off a switch to see what
>> was going on.
>> You can add a manual route to the PC to NOT use the default gateway to
>> get to the address on the dissimilar network.
>> If a broadcast protocol like NetBEUI was loaded, it opens things wide
>> open.
>>
>> So to secure them, you should step down a layer on the OSI model, to
>> layer 2.
>> If you want them separate, then you should either use a smart switch that
>> you can enable VLANs on.
>> Other options are available, but I do not know anything about the network
>> (layer2 config) in question.
>>
>> E.g. if you have an ipcop box, you could add an additional ethernet
>> interface and use a crossover cable to plug in directly to computer 2.
>>
>> Then again, I am not sure of the intent for security or how much
>> time/energy you want to put into this to make it 'secure'.
>> NOTHING is secure, but we allow acceptable levels of risk to determine
>> how lax we let a setup be.
>>
>> On Tue, Sep 29, 2009 at 8:30 AM, Ingo Claro <miclaro at netred.cl> wrote:
>>
>>     
>>> Hello all:
>>> I'm wondering how secure it is to have 2 network ranges on the same wire.
>>> If I've got on the firewall a network interface with 2 IPs (alias),
>>> can the computers see each other some way or do they always pass through
>>> the firewall?
>>>
>>> example:
>>> firewall:
>>> eth0 -> 192.168.1.1/24
>>> eth0:1 -> 192.168.2.1/24
>>>
>>> PC1:
>>> eth0 -> 192.168.1.2/24
>>>
>>> PC2:
>>> eth0 -> 192.168.2.2/24
>>>
>>> all connected to the same switch
>>> Is there a way that PC1 can connect to PC2 without passing through the
>>> firewall?
>>>
>>>
>>> regards,
>>> Ingo.
>>>
>>>       
>
>   
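The bypass Randall describes, worked through as an added example (my code, not anything posted in the thread). It models the exact topology from Ingo's question, PC1 at 192.168.1.2/24, PC2 at 192.168.2.2/24 and the firewall holding 192.168.1.1 on eth0 and 192.168.2.1 on eth0:1, and asks one question of PC1's routing table: who does PC1 ARP for when it sends to PC2? With only a default route the answer is the firewall; with one extra on-link route for 192.168.2.0/24 the answer is PC2 itself, and because both PCs sit in the same broadcast domain that ARP is answered and the firewall never sees the packet. The routing tables are constructed for the example; the Linux command in the comment is the assumed way of adding such a route and is not from the thread.

```python
import ipaddress

# Constructed topology, mirroring the thread's example (not taken from the posts):
# PC1 192.168.1.2/24 and PC2 192.168.2.2/24 on one switch; the firewall owns
# 192.168.1.1 (eth0) and 192.168.2.1 (eth0:1).  A route is (prefix, gateway, iface);
# gateway None means the prefix is on-link, so the host ARPs for the destination itself.
FIREWALL_IPS = {"192.168.1.1", "192.168.2.1"}


def lookup(routes, dst):
    """Longest-prefix-match route selection, the way a host IP stack does it."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def first_hop(routes, dst):
    """Address the sender resolves with ARP: the gateway, or dst itself when on-link."""
    _, gw, _ = lookup(routes, dst)
    return gw if gw is not None else dst


def passes_firewall(routes, dst):
    """True only if the first hop is one of the firewall's addresses."""
    return first_hop(routes, dst) in FIREWALL_IPS


# What PC1 has by default: the connected route from its own address plus a default
# gateway pointing at the firewall's alias in its subnet.
PC1_ROUTES = [
    ("192.168.1.0/24", None, "eth0"),
    ("0.0.0.0/0", "192.168.1.1", "eth0"),
]

# Randall's "manual route" that tells PC1 the other subnet is on the same wire.
# Assumed Linux form of that command, typed on PC1:
#     ip route add 192.168.2.0/24 dev eth0
PC1_ROUTES_BYPASS = PC1_ROUTES + [("192.168.2.0/24", None, "eth0")]

# PC2 needs the mirror-image route, otherwise its replies still go to 192.168.2.1.
PC2_ROUTES_BYPASS = [
    ("192.168.2.0/24", None, "eth0"),
    ("0.0.0.0/0", "192.168.2.1", "eth0"),
    ("192.168.1.0/24", None, "eth0"),
]


def describe(routes, dst):
    """Human-readable summary of how a host would reach dst."""
    hop = first_hop(routes, dst)
    via = "through the firewall" if hop in FIREWALL_IPS else "directly on the wire"
    return f"{dst}: ARP for {hop}, {via}"


if __name__ == "__main__":
    print("PC1 default:      ", describe(PC1_ROUTES, "192.168.2.2"))
    print("PC1 with route:   ", describe(PC1_ROUTES_BYPASS, "192.168.2.2"))
    print("PC1 to internet:  ", describe(PC1_ROUTES_BYPASS, "10.0.0.1"))
    print("PC2 with route:   ", describe(PC2_ROUTES_BYPASS, "192.168.1.2"))
```

Two things worth noticing in the result. The extra route changes nothing for any other destination (10.0.0.1 still goes to the firewall), so nothing looks broken from the user's side. And the bypass is one-directional per host: until PC2 has the matching route, its replies still cross the firewall, so a ruleset that only filters one direction will look like it is working. The firewall has no say in any of this because ARP and the direct frames never reach it; only layer 2 separation (the VLANs the thread goes on to discuss) removes the path.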


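Ingo asks what "tagging" means and whether one firewall NIC can sit in several VLANs; Kevin and Bryan say to put the firewall's port on both VLANs and route between them. The added example below (my code, not from the thread or from any Dell documentation) shows the mechanism at the frame level: an 802.1Q tag is four bytes inserted after the source MAC, and a switch port is either an access port (one VLAN, tag added on ingress and stripped on egress, so the PC never sees it) or a tagged/trunk port (frames leave with the tag on, so one cable carries several VLANs and the receiver tells them apart by VID). The switch model is deliberately simplified (broadcast flooding only, no MAC learning, no native VLAN on the trunk) and the port names, MACs and VLAN numbers are constructed. On a Linux firewall the tagged side is terminated with one subinterface per VLAN, for example `ip link add link eth0 name eth0.10 type vlan id 10`, which is the iproute2 form and is an assumption about Ingo's setup, not something the thread states.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet frame; with vlan_id set, insert TPID + TCI (PCP:3, DEI:1, VID:12)."""
    hdr = _mac(dst) + _mac(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:          # 0 is a priority-only tag, 4095 reserved
            raise ValueError("VID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload)."""
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, etype, frame[18:]
    return None, etype, frame[14:]


def add_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def strip_tag(frame):
    return frame[:12] + frame[16:]


class Port:
    """pvid: VLAN for untagged frames (access port). tagged: VIDs carried with tag on."""

    def __init__(self, name, pvid=None, tagged=()):
        self.name, self.pvid, self.tagged = name, pvid, set(tagged)

    def ingress(self, frame):
        """Classify an arriving frame; returns (vid, tagged_frame) or None to drop."""
        vid, _, _ = parse_frame(frame)
        if vid is None:                       # untagged: belongs to the port's PVID
            return None if self.pvid is None else (self.pvid, add_tag(frame, self.pvid))
        return (vid, frame) if vid in self.tagged else None

    def egress(self, vid, frame):
        """Frame as the attached host sees it, or None if this port is not in vid."""
        if vid == self.pvid:
            return strip_tag(frame)           # access port: host never sees the tag
        if vid in self.tagged:
            return frame                      # tagged member: tag stays on the wire
        return None


def flood(ports, ingress_port, frame):
    """Broadcast delivery: {port_name: frame} for every port in the frame's VLAN."""
    res = ingress_port.ingress(frame)
    if res is None:
        return {}
    vid, tagged = res
    return {p.name: f for p in ports if p is not ingress_port
            for f in [p.egress(vid, tagged)] if f is not None}


# Constructed switch: PC1 untagged in VLAN 10, PC2 untagged in VLAN 20, and the
# firewall's single NIC a tagged member of both (what Kevin's "both VLANs" means).
PC1_PORT = Port("g1", pvid=10)
PC2_PORT = Port("g2", pvid=20)
FW_PORT = Port("g24", tagged=(10, 20))
SWITCH = [PC1_PORT, PC2_PORT, FW_PORT]

# PC1's ARP request for PC2 (EtherType 0x0806), sent untagged like any normal host.
ARP_FROM_PC1 = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:01", 0x0806,
                           b"who-has 192.168.2.2 tell 192.168.1.2")


def pc1_broadcast_delivery():
    return flood(SWITCH, PC1_PORT, ARP_FROM_PC1)


if __name__ == "__main__":
    for name, f in pc1_broadcast_delivery().items():
        print(name, parse_frame(f)[:2])      # only g24, and it sees VID 10
```

The broadcast from PC1 reaches the firewall's port tagged with VID 10 and never reaches PC2's port, so the manual-route trick from earlier in the thread stops working: there is no layer 2 path left, and the firewall's eth0.10 and eth0.20 subinterfaces become the only way between the subnets. The same applies to Ingo's 4-5 VLANs: one tagged port and one subinterface per VLAN, no extra NICs.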