• Status: Solved
  • Priority: Medium
  • Security: Public

Two (layer 3) networks over a single flat unmanaged network.

I have a random question. What are the issues with running two separate /24 networks over a single unmanaged flat switched network?

My situation is that we're at a very small school district with close to zero budget. We currently have random wireless APs which provide decent coverage through the district. They are really nothing more than WPA-encrypted extensions of our flat network without a RADIUS server of any kind. (Obviously not the best scenario, but hey, we're cheap here and it's what we have...)

The networks are switched together with random unmanaged switches that just boost and pass the signal for a 10.0.0.0 /24 network.  So with that information...

What would happen if I set my APs to a separate 192.168.0.0/24 network on the same flat unmanaged switching equipment as my 10.0.0.0/24 uses? (Sure, separate VLANs would be wonderful, but costly, and it's not an option.)

Could I potentially put a RADIUS server with one NIC set on the 192.168.0.0 network and a second on the 10.0.0.0 network? What are some problems? Would it even work? Am I nuts on a Thursday?

Just brainstorming...   thanks for any info...
Asked by: irishmic33
1 Solution
 
giltjr commented:
Putting two IP subnets (layer 3) on the same layer 2 network just means that everybody will see all broadcasts from both IP subnets. In some instances they may also see traffic to specific MAC addresses, but that can happen even when you have a single IP subnet on a single layer 2 network.

Without a layer 3 device IP hosts on one subnet will not be able to talk to IP hosts on the other subnet.

You could put a RADIUS server on both subnets, and you don't even need two NICs. You could put two IP addresses on the same single NIC. In fact you could enable routing on this server and have it do routing between the two subnets, if you want them to talk to each other. If you do not want the two subnets talking to each other, then make sure you disable routing.

That is all the "good" news.  The bad news is DHCP is going to be a pain if you do it for both subnets.  

Since there is no layer 2 separation, when a DHCP broadcast goes out, it goes out to EVERY device on the layer 2 network. Which means all DHCP servers will receive the request and all of them will attempt to respond. The first DHCP server to respond "wins." So one time you will get an IP address on the 10.0.0.0/24 subnet and the next time it could be on the 192.168.1.0/24 subnet.

So to prevent this you need to either do DHCP for one and static for the other, or for one of the subnets set up the DHCP server with MAC address reservations. This way you assign an IP address to a specific MAC address, but that device uses DHCP to get it. The downside is you need to know the MAC address for each device that you want in one of the subnets (say SUBNET#1). For the other subnet (say SUBNET#2) you can just do normal DHCP.

This means that if somebody tries to connect and has not given you their MAC address, they will get assigned to SUBNET#2 no matter what.

Others here could be more creative and have other ideas, or I may have overlooked the obvious.
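The DHCP race described in the answer above, modelled as an added Python example (this is not code from the thread or from any product mentioned in it; the server names, MAC addresses, reservation address and "reply order" are constructed for illustration). Every DISCOVER is a broadcast, so every server on the flat segment sees it and the client takes the first OFFER back. The model goes one step beyond the answer: giving the SUBNET#1 server a reservations-only policy is not enough on its own, because the open SUBNET#2 server can still answer a reserved MAC first; the outcome only becomes deterministic once the open server is also told to ignore the reserved MACs.

```python
"""Toy model of two DHCP servers sharing one flat layer-2 broadcast domain.

Not real DHCP traffic: each "server" is an object, a DISCOVER is a loop over
the servers in the order their replies would reach the client, and the first
non-None OFFER wins, exactly the race the thread describes.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class DhcpServer:
    name: str
    subnet: ipaddress.IPv4Network
    reservations: dict = field(default_factory=dict)  # mac -> reserved ip
    reservations_only: bool = False                   # stay silent for unknown MACs
    deny_macs: set = field(default_factory=set)       # never answer these MACs
    next_host: int = 10                               # first dynamic host number

    def offer(self, mac):
        """Return the IPv4Address this server would OFFER to `mac`, or None if silent."""
        if mac in self.deny_macs:
            return None
        if mac in self.reservations:
            return ipaddress.IPv4Address(self.reservations[mac])
        if self.reservations_only:
            return None
        ip = self.subnet.network_address + self.next_host
        self.next_host += 1
        return ip


def discover(mac, servers):
    """Broadcast DISCOVER: `servers` is the order replies arrive; first OFFER wins."""
    for srv in servers:
        ip = srv.offer(mac)
        if ip is not None:
            return srv.name, ip
    return None, None


# Constructed sample data: one reserved MAC on the wired subnet, one unknown client.
RESERVED = {"00:11:22:33:44:55": "10.0.0.50"}
UNKNOWN_MAC = "de:ad:be:ef:00:01"


def build_servers(deny_reserved_on_open_server):
    wired = DhcpServer("wired-10", ipaddress.ip_network("10.0.0.0/24"),
                       reservations=dict(RESERVED), reservations_only=True)
    wifi = DhcpServer("wifi-192", ipaddress.ip_network("192.168.0.0/24"),
                      deny_macs=set(RESERVED) if deny_reserved_on_open_server else set())
    return wired, wifi


def lease_outcomes(deny_reserved_on_open_server):
    """Run both clients under both reply orderings; map (order, mac) -> (server, ip)."""
    results = {}
    for order_name in ("wired_first", "wifi_first"):
        wired, wifi = build_servers(deny_reserved_on_open_server)
        order = [wired, wifi] if order_name == "wired_first" else [wifi, wired]
        for mac in (*RESERVED, UNKNOWN_MAC):
            srv, ip = discover(mac, order)
            results[(order_name, mac)] = (srv, str(ip))
    return results


if __name__ == "__main__":
    for deny in (False, True):
        print(f"open server denies reserved MACs: {deny}")
        for key, val in lease_outcomes(deny).items():
            print(f"  {key[0]:<12} {key[1]}  ->  {val[0]} {val[1]}")
```

With `deny_reserved_on_open_server=False` the reserved MAC lands on 10.0.0.50 only when the wired server happens to answer first; when the wifi server answers first it gets a 192.168.0.x lease, which is the non-determinism the answer warns about. With the deny list in place the reserved MAC always gets 10.0.0.50 and every unknown MAC always gets a 192.168.0.x lease, regardless of which server is faster. In ISC dhcpd the equivalent of the deny list is a `host` declaration for each reserved MAC on the open server containing `deny booting;`.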
 
irishmic33 (author) commented:
Wow giltjr, you're an awesome source of info...

I wonder what would happen if I allowed the separate WAPs to handle their own DHCP/NAT... Then the only traffic on the 192.169.0.0 /24 would be the known static IPs assigned to the WAPs.  

Of course it would defeat the mesh coverage that we currently have as you would be dependent on each WAP for connection... Guess that wouldn't be very good.
 
giltjr commented:
It depends on what WAPs you have. The more inexpensive ones would also accept DHCP requests on the LAN ports, which would mean they could hand out IP addresses to any wired computer also.
 
irishmic33 (author) commented:
Well, they weren't cheap, but they probably fall into the SOHO category.

APs = D-Link 3200

You've given me a great amount of information.  It's probably best to just vlan out and segment the networks.

On top of everything else it really leaves a vulnerability to something like Firesheep. I was just trying to think outside the box.

Thanks for all the great info.
 
giltjr commented:
Those APs are actually fairly decent. In fact they seem to support most anything most businesses would need. Way more advanced than your switches.

If you could somehow upgrade your switches to support VLANs, those APs already support them and would be ready to provide multiple VLAN support. You can have multiple SSIDs and each one can be its own VLAN/IP subnet.