6

I am learning about how L3 and IPv4 addressing works and I need some clarity on certain things.

I've encountered the following topology:

[image: topology diagram, router in the centre between two subnets]

So in this topology, the router stands in the center and divides the network into two separate sub-networks, right? We separate networks like this when we don't want certain devices to talk to each other and when we want to reduce unnecessary network traffic and congestion and improve security.

Is the router necessary to divide the network like this? What if we removed the router but kept the IP addressing?

[image: the same topology with the router replaced by a direct link]

3
  • 2
    Routers route packets between different networks, and that is the specific reason for routers. Switches bridge frames on the same network. To send packets between different networks, you need a router.
    – Ron Maupin
    Commented Feb 20, 2022 at 18:24
  • 3
    What's actually dividing the subnets is their different subnet prefixes. The router then connects those different subnets. If you replace the router by a bridged/switched link you've still got two subnets.
    – Zac67
    Commented Feb 20, 2022 at 19:36
  • It'd actually be possible to configure all these machines so that they would communicate together, without a router. However, the question would be: what's the point? Commented Feb 21, 2022 at 7:21

5 Answers

6

the router stands in the center and divides the network into two separate sub-networks, right?

Actually, the router connects the subnets that are divided by their different subnet prefixes and by separate L2 segments.

We separate networks like this when we don't want certain devices to talk to each other and when we want to reduce unnecessary network traffic and congestion and improve security.

Separating subnets & L2 segments and connecting them by a router doesn't have any significant impact on congestion and security by itself. While it reduces (splits) the broadcast domain, anything else requires additional measures. Forcing inter-subnet communication through a router allows you to control traffic at that exact point - by ACLs, firewall functions, or any other filter.

Is the router necessary to divide the network like this?

Not for dividing them, no. It is required for connecting them.

What if we removed the router but kept the IP addressing?

In your diagram you've replaced the router by a bridged link. While that joins the L2 segments into a single one, the IP subnets are still distinct and - without a router - without connectivity.

As you've already pointed out, you could manipulate the local routing tables to enable connectivity (force the other subnet to be on-link). Similarly, you could also shorten the network mask/prefix length to /22 or shorter (supernetting).

6

What if we removed the router but kept the IP addressing?

PCs 1 and 2 would not be able to talk to 3 and 4.

PC 1 would determine that PC 3 is not on the same subnet, so it would normally forward the packet to a gateway to be routed. But in the second diagram, there is no gateway, so PC 1 would simply return an error to the application saying there is no route to the host.

We separate networks like this when we don't want certain devices to talk to each other and when we want to reduce unnecessary network traffic and congestion and improve security.

Those are usually not the real reasons. The purpose of routing is to deal with the scale of large numbers of devices spread over large areas. The first computer networks were small enough that they didn't use routing.

6
  • "would simply return an error to the application saying there is no route to the host" -- well, unless they use other measures to install those routes.
    – ilkkachu
    Commented Feb 21, 2022 at 10:36
  • In almost every scenario, there’s some way to “hack” it to make it work. But that doesn’t help a student trying to learn the basic principles.
    – Ron Trunk
    Commented Feb 21, 2022 at 14:07
  • I have a hard time seeing how routes other than a default route would be "hacking" to make it work. I always thought systems with multiple routes are rather a common deal.
    – ilkkachu
    Commented Feb 21, 2022 at 20:43
  • The OP isn’t asking “how can I make this work.” The OP is trying to understand the purpose of routing and subnetting. If you disagree, you can certainly write your own answer.
    – Ron Trunk
    Commented Feb 21, 2022 at 21:40
  • No, they're saying they're "learning about how L3 and IPv4 addressing works", and IMO routing is a rather important part of that.
    – ilkkachu
    Commented Feb 22, 2022 at 13:07
2

We separate networks like this when we don't want certain devices to talk to each other and when we want to reduce unnecessary network traffic and congestion and improve security.

We split up Ethernet networks for several reasons.

One is to control broadcast traffic. Particularly embedded devices may struggle if the broadcast traffic rises too high.

Another is that Ethernet requires a loop-free topology; that is fine in a small network, but as the network gets larger it gets more and more inefficient.

Another is security: while it is possible to do filtering on layer 2 Ethernet traffic, it's generally easier and more convenient to do it on an IP device. It's also easier to prevent/mitigate issues like one device hijacking traffic intended for another.

Is the router necessary to divide the network like this?

There are two distinct but related concepts.

The first is the Layer 2 domain. That is the group of devices that can send Ethernet* packets to each other directly over a physical or virtual Ethernet network.

The second is the IP subnet; this defines what hosts the IP stack will assume are "on link" by default and send IP packets to directly, rather than trying to send them to a router.

Most of the time we keep a 1:1 mapping between Layer 2 domains and IP subnets. That is not to say there are never reasons to put multiple IP subnets on the same Layer 2 domain or to split a subnet between Layer 2 domains, but it's something that should be carefully considered before proceeding.

What if we removed the router but kept the IP addressing?

Then by default, if the IP stack is behaving in the expected manner, the hosts should be unable to exchange IPv4 unicast traffic.

Note that this is NOT the same thing as saying they would be unable to exchange traffic at all. IPv6, IPX, NetBEUI, etc. are all completely independent of the IPv4 addresses you set. IPv4 broadcast and multicast traffic may also pass between the hosts.

You could make specific hosts able to exchange IPv4 unicast packets, by adding explicit entries to their routing tables to mark the other hosts as on-link and/or adding secondary IP addresses. You could also deploy a "one-armed router", which routes between multiple subnets on the same L2 link layer.

Having multiple subnets on one link and trying to restrict traffic between them is likely to lead to a false sense of security. You test with your IPv4 unicast pings and everything seems to be in order, but then either a malicious actor gets sufficient privileges to reconfigure the network stack on one of the hosts, or they discover they can perform their malicious actions over a protocol other than IPv4 unicast.

* In theory other multipoint link layers exist, in practice in the real world it's very rare to see anything other than Ethernet or Wi-Fi which are similar enough for these purposes.

1

Actually turning my comment into an answer.

Without a router, with appropriate configuration, you could still have all these machines talking together. Note, this is valid with relatively "smart" hosts; it's not necessarily doable with just any device.

Your router, in your initial diagram, has been configured and knows "who is where". Your computers on each of the 2 subnets know how to talk to others on the same subnet, and in general they'd have a setting saying "if not on your subnet, send to router" (typically, your "default route").

In the 2nd diagram, PC1 & PC2 could be configured (as in configuring their routing table) with an entry in their routing table saying "to talk to 192.168.2.x, just talk on the network". PC3 & PC4 would have a similar setting for 192.168.1.x.

It's arguable as to why you'd want to do this, but it is doable. Machines in one subnet can talk to another subnet on the same physical network without a router.

Also note, as I stated before, with a router, PC1 can talk to PC3 ONLY with appropriate configuration. Sticking a router between 2 subnets does not magically make this happen. You may already know about this, if you don't, the main "magic" is called "DHCP", consider looking it up. That's how in the vast majority of cases, when you connect a computer to a network, it gets its configuration.

4
  • It's actually not about "smart" hosts, it's about separate subnets or a shared subnet. And of course you can abuse the routing table like you described to make it work. DHCP isn't the required magic, it's (again) the presence of valid routes.
    – Zac67
    Commented Feb 21, 2022 at 7:35
  • @Zac67, "smart" I guess in the sense that the hosts will have to know about multiple on-link routes, not just the default gw. Which plausibly might rule out some really simple (embedded) devices.
    – ilkkachu
    Commented Feb 21, 2022 at 10:36
  • @Zac67 ilkkachu guessed right, many embedded devices don't have anything beyond a default gw. Of course it's the presence of valid routes that makes it all work, and in most cases, the default route comes to you from DHCP. Simply sticking computers on a network with a router (or without) and without any other form of configuration (manual or automatic) will not suffice. Commented Feb 21, 2022 at 13:18
  • If "smart" means "not dumb" then it's "smart".
    – Zac67
    Commented Feb 21, 2022 at 18:47
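As an added example (not code from any of the answers above), this Python model of a host's forwarding decision replays the cases this thread discusses for PC1 reaching PC3: no router and default configuration, a default route via the router from the first diagram, an explicit on-link route for the other /24, and a mask shortened to /22. The host addresses 192.168.1.10 and 192.168.2.10 and the gateway 192.168.1.1 are constructed; the thread only names the 192.168.1.x and 192.168.2.x ranges.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    gateway: Optional[IPv4Address]  # None = on-link: ARP for the destination itself

class Host:
    def __init__(self, name: str, address: str):
        self.name = name
        self.iface = IPv4Interface(address)  # e.g. "192.168.1.10/24" (constructed)
        # A real stack installs a connected route for the interface prefix.
        self.routes = [Route(self.iface.network, None)]

    def add_route(self, prefix: str, gateway: Optional[str] = None) -> None:
        gw = IPv4Address(gateway) if gateway else None
        self.routes.append(Route(IPv4Network(prefix), gw))

    def next_hop(self, dst: str) -> tuple:
        """Longest-prefix match: ('onlink', dst), ('via', gw) or ('unreachable', None)."""
        d = IPv4Address(dst)
        best = max((r for r in self.routes if d in r.prefix),
                   key=lambda r: r.prefix.prefixlen, default=None)
        if best is None:
            return ("unreachable", None)  # the "No route to host" error the app sees
        if best.gateway is None:
            return ("onlink", str(d))  # host ARPs for the destination directly
        return ("via", str(best.gateway))  # host ARPs for the gateway instead

def pc1_to_pc3(extra_route=None, gateway=None, prefixlen=24) -> tuple:
    """PC1 (192.168.1.10) reaching PC3 (192.168.2.10) under one configuration."""
    pc1 = Host("PC1", f"192.168.1.10/{prefixlen}")
    if extra_route:
        pc1.add_route(extra_route, gateway)
    return pc1.next_hop("192.168.2.10")

# Second diagram, no router, default config: different /24, no gateway -> unreachable.
NO_ROUTER = pc1_to_pc3()
# First diagram: default route via the router (gateway address constructed).
WITH_ROUTER = pc1_to_pc3("0.0.0.0/0", "192.168.1.1")
# No router, but "to talk to 192.168.2.x, just talk on the network" (on-link route).
ONLINK_ROUTE = pc1_to_pc3("192.168.2.0/24")
# No router, mask shortened to /22 so both /24s fall inside one on-link prefix.
SUPERNET = pc1_to_pc3(prefixlen=22)
```

The same longest-prefix rule is why a host with only a default route still reaches its own subnet directly: the connected /24 beats the /0.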
0

This is called an "overlay network" and can be surprisingly useful, in specific setups.

  • PC1/2 can talk to each other, and PC3/4 can talk to each other.
  • SW1 and 2 see frames from all 4 hosts and build their MAC tables with all four hosts (Ethernet being layer 2).
  • All 4 PCs see ARP requests but disregard the opposite two because they're from outside the local /24 network.

There is limited security offered here - any PC can sniff the wire and potentially see traffic that is from the opposite hosts. Also, any PC can simply give itself a secondary IP in the other network and can then participate.

As pictured, your network hosts have no default gateway, so they won't be able to see anything else outside this limited network. There is no address allocation like DHCP or similar, so you're trusting that each host will have its IP hard-set correctly.

Why would you want a setup like this?

Imagine a site that doesn't have a managed switch, only has a single unmanaged switch. By running an overlay network you can have two "separate" networks, perhaps one for storage with no gateway, and a LAN for regular use. Yes this is a somewhat contrived example.

An extension that I've seen in real life is to have a subnet inside a supernet, a /28 at the very front of a /24.

  • Some contractors had hard-set IPs in the first 14 addresses, with /29
  • DHCP was used for other hosts on site
  • The site's router had the xxx.1/24 IP so it was in both subnets and worked fine for both.

Result: the contractors could not see or get to any other host in the LAN, and could still get out to the internet.

2
  • Not actually an overlay, rather side-by-side. An overlay network is a network you put on top of another, equally functional network. For instance, you can put an overlay network consisting of VPN links on top of the Internet.
    – Zac67
    Commented Feb 21, 2022 at 20:37
  • @Zac67 fair enough - I was taught this was called an overlay or overlaid network, when doing my CCFA training.
    – Criggie
    Commented Feb 22, 2022 at 2:18
