How smart is my network?

bizzehdee

In my office there is a dispute about how smart / efficient the network we have set up is.

We have a fibre line and a cable line feeding into a load-balancing router, which has a hardware firewall, to which finally a 64-port switch is connected.

Each of our workstations is connected to the switch (about 30 computers), plus a NAS and a couple of internal test servers (all assigned 192.168.0.x addresses).

If workstation A wants to communicate with workstation B, is our network smart enough to do the following:

A → switch → B, travelling only over the first common link

or would the path be A → switch → firewall → router → firewall → switch → B, having to travel the full route every time?

36
No smarter than the person who set it up. Moab 8 years ago 86
hub - useless; router - dumb hardware; switch - smart hardware Raystafarian 8 years ago 5

4 answers to the question

73
Ben N

Routers aren't necessary unless your traffic needs to move to a different subnet. When a computer wants to send some IP traffic to a different machine on its subnet, it needs the recipient's MAC address, since IP addresses aren't a thing at a switch's layer (Layer 2 of the OSI model). If it doesn't know the MAC address, it broadcasts an ARP request, saying "hey, whoever has this IP address, could you tell me your MAC address please?" When the machine gets a response, that address is then attached to the packet, and the switch uses it to send the packet out the right physical port.

When the destination isn't on the same subnet, routers need to get involved. The sender gives the packet to the appropriate router (usually the default gateway, unless you have special routing needs), which sends it through the network to the intended recipient. Unlike switches, routers know about and have IP addresses, but they also have MAC addresses, and that's the MAC address that initially gets put on packets that need routing. (MAC addresses never leave the subnet.)

You can see router IP addresses in the Gateway column of the output of route print on Windows. Destinations that don't require routing have On-link there.

+1 for being right. I'll add this for even more clarity: if the packet needs to be routed to another subnet (i.e. has to go to the router), the system still sends the frame to a MAC-48 address. It just sends it to the router's MAC-48 address rather than to the final recipient's. In every case the frame is delivered via a MAC-48 address. The switch basically ignores the IP address and only looks at which MAC address is needed. TOOGAM 8 years ago 12
Accepted for answering not only the question but also why and how. Many thanks bizzehdee 8 years ago 1
29
Nathan Adams

If 2 computers are connected to the same vlan on a switch and share the same subnet mask - the switch should deliver the packet without hitting your firewall or router.

You can verify this by running tracert 192.168.0.X (assuming Windows) and you should see a direct route to that system.

Or `traceroute` on Debian, or `nc` on various Unices. cat 8 years ago 15
19
200_success

Almost certainly, the communication path would be A ↔ switch ↔ B, not going through the firewall and router. Assuming that workstations A and B have IP addresses with the same network and netmask, they should be able to interact with no router involved, because the switch knows how to forward packets. You should be able to verify that there are no intermediate hops between A and B by running traceroute ip_address_of_B from a command prompt on A. (On Windows, the command would be tracert instead of traceroute.)

That said, alternative scenarios are possible, but less likely.

In the old days, before Ethernet switches were prevalent, there were Ethernet hubs. Hubs work the same way, except that they would unintelligently duplicate and forward incoming Ethernet packets out through every single port of the hub, instead of out of the appropriate port as a switch would. If you had a hub instead of a switch, then the router would see (and ignore) all traffic between A and B. Of course, such indiscriminate packet forwarding creates a lot of unnecessary traffic, and Ethernet hubs are uncommon these days.

Another possible (but unlikely) scenario is that the switch could be configured to do port isolation. That would force each workstation's traffic to go through the router. You might want to do that if you considered the workstations to be hostile to each other — for example, ports at a public library or in separate hotel rooms — and you don't want them to be able to directly communicate at all. In an office environment, though, it's very unlikely that your network administrator has set it up that way.

To answer your question in layman's terms: the network should naturally do the "right thing" in your case. However, it could be deliberately reconfigured to do a different "right thing". As a corollary to that, it could also be accidentally misconfigured to do a dumb thing.

0
Criggie

The other answers are correct. So in the interests of confirmation - I suggest you try it and find out.

tracert or traceroute or tracepath or mtr from one host to another.

Grab a spare (i.e. non-production) computer and give it an IP of 192.168.166.x /24 or 255.255.255.0 and a gateway of 192.168.166.1

You'll need to configure your firewall device to have a secondary IP of 192.168.166.1 /24 on the same interface as your LAN. Be careful to not break your LAN production traffic at this time. Exactly how you do this depends on your firewall OS.

There's a chance you may need to tweak or extend firewall rules for the LAN interface as well.

The path should be 166machine-switch-firewall-switch-0machine (but you won't see the switch in the traceroute because ethernet switches are at layer 2 and traceroute is ICMP at layer 3).

Do note, this is called an "overlay" network, and provides no added security. It is not a DMZ, there is no isolation, and does not hide the 166 network from the 0 network.
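As an added example (not code from any of the answers), here is a small Python model of the two decisions described in Ben N's answer and in Criggie's overlay test: the host's on-link-or-gateway choice (ARP for the destination itself versus ARP for the default gateway), and a learning switch that forwards A↔B frames to B's port alone once it has learned both MACs, so the router port never sees them. The hosts, MAC addresses and port numbers are constructed; the firewall's secondary 192.168.166.1 address models Criggie's test setup.

```python
import ipaddress

# Constructed topology modelled on the question: two workstations and the
# firewall on 192.168.0.0/24, plus Criggie's test box on 192.168.166.0/24.
# The firewall also carries 192.168.166.1 as a secondary address (the "overlay").
HOSTS = {
    "A":        {"addrs": ["192.168.0.10/24"],   "gw": "192.168.0.1",   "mac": "aa:00:00:00:00:0a", "port": 1},
    "B":        {"addrs": ["192.168.0.11/24"],   "gw": "192.168.0.1",   "mac": "aa:00:00:00:00:0b", "port": 2},
    "test166":  {"addrs": ["192.168.166.50/24"], "gw": "192.168.166.1", "mac": "aa:00:00:00:00:50", "port": 3},
    "firewall": {"addrs": ["192.168.0.1/24", "192.168.166.1/24"], "gw": None, "mac": "ff:00:00:00:00:01", "port": 64},
}
PORTS = {h["port"] for h in HOSTS.values()}
# What ARP would answer: every address a host owns resolves to that host's MAC.
ARP = {str(ipaddress.ip_interface(a).ip): h["mac"] for h in HOSTS.values() for a in h["addrs"]}
MAC_TO_NAME = {h["mac"]: n for n, h in HOSTS.items()}


def next_hop_mac(src: str, dst_ip: str) -> str:
    """Layer-3 decision made before framing: if dst_ip lies in one of the host's
    own subnets, ARP for dst_ip itself; otherwise ARP for the default gateway."""
    h = HOSTS[src]
    for a in h["addrs"]:
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(a).network:
            return ARP[dst_ip]
    if h["gw"] is None:
        raise ValueError(f"{src} has no route to {dst_ip}")
    return ARP[h["gw"]]


class LearningSwitch:
    """Layer-2 switch: learns source MAC -> port, floods unknown destinations."""
    def __init__(self):
        self.table = {}

    def forward(self, in_port, src_mac, dst_mac):
        self.table[src_mac] = in_port                     # learn where src lives
        if dst_mac in self.table:
            return [self.table[dst_mac]]                   # known: that port only
        return sorted(p for p in PORTS if p != in_port)   # unknown: flood, hub-like


def trace(switch, src, dst):
    """Hop list for one packet from src to dst. 'switch' is listed here although
    traceroute would not show it: the switch is not a layer-3 hop."""
    dst_ip = str(ipaddress.ip_interface(HOSTS[dst]["addrs"][0]).ip)
    hops, cur = [src], src
    while cur != dst:
        mac = next_hop_mac(cur, dst_ip)
        switch.forward(HOSTS[cur]["port"], HOSTS[cur]["mac"], mac)
        cur = MAC_TO_NAME[mac]
        hops += ["switch", cur]
    return hops
```

The first frame to an unlearned MAC is flooded to every other port, including the firewall's, which is the behaviour 200_success attributes to hubs; once the reply has been learned, A↔B traffic stays on ports 1 and 2.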