Subnets and network security

Constantin

Vampire Pig
I apologize in advance, as I have yet to find a good answer with the search function...

Subnetting has been advocated by some as a means of allowing greater network security - i.e. have one subnet for private use (ex: 192.168.1.0/24), and another for the guest network (192.168.2.0/24), for example. Assets on the private network that are supposed to reach both networks then can be given a /23 netmask.

That all seems well and good but how does this improve network security unless the devices in question are behaving nicely per the instructions sent out by the DHCP server or as pre-set on a fixed basis? That is, would there be anything that prevents a device from giving itself a rogue IP address / netmask and hence reaching anything and everything attached to the gateway / switch?

Or is subnetting mostly beneficial for limiting the impact of broadcasts and other network traffic to smaller segments, and not so much for security? Hence the suggestion to combine VLANs with subnets - VLANs for security, and well-thought-out subnets to manage traffic and IP address allocation?
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Subnetting a single VLAN as you described isn't recommended, and can lead to connectivity problems that are very difficult to troubleshoot. You should instead put separate subnets on separate VLANs.
 

Constantin

Vampire Pig
Sorry, I think that is what I meant - one subnet range per VLAN?

So if I understand it correctly, the VLAN provides the security and the subnet by VLAN provides the organization of the IP address space?
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Exactly.
 

Yorick

Wizard
And furthermore: You want your subnets to run through a firewall. If guest can get to home just by routing on a switch, that's not noticeably more secure than having both types of devices on the same subnet.
Your "Layer 3 boundary" is what enforces who can talk to whom. Usually a firewall. Switch ACLs work but are a pain administratively.
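Constantin's rogue-netmask question and Yorick's Layer 3 boundary point, worked through in a small Python model as an added example (not from anyone in the thread): the hosts, VLAN ids, addresses and firewall policy are constructed, and the model assumes a host can set any address/mask for itself but cannot change the VLAN of its switch port. It uses 192.168.0.0/22 as the covering prefix because that is the smallest one containing both the home and guest /24s.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed firewall policy at the L3 boundary: only home -> guest may cross.
HOME = IPv4Network("192.168.1.0/24")
GUEST = IPv4Network("192.168.2.0/24")
FW_ALLOW = [(HOME, GUEST)]

@dataclass(frozen=True)
class Host:
    name: str
    iface: IPv4Interface  # address/mask the host picks for itself (DHCP or rogue)
    vlan: int             # set on the switch port; the host cannot change it

def fw_permits(src: IPv4Address, dst: IPv4Address) -> bool:
    """Does the inter-VLAN firewall allow src to talk to dst?"""
    return any(src in s_net and dst in d_net for s_net, d_net in FW_ALLOW)

def path(src: Host, dst: Host) -> str:
    """Describe how a packet from src to dst is delivered, if at all."""
    if dst.iface.ip in src.iface.network:
        # src believes dst is on-link: it ARPs directly and never asks its gateway.
        # ARP is a broadcast, so it only succeeds inside one VLAN (broadcast domain).
        if src.vlan == dst.vlan:
            return "direct at L2, firewall bypassed"
        return "unreachable, ARP does not cross VLANs"
    # dst is off-link: src hands the packet to its gateway, where the firewall decides.
    verdict = "allowed" if fw_permits(src.iface.ip, dst.iface.ip) else "blocked"
    return f"via firewall, {verdict}"

def scenarios() -> dict:
    """Flat network (one VLAN, two subnets) versus one VLAN per subnet."""
    # 192.168.0.0/22 is the smallest prefix covering both subnets; a rogue guest
    # host sets it so that every home address looks on-link.
    flat_home = Host("home-nas", IPv4Interface("192.168.1.10/24"), vlan=1)
    flat_rogue = Host("rogue-guest", IPv4Interface("192.168.2.20/22"), vlan=1)
    vlan_home = Host("home-nas", IPv4Interface("192.168.1.10/24"), vlan=10)
    vlan_guest = Host("guest-phone", IPv4Interface("192.168.2.20/24"), vlan=20)
    vlan_rogue = Host("rogue-guest", IPv4Interface("192.168.2.20/22"), vlan=20)
    return {
        "flat: rogue /22 guest -> home": path(flat_rogue, flat_home),
        "vlans: rogue /22 guest -> home": path(vlan_rogue, vlan_home),
        "vlans: guest -> home": path(vlan_guest, vlan_home),
        "vlans: home -> guest": path(vlan_home, vlan_guest),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label}: {result}")
```

The flat case shows why a subnet on a shared VLAN enforces nothing: the self-assigned mask alone puts the home network on-link. With one VLAN per subnet, the only way between them is through the gateway, so the firewall policy is what actually decides who can talk to whom.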