Restrict access to a network having only an unmanaged switch


I've learned that VLANs are actually the only secure way to separate hosts from each other in a network.
My problem is that I have only a simple ZyXEL NBG6616 and an unmanaged desktop switch (DGS‑1008D), so wired VLANs are not that practical.
MAC filtering on WiFi and a hidden SSID aren't really security-improving measures, as described in:

but setting up wireless VLANs and strong passwords is not that much of a big deal.

It is different when it comes to LAN, you find discussions like

but still, it looks like you can even sniff MACs within a LAN, and as soon as you have access to a connected host, you can easily figure out the MAC.
There is the discussion "Is there any way to filter packets between two machines in same lan?", but it still answers the question 100%.

So how do I prevent someone from breaching the network as soon as a host is hooked up to an open port on the switch?


You don't, it's that simple.

Yes, there is IEEE 802.1X - but for that to work, you need a managed switch and a RADIUS server in your network.

Yes, your router also has a managed switch, meaning that you can physically separate VLANs on its different LAN/WAN ports and use unmanaged switches (plural) from there, but if your potential "attacker" has access to this switch and shuffles patch cables around… well, the attacker could just as easily hit the reset button.

In the end you need to analyze what your threat scenario really is and act accordingly. If you're a three-letter agency, that might involve armed guards sitting on the router with a self-destruct sequence; at home a stern talk might be sufficient - and there are lots of options in between these extremes.

1 Like
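An added example, not from anyone in this thread: since an unmanaged switch cannot stop a host that plugs into an open port (the point the answer above makes), the practical fallback at home is to notice when it happens. The script below parses the output of `ip neigh show` on a Linux box (a NAS, for instance) and reports MAC addresses that are not in a list of devices you know. The sample neighbour table and the allowlist are constructed for the example; the `ip neigh` line format is the real Linux one. Because a MAC can be spoofed, this is a detection aid for the home-network threat model, not an access control.

```python
"""Flag unknown MAC addresses in a Linux neighbour table (added example)."""
import re
import subprocess

# One neighbour per line, e.g.
#   192.168.1.10 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
# Entries with no lladdr (FAILED / INCOMPLETE) carry no MAC and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-f:]{17})\b",
    re.IGNORECASE,
)

# Constructed sample output standing in for a real `ip neigh show` run.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.10 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.50 dev eth0  FAILED
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
"""

# Constructed allowlist: the MACs of the devices you know are yours.
KNOWN_MACS = {
    "00:11:22:33:44:55",  # router
    "aa:bb:cc:dd:ee:01",  # NAS
}


def parse_neighbours(text):
    """Return (ip, dev, mac) tuples for every line that carries a MAC."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((m.group("ip"), m.group("dev"), m.group("mac").lower()))
    return entries


def unknown_hosts(text, known):
    """Map each MAC not in the allowlist to the set of IPs it answered for."""
    allow = {mac.lower() for mac in known}
    seen = {}
    for ip, _dev, mac in parse_neighbours(text):
        if mac not in allow:
            seen.setdefault(mac, set()).add(ip)
    return seen


def live_neighbours():
    """Fetch the current table from the local Linux host; empty string if `ip` is unavailable."""
    try:
        return subprocess.run(
            ["ip", "neigh", "show"], capture_output=True, text=True, check=False
        ).stdout
    except OSError:
        return ""


if __name__ == "__main__":
    # Swap SAMPLE_NEIGH for live_neighbours() to check the real LAN.
    for mac, ips in sorted(unknown_hosts(SAMPLE_NEIGH, KNOWN_MACS).items()):
        print(f"unknown MAC {mac} seen at {', '.join(sorted(ips))}")
```

Run it from cron on the NAS and have it mail or log the output; a new entry means a device you did not inventory has talked on the LAN, which is the moment the thread's "stern talk" becomes relevant. The neighbour table only lists hosts the NAS has exchanged packets with, so a quiet host can go unnoticed until it communicates.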

WOW that was quick.

possible but have to spend more money

could run on my NAS.


That's right, and that might answer the question: is the risk worth spending the money?


Do you mean how much dedicated equipment shall be used?