One subnet per vlan?

mikearama

I understand that this is best practice, but... that means that it's possible to create a vlan that has multiple subnets in it.

IE, I create vlan 200 for my dynamic users, and assign the 10.10.200.0 /24 scope to my dhcp server. But, on the 254th dynamic user, I'm out of IP's. So I add a scope for 10.10.201.0 /24.

Anyone done this? Any implications?

rjbarlow

mikearama wrote:

I understand that this is best practice, but... that means that it's possible to create a vlan that has multiple subnets in it.

IE, I create vlan 200 for my dynamic users, and assign the 10.10.200.0 /24 scope to my dhcp server. But, on the 254th dynamic user, I'm out of IP's. So I add a scope for 10.10.201.0 /24.

Anyone done this? Any implications?

Done never, but You probably refer to the possibility to configure a 2nd subnet for the same interface, this is done when You are out of ip addresses and don't want to change IP addresses to all the devices. The command is:

router(config-if)#ip address <ip address> <subnet-mask> secondary

If You are using more VLANs You could probably need to put that command under a subinterface, then You have to put just coherent IP addresses on the new or out of IP addresses devices and all would have to work well, I guess.

georgemc

If I remember right, there are some issues with DHCP and secondary addresses. As in I don't think the IP Helper Addresses work. You may want to test it out in a lab. In your stated scenario, I would probably just slide the subnet mask 1 bit to the left. Thus retaining your previous leased addresses and gaining an additional 256 addresses.

George

networker050184

Yes I have done this, but not for that reason. You can put two subnets on the same VLAN and you can use two different DHCP pools.

mikearama

@ george... that's actually what my senior admin did with our network. The question, though, wasn't so much practical as theoretical... I just want to know the issues associated with multiple subnets in a vlan.

If I understand it correctly, regardless of the IP, hosts in the same vlan will communicate just fine. The issue is when trying to get to another vlan.

As rj suggested, the router's int will need another IP to act as a gateway for the second subnet... I'd prolly go with a sub-int. George... any idea if a helper address would work using a sub-int, and not a secondary address?

edit: that's what I was looking for, networker. So no problem forwarding dhcp requests and getting replies back on the second subnet?

georgemc

mikearama wrote:

If I understand it correctly, regardless of the IP, hosts in the same vlan will communicate just fine. The issue is when trying to get to another vlan.

Negative, even if they're in the same VLAN, hosts in different subnets will not communicate unless there is a router involved

mikearama wrote:

As rj suggested, the router's int will need another IP to act as a gateway for the second subnet... I'd prolly go with a sub-int. George... any idea if a helper address would work using a sub-int, and not a secondary address?

IP Helpers work fine with a sub-interface, but a separate sub-interface would probably require a different VLAN. I've never tried programming two sub-interfaces off of the same physical interface with identical VLANs, so I'm not sure if this will work/is allowed. If you try this in a lab, let us know how it goes.

mikearama wrote:

edit: that's what I was looking for, networker. So no problem forwarding dhcp requests and getting replies back on the second subnet?

Things have changed a bit since I last played with this. It used to be that it wouldn't work. Now you can use the "IP DHCP SMART-RELAY" command to have the router step through each IP network on the interface when forwarding DHCP requests. Without the smart relay agent configured, all request are forwarded using the primary IP address on the interface. I paraphrased this from the "Authorized Self-Study Guide Building Scalable Cisco Internetworks (BSCI), Third Edition", pg. 445-446

The way I'm reading this, addresses wont be assigned from the second subnet until all addresses are allocated from the first subnet.

rjbarlow

mikearama wrote:

As rj suggested, the router's int will need another IP to act as a gateway for the second subnet... I'd prolly go with a sub-int. George... any idea if a helper address would work using a sub-int, and not a secondary address?

Mike, if You are using more VLANs, than You are already using at least one sub-interface. I suggested You to issue that command for a secondary subnet on that sub-interface on which reside both the old and the new subnet.
If You must to do this work for a native 802.1q VLAN, than You have to do that on the physical interface. I don't know if I explained well what I wanted to say.
If You create a new sub-interface maybe it works, but seems to me a forcing.