Multiple VLANs using same network

mikearama · April 2008

Here's one for you techies...

Take the network 10.22.100.0/24. Now suppose I want that one network to have multiple vlans. Normally I'd configure the router port that my switch trunks to like:

En
Config t
Interface FastEthernet0/0.1
Encapsulation dot1q 10
IP address 10.22.100.1 255.255.255.0
Exit
Interface FastEthernet0/0.2
Encapsulation dot1q 11
IP address 10.22.101.1 255.255.255.0
End
Wr mem

Now I know that best practice is to assign a network per vlan, so the above config works. I also know that a subnet can be divided by vlans... I just don't know how to config it.

Anyone ever taken one network and setup multiple vlans on it? How did you config your router port?

Much obliged,
Mike

darkuser · April 2008

you've actually got two vlans there
vlan10
and
vlan11
also you dont show the switch config

mikearama · April 2008

I'm showing an existing config, where there's a subnet per vlan. I'd like to know how it changes to have multiple vlans in the SAME subnet.

And yeah, this is me thinking through the process and settings... it hasn't been done yet. So I don't have a config to post.

Suffice it to say the switch currently runs several vlans, all trunked to a router port with an equal amount of sub-ints.

Sorry I don't have more... it's a work in progress.

mikearama · April 2008

Had a hard time finding any info on doing this. This links to a page from a CCIE prep book by Odom says that "proxy ARP" needs to be enabled to permit what I describe.

http://books.google.ca/books?id=dKzpj4r7KCwC&pg=PA31&lpg=PA31&dq=multiple+vlans+one+subnet&source=web&ots=qMoUT6UR6R&sig=wj9GskCXtlEtlXo26zw4iB_Wz38&hl=en

Anyone know how that makes a difference? Guess I'll start researching proxy arp.

redwarrior · April 2008

From how I understand it (I work on a network that is vlan-happy!), you would need proxy arp because, by separating 1 subnet into separate vlans, you are creating separate logical networks. This means that layer 2 broadcasts would not be able to cross those vlans to reach the broadcast address for the subnet without proxy arp. In our case, this would go against our reasons for using vlans in the first place, since we are using them to segment our network for the purposes of isolating broadcast traffic and security.

Please post whatever you dig up...it does sound interesting!

AlanJames · April 2008

yeah,
I don't think i've ever seen what you want done in a networked environment, cisco best practice is one subnet per VLAN.

georgemc · April 2008

Intriguing concept Mike, I'm busy trying to locate page 37 of the book you referenced above to find out more about it.

Thanks,
George

tech-airman · April 2008

mikearama,

mikearama wrote:

Here's one for you techies...

Take the network 10.22.100.0/24. Now suppose I want that one network to have multiple vlans. Normally I'd configure the router port that my switch trunks to like:

En
Config t
Interface FastEthernet0/0.1
Encapsulation dot1q 10
IP address 10.22.100.1 255.255.255.0
Exit
Interface FastEthernet0/0.2
Encapsulation dot1q 11
IP address 10.22.101.1 255.255.255.0
End
Wr mem

Now I know that best practice is to assign a network per vlan, so the above config works. I also know that a subnet can be divided by vlans... I just don't know how to config it.

I have to ask but why are you trying to further subdivide a subnet? What routing protocol is being used on the router on a stick?

mikearama wrote:

Anyone ever taken one network and setup multiple vlans on it? How did you config your router port?

Much obliged,
Mike

You're supposed to take a network then subnet it. Subnet it either classfully or classlessly. Then associate a VLAN for EACH subnet.

mikearama · April 2008

I have an existing subnet to use, and cannot add another. And yet, within that one subnet, I'd like to seperate user/server/wireless traffic. So I'd like to use vlans.

So based on that, I'd like to see if a couple vlans can be created, but using the same existing subnet.

I continue to read that it's possible (though not best practice), and I wondered if anyone had actually set it up, and if so, how. I guess no one's had a subnet restriction like the one I face, so everyone's been able to just throw a subnet at each vlan.

tech-airman · April 2008

mikearama wrote:

I have an existing subnet to use, and cannot add another. And yet, within that one subnet, I'd like to seperate user/server/wireless traffic. So I'd like to use vlans.

So based on that, I'd like to see if a couple vlans can be created, but using the same existing subnet.

I continue to read that it's possible (though not best practice), and I wondered if anyone had actually set it up, and if so, how. I guess no one's had a subnet restriction like the one I face, so everyone's been able to just throw a subnet at each vlan.

mikearama,

Questions:

Which routing protocol is running on the router that is performing the inter-VLAN routing?
Are the wireless networking devices made by Cisco?
What kinds of wireless networking devices are involved?

mikearama · April 2008

EIGRP across the board.

Everything's Cisco... the AP's are 1230's, and they're not controller-based (a future project).

darkuser · April 2008

i think you have adjust your logical concepts of vlans and networks
a vlan is just a seperate layer
two broadcast domain.

a network is a layer 3 grouping of addresses.

you can bridge two vlans together
or you can use a secondary address on a vlan to essentially make a single vlan
the home for two subnets.
we did that during a migration.

darkuser · April 2008

redwarrior wrote:

From how I understand it (I work on a network that is vlan-happy!), you would need proxy arp because, by separating 1 subnet into separate vlans, you are creating separate logical networks. This means that layer 2 broadcasts would not be able to cross those vlans to reach the broadcast address for the subnet without proxy arp. In our case, this would go against our reasons for using vlans in the first place, since we are using them to segment our network for the purposes of isolating broadcast traffic and security.

Please post whatever you dig up...it does sound interesting!

i have 110 had to tell my boss NO MORE
usless you'd like a layer two explosion

Cucumber · April 2008

I have not tried to lab this up so Mikerama, please post an update if you manage to do this several vlans for one IP network thing. I read the very same reference you posted in that CCIE book and I was like "I have to try this lab" but I havent had the time yet.

APA · April 2008

Can be done via Private VLAN config.... but you need a 3560 or 3750..........

Also the two vlans would not be able to communicate with each other at all.... So not sure if that would be the best design for you????

ofmanyone · May 2014

I've been a network engineer for 13 years, and a CCIE for 7, so please understand that I'm no spring chicken...

I just ran into a situation where I needed this option of providing a single subnet to multiple VLANs: A small ISP (friend of mine) has multiple wireless bridges connected to a single broadcast domain (VLAN) and multiple wireless customers connected to each bridge via the same SSID. This single VLAN is providing public IP addresses directly to customers at a premium. The same VLAN provides private IP addresses to everyone else, who are NATed for Internet access. This is the classic "Multiple Subnets per VLAN" scenario. The problem is, my friend has had major network issues after lightning strikes, and affected APs bring down the entire network (haven't looked at his design/topology yet). Suffice it to say, it would be really nice to place each AP on a separate broadcast domain/VLAN. However, that is not desirable due to the limited public IP space available to my friend (which he pays the ISP for). The "Single Subnet per VLAN" scenario here would necessitate carving out subnets from his /24 public IP space, which would burn up 2 valuable addresses for every subnet. See the conundrum?

The solution is to keep his /24 mask for his public IP space, while assigning each AP to a different VLAN. "mikearama" was correct when he quoted Odom, suggesting that Proxy ARP is required. How does that work? I now quote from Jeff Doyle from "Routing TCP/IP Vol I"

"For example, a host 192.168.12.5 /24 needs to send a packet to 192.168.20.101 /24, but it is not configured with default gateway information and therefore does not know how to reach a router. It might issue an ARP Request for 192.168.20.101; the local router, receiving the request and knowing how to reach network 192.168.20.0, will issue an ARP Reply with its own data link identifier in the hardware address field. In effect, the router has tricked the local host into thinking that the router’s interface is the interface of 192.168.20.101. All packets destined for that address are then sent to the router... Proxy ARP is enabled by default in IOS and might be disabled on a per interface basis with the command "no ip proxy-arp."

Doyle, Jeff; Carroll, Jennifer (2005-10-19). Routing TCP/IP, Volume 1 (2nd Edition)

DISCLAIMER: I haven't tested this, though it stands to reason according to our new understanding of Proxy ARP. I also checked CCO at the following link, which confirms that Proxy ARP is enabled by default on the 3750-X 12.2(55)SE code.

Catalyst 3750-X and 3560-X Switch Software Configuration Guide, Release 12.2(55)SE - Configuring IP Unicast Routing [Cisco Catalyst 3750-X Series Switches] - Cisco

In our specific scenario, all of the APs are trunked through the switched network on VLAN 200 to a Cisco 3750 distribution switch running at Layer 3, and all of the hosts are on the 172.16.1.0 /24 network (just for example). What we will do is move each AP to its own VLAN on the switches that they are physically connected to, e.g. AP-1 to VLAN 10, AP-2 to VLAN 20, AP-3 to VLAN 30, etc. We will then create an SVI (Interface VLAN) for VLANs 10, 20, 30, etc. on the 3750; e.g. 192.168.10.1 /24, 192.168.20.1 /24, 192.168.30.1 /24, etc. respectively. We will also create an SVI for VLAN 100 with an IP address of 172.16.1.1 /24. All of the hosts will be sending ARP requests for 172.16.1.1, which they are not logically connected to. But the Layer 3 switch will respond with the MAC address of the SVI that the hosts are connected to, thus providing Proxy ARP for Interface VLAN 100, and allow the hosts to route to their default gateway. If L3 broadcasts are not being blocked (not sure if they will be), then we can apply access-lists or storm control to each SVI to prevent them. The config on the 3750 looks like this:

interface GigabitEthernet1/0/1
description TRUNK TO AP SWITCHED NETWORK
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20,30
!
interface VLAN 10
ip address 192.168.10.1
!
interface VLAN 20
ip address 192.168.20.1
!
interface VLAN 30
ip address 192.168.30.1
!
interface VLAN 100
ip address 172.16.100.1
!

Hosts on the wireless network, looking for 172.16.100.1 as their default gateway, will send ARP requests. Even though they are not on VLAN 100, the 3750 L3 switch will reply with the mac address of the SVI that the ARP request came in on.

I've taken too much time already. If there are individual technologies referenced here that you do not understand, then you simply need to study. Have fun guys!

Multiple VLANs using same network

Comments