From: bod43 on 5 Mar 2010 04:40

On 5 Mar, 08:21, Rob <nom...(a)example.com> wrote:
> Mark Huizer <xaa+news_comp.dcom.sys.ci...(a)dohd.org> wrote:
> > The wise Rob enlightened me with:
> >> Mark Huizer <xaa+news_comp.dcom.sys.ci...(a)dohd.org> wrote:
> >
> >>> What I would look at is:
> >
> >>> * you can use vlan acls (vacl) to filter the traffic between 172.26.0..0/0
> >>> and 172.26.16.0/24 (is that possible in your situation? dunno about your
> >>> l2 environment).
> >
> >>> * ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
> >>> you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
> >>> the one tunnel, and one that only allows 172.26.16.0 you have it worked
> >>> out for the ipsec tunnel
> >
> >> It is not a problem to get the ipsec tunnels working.
> >> (those are running over an ADSL line that is connected to the router)
> >
> > That was not what I was trying to address. I was trying to address the
> > fact that you wanted the right traffic to take the right tunnel.
>
> No, that is not a problem. I know how to setup tunnels and how to
> direct the traffic.
>
> The one and only issue is how to setup two different (Vlan) interfaces
> for the two kinds of traffic, where one is a small subnet of the other.
>
> >> It is not a problem IP-technically. It is a check/restriction made
> >> by IOS. I suspected that there might be some "ip magic-word" command
> >> that disables this check (like you have "ip subnet-zero" and "ip classless").
> >
> > Well, not as far as I can tell.
>
> Pity...
> At other locations we use L3 switching with HP Procurve switches and
> they accept this configuration without issue.
>
> Why we want this: we have decided way in the past to use a 172.xx.0.0/16
> subnet for each location of the company, and to use 172.xx.yy.0/24 ranges
> for different kinds of devices (servers, printers, pcs etc). The
> 172.xx.16.0/24 subnet is used for VoIP phones. But those are on a
> separate Vlan.
> It would be convenient to have this split made in the
> router, but when Cisco cannot do that we can do it in the ProCurve
> switch instead.

Cisco routers will not accept that configuration.

Except:- Maybe you can achieve what you want with either secondary
addressing or HSRP.

int fa 1
 ip address totally-fake-n-arbitrary mask
 ip address 172.xx.10.0 255.255.255.0 secondary

or

int fa 1
 ip address totally-fake-n-arbitrary mask
 standby ... whatever .. I forget exactly

You need a designer with a clue.
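An added example, written by nobody in this thread, that models the two points under discussion: the first-match crypto-ACL ordering Mark Huizer describes (deny the VoIP /24, then permit the site /16, for one tunnel; permit only the /24 for the other) and the overlapping-prefix condition that IOS rejects when the /16 and the /24 sit on two interfaces of the same router. The tunnel names and VLAN interface names are made up; the prefixes are the thread's 172.26.0.0/16 and 172.26.16.0/24.

```python
from ipaddress import ip_address, ip_network

# Ordered crypto ACLs, evaluated first-match with an implicit deny at the end
# (IOS semantics). Constructed to mirror the thread; tunnel names are made up.
CRYPTO_ACLS = {
    "data_tunnel": [("deny", ip_network("172.26.16.0/24")),
                    ("permit", ip_network("172.26.0.0/16"))],
    "voip_tunnel": [("permit", ip_network("172.26.16.0/24"))],
}


def acl_permits(acl, dst):
    """First entry whose prefix contains dst decides; no match means deny."""
    for action, net in acl:
        if dst in net:
            return action == "permit"
    return False


def select_tunnel(dst_str, acls=CRYPTO_ACLS):
    """Return the tunnel whose crypto ACL permits dst, or None.

    Because the data tunnel's ACL denies the VoIP /24 before permitting the
    /16, a VoIP destination falls through to the VoIP tunnel even though it
    is also inside 172.26.0.0/16.
    """
    dst = ip_address(dst_str)
    for name, acl in acls.items():
        if acl_permits(acl, dst):
            return name
    return None


def overlapping_interfaces(interfaces):
    """Return (name, name) pairs whose connected prefixes overlap.

    interfaces maps an interface name to a prefix string. An overlapping pair
    is the condition the original poster hit: IOS refuses to configure the
    /16 and a /24 carved out of it on two interfaces of one router.
    """
    nets = {name: ip_network(prefix) for name, prefix in interfaces.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]
```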