From: Rob on
In a Cisco 877 (IOS 12.4(15)T11) there are two Vlan interfaces:

Vlan1 (default vlan) with ip address 172.26.1.1 mask 255.255.0.0

Now I would like to add a Vlan10
with ip address 172.26.16.1 mask 255.255.255.0

i.e. the Vlan10 is actually a subnet of the larger Vlan1 space.

The router refuses this assignment, complaining that the addresses
do overlap.
Of course this is true. But is it a real problem?
Systems on Vlan10 don't need to communicate with Vlan1, but both
Vlans are routed to another site over separate IPsec tunnels.

Is there a global config command that would allow this setup?
From: Mark Huizer on
The wise Rob enlightened me with:
> In a Cisco 877 (IOS 12.4(15)T11) there are two Vlan interfaces:
>
> Vlan1 (default vlan) with ip address 172.26.1.1 mask 255.255.0.0
>
> Now I would like to add a Vlan10
> with ip address 172.26.16.1 mask 255.255.255.0
>
> i.e. the Vlan10 is actually a subnet of the larger Vlan1 space.
>
> The router refuses this assignment, complaining that the addresses
> do overlap.
> Of course this is true. But is it a real problem?
> Systems on Vlan10 don't need to communicate with Vlan1, but both
> Vlans are routed to another site over separate IPsec tunnels.
>
> Is there a global config command that would allow this setup?

Maybe you are looking for the wrong solution for a problem?

I don't think it is possible to work the way you want it, unless you
really separate the networks (using stuff like vrf etc), but that might
not be fun and not much of a solution :-)

What I would look at is:

* you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0
and 172.26.16.0/24 (is that possible in your situation? dunno about your
l2 environment).

* ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
the one tunnel, and one that only allows 172.26.16.0 you have it worked
out for the ipsec tunnel

Mark
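The crypto-ACL ordering from the second bullet above, worked through as an added example (not code from either poster): it models IOS first-match evaluation of the two tunnel ACLs and the interface-overlap check the router complains about. The site prefix 172.26.0.0/16, the VoIP subnet 172.26.16.0/24 and the tunnel names "A"/"B" are taken from the thread or constructed for illustration.

```python
"""Added example: first-match evaluation of two IPsec crypto ACLs and the
connected-subnet overlap check, using the standard ipaddress module.

Assumption: a crypto ACL is an ordered list of (action, network) entries
evaluated top-down, with an implicit deny when nothing matches."""
from ipaddress import ip_address, ip_network

SITE = ip_network("172.26.0.0/16")   # Vlan1 address space (from the thread)
VOIP = ip_network("172.26.16.0/24")  # Vlan10, a subnet of SITE (from the thread)

# Tunnel A carries the whole /16 EXCEPT the VoIP /24. The deny must precede
# the permit: entries are matched in order and the first hit wins.
TUNNEL_A_ACL = [("deny", VOIP), ("permit", SITE)]
# Tunnel B carries only the VoIP /24.
TUNNEL_B_ACL = [("permit", VOIP)]
# Wrong order for comparison: the broad permit swallows the VoIP hosts too.
MISORDERED_ACL = [("permit", SITE), ("deny", VOIP)]


def acl_permits(acl, src):
    """True if the first entry matching src is a permit; implicit deny otherwise."""
    addr = ip_address(src)
    for action, net in acl:
        if addr in net:
            return action == "permit"
    return False


def select_tunnel(src):
    """Return the name of the tunnel whose crypto ACL selects traffic from src."""
    for name, acl in (("A", TUNNEL_A_ACL), ("B", TUNNEL_B_ACL)):
        if acl_permits(acl, src):
            return name
    return None  # not interesting traffic for either tunnel


def overlaps(iface_a, iface_b):
    """The check IOS applies to interface addresses: connected subnets may
    not overlap. Host addresses with prefix lengths are accepted as input."""
    net_a = ip_network(iface_a, strict=False)
    net_b = ip_network(iface_b, strict=False)
    return net_a.overlaps(net_b)


if __name__ == "__main__":
    for host in ("172.26.1.50", "172.26.16.7", "172.27.0.1"):
        print(host, "->", select_tunnel(host))
    print("misordered ACL leaks VoIP into A:", acl_permits(MISORDERED_ACL, "172.26.16.7"))
    print("Vlan1/Vlan10 overlap:", overlaps("172.26.1.1/16", "172.26.16.1/24"))
```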
From: Rob on
Mark Huizer <xaa+news_comp.dcom.sys.cisco(a)dohd.org> wrote:
> The wise Rob enlightened me with:
>> In a Cisco 877 (IOS 12.4(15)T11) there are two Vlan interfaces:
>>
>> Vlan1 (default vlan) with ip address 172.26.1.1 mask 255.255.0.0
>>
>> Now I would like to add a Vlan10
>> with ip address 172.26.16.1 mask 255.255.255.0
>>
>> i.e. the Vlan10 is actually a subnet of the larger Vlan1 space.
>>
>> The router refuses this assignment, complaining that the addresses
>> do overlap.
>> Of course this is true. But is it a real problem?
>> Systems on Vlan10 don't need to communicate with Vlan1, but both
>> Vlans are routed to another site over separate IPsec tunnels.
>>
>> Is there a global config command that would allow this setup?
>
> Maybe you are looking for the wrong solution for a problem?

In Cisco IOS, you mean?
It works fine in other environments.
Maybe another number plan would have been sturdier, but this is what
has evolved historically.

> I don't think it is possible to work the way you want it, unless you
> really separate the networks (using stuff like vrf etc), but that might
> not be fun and not much of a solution :-)

Ok

> What I would look at is:
>
> * you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0
> and 172.26.16.0/24 (is that possible in your situation? dunno about your
> l2 environment).
>
> * ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
> you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
> the one tunnel, and one that only allows 172.26.16.0 you have it worked
> out for the ipsec tunnel

It is not a problem to get the ipsec tunnels working.
(those are running over an ADSL line that is connected to the router)

What is "a problem" (I have a workaround but I still would like to get
the above working) is to have two different LAN segments, implemented
as two Vlans in the router config, that have addresses where one is a
small subnet of the other.

It is not a problem IP-technically. It is a check/restriction made
by IOS. I suspected that there might be some "ip magic-word" command
that disables this check (like you have "ip subnet-zero" and "ip classless").
From: Mark Huizer on
The wise Rob enlightened me with:
> Mark Huizer <xaa+news_comp.dcom.sys.cisco(a)dohd.org> wrote:
>
>> What I would look at is:
>>
>> * you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0
>> and 172.26.16.0/24 (is that possible in your situation? dunno about your
>> l2 environment).
>>
>> * ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
>> you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
>> the one tunnel, and one that only allows 172.26.16.0 you have it worked
>> out for the ipsec tunnel
>
> It is not a problem to get the ipsec tunnels working.
> (those are running over an ADSL line that is connected to the router)

That was not what I was trying to address. I was trying to address the
fact that you wanted the right traffic to take the right tunnel.

> What is "a problem" (I have a workaround but I still would like to get
> the above working) is to have two different LAN segments, implemented
> as two Vlans in the router config, that have addresses where one is a
> small subnet of the other.
>
> It is not a problem IP-technically. It is a check/restriction made
> by IOS. I suspected that there might be some "ip magic-word" command
> that disables this check (like you have "ip subnet-zero" and "ip classless").

Well, not as far as I can tell.

Mark
From: Rob on
Mark Huizer <xaa+news_comp.dcom.sys.cisco(a)dohd.org> wrote:
> The wise Rob enlightened me with:
>> Mark Huizer <xaa+news_comp.dcom.sys.cisco(a)dohd.org> wrote:
>>
>>> What I would look at is:
>>>
>>> * you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0
>>> and 172.26.16.0/24 (is that possible in your situation? dunno about your
>>> l2 environment).
>>>
>>> * ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
>>> you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
>>> the one tunnel, and one that only allows 172.26.16.0 you have it worked
>>> out for the ipsec tunnel
>>
>> It is not a problem to get the ipsec tunnels working.
>> (those are running over an ADSL line that is connected to the router)
>
> That was not what I was trying to address. I was trying to address the
> fact that you wanted the right traffic to take the right tunnel.

No, that is not a problem. I know how to set up tunnels and how to
direct the traffic.

The one and only issue is how to set up two different (Vlan) interfaces
for the two kinds of traffic, where one is a small subnet of the other.

>> It is not a problem IP-technically. It is a check/restriction made
>> by IOS. I suspected that there might be some "ip magic-word" command
>> that disables this check (like you have "ip subnet-zero" and "ip classless").
>
> Well, not as far as I can tell.

Pity...
At other locations we use L3 switching with HP Procurve switches and
they accept this configuration without issue.

Why we want this: we decided way back in the past to use a 172.xx.0.0/16
subnet for each location of the company, and to use 172.xx.yy.0/24 ranges
for different kinds of devices (servers, printers, PCs etc.). The
172.xx.16.0/24 subnet is used for VoIP phones. But those are on a
separate Vlan. It would be convenient to have this split made in the
router, but when Cisco cannot do that we can do it in the ProCurve
switch instead.