Velocity Reviews > Newsgroups > Computing > Cisco

overlapping IP networks in VLAN

 
 
Rob
03-04-2010
In a Cisco 877 (IOS 12.4(15)T11) there are two Vlan interfaces:

Vlan1 (default vlan) with ip address 172.26.1.1 mask 255.255.0.0

Now I would like to add a Vlan10
with ip address 172.26.16.1 mask 255.255.255.0

i.e. the Vlan10 is actually a subnet of the larger Vlan1 space.

The router refuses this assignment, complaining that the addresses
do overlap.
Of course this is true. But is it a real problem?
Systems on Vlan10 don't need to communicate with Vlan1, but both
Vlans are routed to another site over separate IPsec tunnels.

Is there a global config command that would allow this setup?
 

Mark Huizer
03-04-2010
The wise Rob enlightened me with:
> In a Cisco 877 (IOS 12.4(15)T11) there are two Vlan interfaces:
>
> Vlan1 (default vlan) with ip address 172.26.1.1 mask 255.255.0.0
>
> Now I would like to add a Vlan10
> with ip address 172.26.16.1 mask 255.255.255.0
>
> i.e. the Vlan10 is actually a subnet of the larger Vlan1 space.
>
> The router refuses this assignment, complaining that the addresses
> do overlap.
> Of course this is true. But is it a real problem?
> Systems on Vlan10 don't need to communicate with Vlan1, but both
> Vlans are routed to another site over separate IPsec tunnels.
>
> Is there a global config command that would allow this setup?


Maybe you are looking for the wrong solution for a problem?

I don't think it is possible to work the way you want it, unless you
really separate the networks (using stuff like vrf etc), but that might
not be fun and not much of a solution

What I would look at is:

* you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0
and 172.26.16.0/24 (is that possible in your situation? dunno about your
l2 environment).

* ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
the one tunnel, and one that only allows 172.26.16.0 you have it worked
out for the ipsec tunnel

Mark
 
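A concrete IOS configuration for the two things Mark raises above: putting the phone VLAN in its own VRF, and ordering the crypto ACL so the phone range is denied before the /16 is permitted. This is an added example, not configuration from the thread or from Rob's router. It assumes the 877's feature set includes VRF-lite and IPsec VTI, that the ADSL WAN interface is Dialer0, that the remote site uses 172.27.0.0/16, that the data tunnel terminates on 198.51.100.1 and the voice tunnel on a second peer 198.51.100.2 at that site, and the VRF name, keys and cipher choices are placeholders. The reason the overlapping assignment becomes legal is that IOS checks for overlap per routing table: 172.26.16.0/24 in VRF VOICE and 172.26.0.0/16 in the global table do not collide.

```cisco
! Added example (not from the thread). Assumptions: Dialer0 is the ADSL
! WAN interface, the remote site uses 172.27.0.0/16, the data tunnel
! peer is 198.51.100.1, the voice tunnel peer is 198.51.100.2, and the
! VRF name, keys and ciphers are placeholders.
!
! A separate routing table for the voice segment. IOS checks address
! overlap per VRF, so 172.26.16.0/24 here no longer collides with the
! 172.26.0.0/16 on Vlan1 in the global table.
ip vrf VOICE
 rd 65000:10
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-ME-DATA  address 198.51.100.1
crypto isakmp key REPLACE-ME-VOICE address 198.51.100.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Data tunnel: crypto-map style, selected by ACL. The deny lines sit
! before the permit, so phone addresses are never pulled into this SA
! even though they fall inside 172.26.0.0/16.
ip access-list extended CRYPTO-DATA
 deny   ip 172.26.16.0 0.0.0.255 any
 deny   ip any 172.26.16.0 0.0.0.255
 permit ip 172.26.0.0 0.0.255.255 172.27.0.0 0.0.255.255
!
crypto map CM-WAN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES
 match address CRYPTO-DATA
!
! Voice tunnel: a static VTI whose inner side is in the VRF. The tunnel
! interface is the traffic selector, so no crypto ACL is needed, and
! decrypted packets land directly in VOICE rather than the global table.
crypto ipsec profile PROF-VOICE
 set transform-set TS-AES
!
interface Tunnel10
 ip vrf forwarding VOICE
 ip address 10.255.10.1 255.255.255.252
 tunnel source Dialer0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF-VOICE
!
interface Vlan1
 ip address 172.26.1.1 255.255.0.0
!
! "ip vrf forwarding" must precede "ip address": IOS clears any address
! already on the interface when it is moved into a VRF.
interface Vlan10
 ip vrf forwarding VOICE
 ip address 172.26.16.1 255.255.255.0
!
interface Dialer0
 crypto map CM-WAN
!
! The global table reaches the remote data range through the WAN (an
! existing default route via Dialer0 also suffices); the VRF only knows
! the remote phone range, via the VTI.
ip route 172.27.0.0 255.255.0.0 Dialer0
ip route vrf VOICE 172.27.16.0 255.255.255.0 Tunnel10
```

Verify with `show ip vrf interfaces`, `show ip route vrf VOICE` and `show crypto session`: Vlan10 and Tunnel10 should be listed under VOICE, and the VOICE table should hold only the connected /24 and the static route via Tunnel10. Two caveats before relying on this for isolation: the VRF has no route to the global table, so anything the phones need from the data side (DHCP, TFTP for phone configs, the call manager) must arrive over the voice tunnel or be leaked explicitly; and hosts on Vlan1 still carry a /16 mask, so they treat 172.26.16.x as on-link and ARP for it locally instead of sending it to the router. That, not any filter on the router, is what keeps the two segments from reaching each other.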
 
 
 
 
Rob
03-04-2010
Mark Huizer <xaa+> wrote:
> The wise Rob enlightened me with:
>> In a Cisco 877 (IOS 12.4(15)T11) there are two Vlan interfaces:
>>
>> Vlan1 (default vlan) with ip address 172.26.1.1 mask 255.255.0.0
>>
>> Now I would like to add a Vlan10
>> with ip address 172.26.16.1 mask 255.255.255.0
>>
>> i.e. the Vlan10 is actually a subnet of the larger Vlan1 space.
>>
>> The router refuses this assignment, complaining that the addresses
>> do overlap.
>> Of course this is true. But is it a real problem?
>> Systems on Vlan10 don't need to communicate with Vlan1, but both
>> Vlans are routed to another site over separate IPsec tunnels.
>>
>> Is there a global config command that would allow this setup?

>
> Maybe you are looking for the wrong solution for a problem?


In Cisco IOS, you mean?
It works fine in other environments.
Maybe another numberplan would have been sturdier, but this is what
has evolved historically.

> I don't think it is possible to work the way you want it, unless you
> really separate the networks (using stuff like vrf etc), but that might
> not be fun and not much of a solution


Ok

> What I would look at is:
>
> * you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0
> and 172.26.16.0/24 (is that possible in your situation? dunno about your
> l2 environment).
>
> * ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
> you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
> the one tunnel, and one that only allows 172.26.16.0 you have it worked
> out for the ipsec tunnel


It is not a problem to get the ipsec tunnels working.
(those are running over an ADSL line that is connected to the router)

What is "a problem" (I have a workaround but I still would like to get
the above working) is to have two different LAN segments, implemented
as two Vlans in the router config, that have addresses where one is a
small subnet of the other.

It is not a problem IP-technically. It is a check/restriction made
by IOS. I suspected that there might be some "ip magic-word" command
that disables this check (like you have "ip subnet-zero" and "ip classless").
 

Mark Huizer
03-04-2010
The wise Rob enlightened me with:
> Mark Huizer <xaa+> wrote:
>
>> What I would look at is:
>>
>> * you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0
>> and 172.26.16.0/24 (is that possible in your situation? dunno about your
>> l2 environment).
>>
>> * ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
>> you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
>> the one tunnel, and one that only allows 172.26.16.0 you have it worked
>> out for the ipsec tunnel

>
> It is not a problem to get the ipsec tunnels working.
> (those are running over an ADSL line that is connected to the router)


That was not what I was trying to address. I was trying to address the
fact that you wanted the right traffic to take the right tunnel.

> What is "a problem" (I have a workaround but I still would like to get
> the above working) is to have two different LAN segments, implemented
> as two Vlans in the router config, that have addresses where one is a
> small subnet of the other.
>
> It is not a problem IP-technically. It is a check/restriction made
> by IOS. I suspected that there might be some "ip magic-word" command
> that disables this check (like you have "ip subnet-zero" and "ip classless").


Well, not as far as I can tell.

Mark
 

Rob
03-05-2010
Mark Huizer <xaa+> wrote:
> The wise Rob enlightened me with:
>> Mark Huizer <xaa+> wrote:
>>
>>> What I would look at is:
>>>
>>> * you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0
>>> and 172.26.16.0/24 (is that possible in your situation? dunno about your
>>> l2 environment).
>>>
>>> * ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
>>> you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
>>> the one tunnel, and one that only allows 172.26.16.0 you have it worked
>>> out for the ipsec tunnel

>>
>> It is not a problem to get the ipsec tunnels working.
>> (those are running over an ADSL line that is connected to the router)

>
> That was not what I was trying to address. I was trying to address the
> fact that you wanted the right traffic to take the right tunnel.


No, that is not a problem. I know how to setup tunnels and how to
direct the traffic.

The one and only issue is how to setup two different (Vlan) interfaces
for the two kinds of traffic, where one is a small subnet of the other.

>> It is not a problem IP-technically. It is a check/restriction made
>> by IOS. I suspected that there might be some "ip magic-word" command
>> that disables this check (like you have "ip subnet-zero" and "ip classless").

>
> Well, not as far as I can tell.


Pity...
At other locations we use L3 switching with HP Procurve switches and
they accept this configuration without issue.

Why we want this: we have decided way in the past to use a 172.xx.0.0/16
subnet for each location of the company, and to use 172.xx.yy.0/24 ranges
for different kinds of devices (servers, printers, pcs etc). The
172.xx.16.0/24 subnet is used for VoIP phones. But those are on a
separate Vlan. It would be convenient to have this split made in the
router, but when Cisco cannot do that we can do it in the ProCurve
switch instead.
 

bod43
03-05-2010
On 5 Mar, 08:21, Rob <nom...@example.com> wrote:
> Mark Huizer <xaa+news_comp.dcom.sys.ci...@dohd.org> wrote:
>> The wise Rob enlightened me with:
>>> Mark Huizer <xaa+news_comp.dcom.sys.ci...@dohd.org> wrote:
>>>> What I would look at is:
>>>>
>>>> * you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0
>>>> and 172.26.16.0/24 (is that possible in your situation? dunno about your
>>>> l2 environment).
>>>>
>>>> * ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
>>>> you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
>>>> the one tunnel, and one that only allows 172.26.16.0 you have it worked
>>>> out for the ipsec tunnel
>>>
>>> It is not a problem to get the ipsec tunnels working.
>>> (those are running over an ADSL line that is connected to the router)
>>
>> That was not what I was trying to address. I was trying to address the
>> fact that you wanted the right traffic to take the right tunnel.
>
> No, that is not a problem. I know how to setup tunnels and how to
> direct the traffic.
>
> The one and only issue is how to setup two different (Vlan) interfaces
> for the two kinds of traffic, where one is a small subnet of the other.
>
>>> It is not a problem IP-technically. It is a check/restriction made
>>> by IOS. I suspected that there might be some "ip magic-word" command
>>> that disables this check (like you have "ip subnet-zero" and "ip classless").
>>
>> Well, not as far as I can tell.
>
> Pity...
> At other locations we use L3 switching with HP Procurve switches and
> they accept this configuration without issue.
>
> Why we want this: we have decided way in the past to use a 172.xx.0.0/16
> subnet for each location of the company, and to use 172.xx.yy.0/24 ranges
> for different kinds of devices (servers, printers, pcs etc). The
> 172.xx.16.0/24 subnet is used for VoIP phones. But those are on a
> separate Vlan. It would be convenient to have this split made in the
> router, but when Cisco cannot do that we can do it in the ProCurve
> switch instead.


Cisco routers will not accept that configuration.

Except:-

Maybe you can achieve what you want with either
secondary addressing or HSRP.

int fa 1
 ip address totally-fake-n-arbitrary mask
 ip address 172.xx.10.0 255.255.255.0 secondary

or

int fa 1
 ip address totally-fake-n-arbitrary mask
 standby ... whatever .. I forget exactly

You need a designer with a clue.
 