overlapping IP networks in VLAN

Discussion in 'Cisco' started by Rob, Mar 4, 2010.

  1. Rob (Guest)

    In a Cisco 877 (IOS 12.4(15)T11) there are two Vlan interfaces:

    Vlan1 (default vlan) with ip address 172.26.1.1 mask 255.255.0.0

    Now I would like to add a Vlan10
    with ip address 172.26.16.1 mask 255.255.255.0

    i.e. the Vlan10 is actually a subnet of the larger Vlan1 space.

    The router refuses this assignment, complaining that the addresses
    do overlap.
    Of course this is true. But is it a real problem?
    Systems on Vlan10 don't need to communicate with Vlan1, but both
    Vlans are routed to another site over separate IPsec tunnels.

    Is there a global config command that would allow this setup?
    Rob, Mar 4, 2010
    #1

  2. Mark Huizer (Guest)

    The wise Rob enlightened me with:
    > In a Cisco 877 (IOS 12.4(15)T11) there are two Vlan interfaces:
    >
    > Vlan1 (default vlan) with ip address 172.26.1.1 mask 255.255.0.0
    >
    > Now I would like to add a Vlan10
    > with ip address 172.26.16.1 mask 255.255.255.0
    >
    > i.e. the Vlan10 is actually a subnet of the larger Vlan1 space.
    >
    > The router refuses this assignment, complaining that the addresses
    > do overlap.
    > Of course this is true. But is it a real problem?
    > Systems on Vlan10 don't need to communicate with Vlan1, but both
    > Vlans are routed to another site over separate IPsec tunnels.
    >
    > Is there a global config command that would allow this setup?


    Maybe you are looking for the wrong solution for a problem?

    I don't think it is possible to work the way you want it, unless you
    really separate the networks (using stuff like vrf etc), but that might
    not be fun and not much of a solution :)

    What I would look at is:

    * you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0
    and 172.26.16.0/24 (is that possible in your situation? dunno about your
    l2 environment).

    * ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
    you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
    the one tunnel, and one that only allows 172.26.16.0 you have it worked
    out for the ipsec tunnel

    Mark
    Mark Huizer, Mar 4, 2010
    #2
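The two mechanisms this thread turns on, modelled as an added example (not code from the thread or from Cisco): the overlap test that makes IOS refuse Rob's second Vlan interface in #1, and Mark's crypto-ACL ordering in #2, where a deny for the /24 sits ahead of the permit for the /16 on the first tunnel and the second tunnel permits only the /24. It uses Python's standard `ipaddress` module and the addresses from the thread; the remote-site range 172.27.0.0/16, the tunnel names, and crypto-map style first-match evaluation of the tunnel list are assumptions for the example.

```python
"""Added example, not from the thread: model the IOS subnet-overlap check
and first-match crypto-ACL selection with only the standard library."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def overlapping_interfaces(interfaces):
    """Return (name_a, name_b, net_a, net_b) for every pair of interfaces
    whose connected subnets overlap; this is the condition IOS rejects."""
    parsed = [(name, IPv4Interface(addr).network) for name, addr in interfaces]
    hits = []
    for i, (name_a, net_a) in enumerate(parsed):
        for name_b, net_b in parsed[i + 1:]:
            if net_a.overlaps(net_b):
                hits.append((name_a, name_b, str(net_a), str(net_b)))
    return hits


def crypto_acl_action(acl, src, dst):
    """First-match evaluation of one IPsec crypto ACL.

    acl: list of (action, src_net, dst_net), action 'permit' or 'deny'.
    Returns 'permit' if the flow is selected for this tunnel, otherwise
    'deny' (crypto ACLs end with an implicit deny: not for this tunnel)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if s in IPv4Network(src_net) and d in IPv4Network(dst_net):
            return action
    return "deny"


def select_tunnel(tunnels, src, dst):
    """Return the first tunnel whose crypto ACL permits the flow, or None.
    Assumes crypto-map entries are tried in sequence order, so order matters."""
    for name, acl in tunnels:
        if crypto_acl_action(acl, src, dst) == "permit":
            return name
    return None


# Rob's two Vlan interfaces: the /24 lies inside the /16, so IOS rejects it.
INTERFACES = [
    ("Vlan1", "172.26.1.1/16"),
    ("Vlan10", "172.26.16.1/24"),
]

REMOTE = "172.27.0.0/16"  # assumed remote-site range for the example

# Mark's ordering: deny the VoIP /24 before permitting the whole /16.
TUNNELS = [
    ("tunnel-data", [
        ("deny", "172.26.16.0/24", REMOTE),
        ("permit", "172.26.0.0/16", REMOTE),
    ]),
    ("tunnel-voip", [
        ("permit", "172.26.16.0/24", REMOTE),
    ]),
]

# The same ACLs without the deny: every source in the /16, VoIP included,
# matches the first tunnel and the VoIP tunnel never carries anything.
TUNNELS_WITHOUT_DENY = [
    ("tunnel-data", [("permit", "172.26.0.0/16", REMOTE)]),
    ("tunnel-voip", [("permit", "172.26.16.0/24", REMOTE)]),
]

if __name__ == "__main__":
    for a, b, na, nb in overlapping_interfaces(INTERFACES):
        print(f"{b} {nb} overlaps with {a} {na}")
    for src in ("172.26.1.50", "172.26.16.20"):
        print(src, "->", select_tunnel(TUNNELS, src, "172.27.1.10"),
              "| without deny:",
              select_tunnel(TUNNELS_WITHOUT_DENY, src, "172.27.1.10"))
```

The second tunnel list shows why the deny matters: with only a permit for 172.26.0.0/16 on the first tunnel, a VoIP phone at 172.26.16.20 is still steered into the data tunnel, which is exactly the misrouting Mark's ordering prevents.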

  3. Rob (Guest)

    Mark Huizer <> wrote:
    > The wise Rob enlightened me with:
    >> In a Cisco 877 (IOS 12.4(15)T11) there are two Vlan interfaces:
    >>
    >> Vlan1 (default vlan) with ip address 172.26.1.1 mask 255.255.0.0
    >>
    >> Now I would like to add a Vlan10
    >> with ip address 172.26.16.1 mask 255.255.255.0
    >>
    >> i.e. the Vlan10 is actually a subnet of the larger Vlan1 space.
    >>
    >> The router refuses this assignment, complaining that the addresses
    >> do overlap.
    >> Of course this is true. But is it a real problem?
    >> Systems on Vlan10 don't need to communicate with Vlan1, but both
    >> Vlans are routed to another site over separate IPsec tunnels.
    >>
    >> Is there a global config command that would allow this setup?

    >
    > Maybe you are looking for the wrong solution for a problem?


    In Cisco IOS, you mean?
    It works fine in other environments.
    Maybe another numberplan would have been sturdier, but this is what
    has evolved historically.

    > I don't think it is possible to work the way you want it, unless you
    > really separate the networks (using stuff like vrf etc), but that might
    > not be fun and not much of a solution :)


    Ok

    > What I would look at is:
    >
    > * you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0
    > and 172.26.16.0/24 (is that possible in your situation? dunno about your
    > l2 environment).
    >
    > * ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
    > you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
    > the one tunnel, and one that only allows 172.26.16.0 you have it worked
    > out for the ipsec tunnel


    It is not a problem to get the ipsec tunnels working.
    (those are running over an ADSL line that is connected to the router)

    What is "a problem" (I have a workaround but I still would like to get
    the above working) is to have two different LAN segments, implemented
    as two Vlans in the router config, that have addresses where one is a
    small subnet of the other.

    It is not a problem IP-technically. It is a check/restriction made
    by IOS. I suspected that there might be some "ip magic-word" command
    that disables this check (like you have "ip subnet-zero" and "ip classless").
    Rob, Mar 4, 2010
    #3
  4. Mark Huizer (Guest)

    The wise Rob enlightened me with:
    > Mark Huizer <> wrote:
    >
    >> What I would look at is:
    >>
    >> * you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0
    >> and 172.26.16.0/24 (is that possible in your situation? dunno about your
    >> l2 environment).
    >>
    >> * ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
    >> you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
    >> the one tunnel, and one that only allows 172.26.16.0 you have it worked
    >> out for the ipsec tunnel

    >
    > It is not a problem to get the ipsec tunnels working.
    > (those are running over an ADSL line that is connected to the router)


    That was not what I was trying to address. I was trying to address the
    fact that you wanted the right traffic to take the right tunnel.

    > What is "a problem" (I have a workaround but I still would like to get
    > the above working) is to have two different LAN segments, implemented
    > as two Vlans in the router config, that have addresses where one is a
    > small subnet of the other.
    >
    > It is not a problem IP-technically. It is a check/restriction made
    > by IOS. I suspected that there might be some "ip magic-word" command
    > that disables this check (like you have "ip subnet-zero" and "ip classless").


    Well, not as far as I can tell.

    Mark
    Mark Huizer, Mar 4, 2010
    #4
  5. Rob (Guest)

    Mark Huizer <> wrote:
    > The wise Rob enlightened me with:
    >> Mark Huizer <> wrote:
    >>
    >>> What I would look at is:
    >>>
    >>> * you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0
    >>> and 172.26.16.0/24 (is that possible in your situation? dunno about your
    >>> l2 environment).
    >>>
    >>> * ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
    >>> you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
    >>> the one tunnel, and one that only allows 172.26.16.0 you have it worked
    >>> out for the ipsec tunnel

    >>
    >> It is not a problem to get the ipsec tunnels working.
    >> (those are running over an ADSL line that is connected to the router)

    >
    > That was not what I was trying to address. I was trying to address the
    > fact that you wanted the right traffic to take the right tunnel.


    No, that is not a problem. I know how to setup tunnels and how to
    direct the traffic.

    The one and only issue is how to setup two different (Vlan) interfaces
    for the two kinds of traffic, where one is a small subnet of the other.

    >> It is not a problem IP-technically. It is a check/restriction made
    >> by IOS. I suspected that there might be some "ip magic-word" command
    >> that disables this check (like you have "ip subnet-zero" and "ip classless").

    >
    > Well, not as far as I can tell.


    Pity...
    At other locations we use L3 switching with HP Procurve switches and
    they accept this configuration without issue.

    Why we want this: we have decided way in the past to use a 172.xx.0.0/16
    subnet for each location of the company, and to use 172.xx.yy.0/24 ranges
    for different kinds of devices (servers, printers, pcs etc). The
    172.xx.16.0/24 subnet is used for VoIP phones. But those are on a
    separate Vlan. It would be convenient to have this split made in the
    router, but when Cisco cannot do that we can do it in the ProCurve
    switch instead.
    Rob, Mar 5, 2010
    #5
  6. bod43 (Guest)

    On 5 Mar, 08:21, Rob <> wrote:
    > Mark Huizer <> wrote:
    > > The wise Rob enlightened me with:
    > >> Mark Huizer <> wrote:

    >
    > >>> What I would look at is:

    >
    > >>> * you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0
    > >>> and 172.26.16.0/24 (is that possible in your situation? dunno about your
    > >>> l2 environment).

    >
    > >>> * ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
    > >>> you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for
    > >>> the one tunnel, and one that only allows 172.26.16.0 you have it worked
    > >>> out for the ipsec tunnel

    >
    > >> It is not a problem to get the ipsec tunnels working.
    > >> (those are running over an ADSL line that is connected to the router)

    >
    > > That was not what I was trying to address. I was trying to address the
    > > fact that you wanted the right traffic to take the right tunnel.

    >
    > No, that is not a problem.  I know how to setup tunnels and how to
    > direct the traffic.
    >
    > The one and only issue is how to setup two different (Vlan) interfaces
    > for the two kinds of traffic, where one is a small subnet of the other.
    >
    > >> It is not a problem IP-technically.  It is a check/restriction made
    > >> by IOS.   I suspected that there might be some "ip magic-word" command
    > >> that disables this check (like you have "ip subnet-zero" and "ip classless").

    >
    > > Well, not as far as I can tell.

    >
    > Pity...
    > At other locations we use L3 switching with HP Procurve switches and
    > they accept this configuration without issue.
    >
    > Why we want this: we have decided way in the past to use a 172.xx.0.0/16
    > subnet for each location of the company, and to use 172.xx.yy.0/24 ranges
    > for different kinds of devices (servers, printers, pcs etc).  The
    > 172.xx.16.0/24 subnet is used for VoIP phones.  But those are on a
    > separate Vlan.  It would be convenient to have this split made in the
    > router, but when Cisco cannot do that we can do it in the ProCurve
    > switch instead.


    Cisco routers will not accept that configuration.

    Except:-

    Maybe you can achieve what you want with either
    secondary addressing or HSRP.

    int fa 1
    ip address totally-fake-n-arbitrary mask
    ip address 172.xx.10.0 255.255.255.0 secondary

    or

    int fa 1
    ip address totally-fake-n-arbitrary mask
    standby ... whatever .. I forget exactly

    You need a designer with a clue.
    bod43, Mar 5, 2010
    #6
