overlapping IP networks in VLAN

Discussion in 'Cisco' started by Rob, Mar 4, 2010.

  1. Rob (Guest)

    In a Cisco 877 (IOS 12.4(15)T11) there are two Vlan interfaces:

    Vlan1 (default vlan) with ip address mask

    Now I would like to add a Vlan10
    with ip address mask

    i.e. the Vlan10 is actually a subnet of the larger Vlan1 space.

    The router refuses this assignment, complaining that the addresses
    do overlap.
    Of course this is true. But is it a real problem?
    Systems on Vlan10 don't need to communicate with Vlan1, but both
    Vlans are routed to another site over separate IPsec tunnels.

    Is there a global config command that would allow this setup?
    Rob, Mar 4, 2010

  2. Mark Huizer (Guest)

    The wise Rob enlightened me with:
    Maybe you are looking for the wrong solution for a problem?

    I don't think it is possible to work the way you want it, unless you
    really separate the networks (using stuff like vrf etc), but that might
    not be fun and not much of a solution :)

    What I would look at is:

    * you can use vlan acls (vacl) to filter the traffic between
    and (is that possible in your situation? dunno about your
    l2 environment).

    * ipsec tunnels use an acl to decide what traffic goes into a tunnel. If
    you have an acl that denies and then allows for
    the one tunnel, and one that only allows you have it worked
    out for the ipsec tunnel.

    Mark Huizer, Mar 4, 2010

  3. Rob (Guest)

    In Cisco IOS, you mean?
    It works fine in other environments.
    Maybe another numberplan would have been sturdier, but this is what
    has evolved historically.
    It is not a problem to get the ipsec tunnels working.
    (those are running over an ADSL line that is connected to the router)

    What is "a problem" (I have a workaround but I still would like to get
    the above working) is to have two different LAN segments, implemented
    as two Vlans in the router config, that have addresses where one is a
    small subnet of the other.

    It is not a problem IP-technically. It is a check/restriction made
    by IOS. I suspected that there might be some "ip magic-word" command
    that disables this check (like you have "ip subnet-zero" and "ip classless").
    Rob, Mar 4, 2010
  4. Mark Huizer (Guest)

    The wise Rob enlightened me with:
    That was not what I was trying to address. I was trying to address the
    fact that you wanted the right traffic to take the right tunnel.
    Well, not as far as I can tell.

    Mark Huizer, Mar 4, 2010
  5. Rob (Guest)

    No, that is not a problem. I know how to set up tunnels and how to
    direct the traffic.

    The one and only issue is how to set up two different (Vlan) interfaces
    for the two kinds of traffic, where one is a small subnet of the other.
    At other locations we use L3 switching with HP Procurve switches and
    they accept this configuration without issue.

    Why we want this: we have decided way in the past to use a 172.xx.0.0/16
    subnet for each location of the company, and to use 172.xx.yy.0/24 ranges
    for different kinds of devices (servers, printers, pcs etc). The
    172.xx.16.0/24 subnet is used for VoIP phones. But those are on a
    separate Vlan. It would be convenient to have this split made in the
    router, but when Cisco cannot do that we can do it in the ProCurve
    switch instead.
    Rob, Mar 5, 2010
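    A small model of the crypto ACL ordering Mark describes above, applied to the 172.xx address plan from Rob's post (one /16 per site, the /24 at 172.xx.16.0 for VoIP phones). This is an added example in Python, not anything from the thread or from IOS; the site number 16, the remote range 10.0.0.0/8 and the tunnel names are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed address plan following the thread: one /16 per site, with the
# /24 at 172.xx.16.0 carrying VoIP phones. "xx" = 16 is an assumption.
SITE = ipaddress.ip_network("172.16.0.0/16")
VOIP = ipaddress.ip_network("172.16.16.0/24")
REMOTE = ipaddress.ip_network("10.0.0.0/8")  # assumed remote-site range

# One crypto ACL line: (action, source prefix, destination prefix).
AclEntry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def first_match(acl: List[AclEntry], src: str, dst: str) -> Optional[str]:
    """Evaluate an IOS-style ACL top-down; the first matching line wins.
    Returns 'permit', 'deny', or None when no line matches (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return None


def select_tunnel(tunnels: List[Tuple[str, List[AclEntry]]],
                  src: str, dst: str) -> Optional[str]:
    """Crypto map entries are tried in sequence; the packet is encrypted by
    the first entry whose ACL permits it. A deny only skips that entry."""
    for name, acl in tunnels:
        if first_match(acl, src, dst) == "permit":
            return name
    return None


# The ordering Mark suggests: deny the VoIP /24 before permitting the /16,
# so VoIP traffic falls through to the second tunnel's ACL.
DATA_ACL: List[AclEntry] = [("deny", VOIP, REMOTE), ("permit", SITE, REMOTE)]
VOIP_ACL: List[AclEntry] = [("permit", VOIP, REMOTE)]
TUNNELS_OK = [("data-tunnel", DATA_ACL), ("voip-tunnel", VOIP_ACL)]

# Misordered variant: the broad permit comes first, so the deny line is
# never reached and VoIP traffic is pulled into the data tunnel.
DATA_ACL_BAD: List[AclEntry] = [("permit", SITE, REMOTE), ("deny", VOIP, REMOTE)]
TUNNELS_BAD = [("data-tunnel", DATA_ACL_BAD), ("voip-tunnel", VOIP_ACL)]
```

    The same first-match logic is why the overlap between the /16 and the /24 is harmless for tunnel selection, as long as the more specific deny sits above the broad permit.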
  6. bod43 (Guest)

    Cisco routers will not accept that configuration.

    Maybe you can achieve what you want with either
    secondary addressing or HSRP.

    int fa 1
    ip address totally-fake-n-arbitrary mask
    ip address 172.xx.10.0 secondary

    int fa 1
    ip address totally-fake-n-arbitrary mask
    standby ... whatever .. I forget exactly

    You need a designer with a clue.
    bod43, Mar 5, 2010