overlapping IP networks in VLAN

In a Cisco 877 (IOS 12.4(15)T11) there are two Vlan interfaces:

Vlan1 (default vlan) with ip address 172.26.1.1 mask 255.255.0.0

Now I would like to add a Vlan10 with ip address 172.26.16.1 mask 255.255.255.0

i.e. the Vlan10 is actually a subnet of the larger Vlan1 space.

The router refuses this assignment, complaining that the addresses do overlap. Of course this is true. But is it a real problem? Systems on Vlan10 don't need to communicate with Vlan1, but both Vlans are routed to another site over separate IPsec tunnels.

Is there a global config command that would allow this setup?

Rob

The wise Rob enlightened me with:

Maybe you are looking for the wrong solution for a problem?

I don't think it is possible to work the way you want it, unless you really separate the networks (using stuff like vrf etc), but that might not be fun and not much of a solution :-)

What I would look at is:

  • you can use vlan acls (vacl) to filter the traffic between 172.26.0.0/0 and 172.26.16.0/24 (is that possible in your situation? dunno about your l2 environment).
  • ipsec tunnels use an acl to decide what traffic goes into a tunnel. If you have an acl that denies 172.26.16.0 and then allows 172.16.0.0 for the one tunnel, and one that only allows 172.26.16.0 you have it worked out for the ipsec tunnel

Mark

Mark Huizer
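The crypto-ACL idea in Mark's second bullet, as an added example that is not part of the thread: a small first-match model of IOS crypto ACLs (source address only, to keep it short) using the thread's addresses, showing that the deny for 172.26.16.0/24 placed before the /16 permit keeps VoIP traffic out of the site tunnel regardless of crypto map sequence order. Tunnel names and ACL names are made up.

```python
import ipaddress

# Constructed model of Cisco-style crypto ACLs: entries are checked in order,
# the first match decides, and an unmatched packet is implicitly denied.
# A "permit" match means the packet is interesting traffic for that tunnel.
ACL_SITE_TUNNEL = [                 # tunnel carrying the whole site range
    ("deny",   "172.26.16.0/24"),   # carve out the VoIP /24 first
    ("permit", "172.26.0.0/16"),
]
ACL_VOIP_TUNNEL = [                 # tunnel for the VoIP VLAN only
    ("permit", "172.26.16.0/24"),
]

# Same site ACL without the carve-out, to show why the deny matters.
ACL_SITE_NO_CARVEOUT = [("permit", "172.26.0.0/16")]


def acl_permits(acl, src_ip):
    """True if the first matching entry permits src_ip (implicit deny any)."""
    ip = ipaddress.ip_address(src_ip)
    for action, prefix in acl:
        if ip in ipaddress.ip_network(prefix):
            return action == "permit"
    return False


def select_tunnel(src_ip, tunnels):
    """tunnels: ordered list of (name, acl), like crypto map sequence numbers.
    Returns the first tunnel whose ACL permits the packet, or None (clear text)."""
    for name, acl in tunnels:
        if acl_permits(acl, src_ip):
            return name
    return None


TUNNELS = [("site", ACL_SITE_TUNNEL), ("voip", ACL_VOIP_TUNNEL)]
TUNNELS_WRONG = [("site", ACL_SITE_NO_CARVEOUT), ("voip", ACL_VOIP_TUNNEL)]

if __name__ == "__main__":
    for ip in ("172.26.1.50", "172.26.16.20", "10.0.0.1"):
        print(ip, "-> with carve-out:", select_tunnel(ip, TUNNELS),
              "| reversed order:", select_tunnel(ip, list(reversed(TUNNELS))),
              "| no carve-out:", select_tunnel(ip, TUNNELS_WRONG))
```

With the carve-out the VoIP host selects the voip tunnel in either sequence order; without it, the answer depends on which crypto map entry comes first.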

In Cisco IOS, you mean? It works fine in other environments. Maybe another numbering plan would have been sturdier, but this is what has evolved historically.

Ok

It is not a problem to get the ipsec tunnels working. (those are running over an ADSL line that is connected to the router)

What is "a problem" (I have a workaround but I still would like to get the above working) is to have two different LAN segments, implemented as two Vlans in the router config, that have addresses where one is a small subnet of the other.

It is not a problem IP-technically. It is a check/restriction made by IOS. I suspected that there might be some "ip magic-word" command that disables this check (like you have "ip subnet-zero" and "ip classless").

Rob

That was not what I was trying to address. I was trying to address the fact that you wanted the right traffic to take the right tunnel.

Well, not as far as I can tell.

Mark

Mark Huizer

No, that is not a problem. I know how to setup tunnels and how to direct the traffic.

The one and only issue is how to setup two different (Vlan) interfaces for the two kinds of traffic, where one is a small subnet of the other.

Pity... At other locations we use L3 switching with HP Procurve switches and they accept this configuration without issue.

Why we want this: we have decided way in the past to use a 172.xx.0.0/16 subnet for each location of the company, and to use 172.xx.yy.0/24 ranges for different kinds of devices (servers, printers, pcs etc). The 172.xx.16.0/24 subnet is used for VoIP phones. But those are on a separate Vlan. It would be convenient to have this split made in the router, but when Cisco cannot do that we can do it in the ProCurve switch instead.

Rob

Cisco routers will not accept that configuration.

Except:-

Maybe you can achieve what you want with either secondary addressing or HSRP.

int fa 1
 ip address totally-fake-n-arbitrary mask
 ip address 172.xx.10.0 255.255.255.0 secondary

or

int fa 1
 ip address totally-fake-n-arbitrary mask
 standby ... whatever .. I forget exactly

You need a designer with a clue.

bod43
