Configuring Secondary IPs on an Interface vs. VLAN Interfaces vs. Sub-Interfaces

dhyland
Level 1

Can someone provide a bit of substance on the reasoning behind using these various methods of creating networks on a router?

I've often seen routers configured that have an interface configured with the 'secondary' command to add additional networks (additional IPs to be used as gateways) when it would seem that a sub-interface (or VLAN interface) would have done the trick.  What are the differences in these configuration methods and some of the reasoning behind them?          

Thanks in advance!

4 Replies

John Blakley
VIP Alumni

It can be for a couple of reasons. The first would be that maybe the primary native vlan has run out of address space and a new subnet needs to be spun up pretty quickly. The second may be a management issue of the person that is configuring the device and may not know how to configure vlans.

The best way is to create vlans, but sometimes it's just put as a secondary address on the router to get by.

HTH,
John

*** Please rate all useful posts ***


Frankaviglia
Level 1

I might add that if both subnets coexist in the same Network Segment there is no separation between the two, both physical and Logical.

When instead they are separated into different VLANs, there is much more control on what flows between the two VLANs.

However, this second scenario requires at least a Manageable Switch and, when used with Router on a Stick, has got very poor performance since the router has to first receive the packet and then send it back onto the other VLAN, thus reducing the throughput by 50%.

When instead everything ends up on the same interface, by means of secondary IP addresses, there is no need for Manageable Switch, even a regular cheap device will work.

Francesco

*** Please rate all useful posts ***


Frankaviglia wrote:

I might add that if both subnets coexist in the same Network Segment there is no separation between the two, both physical and Logical.

Actually there is some logical separation.  NICs should logically ignore packets not part of their subnet; much as NICs should logically ignore packets that don't have their IP.  The latter would also handle the former except in cases of directed/subnet broadcasts.

On a router, having traffic in different subnets, even on the same interface, allows ACLs to also distinguish between packets from different subnets, another case of logical separation.

PS:

Historically, before there were VLANs, you might use secondary addressing for the above reasons when you weren't able to use different physical interfaces.  As also noted in John's post, secondaries then, and still now, can be very useful for address space migrations.  It allows both an "old" and "new" network while performing the migration.  When using DHCP, if you make the "new" network the primary interface address, DHCP clients will seamlessly migrate their host IPs from the old to the new network when they renew their DHCP lease.

Perhaps another way to look at this question is to think of broadcast domains, which is the group of devices that will receive each other's broadcasts. A broadcast domain is one way to understand the boundary of the network. And essentially a broadcast domain is a VLAN and a VLAN is a broadcast domain. So if you create a different VLAN you have created a new and entirely separate network from the one that existed. And creating a subinterface is the same because a subinterface is how you handle a VLAN on a router interface.

So if you want to create a new network with its own address space then you would use VLAN or subinterface. And if you want to increase the size of the address space within a network (or to accommodate another network/subnet within that network) then you would use secondary addresses.

HTH

Rick

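The three methods discussed in this thread, side by side as an added IOS configuration example (not posted by any of the participants). Interface names, VLAN numbers, the ACL name LAN-IN and the RFC 5737 documentation addresses are all constructed placeholders; the three blocks are alternatives for the same two subnets, not one running configuration, because IOS rejects overlapping subnets on different interfaces.

```cisco
! --- 1. Secondary address: one interface, one broadcast domain, two subnets.
!     Works behind an unmanaged switch, but every host sees both subnets'
!     broadcasts and can simply configure itself into the other subnet.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip address 198.51.100.1 255.255.255.0 secondary
 ip access-group LAN-IN in
!
! --- 2. Sub-interfaces (router on a stick): one 802.1Q trunk to a managed
!     switch, one broadcast domain per VLAN. Inter-VLAN traffic crosses the
!     trunk twice, which is the throughput cost mentioned above.
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
 ip access-group LAN-IN in
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 198.51.100.1 255.255.255.0
!
! --- 3. VLAN (SVI) interfaces on a Layer 3 switch: same separation as 2,
!     routed on the switch itself, so no trunk round trip.
vlan 10
vlan 20
!
ip routing
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip access-group LAN-IN in
!
interface Vlan20
 ip address 198.51.100.1 255.255.255.0
!
! The ACL is the "logical separation" the router still provides in case 1:
! both subnets arrive on the same interface, so the rules match on source
! and destination subnet rather than on interface. Allow HTTPS from the
! 192.0.2.0/24 hosts to the 198.51.100.0/24 servers, block the rest of that
! direction, and let both subnets reach everything else.
ip access-list extended LAN-IN
 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 443
 deny   ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip 198.51.100.0 0.0.0.255 any
```

In case 1 the ACL only governs traffic that actually passes through the router; a host that renumbers itself into the neighbouring subnet talks to it directly on the shared segment, which is why the VLAN options are the ones that give an enforceable boundary.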
