Solved: Secondary LAN IP VS Subinterface

johnlloyd_13 · ‎10-09-2012

hi all,

i have a 1941 installed on a client site with 10.0.0.0/16 required subnet. WAN is via MPLS VPN.

can someone let me know if it's a good practice to use secondary IP addresses or should i go using subinterface? what are the pros and cons of using one over the other.

still contemplating on the setup (not yet in production) and shall be reading your thoughts. thanks in advance!

#sh ver

Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M6, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Compiled Wed 01-Jun-11 15:31 by prod_rel_team

#sh run int g0/1

Building configuration...

Current configuration : 410 bytes

!

interface GigabitEthernet0/1

description Customer Network

ip address 10.0.0.1 255.255.255.0 secondary

ip address 10.0.1.1 255.255.255.0 secondary

ip address 10.0.2.1 255.255.255.0 secondary

ip address 10.0.3.1 255.255.255.0 secondary

ip address 10.0.4.1 255.255.255.0 secondary

ip address 10.0.5.1 255.255.255.0 secondary

ip address 10.0.8.1 255.255.255.0

duplex full

speed 100

no keepalive

shillings · ‎10-10-2012

Subinterfaces will also keep traffic in separate broadcast domains which is another benefit. However, this means you need to apply additional configuration in order to forward broadcasts between VLANs. For example, so that DHCP clients can communicate with a DHCP server in another VLAN. The ip helper-address command will forward the most common ones, such as DHCP. Place it on the subinterface where the DHCP clients reside and set the helper address as the DHCP server. Google and I'm sure you'll find plenty of examples.

Subinterfaces will tag traffic with a VLAN ID, so I'm rather presuming your connected devices are also able to VLAN tag the traffic. What devices are you connecting your router GigabitEthernet0/1 interface?

View solution in original post

shillings · ‎10-10-2012

If you use sub-interfaces, then you can apply an ACL on each one to filter inter-VLAN traffic.

You'd probably have to use policy based routing to do the same on secondary interfaces and I think there is a processor impact on most platforms. Cisco recommend avoiding PBR unless you really have to use it.

johnlloyd_13 · ‎10-10-2012

hi,

thanks for your input! good point on the ACL.

i don't think we'll be doing any PBR on this router anytime soon and i also don't think there would be such impact on the especially on an ISR2.

so do you go for doing a subinterface for each subnet on the LAN interface?

shillings · ‎10-10-2012

Subinterfaces will also keep traffic in separate broadcast domains which is another benefit. However, this means you need to apply additional configuration in order to forward broadcasts between VLANs. For example, so that DHCP clients can communicate with a DHCP server in another VLAN. The ip helper-address command will forward the most common ones, such as DHCP. Place it on the subinterface where the DHCP clients reside and set the helper address as the DHCP server. Google and I'm sure you'll find plenty of examples.

Subinterfaces will tag traffic with a VLAN ID, so I'm rather presuming your connected devices are also able to VLAN tag the traffic. What devices are you connecting your router GigabitEthernet0/1 interface?