IP secondary

marcosmeilan
Level 1

If we have two IPs configured on an interface (primary and secondary), what do we have to do so that the hosts of both subnets cannot reach each other?

Thank you

12 Replies

pflunkert
Level 4

Hi,

you can separate the subnets, but you need an ACL. In the normal configuration both subnets are in the routing table. Do you have a hub or a (Cisco) switch connected to the router?

Regards

Peter

Hello Peter

I understand that if I had my router connected to a Cisco switch I could make a trunk between them and subdivide the router interface so that there would be no connectivity between both subnets. But right now I have my router and a hub. With an interface with a primary and a secondary IP, can I make it so that there is no connectivity between both subnets?

Thank you Peter...

my answer was also valid for a router. When you configure a router with two IP addresses on one interface, you have both routes in the routing table. And this means that you don't separate the clients. The client on subnet 1 will send the traffic to the hub, the hub to the router, and the router will forward the traffic back to the hub. The router knows both subnets. When you want to separate the clients, you should use an ACL on the Ethernet router interface.

Regards

Peter

I think I do not understand your question very well. But here is what I think may get to the point you are asking about.

There are two ways in which a router interface may have multiple IP addresses: with subinterfaces or with secondary addresses. With subinterfaces it means that there is something like Ethernet VLANs or maybe Frame Relay DLCIs which are separate subnets. They are connected on the router and the router is the only way that devices on one subinterface (VLAN or whatever) can communicate with devices on the other subinterface. The router is the only communications link.

With secondary addresses it means that several subnets are present on the same layer two media (like Ethernet) and in the same broadcast domain. In this situation devices on one subnet may use the router to get to devices in the other subnet but it is not required. Devices in one subnet may communicate directly with devices in the other subnet without using the router because they are in the same subnet. In this situation the PCs probably have the router configured as their default gateway. But if a PC in one subnet wants to communicate with a server in another subnet and would ARP for the server, the server would hear the ARP, would respond without the router, and the devices could communicate directly.

If my understanding of your question is not correct, please explain what the question is about.

HTH

Rick

Your mail explains very well what I am interested in, which I understand is that when you configure an interface with a primary and a secondary IP these subnets are always going to have connectivity between them. Is it this way? Peter's mail above mentions configuring an access-list on the interface. Is it possible to separate these subnets with access-lists? Is it possible?

Thank you

Hi,

I made a test in our lab. The clients on different subnets can reach each other when they are connected to a hub and the hub is connected to the router. On the router I configured two IP addresses (one as secondary). With an ACL on the Ethernet interface I can restrict the traffic. I use an extended ACL, but it's not important whether you use an in- or outbound ACL on the Ethernet interface.

So the answer to your last question: it's possible to separate the clients through an ACL on the Ethernet interface.

Regards

Peter

I think your analysis is only partially correct. If the devices in one subnet ALWAYS send packets for remote addresses ONLY to their default gateway, then your test is correct. But if one of the devices sends an ARP request for the remote address in the other subnet that is secondary, then the destination machine will get the ARP and will send a response. In that case the machines will talk directly to each other and there is nothing you can do on the router to keep the subnets separate.

HTH

Rick

IF (as Peter says) you put an ACL on the router,

and IF (as Rick says) each host sends only to its default gateway,

and IF (as I say) the two subnets, as defined at the hosts, do not intersect,

THEN the two hosts will not communicate.

But it's an awful lot of ifs. I suppose it is fine if you want to stop casual traffic between the subnets, but it is hardly what I would call security.

I wonder if we can do something better with vlan maps? Marcos, what switch are you using in your network? (P.S. I just re-read that he is using a hub, so that idea is out.)

Kevin Dorrell

Luxembourg

The requirement was two subnets as primary and secondary on the router. So my statements are all correct.

When he separates the clients through subnets with the router as default gateway and he uses an ACL, everything will work as described.

A correct function is necessary!

Regards

Peter

If I understood the original question, it was: with a router interface with a primary IP address and a secondary IP address, can we reliably separate the two groups of devices? The answer is NO. In some cases Peter has proved that we can, but in other cases we cannot. And the difference does not reflect anything we do on the router; it is a question of how the workstations behave. So we cannot reliably separate the groups of devices.

If my understanding of the question is not correct, please clarify.

HTH

Rick

Hello:

I have performed the tests that Peter describes and it has worked. I have put an access-list that does not allow connectivity between both subnets and it has worked.

Thanks to all for your help.

I could not agree more with Rick.

There are cases of end-stations that know nothing about subnets or gateways and would always ARP to resolve the IP address of the destination they want to reach.

M.
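Rick's and M.'s point about host behaviour, as an added example that is not from any poster in this thread: a small Python model of the hub topology discussed here, with constructed addresses, showing that an ACL on the router interface only takes effect when the sending host's own mask says the destination is off-link.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed lab like the one in the thread: one hub, one router interface
# carrying a primary and a secondary address, hosts of both subnets on the wire.
ROUTER_PRIMARY = "10.1.1.1/24"    # constructed, not an address from the thread
ROUTER_SECONDARY = "10.1.2.1/24"  # constructed

# Peter's ACL idea, modelled as (action, source net, destination net):
# first match wins, implicit deny at the end as on a Cisco ACL.
ACL = [
    ("deny", "10.1.1.0/24", "10.1.2.0/24"),
    ("deny", "10.1.2.0/24", "10.1.1.0/24"),
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),
]

def host_next_hop(host_cidr, dst):
    """Standard host forwarding decision. If the host's own mask says dst is
    on-link, the host ARPs for it directly on the hub; otherwise it sends the
    packet to its default gateway (the router)."""
    host = ip_interface(host_cidr)
    return "direct" if ip_address(dst) in host.network else "gateway"

def router_permits(src, dst, acl):
    """Evaluate the interface ACL for a packet the router actually receives."""
    src, dst = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in ip_network(src_net) and dst in ip_network(dst_net):
            return action == "permit"
    return False  # implicit deny

def delivered(host_cidr, dst, acl=ACL):
    """Does a packet from the host reach dst? On a shared hub a direct ARP
    exchange never passes through the router, so the ACL cannot intervene."""
    if host_next_hop(host_cidr, dst) == "direct":
        return True
    return router_permits(str(ip_interface(host_cidr).ip), dst, acl)

def thread_scenarios():
    """The cases argued in the thread, all against the same router ACL."""
    return {
        "correct mask, via gateway, ACL blocks": delivered("10.1.1.10/24", "10.1.2.20"),
        "host mask covers both subnets, direct ARP": delivered("10.1.1.10/16", "10.1.2.20"),
        "host with no subnet concept, ARPs for everything": delivered("10.1.1.10/0", "10.1.2.20"),
        "correct mask, off-net destination still permitted": delivered("10.1.1.10/24", "192.0.2.5"),
    }

if __name__ == "__main__":
    for case, reached in thread_scenarios().items():
        print(f"{case}: {'reached' if reached else 'blocked'}")
```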
