Fabrizio Nurra

Same vlan / subnet in different vrfs

Hi everybody.
I have to configure - on the same router - two different layer 3 gateways for the same subnet / vlan. The two layer 3 interfaces have to be in different VRFs.

The first layer 3 already exists: it is a SVI interface in vrf XYZ and ip address X.Y.Z.1/24.
Now I have to configure the second layer 3 interface on the same router. Obviously I can't use the same vlan id (I can't configure two interface vlan X), so I thought to configure a routed interface with ip address in the same subnet (X.Y.Z.10/24) but in a different vrf (see attached file). Unfortunately it seems it's not working: the switch connected to 7600 "sees" the routed interface mac-address from the 7600 switch access port on vlan X. I think it depends on the system-wide vlans used by 7600.
Any suggestion about how to meet the goal?



Elliott Willink

I have re-read this a few times and I can't quite picture what you are trying to do. Is this a test/hypothetical question or is there a real-world networking outcome you want to achieve?

Hi Elliott,

unfortunately this is a real case: a request from a client of my company. It's a bit difficult to explain how and why we arrived at this foolish requirement, but the heart of the matter is that I have to achieve this architecture.

Edwin Matos


Even though it sees the same MAC address, it is on a different VLAN.

VLAN X should be able to ping and VLAN Y should be able to ping, each on its respective VRF. They are two different broadcast domains, and MAC addresses should be isolated, even though you will probably see the same MAC address.

A question, though: are you using an access port on the switch, or a trunk? If you are using a trunk, make sure you allow only the right VLAN.


Hi Edwin,

the vlan is the same! Or better, the broadcast domain is the same! So, a server in vlan X must be able to ping in VRF A, and a server in the same vlan X must be able to ping in vrf B. As you can see from the picture I attached, the broadcast domain is realized by two access switches.

As the broadcast domain is the same, I had to configure a SVI interface and a routed interface (as I can't configure the same SVI two times, one time in vrf A and one time in vrf B).



And that's where the problem exists: same broadcast domain with the same MAC address. Would you be able to use a separate physical interface for each VRF, or at least put the sub-interfaces on another physical interface? Sub-interfaces inherit the MAC address from the physical interface, and since you are landing on the same broadcast domain you will get the same MAC address on the same VLAN.

Here is my research.

Known facts: We are not able to change a sub-interface's MAC address.

1) I plugged interfaces g0/0 and g0/1 of a router into the same VLAN 1 of a switch, and only one of the interfaces will obtain an IP address. This is because they are on the same domain, and two interfaces cannot have the same subnet without a VRF setup.

2) I created the SITE1 and SITE2 VRFs on two separate interfaces, G0/0 and G0/1 (these could be sub-interfaces, as long as they are on separate physical interfaces), landing on the same VLAN of the switch. Both received an IP address from the same subnet via DHCP (VLAN 1).

3) This won't work when they are sub-interfaces with different VRFs on the same physical interface. This is due to the fact that you are landing on the same broadcast domain: basically you are separating layer 3 on the router but not layer 2 on the switch, which depends on MAC addresses.

From Switch VIEW.

SW0-MAT#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
                 Fas 0/9            139        R B S I    CISCO1941/Gig 0/0

                 Fas 0/4            151        R B S I    CISCO1941/Gig 0/1




RIKEV2#show vrf
  Name                             Default RD            Protocols   Interfaces
  SITE1                            101:101               ipv4        Gi0/0
  SITE2                            102:102               ipv4        Gi0/1


RIKEV2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0    YES NVRAM  initializing          down
GigabitEthernet0/0  YES manual up                    up
GigabitEthernet0/1  YES manual up                    up

Back to Switch



Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
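
An added illustration, not part of any post in this thread: a minimal MAC-learning model of the Layer 2 behaviour discussed above. It shows two gateways with different MACs coexisting in one VLAN, one MAC in two VLANs staying separate, and one MAC on two ports of the same VLAN showing up as a flapping entry. The port names and VLAN numbers are borrowed from the outputs and snippets in the thread; the MAC addresses are constructed documentation-range values, and the class and function names are hypothetical.

```python
from collections import defaultdict

class LearningSwitch:
    """Minimal 802.1Q learning table: one port per (vlan, mac) entry."""

    def __init__(self):
        self.table = {}                # (vlan, mac) -> port last seen on
        self.moves = defaultdict(int)  # (vlan, mac) -> count of port changes

    def learn(self, vlan, src_mac, port):
        key = (vlan, src_mac.lower())
        previous = self.table.get(key)
        if previous is not None and previous != port:
            self.moves[key] += 1       # same MAC, same VLAN, new port: a move
        self.table[key] = port

    def egress_port(self, vlan, dst_mac):
        """Port a unicast frame is sent to; None means unknown (flooded)."""
        return self.table.get((vlan, dst_mac.lower()))

    def flapping(self, threshold=2):
        """Entries that changed port at least `threshold` times."""
        return sorted(k for k, n in self.moves.items() if n >= threshold)

def replay(frames):
    """Feed (vlan, source MAC, ingress port) observations to a fresh switch."""
    switch = LearningSwitch()
    for vlan, mac, port in frames:
        switch.learn(vlan, mac, port)
    return switch

# Constructed sample data (assumption): RFC 7042 documentation MACs.
SHARED = "00:00:5e:00:53:01"
MAC_A, MAC_B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"

# Two gateways with their own MACs in one VLAN, as in the two-port test above.
distinct_macs = [(10, MAC_A, "Fa0/9"), (10, MAC_B, "Fa0/4")] * 3
# One MAC seen in two different VLANs: separate table entries.
two_vlans = [(10, SHARED, "Fa0/9"), (20, SHARED, "Fa0/4")] * 3
# One MAC seen on two ports of the same VLAN: the entry keeps moving.
same_vlan = [(10, SHARED, "Fa0/9"), (10, SHARED, "Fa0/4")] * 3

if __name__ == "__main__":
    for name, frames in [("distinct MACs", distinct_macs),
                         ("same MAC, two VLANs", two_vlans),
                         ("same MAC, same VLAN", same_vlan)]:
        sw = replay(frames)
        print(name, "-> flapping:", sw.flapping(), "table:", sw.table)
```

In the last case, frames addressed to the shared MAC follow whichever port was learned most recently, so only one of the two gateways receives them at any moment.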



Hi Edwin,

 did you test it on a 7600 platform?



Is it not possible to use dot1q subinterfaces? Something like:


inter g0/1.10
 encapsulation dot1q 10
 ! VRF first: entering ip vrf forwarding removes an IP address already on the interface
 ip vrf forwarding dot10
 ip address

inter g0/1.20
 encapsulation dot1q 20
 ip vrf forwarding dot20
 ip address

Hi mfurnival,

in this case, I should configure the access switches with a trunk interface. But that's not possible, as the servers are in the same vlan. Refer to the picture I attached.

 This configuration could work, but I'm sure I would use at least one physical interface, something like:


inter g0/1
 encapsulation dot1q 10
 ip vrf forwarding dot10
 ip address

inter g1/1.20
 encapsulation dot1q 20
 ip vrf forwarding dot20
 ip address



Unfortunately, this is an operating environment, with critical services, so I can't do many tests.

Can you explain what requirement leads you to this type of setup? Maybe we can think of some other way.



Maybe you need a secondary IP address on the same SVI interface?

Best Regards,