Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
735
Views
5
Helpful
3
Replies

looking for ideas on how to segment overlapping vlans/subnets

Go to solution
suelange
Level 1
Level 1

‎03-01-2019 08:13 AM

Thought I posted this yesterday but i don't see it in my discussions so adding again. Sorry if it made it but my profile didn't get updated.

 

We have a legacy network, 10.20.1.1/16.  It has been "self governed" to have internal break outs  of usage by function.  So for example routers/switches are in 10.20.1.0; management devices like ILO and such are in 10.20.2.0; servers in 10.20.3.0 etc.  But they are all /16 masks, pointing to 10.20.1.1 as the gateway, which is an SVI for vlan1 on the core 7K.

 

We have been mandate to segment these for the purpose of security and being able to police what traffic can go where.  The mechanism to perform that function will not allow VMs in VxLans to be co mingled with physical devices on vlans within the same subnet- IP range.

 

On the surface it would seem easy enough to just create all new vlans and IP ranges and "move" everything but we are talking about a whole lot of things that will have far reaching fall out.  ISE for example is going to be a major headache to re-IP, as would be our firewall and proxy servers and routers because everything touches them or points to them and would have to be adjusted.  But a number of our servers also would have problems being re-IP'd because some applications (sadly) have hard coded IPs in them.  

 

Our team batted around the idea of leaving the IP addresses alone, just changing mask and gateway, then creating vlans and SVIs for subnets of 10.20 on the 7K.  That's also relatively easy but the question is how do I keep things up and running during the migration?  We have a short window but we are talking over 500 servers and additional hardware appliances, etc...we can't do this all in one fell swoop.  

 

I toyed with using a VRF for the larger 10.20.0.0/16 and another VRF for the subnets.  Then it would just be a matter of changing the incoming port from one VRF to another as the owners of the devices changed their gateway and mask.  Unfortunately many of these units are hanging off of single ether-channel links.  It's kind of an all or nothing deal.  And, I'm not sure how I would route between the VRFs so that traffic going from the segmented 10.20.0.0 network could make it to the larger 10.20.0.0 network to find devices not yet migrated.

 

The only way to create the gateways (SVIs) for the smaller subnets is to change the mask on the current SVI (10.20.1.1) from /16 to /24.  Otherwise I will not be able to create SVIs in the rest of the 10.20 range as it would be seen as overlapping.  But as soon as I change that mask, traffic is not going to route back properly to devices that are not yet adjusted for the new mask/gateway they would need to use. 

 

ideas?  We can't be the only ones that have had to carve up a gigantic legacy network.  

 

Again it would be BEST if they would slow down, plan this out, create new networks and migrate in batches.  That isn't the mandate unfortunately.  The mandate is, do this now, do it fast, and don't have any down time....

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎03-01-2019 12:35 PM - edited ‎03-01-2019 12:36 PM

This is a major project and requires a lot of planning, documentation, and testing. This is not something you can just rush into as it can quickly become your biggest nightmare especially if your environment can't tolerate downtime. I agree with you that the best way to approach this is by creating new subnets and migrate in batches.

 

View solution in original post

3 Replies 3

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎03-01-2019 12:35 PM - edited ‎03-01-2019 12:36 PM

This is a major project and requires a lot of planning, documentation, and testing. This is not something you can just rush into as it can quickly become your biggest nightmare especially if your environment can't tolerate downtime. I agree with you that the best way to approach this is by creating new subnets and migrate in batches.

 

Go to solution
suelange
Level 1
Level 1
In response to Reza Sharifi

‎03-01-2019 12:48 PM

Thank you!  I appreciate the validation.  Not that anyone is going to listen to me but I'll sure pass that along.

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to suelange

‎03-02-2019 11:07 AM

No problem and good luck!

If they don't listen and what to do this without detail planning, they will see that things quickly fall apart and results will not be pleasant.  I just did the exact same thing you are trying to do last year. It was all done with no or minimal downtime but it required a lot of planning and coordination with business owners and other stakeholders as we could not effort to have downtime. It is also very important to have qualified and dedicated engineers to do this type of project as not every engineer is interested in doing a good job during none production hours (after midnights) and weekends.

HTH 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card