06-28-2010 04:19 PM - edited 03-06-2019 11:48 AM
Hey,
Our network is currently using the 192.168.1.0/24 IP address range. I want to migrate to a network that will support more than 254 hosts. I'm thinking about using 10.11.0.0/16.
Although both networks will be on the same wire, they won't be able to talk to each other unless I implement some sort of routing between them. We have an ASA5510 as our main firewall, but it won't route between 2 internal networks so I can't use that. I've got a 3550 switch that will do layer 3 routing. What would be the best way to set this up?
This is what I was trying to do. Connect the 3550 to the rest of the network and give that connection an IP address of 192.168.1.250. Set the IP address for VLAN1 to 10.11.0.254.
interface GigabitEthernet0/1
no switchport
ip address 192.168.1.250 255.255.255.0
interface Vlan1
ip address 10.11.0.254 255.255.0.0
On my workstation I add a route to the 10.11.0.0 network via 192.168.1.250. On a computer on the other network make 10.11.0.254 the default gateway.
So far so good. From my computer I can ping 192.168.1.250 and 10.11.0.254. From the other computer I can ping 10.11.0.254 and 192.168.1.250, but I can't seem to ping from one computer to the other from either direction.
Is there a better way of doing this?
Thanks
David Kirk
06-29-2010 12:55 AM
davidrkirk wrote:
Hey,
interface GigabitEthernet0/1
no switchport
ip address 192.168.1.250 255.255.255.0
interface Vlan1
ip address 10.11.0.254 255.255.0.0
Is there a better way of doing this?
Thanks
David Kirk
David
A more common approach is to use 2 vlan interfaces, i.e. on the 3550
int vlan 2
ip address 192.168.1.250 255.255.255.0
int vlan 1
ip address 10.11.0.254 255.255.0.0
and then assign gi0/1 into vlan 2, i.e.
int gi0/1
switchport mode access
switchport access vlan 2
It's not clear where your 192.168.1.x clients are connected. You would need to create vlan 2 on any other switches and assign your clients into that vlan. This makes things more complicated, so personally I would use vlan 1 as the vlan for your 192.168.1.x clients as this is the default vlan and they will already be in that vlan. Then use vlan 2 for your new network.
Finally 10.11.0.0/16 is a big network. Rather than simply use a bigger network you should keep your 192.168.1.x and have a 192.168.2.x for a new vlan. If you run out of addresses again just add 192.168.3.x etc. That way your vlans which are L2 broadcast domains will not have too many hosts in them.
So for each vlan you need you would have a L3 vlan interface on the 3550 switch. And then on the 3550 switch you should have a default route pointing to your firewall, i.e.
ip route 0.0.0.0 0.0.0.0
On the firewall you would need to add routes for the internal vlans on the 3550 switch, e.g.
route inside 192.168.2.0 255.255.255.0 <3550 ip address connecting to firewall>
Note that you don't have to, but it is generally better to use a dedicated vlan for the connection between the 3550 and the firewall.
The above would mean all traffic is routed off the 3550 and only sent to the firewall if destined for the internet. This is fine if you do not need to firewall between internal vlans, which it sounds like you don't need to. You would need some downtime to set all this up if you use a dedicated vlan for 3550 -> firewall, but otherwise you could set it up live if you wanted.
Also when testing make sure the PCs do not have personal firewalls/anti-virus which could block incoming pings.
Jon
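A small forwarding-path check for the design Jon describes (SVI per VLAN on the 3550, default route to the ASA, ASA routes back to the 3550). This is an added example, not code from the thread: the 3550 SVI addresses follow the posts, while the ASA inside address 192.168.1.1, the VLAN 2 SVI 192.168.2.1 and the outside addresses in 203.0.113.0/30 are assumed sample values.

```python
"""Trace where packets go in the two-VLAN design from the thread.

Added example, not part of the original thread. The 3550 SVI addresses
follow the posts; the ASA inside address, the VLAN 2 SVI address and the
outside addresses (203.0.113.0/30) are assumed sample values.
"""
import ipaddress

# Each device: connected interface addresses plus a static routing table of
# (prefix, next_hop); next_hop None means the prefix is directly connected.
SWITCH = {
    "name": "3550",
    "addrs": ["192.168.1.250/24", "192.168.2.1/24"],
    "routes": [("192.168.1.0/24", None), ("192.168.2.0/24", None),
               ("0.0.0.0/0", "192.168.1.1")],  # 'ip route 0.0.0.0 0.0.0.0 <asa>'
}
# ASA carrying 'route inside 192.168.2.0 255.255.255.0 192.168.1.250'.
ASA_OK = {
    "name": "asa",
    "addrs": ["192.168.1.1/24", "203.0.113.2/30"],
    "routes": [("192.168.1.0/24", None), ("203.0.113.0/30", None),
               ("192.168.2.0/24", "192.168.1.250"), ("0.0.0.0/0", "203.0.113.1")],
}
# The same ASA with the route for the new internal vlan forgotten.
ASA_MISSING = {**ASA_OK,
               "routes": [r for r in ASA_OK["routes"] if r[0] != "192.168.2.0/24"]}

def lookup(device, dst):
    """Longest-prefix match over the device's table; returns (network, next_hop) or None."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh in device["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(devices, first, dst, max_hops=8):
    """Follow next hops starting at device 'first'; returns (device path, outcome)."""
    by_addr = {str(ipaddress.ip_interface(a).ip): d for d in devices for a in d["addrs"]}
    path, dev = [], first
    for _ in range(max_hops):
        path.append(dev["name"])
        match = lookup(dev, dst)
        if match is None:
            return path, "dropped"                 # no route at all
        if match[1] is None:
            return path, "delivered"               # destination subnet connected here
        if match[1] not in by_addr:
            return path, "exit via " + match[1]    # leaves the modelled network
        dev = by_addr[match[1]]
    return path, "loop"
```

trace([SWITCH, ASA_OK], SWITCH, "192.168.2.10") returns (["3550"], "delivered"), which shows that vlan-to-vlan traffic never reaches the ASA and so is not inspected by it; with ASA_MISSING the firewall's reply toward 192.168.2.10 instead leaves via its outside default route, which is the symptom of forgetting the 'route inside' line.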
06-29-2010 02:26 AM
If you need a larger IP scope to support more hosts, why can't you just change the subnet mask to /23 on the network appliances and the DHCP server's scope configuration? Then have all the clients release their IP address leases and then renew.
Victor
06-30-2010 07:21 PM
Jon,
Thanks for your reply. We are a 24 hour business and I was hoping to minimize any downtime. All the computers I want to move to the new IP address range are in vlan1. If I create a new vlan for the other IP address range then I'll have to change all our vlan1 ports to the new vlan and as soon as I do that they won't be able to communicate with the other network until they get their new IP address.
What I was hoping to do was have both IP address ranges in vlan1. I would reduce the DHCP lease time to 1 hour and then delete the existing 192.168.1.0/24 scope and create a new one for 10.11.0.0/16. When the computers try to renew their DHCP lease it would give them an address on the new network, and if they need to communicate with a host that hasn't updated its address yet, it would go via the route on the 3550. Once all hosts have an address on the new network I would get rid of the routing.
My only problem with this is that in my testing I can't seem to connect to the other network through the 3550 at the moment. From the 3550 I can ping both my computer on 192.168.1.81 and my test laptop on 10.11.0.5. I just can't ping between the 2 computers.
Both computers have a route to the opposite network via the 3550. The 3550 knows where each network is, so I assume I don't need to add any routes in there.
Am I doing something wrong? Does the 3550 know that both ports are connected to the same vlan and refuse to forward packets?
Thanks
09-28-2010 07:58 PM
Has IP routing been enabled on the 3550 switch? (switch(config)# ip routing)
09-29-2010 05:33 PM
Yes, ip routing is enabled.
I have (mostly) completed the IP address change now. I ended up using the 3550 as the default gateway for the new IP address range and adding a pfsense box to the network. The pfsense box had 2 gigabit interfaces, both plugged into the same network, but with addresses on both subnets.
I changed DHCP to offer addresses on the new network and manually updated all the printers, servers and any other statically assigned hosts.
Now I'm just watching the logs on the default gateway to see what is still trying to connect to an old IP address and then track down the service and reconfigure it. I'm almost done. Then I can get rid of the pfsense box.
Thanks
David Kirk
09-30-2010 02:17 AM
Use a secondary address on your current routing setup. Ugly, yes, but it would probably work until you get things changed over... Oops, I see this is an old thread, disregard...