Single Nic with Multiple IPs to Single Interface with Multiple VLANS

tfmoseley2
Level 1

I have a customer who needs to have a laptop hooked to the network.  Being a laptop it has a single network interface. The customer is balking at purchasing a usb NIC for a second interface and so is creating a primary and aliased IP on the NIC card.  The network switch interface is a 4500 series with multiple VLANS and a mix of static and dynamic routing on it.  He needs to send and receive data on both IP addresses and said data needs to get to devices that are on different VLANs.

The customer insists that his engineers have done this with a different switch, but I am in an accredited environment and constrained by what type of equipment is allowed (any CISSPs out here know the dilemma).  I'm not convinced there is a readily identifiable solution since this is data and data but I wanted to put it out to the community since it seems like responses here are pretty quick.  

I've attached a jpg that more or less depicts my dilemma.  Yes and no responses are much appreciated, especially if it will help explain to the customer why they cannot do what they want!


John Blakley
VIP Alumni

Ted,

If you are only allowed the 1 nic, then yes, you won't be able to pass traffic that is destined for 2 different vlans. I'm going to state the obvious, but the laptop is not going to tag its traffic (unless you have a nic that supports tagging). So, the laptop is going to be a member of the native vlan (no tagging). The problem comes in that you have a trunk toward the laptop wanting to support 2 separate vlans, which also indicates that you're going to tag at least one of those.

On another note, if you have 2 vlans: 192.168.1.0/24 (vlan 1)  and 10.10.10.0/24 (vlan 10), then these subnets belong to those vlans. You wouldn't be able to have a laptop on vlan 1 (native) with a 10.10.10.10 address as a secondary and be able to pass traffic because the switch is looking for either a tag or the switch is looking for access ports that are members of the vlan 10.

What you don't mention is if the subnets that the customer needs to support are already attached to SVIs. If they are, then the above scenario would be the issue, but if they're not then you very well could put a secondary address on the vlan that the workstation will be a member of and you can pass traffic for both subnets with no issue.

For example, if the customer had 192.168.1.50 as the primary address and 15.15.15.15 as the secondary address on the laptop, and on the switch you had vlan 1 with address 192.168.1.1 and vlan 10 with 10.10.10.1, then the 15.15.15.0/24 isn't an issue. You can put that as a secondary on the vlan 1 svi and the laptop will be able to pass traffic for both subnets.

HTH,

John

HTH, John *** Please rate all useful posts ***

John,

Thanks for the quick response.  I think I got most of what you were talking about.  I didn't configure the 4507 but I have looked at the configuration enough to be fairly certain we are not using any switched virtual interfaces (SVI) on it.  It does have me curious if this might be something I could do.  I'll need to do a little more reading on SVIs to see if that would work.

If I understood you correctly it could become less of a VLAN interface issue and more of being able to have the interface understand how to route information for both networks? Any chance you could help unravel the SVI question a little further?

Thanks again!

Ted

Ted,

If you don't have svi's on the switch, something else has to be routing between vlans for them. Have you had a chance to look at the router? They may be running a router-on-a-stick configuration and not doing any routing on the 4507. Basically, you have 2 ways of routing for a vlan: Router-on-a-stick or L3 SVIs on the switch.

Example of router-on-a-stick would be:

RouterA:

int fa0/0
 ip address 192.168.1.1 255.255.255.0
int fa0/0.2
 encapsulation dot1q 2
 ip address 192.168.2.1 255.255.255.0
int fa0/0.3
 encapsulation dot1q 3
 ip address 192.168.3.1 255.255.255.0

On the switchport of the switch that the router connects to, it would be configured as a trunk port. On the switch, you'd have vlans 1,2,3 (vlan 1 is fa0/0). Then your interconnected switches would have these vlans as well, but for a host on vlan 3 to get to a host on vlan 1, it would have to go to the router for it to route.

An example of the 4507 with L3 SVI:

ip routing
vlan 2
vlan 3
int vlan 1
 ip address 192.168.1.1 255.255.255.0
int vlan 2
 ip address 192.168.2.1 255.255.255.0
int vlan 3
 ip address 192.168.3.1 255.255.255.0

In the SVI scenario, a router isn't needed to route because the switch has the L3 functionality to do it. So a host on vlan 3 will go up to the switch and route to vlan 1 at the switch level. As far as L2 switches, you won't have the ability to create SVIs, so you'll need to have all of your L2 vlans and the ports that lead to your 4507 would need to be trunked.

HTH,

John

**** Please rate all useful posts ****

HTH, John *** Please rate all useful posts ***

John,

My apologies.  I misunderstood the concept but already understood the approach without knowing the term in use.  We do have SVIs built on the switch with IP routing enabled.  So it certainly is possible to route between VLAN XXX and YYY and ZZZ, etc.  But then it comes back to the original question of how the actual port would be configured on the 4507 to accommodate the requirements of the laptop(s) to communicate on the two different subnets.  As it currently stands the ports on the switch generally carry one of two configurations:

1. switchport trunk .....

2. switchport access vlan ....

And yes, VLANs XXX, YYY, etc have their appropriate interface vlan / ip address statements on them.

I'm assuming that what you have alluded to is that I would use some variation of #2 above to allow the interface's primary VLAN for tagged traffic and that the interface will also somehow know how to route the traffic that is coming back from the same interface with a different subnet assigned to it.

So in my drawing the laptop has 192.168.1.5/24 on the primary interface and then 10.10.10.100/24 as the aliased IP.  The software on the laptop brings in data on the .5 interface and manipulates it to put out different traffic on the .100 interface bound for device 10.10.10.101/24.  101 has to do similar manipulations to put it on yet another subnet but the configuration approach would be identical (with different subnets called out).

Afaik, you won't be able to do what your client wants to do with one nic.

Let me make a couple of assumptions:

int vlan 1
 ip address 192.168.1.1 255.255.255.0
int vlan 10
 ip address 10.10.10.1 255.255.255.0

Laptop connects to fa0/10

int fa0/10
 switchport mode trunk
 switchport trunk allowed vlan 1,10

The problem is that you have a laptop, which referring to my previous post by default doesn't tag traffic, connected to a trunk port. The 192.168.1.5 is the primary ip which corresponds to the vlan 1 subnet. Then you have 10.10.10.100 as a secondary address(?) that's also coming in on vlan 1 (because it's not going to tag the traffic for you). The switch will drop the traffic because it doesn't support that subnet on vlan 1.

Although, with a second nic, you could obviously have 1 nic configured for vlan 1 and the other configured for vlan 10.

HTH,

John

*** Please rate useful posts ***

HTH, John *** Please rate all useful posts ***
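
A small model of the reasoning in the answer above, added here as an illustration and not part of the original thread or any Cisco tooling. It classifies a frame into a VLAN the way the posts describe (untagged on a trunk lands in the native VLAN) and checks whether that VLAN's SVI owns the sender's subnet; the native VLAN of 1, the 15.15.15.1 secondary address and the access-port entry are assumptions.

```python
import ipaddress

# Constructed model of the switch in the thread: SVI addresses per VLAN.
SVIS = {
    1: [ipaddress.ip_interface("192.168.1.1/24")],
    10: [ipaddress.ip_interface("10.10.10.1/24")],
}
# Same switch with an assumed 15.15.15.1/24 secondary on the VLAN 1 SVI.
SVIS_SECONDARY = {
    1: SVIS[1] + [ipaddress.ip_interface("15.15.15.1/24")],
    10: SVIS[10],
}
# fa0/10 as in the post: trunk, VLANs 1 and 10 allowed, native VLAN 1 assumed.
TRUNK = {"mode": "trunk", "native": 1, "allowed": {1, 10}}
# Hypothetical access port for the "second NIC" case.
ACCESS_10 = {"mode": "access", "vlan": 10}


def ingress_vlan(port, tag=None):
    """VLAN the switch assigns to a received frame, or None if it is dropped."""
    if port["mode"] == "access":
        # Simplification: an access port only takes untagged frames.
        return port["vlan"] if tag is None else None
    if tag is None:
        return port["native"]  # untagged on a trunk -> native VLAN
    return tag if tag in port["allowed"] else None


def gateway_for(port, src_ip, svis, tag=None):
    """Return (vlan, gateway); gateway is None when no SVI in that VLAN
    has an address in the sender's subnet, so the host cannot be routed."""
    vlan = ingress_vlan(port, tag)
    if vlan is None:
        return None, None
    src = ipaddress.ip_address(src_ip)
    for iface in svis.get(vlan, []):
        if src in iface.network:
            return vlan, str(iface.ip)
    return vlan, None


if __name__ == "__main__":
    print(gateway_for(TRUNK, "192.168.1.5", SVIS))           # primary address
    print(gateway_for(TRUNK, "10.10.10.100", SVIS))          # untagged alias
    print(gateway_for(TRUNK, "10.10.10.100", SVIS, tag=10))  # tagging NIC
    print(gateway_for(TRUNK, "15.15.15.15", SVIS_SECONDARY)) # secondary SVI
    print(gateway_for(ACCESS_10, "10.10.10.100", SVIS))      # second NIC
```
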

John,

Thanks for your valuable input.  A no answer with a solid technical response is every bit as good as a magic bullet answer to make it all work!

Thank you again for your help in understanding the issue at hand!

Regards,

Ted

You're very welcome! Good luck with your client

HTH, John *** Please rate all useful posts ***