Re: Vlan overlap issue

dale.hopper · ‎04-26-2018

Having a problem trying increase vlan20 to have 64 addresses rather than 32 to fit in the following VLAN config

10	Server	10.21.112.0/27	10.21.112.30	255.255.255.224
20	CCTV & SECURITY (DOOR ACCESS)	10.21.112.32/27	10.21.112.62	255.255.255.224
40	Cashless Catering - SHUTDOWN	10.21.112.96/28	10.21.112.110	255.255.255.240
50	NEW ICT Support	10.21.112.112/28	10.21.112.126	255.255.255.240
60	Maths and OLD ICT Support	10.21.112.128/25	10.21.112.254	255.255.255.128

when I try to increase the CCTV VLAN20 to (#ip address 10.21.112.94 255.255.255.192) I get an 10.21.112.64 overlaps with VLAN40 error

Can anyone offer any insight - we are using VTP also

Regards

Dale

dale.hopper · ‎04-26-2018

apologies column 4 is the Default Gateway (SVI)

Dennis Mink · ‎04-26-2018

10.21.112.94 255.255.255.192 is from .64 - .127 so yes i would overlap with vlan 40

Please remember to rate useful posts, by clicking on the stars below.

dale.hopper · ‎04-26-2018

Hi Dennis thanks for replying. I am at a loss.

Could you suggest how I can alter the above VLAN diagram then to a /26 subnet on the VLAN20 CCTV, my core output currently shows it like this

---

interface Vlan1
no ip address
shutdown
!
interface Vlan10
description *** Server VLAN ***
ip address 10.21.112.30 255.255.255.224
ip helper-address 10.21.112.18
ip helper-address 10.21.112.10
!

interface Vlan20
description *** CCTV AND DOOR ACCESS VLAN ***
ip address 10.21.112.62 255.255.255.224
ip helper-address 10.21.112.5
ip helper-address 10.21.112.18
ip helper-address 10.21.112.10
!
interface Vlan40
description *** Cashless Catering VLAN ***
ip address 10.21.112.110 255.255.255.240
ip helper-address 10.21.112.5
ip helper-address 10.21.112.18
ip helper-address 10.21.112.10
!
interface Vlan50
description *** NEW ICT SUPPORT ***
ip address 10.21.112.126 255.255.255.240
ip helper-address 10.21.112.5
ip helper-address 10.21.112.18
ip helper-address 10.21.112.10
!
interface Vlan60
description *** Maths And IT Support VLAN ***
ip address 10.21.112.254 255.255.255.128
ip helper-address 10.21.112.5
ip helper-address 10.21.112.18
ip helper-address 10.21.112.10
ip helper-address 10.21.112.255
ip helper-address 10.21.114.255

------------

Many thanks

Dale

nixpengu1n · ‎04-26-2018

Hello,

Just change subnet mask and keep same SVI address.

#> ip address 10.21.112.62 255.255.255.192

dale.hopper · ‎04-26-2018

Thanks nixpengu1n, I've tried that but then get 10.21.112.0 overlaps with Vlan10

nixpengu1n · ‎04-26-2018

Hello,

That's bad. It means that when you specify a subnet mask IOS is divided address range equally by client amount in a subnet (in your case - 64). In this case you will need to re-apply all SVI configuration from scratch in top-down order (erase it and re-apply again).

dale.hopper · ‎04-26-2018

I was under the illusion that the VLAN config on the core was wrong (even though it works)

I had thought it should be set like this

---

interface Vlan1
no ip address
shutdown
!
interface Vlan10
description *** Server VLAN ***
ip address 10.21.112.0 255.255.255.224
ip helper-address 10.21.112.18
ip helper-address 10.21.112.10
!

interface Vlan20
description *** CCTV AND DOOR ACCESS VLAN ***
ip address 10.21.112.32 255.255.255.224
ip helper-address 10.21.112.5
ip helper-address 10.21.112.18
ip helper-address 10.21.112.10
!
interface Vlan40
description *** Cashless Catering VLAN ***
ip address 10.21.112.96 255.255.255.240
ip helper-address 10.21.112.5
ip helper-address 10.21.112.18
ip helper-address 10.21.112.10
!
interface Vlan50
description *** NEW ICT SUPPORT ***
ip address 10.21.112.112 255.255.255.240
ip helper-address 10.21.112.5
ip helper-address 10.21.112.18
ip helper-address 10.21.112.10
!
interface Vlan60
description *** Maths And IT Support VLAN ***
ip address 10.21.112.128 255.255.255.128
ip helper-address 10.21.112.5
ip helper-address 10.21.112.18
ip helper-address 10.21.112.10
ip helper-address 10.21.112.255
ip helper-address 10.21.114.255

------------

Becuase doesnt the subnet mask give you the amount of IP address off the network IP

It seemed the VLAN config started with the last usable IP in each range?

Regards

Dale

nixpengu1n · ‎04-26-2018

Hello,

Based on this config, I assume that ip subnet-zero is been populated into your core config, which can allow you to use "subnet address" as an SVI address.

Ideally you should not use subnet address and broadcast address for SVI.

dale.hopper · ‎04-27-2018

Thanks, nixpengu1n for your help so far.

I'm really considering my options - I could always collapse VLAN20 altogether and create a new VLAN with a new IP range as the end of the IP scope - I have the freedom to do this as I'm no longer constrained by other networks however I was hoping to get to the bottom of it rather than be wasteful.

If I was to shorten VLAN40 to a /29 address, could I then increase VLAN20 to a /26 address

Hope this makes sense

Regards

Dale

nixpengu1n · ‎04-27-2018

Hello,

OK, let me explain in more detail. First of all, please consider best Cisco practice for VLSM.

- If you are using VLSM consider to split address range in top down manner utilizing big subnets first and do not mix smaller and big subnets

It means that if you want for example split big /24 subnets into 4 smaller subnets /25, /26 and two /27 you should configure your network device in the following manner:

#> int vlan 25

#> description ** Subnet /25 **

#> ip address 192.168.1.1 255.255.255.128

#> int vlan 26

#> description ** Subnet /26 **

#> ip address 192.168.1.129 255.255.255.192

#> int vlan 27

#> description ** Subnet /27 **

#> ip address 192.168.1.193 255.255.255.224

#> int vlan 28

#> description ** Subnet /27 **

#> ip address 192.168.1.225 255.255.255.224

Cisco IOS calculates address range for particular VLSM by finding closer number to be divided by subnet number (for example for /27 it will be 64) in an octet. Division result should be either 0 or an integer (so for /27 VLSM such numbers will be 0, 64, 128 and 192 in address octet). So for /27 subnet in an octet usable address range will be:

0 - 63

64 - 127

128 - 191

192 - 255

In your particular example you have created 2 x /27 subnets which comes after each other and want to double address range of the second one (because, as you know, you have spare address range).

!
interface Vlan10
description *** Server VLAN ***
ip address 10.21.112.30 255.255.255.224
...
!

interface Vlan20
description *** CCTV AND DOOR ACCESS VLAN ***
ip address 10.21.112.62 255.255.255.224
...
!
interface Vlan40
description *** Cashless Catering VLAN ***
ip address 10.21.112.110 255.255.255.240
...
!

Problem is that IOS does not understand it and will try to calculate address range based on a rule I've provided. Thus suitable address range will be either 10.21.112.0 - 10.21.112.63 or 10.21.112.64 - 10.21.112.128 which overlaps with both VLANs 10 and 40 respecively.

Less disturbing solution in your case would be to swap VLAN 10 and 20 in this manner:

!
interface Vlan10
description *** Server VLAN ****** CCTV AND DOOR ACCESS VLAN ***
ip address 10.21.112.62 255.255.255.192
...
!

interface Vlan20
description *** Server VLAN ***
ip address 10.21.112.90 255.255.255.224
...

But it may not be a soultion in your case, because you will need to re-map all server's IP addresses which could be painfull.

dale.hopper · ‎05-01-2018

Thanks, nixpengu1n, you seem to of understood my request perfectly, it's kinda annoying that I've got that spare /28 range after IP. 62 will little I can do with except create another /28 range. I think at this stage I might be better off creating another /28 range here and actually physically splitting the VLAN 20 into 2 VLAN's (Door Access) and (CCTV) if that makes sense? rather than having the one combined /27 range

nixpengu1n · ‎05-01-2018

Hello,

Yes it can make sense just to create additional /28 subnet starting from .64 address down to .96 . It will not conflict with your existing setup, however you need to make a notice that now you have 2 VLANs for same type of devices.

mlund · ‎04-27-2018

Hi

If we just focus on the last octet of the ip address here.

If you use subnet mask /25 that means you have 2 subnets

first subnet .0 that have adresses from .1-.126 .127 is broadcast.

second subnet .128 have adresses from 129-254 .255 is broadcast < this one you are using

now you can take the first one, the .0 and subnet that one into 2 smaller subnets /26.

That will give you .0 and .64

.0 usable adresses is .1-62

.64 usable adresses is 65-126 . You are not using anyone of these so we can take both of them and subnet them further and use /27

.0 can be subnetted to .0 and .32 and then .64 can be subnetted to .64 and .96

wich will give you adresses from .1-30 and 33-62 and 65-94 and 97-126

Here you are using .0 and .32 . So up to here you are using addresses from 1-63 and 129-254.

If we go further and subnetts also .64 and the .96 with /28 we got

.64 .80 .96 and .112 here you are using .96 and .112 so we got .64 .and .80 left

.64/28 and .80/28 can as we see above also be used as .64 /27 so this is all you have left to deal with.

You can use this one as secondary address on vlan 20 if that is suitable for you. However logical this will then be two networks on the same vlan. First the .32/27 and then also .64/27. This not a problem for the router but it may not be what you are looking for.

You can also move your vlan 30 and 40 to .32/28 and .48/28 and move your vlan 20 to .64/26.

/Mikael

mohammed01701 · ‎05-01-2018

Hi dale.hopper!

What you have today is this:

		Subnet	Host from	Host To	Broadcast	Total host
Vlan 10	Server	10.21.112.0/27	10.21.112.1	10.21.112.30	10.21.112.31	30
Vlan 20	CCTV & SECURITY (DOOR ACCESS)	10.21.112.32/27	10.21.112.33	10.21.112.62	10.21.112.63	30
Vlan 40	Cashless Catering - SHUTDOWN	10.21.112.96/28	10.21.112.97	10.21.112.110	10.21.112.111	14
Vlan 50	NEW ICT Support	10.21.112.112/28	10.21.112.113	10.21.112.126	10.21.112.127	14
Vlan 60	Maths and OLD ICT Support	10.21.112.128/25	10.21.112.129	10.21.112.254	10.21.112.255	126

You trying to icrease vlan 20 which today has:

Vlan 20

CCTV & SECURITY (DOOR ACCESS)

10.21.112.32/27

10.21.112.33

10.21.112.62

10.21.112.63

30

If you want to increase this interface there is only one logical scenario because of you know already that there is some gaps between vlan 20 and 40, from .32 up to 95 sure. but the problem is when you try to increase this subnet for vlan 20, you also conflict other vlan like vlan 10.

Vlan 20

CCTV & SECURITY (DOOR ACCESS)

10.21.112.32/26

10.21.112.1

10.21.112.62

10.21.112.63

62

The problem is you destroy the server subnet when you going up to /26. As soon you increase up /26 you it means that you are taking off vlan 10 subnet.

Now you have two alternatives: 1 alternative is to have two vlans with /28 some nixpengu1n told you before:

Vlan 10	Server	10.21.112.0/27	10.21.112.1	10.21.112.30	10.21.112.31	30
Vlan 20	CCTV & SECURITY (DOOR ACCESS)	10.21.112.32/27	10.21.112.33	10.21.112.62	10.21.112.63	30
Vlan 30_NY	CCTV & SECURITY (DOOR ACCESS-2)	10.21.112.64/27	10.21.112.65	10.21.112.94	10.21.112.95	30
Vlan 40	Cashless Catering - SHUTDOWN	10.21.112.96/28	10.21.112.97	10.21.112.110	10.21.112.111	14
Vlan 50	NEW ICT Support	10.21.112.112/28	10.21.112.113	10.21.112.126	10.21.112.127	14
Vlan 60	Maths and OLD ICT Support	10.21.112.128/25	10.21.112.129	10.21.112.254	10.21.112.255	126

2 alternative is to move up vlan 40 and 50 then vlan 20 to down, you will get more spaces see the tabell:

Vlan 10	Server	10.21.112.0/27	10.21.112.1	10.21.112.30	10.21.112.31	30
Vlan 40	Cashless Catering - SHUTDOWN	10.21.112.32/28	10.21.112.33	10.21.112.46	10.21.112.47	14
Vlan 50	NEW ICT Support	10.21.112.48/28	10.21.112.49	10.21.112.62	10.21.112.63	14
Vlan 20	CCTV & SECURITY (DOOR ACCESS)	10.21.112.64/26	10.21.112.65	10.21.112.128	10.21.112.127	62
Vlan 60	Maths and OLD ICT Support	10.21.112.128/25	10.21.112.129	10.21.112.254	10.21.112.255	126

Hope it helps:

I edited last 2018-05-04

/Mohammed