01-21-2013 08:03 AM - edited 03-07-2019 11:12 AM
I currently have an ongoing VLAN project where I am creating separate VLANs based upon departments first and access requirements second. Security is the primary concern, with scalability and organization coming in a close second and third, respectively. When I inherited my current position, everything was in the default VLAN 1. Yeah. I know, right?
So, the general structure goes in place:
Dept A - VLAN 101 - 172.16.101.0/24
Dept B - VLAN 102 - 172.16.102.0/24
et cetera.
However, here is where things get complicated. I also would like to separate VLANs based upon various devices (printers, for instance); however, I do *not* want to create separate subnets for devices if I can get around it. We currently have some old devices within our WAN, so I'd like to keep the number of routes propagated via OSPF/EIGRP as low as possible.
Would it be possible to define multiple VLANs across a single subnet and each pulling from the same DHCP pool? For instance:
Dept A - VLAN 101 - 172.16.101.0/24 (PCs)
Dept A - VLAN 1101 - 172.16.101.0/24 (Printers)
Dept B - VLAN 102 - 172.16.102.0/24 (PCs)
Dept B - VLAN 1102 - 172.16.102.0/24 (Printers)
The idea here is that I would be able to give Dept B's PCs access to Dept A's printers, without giving them access to Dept A's PCs, all while keeping the total number of propagated routes and DHCP scopes down to a minimum.
Alternatively, would it be kosher to define a single route via either OSPF or EIGRP (to, say, 172.16.0.0/16) and then let my switch handle the specific subnet routing? Or should I continue defining EIGRP routes per individual subnet? That way I'd only be propagating one route, and the above configuration may not be an issue. I'm just not sure how well other devices within my WAN would like that.
01-21-2013 08:21 AM
Ryan
It is a creative idea, but unfortunately it will not work. You cannot have two VLANs using the same subnet and the same DHCP pool. The biggest issue is that a PC in subnet 172.16.101.0/24 and VLAN 101 will believe that the printer in subnet 172.16.101.0/24 and VLAN 1101 is in the same subnet and will ARP for it. But since it is in a different VLAN, the printer will never see the ARP request, will not respond to the ARP, and the PC cannot communicate with the printer.
As far as minimizing routes to be advertised I would suggest to you that EIGRP allows you to summarize at any point in the network, and OSPF allows you to summarize at area boundaries. So it should be possible to create a network design that allows you to summarize routes and to minimize the number of routes being advertised over the WAN.
HTH
Rick
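The failure Rick describes comes down to two rules: a host decides whether a destination is on-link purely from its own address and mask, and an ARP request is a broadcast that the switch floods only inside the sender's VLAN. The following is an added example (not code from the thread or from any Cisco product) that models both rules and compares the proposed layout with a separate printer subnet. The addresses and VLAN IDs are the thread's; the printer subnet 172.16.201.0/24, the gateway addresses and the host names are assumptions for illustration.

```python
"""Added example: why a PC in VLAN 101 cannot reach a printer in VLAN 1101
when both sit in 172.16.101.0/24. Addresses and VLAN IDs follow the thread;
the printer subnet 172.16.201.0/24 and gateway addresses are assumed."""
import ipaddress


class Host:
    """An end host or a router SVI: one IP interface in one VLAN."""

    def __init__(self, name, cidr, vlan, gateway=None):
        self.name = name
        self.iface = ipaddress.ip_interface(cidr)
        self.vlan = vlan
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    def next_hop(self, dst):
        """Forwarding decision: on-link destinations are ARPed for directly,
        everything else is sent to the default gateway."""
        dst = ipaddress.ip_address(dst)
        if dst in self.iface.network:
            return dst
        return self.gateway


class Switch:
    """Layer-2 switch: an ARP broadcast stays inside the sender's VLAN."""

    def __init__(self, ports):
        self.ports = ports  # every attached Host: PCs, printers, router SVIs

    def arp_resolve(self, sender, target_ip):
        """Return the Host that would answer sender's ARP request, or None."""
        target_ip = ipaddress.ip_address(target_ip)
        for h in self.ports:
            if h is not sender and h.vlan == sender.vlan and h.iface.ip == target_ip:
                return h
        return None


class Router:
    """Layer-3 switch with one SVI per VLAN it routes for."""

    def __init__(self, svis):
        self.svis = svis

    def egress_svi(self, dst):
        dst = ipaddress.ip_address(dst)
        for svi in self.svis:
            if dst in svi.iface.network:
                return svi
        return None


def can_reach(switch, router, src, dst):
    """Trace the first hop (and the router's second hop, if any) via ARP."""
    dst = ipaddress.ip_address(dst)
    hop = src.next_hop(dst)
    if hop is None or switch.arp_resolve(src, hop) is None:
        return False          # no ARP reply: the broadcast never crossed the VLAN
    if hop == dst:
        return True           # on-link and resolved
    svi = router.egress_svi(dst)
    return svi is not None and switch.arp_resolve(svi, dst) is not None


def demo():
    """Proposed layout (one subnet, two VLANs) versus a separate printer subnet."""
    results = {}

    # Proposed: PC and printer share 172.16.101.0/24 but sit in different VLANs.
    pc = Host("pc-a", "172.16.101.10/24", 101, "172.16.101.1")
    prn = Host("printer-a", "172.16.101.50/24", 1101, "172.16.101.1")
    svi101 = Host("Vlan101", "172.16.101.1/24", 101)
    sw = Switch([pc, prn, svi101])
    results["same_subnet_two_vlans"] = can_reach(sw, Router([svi101]), pc, prn.iface.ip)

    # Alternative: printers get their own subnet (assumed 172.16.201.0/24) and
    # the router holds an SVI in each VLAN, so the PC's traffic goes via the gateway.
    prn2 = Host("printer-a", "172.16.201.50/24", 1101, "172.16.201.1")
    svi1101 = Host("Vlan1101", "172.16.201.1/24", 1101)
    sw2 = Switch([pc, prn2, svi101, svi1101])
    results["separate_subnet"] = can_reach(sw2, Router([svi101, svi1101]), pc, prn2.iface.ip)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'reachable' if ok else 'unreachable'}")
```

In the first scenario the PC's own mask tells it the printer is on-link, so it never involves the gateway at all and its ARP request dies inside VLAN 101. In the second, the PC hands the packet to the Vlan101 SVI and the router ARPs for the printer from its Vlan1101 SVI, which is the ordinary inter-VLAN routing case.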
01-22-2013 09:57 AM
Fantastic! Thanks for the reply, that does help tremendously.
So, one last question. According to the summarization that you had mentioned, am I correct in assuming that I can set up either OSPF or EIGRP (or both) with a single 172.16.0.0/16 network, and that will allow traffic from external routers within my WAN to communicate with individual subnets/VLANs (such as 172.16.101.0/24 and 172.16.102.0/24) while only advertising a single route?
That would be a great route to go (no pun intended).
01-22-2013 10:22 AM
Ryan
It depends on how the network is designed and implemented. But given the correct design and implementation, then yes it is possible to have your router advertise to the WAN a single route 172.16.0.0/16 and to be able to route to separate subnets (172.16.101.0/24, 172.16.102.0/24, etc).
The design question can get complex but the simple version would be something like: all subnets of 172.16.0.0/16 are routed through LAN interface(s) of the router and there are no subnets of 172.16.0.0/16 that are reached through the WAN interface(s) of the router.
It can be done with either EIGRP or OSPF. It is somewhat easier with EIGRP. With OSPF it is necessary to ensure that the router is an Area Border Router and that the WAN is in one OSPF area and the LAN is in a different OSPF area.
HTH
Rick
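Rick's condition for a safe summary (every subnet of 172.16.0.0/16 behind the LAN interfaces, none behind the WAN) can be checked mechanically before the summary is configured, and the reason the WAN still reaches the individual /24s is plain longest-prefix match. The following is an added example, not code from the thread or from Cisco; the subnets are the thread's, while the WAN-side prefixes, the next-hop names and the Null0 discard route (which EIGRP installs locally for a configured summary) are assumptions for illustration.

```python
"""Added example: validate a single WAN summary (172.16.0.0/16) for the
thread's subnets and show longest-prefix match delivering WAN traffic to the
specific /24s. WAN prefixes, next-hop names and the Null0 route are assumed."""
import ipaddress


def summary_check(summary, lan_subnets, wan_subnets):
    """A summary is safe only if every LAN subnet lies inside it and nothing
    reached via the WAN overlaps it (otherwise the summary attracts traffic
    the router cannot deliver)."""
    summary = ipaddress.ip_network(summary)
    lan = [ipaddress.ip_network(s) for s in lan_subnets]
    wan = [ipaddress.ip_network(s) for s in wan_subnets]
    uncovered = [str(s) for s in lan if not s.subnet_of(summary)]
    conflicts = [str(s) for s in wan if s.overlaps(summary)]
    return {"uncovered_lan": uncovered, "wan_conflicts": conflicts,
            "ok": not uncovered and not conflicts}


def smallest_summary(subnets):
    """Tightest single prefix covering all given subnets (keeps the
    advertised block no larger than it has to be)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return str(net)


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# Constructed tables: the WAN peer learns only the summary, while the HQ router
# keeps its connected /24s plus the discard route EIGRP installs for a summary.
WAN_PEER_TABLE = [("172.16.0.0/16", "hq-router"), ("10.0.0.0/8", "core")]
HQ_TABLE = [("172.16.101.0/24", "Vlan101"),
            ("172.16.102.0/24", "Vlan102"),
            ("172.16.0.0/16", "Null0")]


def demo():
    return {
        # LAN /24s inside the summary, WAN prefixes outside it: safe.
        "check": summary_check("172.16.0.0/16",
                               ["172.16.101.0/24", "172.16.102.0/24"],
                               ["10.20.0.0/16", "10.30.0.0/16"]),
        # A 172.16.x.0/24 that lives behind the WAN would be hidden by the summary.
        "bad_check": summary_check("172.16.0.0/16",
                                   ["172.16.101.0/24"],
                                   ["172.16.250.0/24"]),
        "tightest": smallest_summary(["172.16.101.0/24", "172.16.102.0/24"]),
        "wan_to_dept_a": lookup(WAN_PEER_TABLE, "172.16.101.77"),
        "hq_to_dept_a": lookup(HQ_TABLE, "172.16.101.77"),
        "hq_unused_subnet": lookup(HQ_TABLE, "172.16.150.9"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The WAN peer forwards 172.16.101.77 on the /16 alone; at HQ the /24 wins over the /16, so the packet lands on Vlan101. A destination in an unused part of the summary (172.16.150.9) hits the Null0 discard route rather than being bounced back toward the WAN, which is exactly the loop the discard route exists to prevent. Note that the tightest summary for just the two department subnets is 172.16.100.0/22, not the /16; advertising the /16 is fine as long as the WAN-side check above stays clean.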
01-22-2013 10:53 AM
Hello Ryan,
going back to the original question regarding
The idea here is that I would be able to give Dept B's PCs access to Dept A's printers, without giving them access to Dept A's PCs
Have you thought of using Active Directory to create OUs with global/local group policies and applying these to provide the necessary access you have stated?
This way your routing is still in place and users under your control in one area have access to devices in another area by strict policy deployment.
This is assuming you have AD and that the file and print servers are on Unix/Wintel boxes.
res
Paul
02-18-2013 06:40 AM
Thanks for the suggestion. That's so obvious it's a "Doh!" kind of moment. Actually, I never really thought of it before, since the migration from Novell to AD was very sloppy within my organization, was done long before I came along, and was riddled with statements such as "Let me google that...". Needless to say, printers were never placed into our current domain, so I never thought of it as an option.
It does seem like the most logical choice though.