VLANs, single subnet, one DHCP pool - or- single external route

ryanelewis
Level 1

I currently have an ongoing VLAN project where I am creating separate VLANs based upon departments first and access requirements second. Security is the primary concern, with scalability and organization coming in a close second and third, respectively. When I inherited my current position, everything was in the default VLAN 1. Yeah. I know, right?

So, the general structure goes in place:

Dept A - VLAN 101 - 172.16.101.0/24

Dept B - VLAN 102 - 172.16.102.0/24

et cetera.

However, here is where things get complicated. I would also like to separate VLANs based upon various devices (printers, for instance); however, I do *not* want to create separate subnets for devices if I can get around it. We currently have some old devices within our WAN, so I'd like to keep the number of routes propagated via OSPF/EIGRP as low as possible.

Would it be possible to define multiple VLANs across a single subnet and each pulling from the same DHCP pool? For instance:

Dept A - VLAN 101 - 172.16.101.0/24 (PCs)

Dept A - VLAN 1101 - 172.16.101.0/24 (Printers)

Dept B - VLAN 102 - 172.16.102.0/24 (PCs)

Dept B - VLAN 1102 - 172.16.102.0/24 (Printers)

The idea here is that I would be able to give Dept B's PCs access to Dept A's printers, without giving them access to Dept A's PCs, all while keeping the total number of propagated routes and DHCP scopes down to a minimum.

Alternatively, would it be kosher to define a single route via either OSPF or EIGRP (to say 172.16.0.0/16) and then let my switch handle the specific subnet routing? Or should I continue defining EIGRP routes per individual subnet? That way I'd only be propagating one route and the above configuration may not be an issue. I'm just not sure how well other devices within my WAN would like that.

Accepted Solution

Richard Burts
Hall of Fame

Ryan

It is a creative idea. But unfortunately it will not work. You can not have two VLANs using the same subnet and same DHCP pool. The biggest issue is that a PC in subnet 172.16.101.0/24 and VLAN 101 will believe that the printer in subnet 172.16.101.0/24 and in VLAN 1101 is in the same subnet and will ARP for it. But since it is in a different VLAN the printer will never see the ARP request, will not respond to the ARP, and the PC can not communicate with the printer.

As far as minimizing routes to be advertised I would suggest to you that EIGRP allows you to summarize at any point in the network, and OSPF allows you to summarize at area boundaries. So it should be possible to create a network design that allows you to summarize routes and to minimize the number of routes being advertised over the WAN.

HTH

Rick


5 Replies


Fantastic! Thanks for the reply, that does help tremendously.

So, one last question. According to the summarization that you had mentioned, am I correct in assuming that I can set up either OSPF or EIGRP (or both) with a single 172.16.0.0/16 network, and that will allow traffic from external routers within my WAN to communicate with individual subnets/VLANs (such as 172.16.101.0/24 and 172.16.102.0/24) while only advertising a single route?

That would be a great route to go (no pun intended).

Ryan

It depends on how the network is designed and implemented. But given the correct design and implementation, then yes it is possible to have your router advertise to the WAN a single route 172.16.0.0/16 and to be able to route to separate subnets (172.16.101.0/24, 172.16.102.0/24, etc).

The design question can get complex but the simple version would be something like: all subnets of 172.16.0.0/16 are routed through LAN interface(s) of the router and there are no subnets of 172.16.0.0/16 that are reached through the WAN interface(s) of the router.

It can be done with either EIGRP or OSPF. It is somewhat easier with EIGRP. With OSPF it is necessary to assure that the router is an Area Border Router and that the WAN is in some OSPF area and the LAN is in a different OSPF area.

HTH

Rick

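A worked configuration for the design Rick describes, added here as an example and not taken from the thread: each VLAN gets its own subnet, every 172.16.0.0/16 subnet sits behind the LAN SVIs, and the WAN neighbours receive only the /16. The WAN link addressing (10.0.0.0/30), the EIGRP AS number (100) and the OSPF process number (1) are constructed placeholders; it assumes a Layer 3 switch or router with SVIs.

```cisco
! Added example, not from the original thread. WAN addressing and process numbers
! are constructed placeholders; the 172.16.101.0/24 and 172.16.102.0/24 subnets
! are the ones discussed above. Use either the EIGRP or the OSPF section.
!
! --- LAN side: one subnet per VLAN (a VLAN cannot borrow another VLAN's subnet,
! --- or hosts ARP on the wrong broadcast domain and never reach each other) ---
interface Vlan101
 description Dept A
 ip address 172.16.101.1 255.255.255.0
!
interface Vlan102
 description Dept B
 ip address 172.16.102.1 255.255.255.0
!
! --- WAN side: no 172.16.0.0/16 subnet may be reached through this link, because
! --- the summary installs 172.16.0.0/16 -> Null0 locally and would discard it ---
interface Serial0/0
 description WAN uplink (constructed addressing)
 ip address 10.0.0.1 255.255.255.252
 ! EIGRP summarizes on the interface facing the WAN, at any point in the topology
 ip summary-address eigrp 100 172.16.0.0 255.255.0.0
!
router eigrp 100
 network 10.0.0.0 0.0.0.3
 network 172.16.0.0
 no auto-summary
!
! --- OSPF alternative: this router must be an ABR (WAN in area 0, LAN in area 1),
! --- and the inter-area summary is configured on the ABR with an area range ---
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 172.16.0.0 0.0.255.255 area 1
 area 1 range 172.16.0.0 255.255.0.0
```

After applying it, `show ip route` on this router should list 172.16.0.0/16 via Null0 alongside the connected /24s, and the WAN neighbour's routing table should carry only the /16.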

Hello Ryan,

going back to the original question regarding

The idea here is that I would be able to give Dept B's PCs access to Dept A's printers, without giving them access to Dept A's PCs

Have you thought of using Active Directory to create OUs with global/local group policies and applying these to provide the necessary access you have stated?

This way your routing is still in place and users under your control in one area have access to devices in another area by strict policy deployment.

This is assuming you have A/D and file & print servers are on unix/wintel boxes.

res

Paul


Thanks for the suggestion. That's so obvious it's a "Doh!" kind of moment. Actually, I never really thought of it before, since the migration from Novell to AD was very sloppy within my organization, was done long before I came along, and was riddled with statements such as "Let me google that...". Needless to say, printers were never placed into our current domain, so I never thought of it as an option.

It does seem like the most logical choice though.
