routing issues

Answered Question
Sep 9th, 2007

Hi,

Two switches are interconnected with each other, and one switch is connected to a router. The two switches each have a different subnet mask, say A & B, under one common subnet. If I want to route only the hosts in A to other networks, then what should be configured on the interface connecting the switch to the router?


Do help me with this issue...


Jon Marshall Sun, 09/09/2007 - 22:39
User Badges: Super Blue (32500 points or more); Hall of Fame, Founding Member; Cisco Designated VIP, 2017 LAN, WAN

Hi


Could you provide some IP addressing to clarify what you mean.


Jon

paul.matthews Tue, 09/11/2007 - 00:22
User Badges:
  • Silver, 250 points or more

You appear to have quite a flaw in your addressing usage. You refer to 172.20.0/23. That range includes 172.20.0.0 - 172.20.1.255. You also appear to be using inconsistent masks:


1st 172.20.1.1 -- 1.96 /23 for users

2nd 172.20.1.97 -- 1.254 /24 for servers


The networks referred to are 172.20.0/23 and 172.20.1.0/24, but the address ranges mentioned both fall within the 172.20.1.0/24 subnet.


Whoever planned this does not understand IP addressing.

sakthicisco Tue, 09/11/2007 - 02:47
Hi Paul,

I want to make sure whether we can divide a subnet into groups using subnet masks and restrict access between any 2 groups while the rest have access between them.


Regards,

Sakthi

Richard Burts Tue, 09/11/2007 - 02:55
User Badges: Super Silver (17500 points or more); Hall of Fame, Founding Member; Cisco Designated VIP, 2017 LAN, WAN

sakthi


It does not work to just assign different masks and attempt to restrict access based on mask. Within a VLAN devices should have a consistent subnet mask. If devices use different masks within the same VLAN it does not enhance control and may introduce other problems.


For most purposes we can consider a VLAN and a subnet as meaning the same thing. A VLAN is a subnet and a subnet is a VLAN. There are a few exceptions but in general things work better when we consider that a VLAN is a subnet and that a subnet is a VLAN. If you follow this principle then it never creates a problem.


HTH


Ric

Correct Answer
paul.matthews Tue, 09/11/2007 - 04:36
User Badges:
  • Silver, 250 points or more

You can, but you need to get it right.


To restrict the traffic, you really need to be using an access list on a router, which means you need to have the bits you want to protect in different VLANs.


You have 172.20.0.0/23.


You seem to need 96 addresses for users in one area, 255 for users in another and 160 for servers.


This does not fit nicely for subnetting if those are really what you want.


To do this, the nearest fit I can come up with is


172.20.0.0/24 users1

172.20.1.0/26 users2

172.20.1.64/27 users3

172.20.1.96/27 servers1

172.20.1.128/25 servers2


This can all be advertised into the rest of the network at 172.20.0.0/23


That will give a similar number of user and server addresses. You then use your L3 in the 3750 to route between these VLANs, and can use access lists to control what traffic is allowed where.


Just "deeming" them to be in different subnets won't work well. You need to get the traffic through the router to get an access list to work on it.
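To make Paul's two points concrete (the plan must tile the /23 with non-overlapping VLAN subnets, and an access list only works on traffic that actually crosses the router), here is an added example that is not part of the original thread. It checks the five-subnet plan above and simulates the on-link decision a host makes: if a destination falls inside the host's own address/mask, the host ARPs and sends it directly in the L2 segment, and the router (and any ACL on it) never sees the packet. The host addresses used below are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

PARENT = ipaddress.ip_network("172.20.0.0/23")

# The VLAN plan from the thread (one subnet per VLAN).
PLAN: Dict[str, str] = {
    "users1":   "172.20.0.0/24",
    "users2":   "172.20.1.0/26",
    "users3":   "172.20.1.64/27",
    "servers1": "172.20.1.96/27",
    "servers2": "172.20.1.128/25",
}


def check_partition(parent: ipaddress.IPv4Network,
                    plan: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Verify the plan tiles the parent exactly: every subnet inside it,
    no overlaps and no gaps, so it can be advertised as the single /23."""
    nets = sorted((ipaddress.ip_network(p) for p in plan.values()),
                  key=lambda n: int(n.network_address))
    problems: List[str] = []
    cursor = int(parent.network_address)          # next address we expect to see
    for n in nets:
        if not n.subnet_of(parent):
            problems.append(f"{n} is outside {parent}")
        start = int(n.network_address)
        if start < cursor:
            problems.append(f"{n} overlaps the previous subnet")
        elif start > cursor:
            problems.append(f"gap before {n}: {ipaddress.ip_address(cursor)}"
                            f"-{ipaddress.ip_address(start - 1)} unused")
        cursor = int(n.broadcast_address) + 1
    if cursor != int(parent.broadcast_address) + 1:
        problems.append(f"plan stops before {parent.broadcast_address}")
    return (not problems, problems)


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Addresses assignable to hosts: drop network and broadcast
    (the SVI/gateway address also comes out of this count)."""
    return net.num_addresses - 2


def next_hop(src_ip: str, src_mask: str, dst_ip: str) -> str:
    """What the sending host does with the packet.
    'direct'  -> destination is inside the host's own (address, mask):
                 the host ARPs for it and the frame stays in the L2 segment,
                 so a router ACL never gets a chance to drop it.
    'gateway' -> destination is off-net for this host: it goes to the
                 default gateway, where an access list can be applied."""
    iface = ipaddress.ip_interface(f"{src_ip}/{src_mask}")
    return "direct" if ipaddress.ip_address(dst_ip) in iface.network else "gateway"


if __name__ == "__main__":
    ok, problems = check_partition(PARENT, PLAN)
    print("plan tiles", PARENT, "cleanly:", ok, problems)
    for name, p in PLAN.items():
        print(f"  {name:9s} {p:18s} usable hosts: {usable_hosts(ipaddress.ip_network(p))}")

    # The poster's original layout: users with a /23 mask, servers with a /24,
    # all living in 172.20.1.x. The user host sees the server as on-link.
    print("old scheme, user /23 -> server:",
          next_hop("172.20.1.10", "255.255.254.0", "172.20.1.100"))
    # Same pair under the VLAN plan: users2 host is /26, server is in servers1.
    print("VLAN plan, user /26 -> server: ",
          next_hop("172.20.1.10", "255.255.255.192", "172.20.1.100"))
```

The first `next_hop` call returns `direct`, which is exactly why "deeming" the groups to be different subnets buys no control: the packet never touches the router. Under the plan the same packet goes to the gateway, where an ACL on the 3750's SVI decides whether it is allowed.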

sakthicisco Tue, 09/11/2007 - 21:31
Thank you for all your valued support...


I will stick to the "VLAN = a subnet" principle by Richard.


I got the point clearly from the subnetting example by Paul.

I will proceed with access lists further, and if I get stuck somewhere I will come back to you, Paul...


Thank you very much

paul.matthews Tue, 09/11/2007 - 23:50
User Badges:
  • Silver, 250 points or more

You are welcome. With a little knowledge of the groups you have, you may be able to plan the subnet addressing far better than I did - all I did was best fit on what you have. The varied masks as I suggested are inelegant, and would be confusing for someone later.


Tidier would be to look at what you really need, and select a single mask that will fit most groups best - for example, if you only have 80 or so servers, and in that bottom group of users there are only 90 or so, consider a /25 mask - that gives you four even sized groups out of your /23. Maybe even consider going to a /26 if the numbers work OK on the groups of users and servers.


Smaller subnets give more granularity for control, either in access lists or in case of a problem - it is a lot easier to shut off a group of 40 users or so if one has a virus that is affecting the network (eg Code Red or SQL Slammer types) than 400!


The old position of "switch where you can, route where you must", leading to large subnets, is obsolete, as most routing now is done by hardware switching, so it does not have the performance issues of old process switching.


Small subnets give more control, and better performance, as fewer devices see traffic they don't need - like broadcasts.
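As an added example (not from the original thread), the single-mask approach Paul describes can be turned into a small planner: given a head-count per group, find the longest prefix (smallest subnets, so the finest ACL granularity and the smallest blast radius when one group has to be cut off) such that every group fits in one subnet and there are enough subnets in the /23 for all groups. The group names and head-counts below are constructed; the 80 servers and 90 users follow the figures in the post, the other two groups are assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

PARENT = ipaddress.ip_network("172.20.0.0/23")

# Constructed head-counts; "users1" and "servers" follow the figures in the post.
GROUPS: Dict[str, int] = {"users1": 90, "users2": 60, "users3": 25, "servers": 80}


def usable(prefixlen: int) -> int:
    """Host addresses in a subnet of this length, excluding network,
    broadcast and the one address the SVI gateway takes."""
    return 2 ** (32 - prefixlen) - 3


def single_mask_plan(parent: ipaddress.IPv4Network,
                     groups: Dict[str, int]
                     ) -> Optional[Tuple[int, Dict[str, ipaddress.IPv4Network]]]:
    """Return (prefixlen, {group: subnet}) for the longest prefix that
    (a) holds the largest group and (b) yields at least len(groups) subnets.
    Returns None if no single mask can satisfy both, i.e. the /23 is too small."""
    # Walk from the smallest practical subnet (/30) towards the parent length;
    # the first length that fits is the longest, hence the tightest containment.
    for plen in range(30, parent.prefixlen, -1):
        subnets = list(parent.subnets(new_prefix=plen))
        if len(subnets) < len(groups):
            continue
        if all(usable(plen) >= count for count in groups.values()):
            # Largest groups first, so the mapping is stable and readable.
            ordered = sorted(groups, key=lambda g: groups[g], reverse=True)
            return plen, dict(zip(ordered, subnets))
    return None


def spare_subnets(parent: ipaddress.IPv4Network, plen: int, used: int) -> int:
    """How many equal-sized subnets remain free for growth."""
    return len(list(parent.subnets(new_prefix=plen))) - used


if __name__ == "__main__":
    result = single_mask_plan(PARENT, GROUPS)
    if result is None:
        print("no single mask fits these groups inside", PARENT)
    else:
        plen, mapping = result
        print(f"chosen mask: /{plen} ({usable(plen)} usable hosts per subnet)")
        for group, net in mapping.items():
            print(f"  {group:8s} {net}  (needs {GROUPS[group]})")
        print("spare subnets:", spare_subnets(PARENT, plen, len(mapping)))
```

With the figures above the planner settles on /25, the same four even-sized groups Paul arrives at; shrink the largest group below 61 hosts and it moves to /26, leaving spare subnets for later growth.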
