09-09-2007 10:26 PM - edited 03-05-2019 06:22 PM
Hi,
Two switches are interconnected with each other, and one switch is connected to a router. The two switches each have a different subnet mask, say A & B, under one common subnet. If I want to route only the hosts in A to other networks, then what should be configured on the interface connecting the switch to the router?
Do help me in this issue...
09-11-2007 04:36 AM
You can, but you need to get it right.
To restrict the traffic, you really need to be using an access list on a router, which means you need to have the bits you want to protect in different VLANs.
You have 172.20.0.0/23.
You seem to need 96 addresses for users in one area, 255 for users in another and 160 for servers.
This does not fit nicely for subnetting if those are really what you want.
To do this, the nearest fit I can come up with is
172.20.0.0/24 users1
172.20.1.0/26 users2
172.20.1.64/27 users3
172.20.1.96/27 servers1
172.20.1.128/25 servers2
This can all be advertised into the rest of the network at 172.20.0.0/23
That will give a similar number of user and server addresses. You then use your L3 in the 3750 to route between these VLANs, and can use access lists to control what traffic is allowed where.
Just "deeming" them to be in different subnets won't work well. You need to get the traffic through the router to get an access list to work on it.
09-09-2007 10:39 PM
Hi
Could you provide some IP addressing to clarify what you mean.
Jon
09-10-2007 11:06 PM
09-11-2007 12:22 AM
You appear to have quite a flaw in your addressing usage. You refer to 172.20.0/23. That range includes 172.20.0.0 - 172.20.1.255. You also appear to be using inconsistent masks:
1st 172.20.1.1 -- 1.96 /23 for user's
2nd 172.20.1.97 -- 1.254 /24 for server's
The networks referred to are 172.20.0/23 and 172.20.1.0/24, but the address ranges mentioned both fall within the 172.20.1.0/24 subnet.
Whoever planned this does not understand IP addressing.
09-11-2007 02:47 AM
Hi Paul,
I want to make sure whether we can divide a subnet into groups using subnet masks and restrict access between any 2 groups while the rest have access between them.
Regards,
sakthi
09-11-2007 02:55 AM
sakthi
It does not work to just assign different masks and attempt to restrict access based on mask. Within a VLAN devices should have a consistent subnet mask. If devices use different masks within the same VLAN it does not enhance control and may introduce other problems.
For most purposes we can consider a VLAN and a subnet as meaning the same thing. A VLAN is a subnet and a subnet is a VLAN. There are a few exceptions but in general things work better when we consider that a VLAN is a subnet and that a subnet is a VLAN. If you follow this principle then it never creates a problem.
HTH
Ric
09-11-2007 09:31 PM
Thank you for all your valued support.
I will stick to the "VLAN = a subnet" principle by Richard.
I got the point clearly from the subnetting example by Paul.
I will proceed with the access list further, and if I get stuck somewhere, I will come back to you, Paul.
Thank you very much.
09-11-2007 11:50 PM
You are welcome. With a little knowledge of the groups you have, you may be able to plan the subnet addressing far better than I did - all I did was best fit on what you have. The varied masks as I suggested are inelegant, and would be confusing for someone later.
Tidier would be to look at what you really need, and select a single mask that will fit most groups best - for example, if you only have 80 or so servers, and in that bottom group of users there are only 90 or so, consider a /25 mask - that gives you four even-sized groups out of your /23. Maybe even consider going to a /26 if the numbers work OK on the groups of users and servers.
Smaller subnets give more granularity for control, either in access lists or in case of a problem - it is a lot easier to shut off a group of 40 users or so if one has a virus that is affecting the network (e.g. Code Red or SQL Slammer types) than 400!
The old position of "switch where you can, route where you must", leading to large subnets, is obsolete, as most routing now is done by hardware switching and so does not have the performance issues of old process switching.
Small subnets give more control, and better performance, as fewer devices see traffic they don't need - like broadcasts.
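An added example, not part of the original thread: a Python check (standard `ipaddress` module) that the variable-mask plan from the accepted answer sits inside 172.20.0.0/23 with no overlapping subnets, plus the single-mask split suggested in the last reply. The function names and the `acl_wildcard` field are this example's own; the wildcard is the inverse mask an IOS access list uses to match each subnet.

```python
import ipaddress
from itertools import combinations

SUPERNET = ipaddress.ip_network("172.20.0.0/23")   # range advertised upstream
PLAN = {                                            # subnets from the accepted answer
    "users1": "172.20.0.0/24",
    "users2": "172.20.1.0/26",
    "users3": "172.20.1.64/27",
    "servers1": "172.20.1.96/27",
    "servers2": "172.20.1.128/25",
}

def check_plan(supernet, plan):
    """Validate a subnet plan; return (per-subnet report, fills_supernet)."""
    # ip_network() is strict: a CIDR with host bits set raises ValueError here.
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    for name, net in nets.items():
        if not net.subnet_of(supernet):
            raise ValueError(f"{name} {net} is outside {supernet}")
    for (n1, a), (n2, b) in combinations(nets.items(), 2):
        if a.overlaps(b):
            # Overlap means an ACL entry written for one group also matches the other.
            raise ValueError(f"{n1} {a} overlaps {n2} {b}")
    report = {
        name: {"usable_hosts": net.num_addresses - 2,   # minus network and broadcast
               "acl_wildcard": str(net.hostmask)}        # inverse mask for ACL entries
        for name, net in nets.items()
    }
    fills = sum(n.num_addresses for n in nets.values()) == supernet.num_addresses
    return report, fills

def even_split(supernet, new_prefix):
    """Single-mask alternative: equal-sized subnets of the supernet."""
    return [str(n) for n in supernet.subnets(new_prefix=new_prefix)]

if __name__ == "__main__":
    report, fills = check_plan(SUPERNET, PLAN)
    for name, facts in report.items():
        print(name, PLAN[name], facts)
    print("fills the /23 exactly:", fills)
    print("/25 split:", even_split(SUPERNET, 25))
    try:  # the mixed-mask scheme questioned earlier in the thread
        check_plan(SUPERNET, {"users": "172.20.0.0/23", "servers": "172.20.1.0/24"})
    except ValueError as err:
        print("rejected:", err)
```
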