2 different subnets on single vlan

Unanswered Question
Nov 7th, 2007

I have this setup.

2 3750G switches stacked.

I have 2 servers with IP and connected into port g1/0/1 and g1/0/2 respectively on switch1, both in vlan 100

I have another 2 servers with IP and connected into port g2/0/1 and g2/0/2 respectively on switch2, both also in vlan 100.

I need to keep this same vlan across the stack. In theory servers on same subnet in vlan 100 should be able to communicate properly, or am I wrong?

What can I do to prevent broadcasts from propagating between subnets of this single vlan?

Edison Ortiz Wed, 11/07/2007 - 08:53

They aren't in the same subnet since their subnet mask only allows 2 hosts (/30).

If you want them to communicate on the same Vlan 100, you need to use /16 as the subnet mask.

If you want to leave the subnet as it is, you can change the switchport as layer3 and have a point-to-point connectivity to the servers.

The servers will need to have the switchport IP as their default gateway and IP routing must be enabled in the switch.

cisconoobie Wed, 11/07/2007 - 09:17

Thanks for quick reply,

I don't want the servers on the 10.0/30 subnet to communicate with the 20.0/30 subnet with respect to broadcasts.

I know that they won't be able to communicate because of the Layer 2 but broadcasts will still flood the whole vlan.

So my question is how can I properly isolate the subnets in this particular vlan?

Edison Ortiz Wed, 11/07/2007 - 10:20

>So my question is how can I properly isolate the subnets in this particular vlan?

You can't isolate them as long as they are part of the same Vlan regardless of the IP subnet.

Richard Burts Wed, 11/07/2007 - 09:24


Perhaps I read the post from Sparky slightly differently than you do. The first pair of servers are in the same logical subnet and in the same VLAN so they should communicate with each other fine. And the second pair of servers are in the same logical subnet and in the same VLAN so they should communicate with each other fine.

But I agree with you that there are flaws in this implementation. First, since the subnets are /30 they only allow two hosts and with two servers in the subnet there is nothing to act as a gateway and to provide access to "remote" addresses. Also this implementation breaks the assumption that there is a correlation between subnet and VLAN. We tend to assume that a correlation exists and that a subnet is related to a VLAN and a VLAN is related to a subnet. But VLAN is a layer 2 concept and subnet is a layer 3 concept and they are not necessarily related. There is no rule that says that a VLAN has only 1 subnet (though that is common practice). A VLAN interface with a primary IP address and a secondary IP address would certainly support 2 (or more) subnets.

Note that this implementation does not provide the isolation that we tend to assume when we talk about subnets. We generally assume that devices in 1 subnet do not communicate directly with devices in a different subnet (because we tend to assume that each subnet is a separate broadcast domain). But this implementation puts both subnets into the same broadcast domain. So the first pair of servers will hear all the broadcasts (including ARP) from the second pair of servers and any of these servers could communicate directly with any other of the servers - certainly not bounded by the subnet.


There is no way to isolate the broadcasts within the same VLAN. The basic definition of VLAN is that it is a broadcast domain. And any broadcast generated will be flooded throughout the entire broadcast domain. The only way to restrict the broadcasts is to create 2 VLANs.
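The "VLAN interface with a primary and a secondary address" arrangement described above, as an added configuration example that is not from the original thread or from any poster. The addresses are constructed from the documentation ranges (192.0.2.0/24 and 198.51.100.0/24) rather than the /30s in the question, because a /30 leaves no host address for the switch itself; the interface name and VLAN number follow the thread.

```cisco
! Added example: one SVI carrying two subnets (primary + secondary).
! Addresses are constructed placeholders, not the poster's real subnets.
ip routing
!
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 ip address 198.51.100.1 255.255.255.0 secondary
 no shutdown
!
! Verification: both subnets appear as connected routes via Vlan100.
! show ip route connected
! show ip interface Vlan100
```

This only lets the switch route between the two subnets. Every port in VLAN 100 is still one broadcast domain, so ARP and other broadcasts from either subnet reach all four servers, exactly as the post says; it does not provide the isolation the original question asks for.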



Edison Ortiz Wed, 11/07/2007 - 09:26


Indeed you are right. Blame my fast reading abilities :)

I automatically assumed the other host in the /30 subnet would be the switch.

Richard Burts Wed, 11/07/2007 - 09:30


Indeed that is a very logical assumption. And ultimately I believe that it would be a better implementation. But it is not what was asked in the original post.



cisconoobie Wed, 11/07/2007 - 11:01

I can't have 2 vlans.

Would Private Vlans work in this situation?

or Mac-address access lists?

Richard Burts Wed, 11/07/2007 - 11:13


Before we talk about what would work in this situation perhaps you can clarify what you are trying to accomplish and what the constraints are? If we understood that we could give much better answers.



luislo Wed, 11/07/2007 - 15:02

Dear Pals,

Please let me say that IMHO you're partially wrong. You can use Cisco PVLANs to work around these troubles.

... in addition, RFC 3069 - "VLAN Aggregation for Efficient IP Address Allocation" could be applied in this case to use the same address space in two different broadcast domains with a common routed port to forward traffic between the two VLANs.






pkaretnikov Wed, 11/07/2007 - 11:16

It seems that you will actually need to implement private vlans in order to accomplish what you want. It's not pretty but it would allow you to isolate layer 2 in fun and exciting ways. Of course you did say you need to keep them in the same vlan so that may not suit your needs either. Other than that you would have to set up some extensive and annoying mac based ACLs.

I don't think there is a nice, good, easy answer with the requirements you set forth. Are you sure you need to keep all four servers in the same vlan?

cisconoobie Wed, 11/07/2007 - 11:30

Yes I need same vlan because of the eWAN setup I have.

ISP-Router connects to the 3750G on vlan 100 (port g1/0/1)

BSD Router connects to the 3750G on vlan 100 (port g1/0/2)

ISP-Router2 connects to the 3750G on vlan 100 (Port g2/0/1)

BSD Router connects to the 3750G on vlan 100 (port g2/0/2)

In order for this eWAN connection to work, I need to pass vlan 100 traffic to the ISP either via a trunk or access mode. A trunk in this case will not work so I have to use mode access.

One of my options is to break the 3750G stack and use the switches on their own but I don't want to do that since stacking is superior.

I have this implementation working off 2 separate 3750G each having int vlan 100 with their IPs.

What I would really like to do is keep the 2 x 3750G stacked and allow each bsd router to connect back to its respective ISP Router on vlan 100.

Please advise.

Edison Ortiz Wed, 11/07/2007 - 12:00

>In order for this eWAN connection to work, I need to pass vlan 100
>traffic to the ISP either via a trunk or access mode. A trunk in this case will not
>work so I have to use mode access.

Can you tell us why the trunk solution will not work ?

pkaretnikov Wed, 11/07/2007 - 13:23

Under the circumstances assuming the following:

- 3750s will stay stacked

- vlan 100 MUST be used for all four ports

- each /30 network must stay separate

I would have to say that private vlans are still the best solution. Set up 2 communities and they can both exist in vlan 100 while not sharing broadcast traffic.


I hope that helps.
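The "2 communities in vlan 100" suggestion above, as an added configuration example that is not from the original thread or from any poster. It assumes a 3750G stack running an IOS release that supports private VLANs, and it uses the port numbers given in the question; the community VLAN IDs 101 and 102, the descriptions and the VTP setting are assumptions.

```cisco
! Added example: two community VLANs inside primary VLAN 100.
! VLAN IDs 101/102 are chosen here; the thread does not specify them.
! The 3750 must be in VTP transparent mode to configure private VLANs.
vtp mode transparent
!
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 private-vlan community
!
vlan 102
 private-vlan community
!
! Community 101: first ISP router / BSD router pair on switch 1
interface GigabitEthernet1/0/1
 description ISP-Router (community 101)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/2
 description BSD Router (community 101)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community 102: second ISP router / BSD router pair on switch 2
interface GigabitEthernet2/0/1
 description ISP-Router2 (community 102)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface GigabitEthernet2/0/2
 description BSD Router (community 102)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Verification:
! show vlan private-vlan
! show interfaces GigabitEthernet1/0/1 switchport
```

Hosts in community 101 exchange frames, including broadcasts and ARP, only with each other; the same holds for community 102. Traffic between the two communities is dropped at layer 2, so the two /30 peerings no longer see each other's broadcasts while all four ports still report VLAN 100. No promiscuous port is defined because, as the thread later states, each pair reaches the other side of its /30 directly and needs no gateway; if a gateway were added later it would need a promiscuous port in VLAN 100.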

intelide3 Wed, 11/07/2007 - 21:36


sure - you can do that - no problem (also by stacking those 2 3750). but you will still get the broadcast for those 2 subnets in 1 vlan. just like putting 2 different nic and ip address in one manageable switch, and there is no way to separate that broadcast.

so - you have the third nic for the BSD to put back into the switch for routing your LAN right?


pls rate :)

jorgenolla Wed, 11/07/2007 - 16:25

vlan 100 with 2 servers:

vlan 100 with 2 servers:

This does not allow for another host in either of the subnets; meaning the two hosts will only be able to communicate with each other, since there is no address space for a gateway of last resort in either of the subnets. And still the actual broadcast domain will flood all four ports.

Private VLANs will work to break the broadcast domain; but you still don't have the address space for the gateway of last resort in either of the subnets.

cisconoobie Thu, 11/08/2007 - 16:03

I won't need a gateway of last resort.

The 10.1/30 server will get via 10.2/30

The 20.1/30 server will get via 20.2/30

I will try creating 2 communities and see what happens.

These servers are bgp peers.
