Inter VLAN routing

Answered Question
Jun 2nd, 2008

I have subnetted a class B address space (172.16.0.0 /16) into class C subnets. I have created VLANs for each subnet and SVIs for each VLAN.

InterVLAN routing works fine, with one exception. The end users had been previously setup to use a subnet mask of 255.255.0.0 (the network was using a flat 172.16.0.0 address space). Since I subnetted, the end users didn't have to change their subnet mask or gateways.

On the core switch my SVIs look like this.

interface Vlan5
 ip address 172.16.5.1 255.255.255.0
interface Vlan6
 ip address 172.16.6.1 255.255.255.0

Each access layer switch has the associated vlan in its database and is trunking to the core perfectly.

So why can a user in vlan 5 use the vlan 6 SVI IP address as a gateway address and talk to the rest of the network?

Jon Marshall Mon, 06/02/2008 - 15:26

Jason

Remember that a host uses its own subnet mask/IP address and the destination IP address in deciding whether the remote device is on the same subnet or not. So

User device in vlan 5 = 172.16.5.10 255.255.0.0

So this device thinks it is on network 172.16.0.0/16. If you tell the device its default-gateway is 172.16.6.1 then it doesn't have an issue because

172.16.6.1 with the device's subnet mask of 255.255.0.0 means that 172.16.6.1 is on the network 172.16.0.0/16.

Remember that the device only knows its own subnet mask, so it compares the destination address against its own subnet mask.

Change the user subnet on the device in vlan 5 to be 255.255.255.0 and leave the default-gateway to be 172.16.6.1 and it won't work.

You need to update all the subnet masks or you will get weird results.

Hope this makes sense.

Jon

andrew.butterworth Mon, 06/02/2008 - 15:28

proxy-arp

Unless you have disabled it on the SVI interfaces, proxy-arp will be masking this. On the PCs with the /16 mask check their ARP tables; they will have lots of entries that they think are on the same broadcast domain (172.16.0.0/16) with the same MAC address (it will be the SVI MAC of the VLAN they are in).

What happens is the SVI will respond to ARPs for networks it knows about, and the PCs will broadcast directly for devices in the same network; however, you have a mis-match of subnet masks.

It will work and we have used it as an enabler for address migrations, however you should really fix it and then disable proxy-arp as it is a bit of a security hole.

HTH

Andy

Jason Fraioli Mon, 06/02/2008 - 15:44

I guess that's what I was really driving at Andrew. Disabling proxy-arp should make it so that if their subnet mask does not conform to the vlan's subnet, then they should be dead in the water correct?

Richard Burts Mon, 06/02/2008 - 17:49

Jason

You are exactly correct. If you disable proxy arp then they should be dead in the water.

HTH

Rick

Correct Answer
andrew.butterworth Tue, 06/03/2008 - 01:02

What Rick said, sorry I went to bed after I made the 1st post...

If you disable proxy-arp on the SVI (or on any Layer-3 interface) then the router will stop responding to ARPs except its own (except obviously where HSRP, GLBP or VRRP are used; however, they are not really proxy-arps).

Andy
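Added example, not from anyone in this thread: a small Python model of the two behaviours the replies describe, the host testing a destination against its own mask (Jon's post) and the SVI answering ARPs for off-link networks only while proxy-arp is enabled (Andy's post). The VLANs, SVI addresses and the stale /16 host are constructed from the question; the proxy-ARP reply rule is a simplification of what the router actually does.

```python
from ipaddress import IPv4Address, IPv4Interface

# Constructed topology matching the thread: one SVI per VLAN on the core switch.
SVIS = {
    5: IPv4Interface("172.16.5.1/24"),
    6: IPv4Interface("172.16.6.1/24"),
}


def host_arp_target(host: IPv4Interface, gateway: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """Address the host ARPs for. The host tests dst against its OWN mask only."""
    if dst in host.network:
        return dst        # host believes dst is on-link and ARPs for it directly
    return gateway        # otherwise it ARPs for its default gateway


def svi_answers_arp(vlan: int, target: IPv4Address, proxy_arp: bool) -> bool:
    """Whether the SVI on `vlan` replies to an ARP request for `target`."""
    svi = SVIS[vlan]
    if target == svi.ip:
        return True       # a router always answers for its own address
    if not proxy_arp or target in svi.network:
        return False      # 'no ip proxy-arp', or the target is on the asking VLAN itself
    # Proxy ARP (simplified): the SVI answers with its own MAC for any destination
    # it can route to via another interface, here any other SVI subnet.
    return any(target in other.network for other in SVIS.values())


def off_vlan_reachable(host_vlan: int, host_cidr: str, gateway: str, dst: str, proxy_arp: bool) -> bool:
    """Can a host on `host_vlan` reach `dst` on another VLAN? Only if something on the
    host's own VLAN answers the ARP it sends, and for off-VLAN targets that is the SVI."""
    host, gw, target = IPv4Interface(host_cidr), IPv4Address(gateway), IPv4Address(dst)
    assert target not in SVIS[host_vlan].network, "model covers off-VLAN destinations only"
    return svi_answers_arp(host_vlan, host_arp_target(host, gw, target), proxy_arp)


if __name__ == "__main__":
    dst = "172.16.6.50"   # constructed host on VLAN 6
    # VLAN 5 host still on the old /16 mask, using VLAN 6's SVI as its gateway
    print("stale /16, proxy-arp on :", off_vlan_reachable(5, "172.16.5.10/16", "172.16.6.1", dst, True))
    print("stale /16, proxy-arp off:", off_vlan_reachable(5, "172.16.5.10/16", "172.16.6.1", dst, False))
    # Same host with the corrected /24 mask: wrong gateway fails, right gateway works
    print("fixed /24, wrong gateway:", off_vlan_reachable(5, "172.16.5.10/24", "172.16.6.1", dst, False))
    print("fixed /24, right gateway:", off_vlan_reachable(5, "172.16.5.10/24", "172.16.5.1", dst, False))
```

Running it prints True, False, False, True: proxy-arp is what makes the stale /16 host work, and once it is disabled only hosts with the correct mask and gateway get a reply.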
