Inter VLAN routing

Answered Question
Jun 2nd, 2008

I have subnetted a class B address space (172.16.0.0 /16) into class C subnets. I have created VLANs for each subnet and SVIs for each VLAN.


InterVLAN routing works fine, with one exception. The end users had been previously setup to use a subnet mask of 255.255.0.0 (the network was using a flat 172.16.0.0 address space). Since I subnetted, the end users didn't have to change their subnet mask or gateways.


On the core switch my SVIs look like this.


interface Vlan5
 ip address 172.16.5.1 255.255.255.0

interface Vlan6
 ip address 172.16.6.1 255.255.255.0


Each access layer switch has the associated vlan in its database and is trunking to the core perfectly.


So why can a user in vlan 5 use the vlan 6 SVI IP address as a gateway address and talk to the rest of the network?

Jon Marshall Mon, 06/02/2008 - 15:26

Jason


Remember that a host uses its own subnet mask/IP address and the destination IP address in deciding whether the remote device is on the same subnet or not. So


User device in vlan 5 = 172.16.5.10 255.255.0.0


So this device thinks it is on network 172.16.0.0/16. If you tell the device its default gateway is 172.16.6.1 then it doesn't have an issue because


172.16.6.1 with the device's subnet mask of 255.255.0.0 means that 172.16.6.1 is on the network 172.16.0.0/16.


Remember that the device only knows its own subnet mask, so it compares the destination address against its own subnet mask.


Change the user subnet mask on the device in vlan 5 to be 255.255.255.0 and leave the default gateway as 172.16.6.1 and it won't work.


You need to update all the subnet masks or you will get weird results.


Hope this makes sense.


Jon
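The on-link decision Jon describes, worked through in code. This is an added example, not something posted in the thread: it reproduces the host's own AND-and-compare using the Python standard library and then shows what happens to the three combinations discussed above (the /16 host, the /24 host pointed at the wrong VLAN's SVI, and the /24 host pointed at its own SVI). The host address 172.16.5.10 and the gateways come from the posts; the destination 172.16.6.50 is a constructed sample value.

```python
"""Added example: how a host decides whether a destination is on its own subnet.

The host only knows ITS OWN mask. It ANDs its own address and the destination
with that mask; it has no idea what mask the SVI or the destination uses.
"""
import ipaddress


def is_on_link(host_ip: str, host_mask: str, dest_ip: str) -> bool:
    """True if the host treats dest_ip as directly reachable (same subnet)."""
    iface = ipaddress.IPv4Interface(f"{host_ip}/{host_mask}")
    return ipaddress.IPv4Address(dest_ip) in iface.network


def next_hop(host_ip: str, host_mask: str, default_gw: str, dest_ip: str):
    """Return (address the host will ARP for, reason).

    A host that believes the destination is on-link ARPs for the destination
    itself; with a /16 mask on a /24 VLAN that ARP only gets answered if the
    SVI is doing proxy ARP. If the configured gateway is itself off-link for
    the host's own mask, the host cannot even resolve the gateway: this is
    the "dead in the water" case from the thread.
    """
    if is_on_link(host_ip, host_mask, dest_ip):
        return dest_ip, "on-link by the host's mask: ARPs for the destination directly"
    if not is_on_link(host_ip, host_mask, default_gw):
        return None, "gateway is off-link for the host's own mask: unreachable"
    return default_gw, "off-link: ARPs for the default gateway"


if __name__ == "__main__":
    # Constructed cases built from the addresses in the thread.
    cases = [
        ("172.16.5.10", "255.255.0.0", "172.16.6.1", "172.16.6.50"),    # /16 host, VLAN 6 SVI as gateway
        ("172.16.5.10", "255.255.255.0", "172.16.6.1", "172.16.6.50"),  # /24 host, VLAN 6 SVI as gateway
        ("172.16.5.10", "255.255.255.0", "172.16.5.1", "172.16.6.50"),  # /24 host, its own VLAN 5 SVI
    ]
    for host, mask, gw, dest in cases:
        target, why = next_hop(host, mask, gw, dest)
        print(f"{host}/{mask} gw={gw} -> {dest}: ARP for {target} ({why})")
```

The first case is the situation in the question: with a /16 mask the host never consults its gateway for 172.16.6.50, it ARPs for that address on its own VLAN, so whether it works depends entirely on whether the VLAN 5 SVI answers that ARP on the remote host's behalf.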

andrew.butterworth Mon, 06/02/2008 - 15:28

proxy-arp


Unless you have disabled it on the SVI interfaces, proxy-arp will be masking this. On the PCs with the /16 mask, check their ARP tables; they will have lots of entries that they think are on the same broadcast domain (172.16.0.0/16) with the same MAC address (it will be the SVI MAC of the VLAN they are in).

What happens is the SVI will respond to ARPs for networks it knows about, the PCs will broadcast directly for devices in the same network, however you have a mismatch of subnet masks.

It will work and we have used it as an enabler for address migrations, however you should really fix it and then disable proxy-arp as it is a bit of a security hole.


HTH


Andy
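The ARP-table check Andy suggests, as an added example that is not part of his post: parse a PC's `arp -a` output and flag any MAC address that is answering for hosts in more than one of the intended /24 subnets, which is exactly the footprint a proxy-ARPing SVI leaves in the cache of a host still using the /16 mask. The sample output is constructed, and the MAC addresses are placeholders from the documentation range, not real devices.

```python
"""Added example: spot the proxy-ARP signature in a PC's ARP cache.

With proxy ARP enabled on the SVI, every address the mis-masked PC wrongly
believes is on-link resolves to the SVI's MAC. Grouping the cache by MAC
makes that stand out.
"""
import re
import ipaddress
from collections import defaultdict

# Constructed sample of Windows 'arp -a' output from a PC in VLAN 5 that still
# has a /16 mask. MACs use the 00-00-5e-00-53-xx documentation range.
SAMPLE_ARP_A = """\
Interface: 172.16.5.10 --- 0xb
  Internet Address      Physical Address      Type
  172.16.5.1            00-00-5e-00-53-01     dynamic
  172.16.5.20           00-00-5e-00-53-20     dynamic
  172.16.6.1            00-00-5e-00-53-01     dynamic
  172.16.6.50           00-00-5e-00-53-01     dynamic
  172.16.7.25           00-00-5e-00-53-01     dynamic
  172.16.255.255        ff-ff-ff-ff-ff-ff     static
"""

# IPv4 address, a MAC in dash or colon notation, then the entry type.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac} for dynamic entries only; static/broadcast rows are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(3).lower() == "dynamic":
            entries[m.group(1)] = m.group(2).lower().replace("-", ":")
    return entries


def proxy_arp_indicators(entries: dict, intended_prefix: int = 24) -> dict:
    """Map each MAC to the intended subnets it answers for, keeping only the
    MACs that span more than one. A single MAC covering several /24s is the
    SVI proxy-ARPing for hosts the PC should have sent to its gateway."""
    by_mac = defaultdict(set)
    for ip, mac in entries.items():
        net = ipaddress.IPv4Network(f"{ip}/{intended_prefix}", strict=False)
        by_mac[mac].add(net)
    return {
        mac: sorted(str(n) for n in nets)
        for mac, nets in by_mac.items()
        if len(nets) > 1
    }


if __name__ == "__main__":
    flagged = proxy_arp_indicators(parse_arp_table(SAMPLE_ARP_A))
    for mac, nets in flagged.items():
        print(f"{mac} answers for {len(nets)} subnets: {', '.join(nets)}")
```

Once every host carries the correct /24 mask, the fix Andy describes is applied per SVI with the interface-level IOS command `no ip proxy-arp`; rerunning this check afterwards should show each MAC confined to a single subnet.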

Jason Fraioli Mon, 06/02/2008 - 15:44

I guess that's what I was really driving at Andrew. Disabling proxy-arp should make it so that if their subnet mask does not conform to the vlan's subnet, then they should be dead in the water correct?


Richard Burts Mon, 06/02/2008 - 17:49

Jason


You are exactly correct. If you disable proxy arp then they should be dead in the water.


HTH


Rick

Correct Answer
andrew.butterworth Tue, 06/03/2008 - 01:02

What Rick said, sorry I went to bed after I made the 1st post...


If you disable proxy-arp on the SVI (or on any Layer-3 interface) then the router will stop responding to ARPs except its own (except obviously where HSRP, GLBP or VRRP are used, however they are not really proxy-arps).


Andy
