
Inter VLAN routing

Jason Fraioli
Level 3

I have subnetted a class B address space (172.16.0.0/16) into class C subnets. I have created VLANs for each subnet and SVIs for each VLAN.

Inter-VLAN routing works fine, with one exception. The end users had previously been set up to use a subnet mask of 255.255.0.0 (the network was using a flat 172.16.0.0 address space). Since I subnetted, the end users didn't have to change their subnet mask or gateways.

On the core switch my SVIs look like this:

interface Vlan5
 ip address 172.16.5.1 255.255.255.0
interface Vlan6
 ip address 172.16.6.1 255.255.255.0

Each access layer switch has the associated vlan in its database and is trunking to the core perfectly.

So why can a user in VLAN 5 use the VLAN 6 SVI IP address as a gateway address and still talk to the rest of the network?

1 Accepted Solution


What Rick said, sorry I went to bed after I made the 1st post...

If you disable proxy-arp on the SVI (or on any Layer 3 interface) then the router will stop responding to ARPs except for its own address (obviously except where HSRP, GLBP or VRRP are used; however, those are not really proxy ARPs).

Andy


6 Replies

Jon Marshall
Hall of Fame

Jason

Remember that a host uses its own subnet mask/IP address and the destination IP address in deciding whether the remote device is on the same subnet or not. So

User device in VLAN 5 = 172.16.5.10 255.255.0.0

So this device thinks it is on network 172.16.0.0/16. If you tell the device its default gateway is 172.16.6.1 then it doesn't have an issue because

172.16.6.1 with the device's subnet mask of 255.255.0.0 means that 172.16.6.1 is on the network 172.16.0.0/16.

Remember that the device only knows its own subnet mask, so it compares the destination address against its own subnet mask.

Change the subnet mask on the device in VLAN 5 to 255.255.255.0 and leave the default gateway as 172.16.6.1 and it won't work.

You need to update all the subnet masks or you will get weird results.

Hope this makes sense.

Jon

proxy-arp

Unless you have disabled it on the SVI interfaces, proxy-arp will be masking this. On the PCs with the /16 mask check their ARP tables: they will have lots of entries that they think are on the same broadcast domain (172.16.0.0/16) with the same MAC address (it will be the SVI MAC of the VLAN they are in).

What happens is the SVI will respond to ARPs for networks it knows about; the PCs will broadcast directly for devices in the same network; however, you have a mismatch of subnet masks.

It will work and we have used it as an enabler for address migrations, however you should really fix it and then disable proxy-arp as it is a bit of a security hole.

HTH

Andy
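As an added example that is not part of this thread (and not Cisco code), the following Python model walks through both points made above: the host's local-versus-remote decision using only its own mask (Jon's reply) and the SVI answering ARPs for off-subnet targets while proxy ARP is enabled (Andy's reply). The two SVI addresses are the ones posted; the host addresses, the 10.0.0.1 remote destination, the MAC addresses and the small per-VLAN host table are constructed for illustration. Only connected routes are modelled, and a host whose configured gateway lies outside its own subnet is treated as unable to use it (an assumption about host stack behaviour; Linux rejects such a route outright).

```python
"""Model of the subnet-mask mismatch plus proxy ARP behaviour discussed above.

Added example, not code from the thread. SVI addresses follow the posted
config; host addresses, MACs, 10.0.0.1 and LAN_HOSTS are constructed.
"""
import ipaddress

# Hosts on each VLAN that would answer a broadcast ARP themselves (constructed).
LAN_HOSTS = {
    "Vlan5": {"172.16.5.20": "aa:aa:aa:00:05:20"},
    "Vlan6": {"172.16.6.50": "aa:aa:aa:00:06:50"},
}

# Posted SVI config; the MAC addresses are made up.
SVIS = {"Vlan5": ("172.16.5.1/24", "00:00:0c:00:00:05"),
        "Vlan6": ("172.16.6.1/24", "00:00:0c:00:00:06")}


class Router:
    """Core switch with one SVI per VLAN; `proxy_arp` mirrors `ip proxy-arp`."""

    def __init__(self, svis, proxy_arp=True):
        self.svis = {n: (ipaddress.ip_interface(a), mac) for n, (a, mac) in svis.items()}
        self.proxy_arp = proxy_arp

    def arp_reply(self, ingress, target):
        """MAC the router answers with for 'who-has target' heard on `ingress`, or None."""
        target = ipaddress.ip_address(target)
        ingress_if, ingress_mac = self.svis[ingress]
        if target == ingress_if.ip:            # its own address: always answered
            return ingress_mac
        if not self.proxy_arp or target in ingress_if.network:
            return None                         # no proxy, or a host the asker reaches directly
        # Proxy ARP: target is off the ingress subnet but reachable via another
        # SVI (only connected routes modelled), so answer with the ingress SVI MAC.
        for name, (iface, _) in self.svis.items():
            if name != ingress and target in iface.network:
                return ingress_mac
        return None


class Host:
    def __init__(self, vlan, address, gateway):
        self.vlan = vlan
        self.iface = ipaddress.ip_interface(address)    # e.g. "172.16.5.10/16"
        self.gateway = ipaddress.ip_address(gateway)
        self.arp_table = {}

    def next_hop(self, dst):
        """The local-vs-remote decision uses only the host's OWN mask."""
        dst = ipaddress.ip_address(dst)
        if dst in self.iface.network:
            return dst
        # Assumption: a gateway outside the host's own subnet is unusable.
        if self.gateway not in self.iface.network:
            return None
        return self.gateway

    def resolve(self, dst, router):
        """Broadcast ARP on the host's VLAN; return the MAC learned, or None."""
        nh = self.next_hop(dst)
        if nh is None:
            return None
        mac = LAN_HOSTS[self.vlan].get(str(nh)) or router.arp_reply(self.vlan, nh)
        if mac is not None:
            self.arp_table[str(nh)] = mac
        return mac


def walk(mask_bits, gateway, proxy_arp,
         dsts=("172.16.5.20", "172.16.6.50", "10.0.0.1")):
    """Resolve each destination from a VLAN 5 host; return ({dst: mac|None}, arp_table)."""
    router = Router(SVIS, proxy_arp)
    host = Host("Vlan5", f"172.16.5.10/{mask_bits}", gateway)
    results = {d: host.resolve(d, router) for d in dsts}
    return results, host.arp_table


if __name__ == "__main__":
    for mask, gw, proxy in [(16, "172.16.6.1", True), (16, "172.16.6.1", False),
                            (24, "172.16.5.1", False), (24, "172.16.6.1", True)]:
        res, table = walk(mask, gw, proxy)
        print(f"/{mask} gw={gw} proxy-arp={'on' if proxy else 'off'}: {res}")
```

With the /16 mask and proxy ARP on, the host's ARP table ends up with 172.16.6.50 and 172.16.6.1 both mapped to the Vlan5 SVI MAC, which is the pattern to look for in `arp -a` on the PCs. Passing `proxy_arp=False` corresponds to `no ip proxy-arp` under each SVI on IOS, after which the same /16 host resolves nothing outside its own VLAN; `show ip interface Vlan5` reports whether Proxy ARP is enabled, so the state can be confirmed before and after the change.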

I guess that's what I was really driving at, Andrew. Disabling proxy-arp should make it so that if their subnet mask does not conform to the VLAN's subnet, then they should be dead in the water, correct?

Jason

You are exactly correct. If you disable proxy arp then they should be dead in the water.

HTH

Rick



Hi Jason,

This document details the behaviour of having Proxy-Arp on Routers/SVI interfaces.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml

HTH

Shaheen
