06-02-2008 03:18 PM - edited 03-05-2019 11:22 PM
I have subnetted a class B address space (172.16.0.0 /16) into class C subnets. I have created VLANs for each subnet and SVI's for each VLAN.
InterVLAN routing works fine, with one exception. The end users had previously been set up to use a subnet mask of 255.255.0.0 (the network was using a flat 172.16.0.0 address space). Since I subnetted, the end users haven't had to change their subnet mask or gateways.
On the core switch my SVI's look like this.
Interface Vlan 5
ip address 172.16.5.1 255.255.255.0
Interface Vlan 6
ip address 172.16.6.1 255.255.255.0
Each access layer switch has the associated vlan in its database and is trunking to the core perfectly.
So why can a user in vlan 5, use the vlan 6 SVI IP address as a gateway address and talk to the rest of the network?
06-03-2008 01:02 AM
What Rick said, sorry I went to bed after I made the 1st post...
If you disable proxy-arp on the SVI (or on any Layer-3 interface) then the router will stop responding to ARPs except its own (except obviously where HSRP, GLBP or VRRP are used; however, they are not really proxy-arps).
Andy
06-02-2008 03:26 PM
Jason
Remember that a host uses its own subnet mask/IP address and the destination IP address in deciding whether the remote device is on the same subnet or not. So
User device in vlan 5 = 172.16.5.10 255.255.0.0
So this device thinks it is on network 172.16.0.0/16. If you tell the device its default gateway is 172.16.6.1 then it doesn't have an issue because
172.16.6.1 with the device's subnet mask of 255.255.0.0 means that 172.16.6.1 is on the network 172.16.0.0/16.
Remember that the device only knows its own subnet mask, so it compares the destination address against its own subnet mask.
Change the user subnet mask on the device in vlan 5 to be 255.255.255.0 and leave the default gateway as 172.16.6.1 and it won't work.
You need to update all the subnet masks or you will get weird results.
Hope this makes sense.
Jon
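To make Jon's point concrete, here is a small added example (not part of the thread) that models the host-side decision he describes: the host applies only its own mask to the destination and to the gateway. The addresses are the ones from the thread; the rule that a host cannot use a gateway it considers off-link is taken from Jon's "it won't work" and is an assumption of the model, since real operating systems differ in how strictly they enforce it.

```python
import ipaddress


def on_link(host_ip, host_mask, other_ip):
    """True if the host, using only ITS OWN mask, believes other_ip is on its subnet."""
    net = ipaddress.IPv4Network(f"{host_ip}/{host_mask}", strict=False)
    return ipaddress.IPv4Address(other_ip) in net


def arp_target(host_ip, host_mask, gateway, dst_ip):
    """Address the host will ARP for when it sends a packet to dst_ip.

    Returns dst_ip when the host considers it on-link, the gateway when it
    does not, and None when the gateway itself is off-link (assumption from
    the thread: such a host is "dead in the water" because it cannot ARP for
    a gateway it believes is on another subnet).
    """
    if on_link(host_ip, host_mask, dst_ip):
        return dst_ip
    if not on_link(host_ip, host_mask, gateway):
        return None
    return gateway


if __name__ == "__main__":
    # The Vlan 5 user from the thread, first with the old /16 mask, then with the correct /24.
    for mask in ("255.255.0.0", "255.255.255.0"):
        print(f"host 172.16.5.10 mask {mask}, gateway 172.16.6.1:")
        print("  gateway considered on-link:", on_link("172.16.5.10", mask, "172.16.6.1"))
        print("  to reach 172.16.20.50 the host ARPs for:",
              arp_target("172.16.5.10", mask, "172.16.6.1", "172.16.20.50"))
```

With the /16 mask the host ARPs directly for 172.16.20.50 (a host on another VLAN), which is exactly the request that proxy ARP on the SVI will answer; with the /24 mask and the Vlan 6 SVI as gateway, the host has nothing on-link to send to.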
06-02-2008 03:28 PM
proxy-arp
Unless you have disabled it on the SVI interfaces, proxy-arp will be masking this. On the PCs with the /16 mask check their ARP tables; they will have lots of entries that they think are on the same broadcast domain (172.16.0.0/16) with the same MAC address (it will be the SVI MAC of the VLAN they are in).
What happens is the SVI will respond to ARPs for networks it knows about, and the PCs will broadcast directly for devices in the same network; however, you have a mismatch of subnet masks.
It will work and we have used it as an enabler for address migrations, however you should really fix it and then disable proxy-arp as it is a bit of a security hole.
HTH
Andy
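The following added example (not from the thread or from Cisco) models the two things Andy describes: how the SVI decides whether to answer an ARP request it hears on a VLAN, and how the symptom shows up in a PC's ARP cache as one MAC answering for addresses in several /24s. The SVI networks are the ones from the question; the MAC addresses, the third VLAN and the ARP cache contents are constructed. The rule that a switch with proxy ARP disabled answers only for the address of the SVI the request arrived on follows Andy's and Rick's statements, and the detection threshold is a hypothetical choice.

```python
import ipaddress

# Constructed model of the core switch: three /24 SVIs with made-up MAC addresses.
# The SVI address is the first host address of each network (.1), as in the question.
SVIS = {
    "Vlan5": {"network": ipaddress.IPv4Network("172.16.5.0/24"), "mac": "00:00:0c:00:00:05"},
    "Vlan6": {"network": ipaddress.IPv4Network("172.16.6.0/24"), "mac": "00:00:0c:00:00:06"},
    "Vlan7": {"network": ipaddress.IPv4Network("172.16.7.0/24"), "mac": "00:00:0c:00:00:07"},
}


def svi_address(name):
    return SVIS[name]["network"].network_address + 1


def egress_interface(target):
    """Longest-prefix match over the connected SVI networks; None when there is no route."""
    best = None
    for name, svi in SVIS.items():
        if target in svi["network"] and (
            best is None or svi["network"].prefixlen > SVIS[best]["network"].prefixlen
        ):
            best = name
    return best


def proxy_arp_reply(ingress_vlan, target, proxy_arp_enabled=True):
    """MAC the switch puts in its ARP reply for `target` heard on `ingress_vlan`, or None."""
    target = ipaddress.IPv4Address(target)
    ingress = SVIS[ingress_vlan]
    # The SVI always answers for its own address on its own VLAN.
    if target == svi_address(ingress_vlan):
        return ingress["mac"]
    # Another host on the same VLAN answers for itself; the switch stays silent.
    if target in ingress["network"]:
        return None
    # Target sits behind a different interface: only proxy ARP makes the switch answer,
    # and it answers with the MAC of the SVI the request arrived on (what the PCs see).
    if proxy_arp_enabled and egress_interface(target) not in (None, ingress_vlan):
        return ingress["mac"]
    return None


def proxy_arp_symptoms(arp_table, min_subnets=2):
    """MACs that a host's ARP cache maps to addresses in `min_subnets` or more distinct /24s.

    On a correctly masked /24 VLAN each MAC should appear for one subnet only; one MAC
    answering across several /24s is the pattern Andy says to look for on the PCs.
    """
    subnets_per_mac = {}
    for ip, mac in arp_table:
        net = ipaddress.IPv4Network(f"{ip}/24", strict=False)
        subnets_per_mac.setdefault(mac.lower(), set()).add(net)
    return sorted(mac for mac, nets in subnets_per_mac.items() if len(nets) >= min_subnets)


# Constructed ARP cache of a Vlan 5 PC still configured with 255.255.0.0.
VLAN5_PC_ARP_CACHE = [
    ("172.16.5.20", "aa:bb:cc:00:00:20"),  # real neighbour on Vlan 5
    ("172.16.6.1", "00:00:0c:00:00:05"),   # "gateway" in Vlan 6, answered by the Vlan 5 SVI
    ("172.16.6.30", "00:00:0c:00:00:05"),  # host in Vlan 6, answered by the Vlan 5 SVI
    ("172.16.7.40", "00:00:0c:00:00:05"),  # host in Vlan 7, answered by the Vlan 5 SVI
]


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"proxy-arp {'on' if enabled else 'off'}: ARP for 172.16.6.1 heard on Vlan5 ->",
              proxy_arp_reply("Vlan5", "172.16.6.1", enabled))
    print("MACs answering across several /24s:", proxy_arp_symptoms(VLAN5_PC_ARP_CACHE))
```

The first loop reproduces the question's puzzle: with proxy ARP on, the Vlan 5 SVI answers the ARP for 172.16.6.1 with its own MAC, so the mis-masked PC "works"; with it off (`no ip proxy-arp` on the SVI), the request goes unanswered. The second call is the check Andy suggests running on the PCs before the masks are fixed and proxy ARP is turned off.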
06-02-2008 03:44 PM
I guess that's what I was really driving at Andrew. Disabling proxy-arp should make it so that if their subnet mask does not conform to the vlan's subnet, then they should be dead in the water correct?
06-02-2008 05:49 PM
Jason
You are exactly correct. If you disable proxy arp then they should be dead in the water.
HTH
Rick
06-03-2008 01:43 AM
Hi Jason,
This document details the behaviour of having Proxy-Arp on Routers/SVI interfaces.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml
HTH
Shaheen