one subnet and multiple vlans, proxy arp

Answered Question
May 23rd, 2010

Hi everybody,

I was reading my book about what the best practices are when it comes to VLANs. The book says: "Though not the best practice, you can design a network to use one subnet on multiple VLANs and use routers with proxy ARP enabled to forward traffic between hosts in those VLANs."

Just for the concept and out of curiosity, I am wondering how I could design such a network.

Let's say we have a switch, sw1, with two VLANs, vlan1 and vlan2. Both VLANs use the same network, say 10.0.0.0/8.

The problem is, if I have to connect a router to the switch, how should I connect it? Let's say our router has two Ethernet ports, f1 and f2. I put f1 in vlan1 and f2 in vlan2. But they both require different network numbers, i.e. we cannot configure f1 and f2 with the same network (10.0.0.0/8). Both ports must be in different networks/subnets.

So the question is, how can such a network be designed?

Thanks, and have a good day.

Correct Answer by Jon Marshall, Mon, 05/24/2010 - 00:38

Sarah

The book says: "Though not the best practice, you can design a network to use one subnet on multiple VLANs and use routers with proxy ARP enabled to forward traffic between hosts in those VLANs."

The problem is, if I have to connect a router to the switch, how should I connect it? Let's say our router has two Ethernet ports, f1 and f2. I put f1 in vlan1 and f2 in vlan2. But they both require different network numbers, i.e. we cannot configure f1 and f2 with the same network (10.0.0.0/8). Both ports must be in different networks/subnets.

So the question is, how can such a network be designed?

That really is an excellent question. The answer is, if you are only using one router, it can't be done in the way you describe, because of the very issue you outline, i.e. a router cannot have two Ethernet interfaces in the same IP subnet. Even if you used a different mask, you would still get overlapping subnet issues when you tried to configure it.

The only time I have seen multiple VLANs with the same subnet is when you are configuring devices such as the Firewall Services Module in transparent mode, i.e.

vlan 10 -> FWSM -> vlan 11

VLAN 10 and VLAN 11 both use the same subnet because in transparent mode the FWSM is acting as an L2 device, not L3. You have to use different VLANs because if you used the same VLAN on both sides you would get an STP loop.

Jon

Correct Answer by Federico Coto F..., Sun, 05/23/2010 - 21:10

Sara,

Just some comments to try to help...

VLANs are a layer 2 concept.

IP subnets are a layer 3 concept.

This means that technically you can have multiple IP subnets residing in the same VLAN (however, this is not a recommended practice).

If you're talking about the interfaces of a router, those interfaces are layer 3 interfaces; therefore you cannot assign two different interfaces to the same IP subnet.

The concept of proxy ARP is not a recommended practice either, but it can help in situations where hosts don't have a default gateway configured or are configured incorrectly.

e.g.

If host A, with IP 10.0.0.2 255.0.0.0, tries to reach anything on the 10.x.x.x network (even though it does not actually belong to the entire 10.0.0.0/8 network), it will send an ARP broadcast to determine the MAC address of the destination IP.

Since the destination IP (let's say 10.254.5.5/24) resides on a separate subnet, the router will accept the ARP and will respond to host A with its own MAC address to send the packet to the correct destination (assuming that the router knows how to reach the destination host).

Proxy ARP will respond to ARP requests with its own MAC address.

You can have routers configured with secondary addresses as well on the same interfaces.

Hope this helps a little.

Federico.
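The host-side and router-side decisions Federico walks through above, as an added simulation that is not code from this thread or from Cisco. The topology, interface names, MAC addresses and hosts are constructed for illustration: the router's two interfaces sit in distinct /24s (the only way it can legally be configured, as Jon notes), and only host A carries the wrong /8 mask. The router rule implemented (reply only when proxy ARP is enabled on the ingress interface, the target is not on that interface's own subnet, and the route to the target exits through a different interface) is my reading of the RFC 1027 style behaviour of IOS and is stated as an assumption, not taken from the page.

```python
"""Simulate proxy ARP for a host with a too-wide mask (10.0.0.2/8) that ARPs
for an address which really lives on another subnet behind the router.

Added example, not code from the thread. Topology, names and MACs are
constructed; the router's reply rule is an assumption about IOS behaviour.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Interface:
    name: str
    addr: IPv4Interface      # e.g. IPv4Interface("10.0.0.1/24")
    mac: str
    proxy_arp: bool = True   # IOS default is "ip proxy-arp" enabled


class Router:
    def __init__(self, interfaces, static_routes=()):
        self.ifs = {i.name: i for i in interfaces}
        # connected routes derived from the interfaces, plus any statics
        self.routes = [(i.addr.network, i.name) for i in interfaces]
        self.routes += [(ip_network(p), out) for p, out in static_routes]

    def lookup(self, dst):
        """Longest-prefix match; returns the egress interface name or None."""
        best = None
        for net, out in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out)
        return best[1] if best else None

    def arp_reply(self, ingress, target):
        """MAC the router puts in an ARP reply for `target` received on
        `ingress`, or None if it stays silent."""
        iface = self.ifs[ingress]
        if target == iface.addr.ip:
            return iface.mac                 # ordinary ARP for our own address
        if not iface.proxy_arp:
            return None                      # "no ip proxy-arp" on this interface
        if target in iface.addr.network:
            return None                      # on-link host answers for itself
        egress = self.lookup(target)
        if egress is None or egress == ingress:
            return None                      # no route, or it would hairpin
        return iface.mac                     # proxy ARP: answer with our own MAC


@dataclass(frozen=True)
class Host:
    addr: IPv4Interface
    vlan_if: str                             # router interface on the host's VLAN
    gateway: Optional[IPv4Address] = None


def resolve(host, target, router):
    """Who does `host` ARP for, and what does the router answer?
    Returns (arp_target, reply_mac); (None, None) means the host gives up."""
    target = ip_address(target)
    if target in host.addr.network:          # judged by the host's OWN mask
        arp_for = target                     # /8 host ARPs for all of 10/8
    elif host.gateway is not None:
        arp_for = host.gateway
    else:
        return (None, None)                  # no gateway, off-subnet: unreachable
    return (arp_for, router.arp_reply(host.vlan_if, arp_for))


# Constructed topology (assumption): R1 has Fa0/1 in vlan1 and Fa0/2 in vlan2.
R1 = Router([
    Interface("Fa0/1", IPv4Interface("10.0.0.1/24"), "00:00:0c:00:00:01"),
    Interface("Fa0/2", IPv4Interface("10.254.5.1/24"), "00:00:0c:00:00:02"),
])
R1_NO_PROXY = Router([
    Interface("Fa0/1", IPv4Interface("10.0.0.1/24"), "00:00:0c:00:00:01", proxy_arp=False),
    Interface("Fa0/2", IPv4Interface("10.254.5.1/24"), "00:00:0c:00:00:02"),
])
HOST_A = Host(IPv4Interface("10.0.0.2/8"), "Fa0/1")                          # wrong mask, no gateway
HOST_B = Host(IPv4Interface("10.0.0.3/24"), "Fa0/1", ip_address("10.0.0.1"))  # correctly configured

if __name__ == "__main__":
    for label, host, rtr in [("host A, proxy ARP on ", HOST_A, R1),
                             ("host A, proxy ARP off", HOST_A, R1_NO_PROXY),
                             ("host B, default gw    ", HOST_B, R1)]:
        print(label, "->", resolve(host, "10.254.5.5", rtr))
```

With proxy ARP on, host A's broadcast for 10.254.5.5 is answered with Fa0/1's MAC even though that address is not the router's, which is exactly why the misconfigured host "works"; turn proxy ARP off on Fa0/1 and the same host gets no reply at all, while host B, with a correct mask and gateway, never depends on it. The router also stays silent for targets inside Fa0/1's own /24, so it does not shadow hosts that are genuinely on the same VLAN.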
