Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1594
Views
0
Helpful
2
Replies

General DHCP and secondary vlan questions and discussion

NormMuelleman
Level 1
Level 1

‎08-05-2013 09:58 PM - edited ‎03-07-2019 02:46 PM

I've been reading for 45 minutes since getting off night shift, trying to find a definitive answer to a question. This has lead me to researching

ip address 192.168.30.1 255.255.255.0  secondary     

This started innocently enough with someone asking about VLANs. Trying to keep it simple, I replied that a VLAN separates collision domains. It keeps PC's within one virtual lan segment. So you could have several vlans on a switch, say vlan 10, vlan 20, and devices in 10 are separated from 20. But then we got into router on a stick, SVI, etc. And the question was proposed:

"How many ip addresses can be assigned to a vlan"?. And there-in lies the path less traveled

The initial response was "well, one". That started an argument from a young man that wasn't in the conversation. He said "no, you can have multiple ip's to a vlan using the secondary vlan".

So, being pretty tired, and cranky, I started to try and argue my point. But then I was second-guessing myself. So, a little review:

Let's say I have VLAN 10. I configure the switch:

ip routing

...

vlan 10

desc The Best VLAN

exit

interface vlan 10

ip address 192.168.10.1 255.255.255.0

no shut

So, I've assigned ONE ip address to vlan 10. Not two....not 20...just one. Am I wrong in this logic? I know this is being way simple, but bare with me...

Now granted, vlan 10 is going to have devices assigned to it in various ports. And a port in access mode can have ONE vlan..but then we change that rule and we say it can have ONE ACCESS vlan, and ONE VOICE vlan. Another topic, another day... back to our story:

So, the devices are getting their IP addresses from a DHCP server. I'm talking real-world. Most enterprise locations use a Microsoft or Linux or whatever server to assign IP addresses from a DHCP server. If the DHCP is NOT on the same network segment, we add in the ip helper address. That basically "boosts" the dhcp to get to the correct network segment and hit the DHCP server. So, here's my point and questions|:

Yes, a range of IP's are assigned in the DHCP scope for VLAN 10, say 192.168.10.0/24. Of course, you'll reserve the 192.168.10.1 for VLAN 10's ip address. Again, you've assigned it ONE IP address, correct? But you've given it a range to hand out to other devices within the vlan.

But then this led me into the SECONDARY command. Again, VLAN 10 has the /24 assigned to it in the DHCP server. Life is good..but oh oh...you've run out of IP addresses in the vlan 10 scope! Now what? So, you make vlan 10 192.168.20.0/24 in DHCP. Then, you go into your distro switch, and do

interface vlan 10

ip address 192.168.10.1 255.255.255.0

ip address 192.168.20.1 255.255.255.0 secondary 

ip helper address 10.10.10.1

This is where I'm kinda stuck:

1. We've given vlan 10 ip address of 192.168.10.1 initially. So, one ip address, correct?

2. We've now given it a secondary address...so it's got TWO ip addresses now? Or does it just have 1, and a sudo-address?

3. Ok, I need to modify our scenario a bit for this question: let's say you've got the one address, but are about to exhaust the scope, so you put in the secondary address. DHCP will continue giving out addresses in the original /24 until it's exhausted, correct? That's when the secondary kicks in, with the three unanswered DHCP requests?

4. And you can only have 4 secondary addresses per SVI, correct?

5. Finally, you need to put the secondary ip address range in your eigrp network statements for proper routing. But someone said that any routing  updates only come in on the primary address; if you try and move network segments, the secondary addresses get "lost"?

Finally, I'm looking for some feedback from REAL WORLD set-ups. This job is the first place where I've seen them rely on this secondary address so much. Everyplace else just adjusts the vlan scope, or makes it big enough for expansion, and can adjust the DHCP scopes accordingly. Is this a "best practice" so to speak? And can the secondary addresses be discontigeious ?

Thanks for your time in reading and responding in advance!

Labels:
0 Helpful
2 Replies 2

Leo Laohoo
Hall of Fame
Hall of Fame

‎08-05-2013 10:01 PM

You can define MULTIPLE "secondary" IP Address to a single VLAN.

Not common practice, but it's do-able. 

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Leo Laohoo

‎08-06-2013 06:09 AM

I agree with Leo that you can assign multiple secondary addresses on a single vlan interface. I am not sure where the original poster got the impression that there is a limit of 4 secondary addresses but that is not the case.

I also note some ambiguity in the phrasing of the original post. There are several references to secondary vlan. There is not such a thing as secondary vlan but there are secondary addresses that can be within a vlan.

There was a passing reference to having a data vlan and a voice vlan. The voice vlan is a sort of exception to the rule that an access port can have only a single vlan on it. In general it is true that an access port can have only a single vlan on it. The Cisco voice vlan does create an exception to that rule. But the voice vlan is a separate vlan and is not secondary to the data vlan.

I will also offer a comment about secondary addresses and dynamic routing protocols. It is true for the modern routing protocols such as OSPF and EIGRP that they can advertise the subnets of secondary addresses. But it is also true for these protocols that they form neighbor relationships only on the primary IP address and that the source address for any advertisement will be the primary address and not any secondary address.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card