Cisco Support Community

New Member

routing issues

Hi,

Two switches are interconnected with each other and one switch is connected to a router. The two switches each have a different subnet mask, say A & B, under one common subnet. If I want to route only the hosts in A to other networks... then what should be configured on the interface connecting the switch to the router?

Do help me in this issue...

Accepted Solution

Re: routing issues

You can, but you need to get it right.

To restrict the traffic, you really need to be using an access list on a router, which means you need to have the bits you want to protect in different VLANs.

You have 172.20.0.0/23.

You seem to need 96 addresses for users in one area, 255 for users in another and 160 for servers.

This does not fit nicely for subnetting if those are really what you want.

To do this, the nearest fit I can come up with is

172.20.0.0/24 users1

172.20.1.0/26 users2

172.20.1.64/27 users3

172.20.1.96/27 servers1

172.20.1.128/25 servers2

This can all be advertised into the rest of the network at 172.20.0.0/23

That will give a similar number of user and server addresses. You then use your L3 in the 3750 to route between these VLANs, and can use access lists to control what traffic is allowed where.

Just "deeming" them to be in different subnets won't work well. You need to get the traffic through the router to get an access list to work on it.

8 REPLIES
Hall of Fame Super Blue

Re: routing issues

Hi

Could you provide some IP addressing to clarify what you mean?

Jon

New Member

Re: routing issues

Hi, thank you for replying...

Herewith I have attached the diagram... hope it is clear...

regs

Re: routing issues

You appear to have quite a flaw in your addressing usage. You refer to 172.20.0/23. That range includes 172.20.0.0 - 172.20.1.255. You also appear to be using inconsistent masks:

1st 172.20.1.1 -- 1.96 /23 for user's

2nd 172.20.1.97 -- 1.254 /24 for server's

The networks referred to are 172.20.0/23 and 172.20.1.0/24, but the address ranges mentioned both fall within the 172.20.1.0/24 subnet.

Whoever planned this does not understand IP addressing.

New Member

Re: routing issues

Hi Paul,

I want to make sure... whether we can divide a subnet into groups using the subnet mask and restrict access between any 2 groups while the rest have access between them...

regs

sakthi

Hall of Fame Super Silver

Re: routing issues

sakthi

It does not work to just assign different masks and attempt to restrict access based on mask. Within a VLAN devices should have a consistent subnet mask. If devices use different masks within the same VLAN it does not enhance control and may introduce other problems.

For most purposes we can consider a VLAN and a subnet as meaning the same thing. A VLAN is a subnet and a subnet is a VLAN. There are a few exceptions but in general things work better when we consider that a VLAN is a subnet and that a subnet is a VLAN. If you follow this principle then it never creates a problem.

HTH

Ric

New Member

Re: routing issues

Thank you for all your valued support...

I will stick to the "VLAN = a subnet" principle by Richard.

I got the point clearly from the subnetting example by Paul.

I will proceed with the access list further... and if I get stuck somewhere, I will come back to you, Paul...

Thank you very much

Re: routing issues

You are welcome. With a little knowledge of the groups you have, you may be able to plan the subnet addressing far better than I did - all I did was best fit on what you have. The varied masks I suggested are inelegant, and would be confusing for someone later.

Tidier would be to look at what you really need, and select a single mask that will fit most groups best - for example if you only have 80 or so servers, and in that bottom group of users there are only 90 or so, consider a /25 mask - that gives you four even-sized groups out of your /23. Maybe even consider going to a /26 if the numbers work OK on the groups of users and servers.

Smaller subnets give more granularity for control either in access lists or in case of a problem - it is a lot easier to shut off a group of 40 users or so if one has a virus that is affecting the network (e.g. Code Red or SQL Slammer types) than 400!

The old position of switch where you can, route where you must leading to large subnets is obsolete as most routing now is done by hardware switching so does not have the performance issues of old process switching.

Small subnets give more control, and better performance as fewer devices see traffic they don't need - like broadcasts.
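A check for the addressing plans discussed in this thread (the best-fit plan in the accepted answer and the even /25 split suggested in the last reply), added here as an example and not posted by any participant: it uses Python's `ipaddress` module to confirm that the subnets do not overlap and together fill 172.20.0.0/23, which is what lets each group sit behind its own routed interface and access list. The function names and the `group1..N` labels are assumptions.

```python
import ipaddress

def audit_plan(parent, plan):
    """Return (usable, overlaps, gaps) for a {label: CIDR} plan inside parent."""
    parent = ipaddress.ip_network(parent)
    nets = {label: ipaddress.ip_network(cidr) for label, cidr in plan.items()}
    stray = [label for label, net in nets.items() if not net.subnet_of(parent)]
    if stray:
        raise ValueError(f"not inside {parent}: {stray}")
    # Usable hosts exclude the network and broadcast address of each subnet.
    usable = {label: net.num_addresses - 2 for label, net in nets.items()}
    # Overlapping ranges cannot be routed, and so filtered, as separate subnets.
    labels = sorted(nets, key=lambda label: nets[label])
    overlaps = [(a, b) for i, a in enumerate(labels)
                for b in labels[i + 1:] if nets[a].overlaps(nets[b])]
    # Carve every assigned subnet out of the parent; what remains is unassigned.
    remaining = [parent]
    for net in nets.values():
        kept = []
        for block in remaining:
            if not block.overlaps(net):
                kept.append(block)
            elif net.subnet_of(block):
                kept.extend(block.address_exclude(net))
            # otherwise block lies wholly inside net and is consumed
        remaining = kept
    return usable, overlaps, sorted(remaining)

def even_split(parent, prefix):
    """Split parent into equal subnets; labels group1..N are placeholders."""
    subnets = ipaddress.ip_network(parent).subnets(new_prefix=prefix)
    return {f"group{i}": str(net) for i, net in enumerate(subnets, 1)}

PARENT = "172.20.0.0/23"
# The two networks from the original diagram, as described in the thread.
ORIGINAL = {"users": "172.20.0.0/23", "servers": "172.20.1.0/24"}
# The best-fit plan from the accepted answer.
BEST_FIT = {"users1": "172.20.0.0/24", "users2": "172.20.1.0/26",
            "users3": "172.20.1.64/27", "servers1": "172.20.1.96/27",
            "servers2": "172.20.1.128/25"}

if __name__ == "__main__":
    for name, plan in [("original", ORIGINAL), ("best fit", BEST_FIT),
                       ("even /25", even_split(PARENT, 25))]:
        usable, overlaps, gaps = audit_plan(PARENT, plan)
        print(name, usable, "overlaps:", overlaps, "gaps:", [str(g) for g in gaps])
```
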
