New Member

Same Secondary ip range in two different VLANs for "local" VoIP phones?

I currently have separate VLANs for faculty, staff, and students, with ACLs allowing access to different internal resources. We have a Catalyst 4507 as our L2/L3 core switch, and all our access switches are L2 only, with trunk ports to the core, and user ports statically assigned to different VLANs based on physical location, e.g. staff office jacks are on the STAFF VLAN.

We are not yet using any external VoIP phones, but for some remote buildings, we use VoIP on our STAFF VLAN for the connection from the phone to our PBX. From the PBX onwards, it is a normal phone call, not VoIP. (These buildings are too far to allow our "digital" phones to work via the standard analog phone line, though an analog phone would work). The PBX is a Samsung system, so we are not using any Cisco VoIP features, merely an IP connection from an ethernet jack for the phone to reach the PBX. (That's why I'm asking in the network group rather than the phones group.)

We use DHCP for our normal user address assignment, but for our small number of VoIP phones, I've manually assigned them IP addresses. Also, to avoid messing with my DHCP ranges, I've added a secondary ip range to the STAFF VLAN for the phones. Then, in the STAFF VLAN ACL, I allow the phones IP range to reach the PBX vlan, but not anywhere else.

So far this works! (BUT, is it a Bad Idea or The Wrong Way To Do IT? If so, please explain.)

e.g. for the STAFF VLAN I have:

interface Vlan100
 description STAFF NETWORK
 ip address 10.9.10.1 255.255.255.0 secondary
 ip address 10.100.0.1 255.255.254.0
 ip access-group STAFF in
 ip helper-address 10.1.1.10

where 10.100.0.0/23 is the usual staff computers range, and 10.9.10.0/24 is the range I added for VoIP phones, and 10.1.1.10 is our DHCP server.

Next, I need to add some FACULTY "internal" VoIP phones. My question is, can I add the same secondary IP range to the faculty VLAN also, or will that do strange things by bridging the two VLANS somehow?

e.g., given

interface Vlan200
 description FACULTY NETWORK
 ip address 10.200.0.1 255.255.254.0
 ip access-group FACULTY in
 ip helper-address 10.1.1.10

Can I add the same "ip address 10.9.10.1 255.255.255.0 secondary" to this VLAN, or do I need to pick a different range for the faculty phones?

The benefit of having the same shared secondary address range for phones is that I could configure a VoIP phone with a 10.9.10.xx IP, and have it work for either staff or faculty, rather than, say, 10.9.10.0/24 for STAFF phones, and 10.9.20.0/24 for FACULTY phones.

In general, I guess I'm not really understanding how secondary addresses affect broadcast domains and such. Since the packets from the different VLANs are tagged when they get trunked to the core switch, it seems it should keep each 10.9.10.xx phone address in the proper vlan, no matter which sort of jack a phone is plugged into.

Or, would there be some sort of routing issue from having 10.9.10.xxx devices in both VLAN 100 and VLAN 200 trying to communicate with the PBX VLAN? (Except at the core, our network is only L2).

Thanks for any clues you can share,

Steve Bohrer


Accepted Solutions
Hall of Fame Super Silver

Re: Same Secondary ip range in two different VLANs for "local" V

Steve

Yes there would be routing issues if you configure the same secondary address range in two different VLANs. Probably the best way to explain it is to think of a phone that has address 10.9.10.51. Its traffic will get to the PBX just fine. But what will happen when the PBX wants to send something back to the phone? It will send the packet to either the staff VLAN or to the faculty VLAN (but not to both). And so there is about a 50% chance that it will send the packet to the wrong VLAN.

HTH

Rick


New Member

Re: Same Secondary ip range in two different VLANs for "local" V

Thanks Richard. I didn't know if this would be a routing issue, or just a layer 2 ARP issue. "sh arp" on my 4500 shows that it knows the MAC, IP address, and VLAN of every device on our network, so I thought that might be enough.

But, I guess it is actually building a routing table to handle all the VLANs, as "sh ip route" lists every ip range I use as "directly connected, Vlan xx". That bit would probably break if I tried the same range in two different VLANs!

Do you know if it would give an error when I tried to add the overlapping IP ranges, or would it just be unable to reliably route to those devices? (I guess I could try it during a maintenance window sometime and see how it breaks.)

Steve

Hall of Fame Super Silver

Re: Same Secondary ip range in two different VLANs for "local" V

Steve

In general Cisco layer 3 devices will give an error message if you attempt to configure overlapping IP addresses on two interfaces. I have not checked that on a 4507 and so am not authoritative on this question. But I would predict that you would get an error message if you did try to configure it.

And even if the 4507 lets you configure it, putting the same IP subnet as secondary on two different layer 3 interfaces will create problems. The problems have some aspects of ARP behavior and some aspects of routing behavior. The 4507 is acting as a layer 3 switch which supplies the routing function that allows devices in different VLANs to communicate with each other. Part of making this work is to create a routing table which it uses to forward traffic from one VLAN to another VLAN. If we think of the example I suggested in my first post, we can think of a phone at 10.9.10.51 in VLAN 100. It sends traffic to its default gateway 10.9.10.1 in the staff VLAN. The switch forwards the traffic to the PBX. Now the PBX wants to send traffic back to the phone at 10.9.10.51 and sends it to its gateway. Now the switch has a packet with destination address in the 10.9.10 subnet. Should it look for ARP entries in VLAN 100 or in VLAN 200? If the switch chooses to look in VLAN 200 it will not find the ARP entry. It will send an ARP request into VLAN 200, which will not receive any response (because the phone is in VLAN 100) and the switch will drop the packet with an error of host not reachable.

HTH

Rick
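
An added example, not part of the thread or of any poster's configuration: a small offline check that flags a subnet appearing as "directly connected" on more than one interface, which is the condition the replies above describe. The function names are hypothetical, and the sample config is constructed from the Vlan100/Vlan200 snippets in the question with the proposed shared secondary added to Vlan200.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: the question's two SVIs, with the proposed shared
# secondary range 10.9.10.0/24 added to Vlan200 as well.
SAMPLE_CONFIG = """\
interface Vlan100
 description STAFF NETWORK
 ip address 10.9.10.1 255.255.255.0 secondary
 ip address 10.100.0.1 255.255.254.0
 ip access-group STAFF in
!
interface Vlan200
 description FACULTY NETWORK
 ip address 10.9.10.1 255.255.255.0 secondary
 ip address 10.200.0.1 255.255.254.0
 ip access-group FACULTY in
"""

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)(?: secondary)?\s*$")

def connected_networks(config):
    """Return [(interface, IPv4Network)] for every primary/secondary address."""
    nets, iface = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            continue
        m = ADDR_RE.match(line)
        if m and iface:
            # strict=False: the line holds a host address; we want its subnet
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            nets.append((iface, net))
    return nets

def find_overlaps(config):
    """Return (ifA, netA, ifB, netB) for subnets connected on two interfaces."""
    hits = []
    for (if_a, net_a), (if_b, net_b) in combinations(connected_networks(config), 2):
        if if_a != if_b and net_a.overlaps(net_b):
            hits.append((if_a, str(net_a), if_b, str(net_b)))
    return hits

if __name__ == "__main__":
    for if_a, net_a, if_b, net_b in find_overlaps(SAMPLE_CONFIG):
        print(f"{if_a} {net_a} overlaps {if_b} {net_b}")
```

With a separate range per VLAN (for instance the 10.9.20.0/24 the question mentions for FACULTY phones), the check returns no overlaps.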
