VLAN subnets and routing

Hi,
A couple of years ago I had a vlan which was something like this 192.168.200.0/22.  I'm looking to this again but I want to make it 192.168.0.0/16.
I've forgotten the original setup of this, so.... I'm connecting a router to a switch.  On the router interface I've assigned the IP address 192.168.1.250.  If I were connecting a device that was on something like 192.168.100.1, would using 192.168.1.250 be fine as the next hop?
Thanks

I am not quite clear on what you are trying to achieve. But I do have this comment. The Cisco router should accept the configuration of 192.168.1.250 255.255.0.0. But depending on the OS of the connected hosts there may be problems where the OS considers an address in 192.168.x.x to be class C and will not accept a default gateway which it considers to be in a different network. If you were doing this in network 10.0.0.0 it would be safer than doing it in 192.168.
HTH
Rick
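
The addressing in this thread worked through with Python's `ipaddress` module, as an added example that is not part of the original posts: it checks whether a gateway is on-link for the mask a host actually applies, including the classful /24 a legacy stack would assume for 192.168.x.x, and generalizes to the host's direct-versus-gateway forwarding decision. Function names are illustrative, and the sample addresses are the ones quoted in the threads on this page.

```python
import ipaddress


def classful_prefix(addr):
    """Prefix length a purely classful stack would assume from the first octet."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8    # class A
    if first_octet < 192:
        return 16   # class B
    if first_octet < 224:
        return 24   # class C
    raise ValueError(f"{addr} is class D/E and has no default mask")


def check_host(host_ip, prefix, gateway):
    """Return (subnet, problems) for a host address, prefix length and default gateway."""
    iface = ipaddress.IPv4Interface(f"{host_ip}/{prefix}")
    net = iface.network
    gw = ipaddress.IPv4Address(gateway)
    # /31 and /32 have no separate subnet and broadcast addresses to avoid.
    if net.prefixlen >= 31:
        reserved = set()
    else:
        reserved = {net.network_address, net.broadcast_address}
    problems = []
    if iface.ip in reserved:
        problems.append(f"{iface.ip} is the subnet or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    elif gw in reserved:
        problems.append(f"gateway {gw} is the subnet or broadcast address of {net}")
    return net, problems


def next_hop(host_ip, prefix, gateway, dst):
    """Forwarding decision of an end host: ARP for dst directly, or hand it to the gateway."""
    net = ipaddress.IPv4Interface(f"{host_ip}/{prefix}").network
    if ipaddress.IPv4Address(dst) in net:
        return ("direct", dst)          # same subnet: never touches the router
    if ipaddress.IPv4Address(gateway) not in net:
        return ("no-route", None)       # gateway itself is off-link for this mask
    return ("gateway", gateway)


if __name__ == "__main__":
    host, gw = "192.168.100.1", "192.168.1.250"

    # Mask configured as /16: the gateway is on-link.
    print(check_host(host, 16, gw))

    # A stack that falls back to the classful mask sees a /24 and rejects the gateway.
    print(check_host(host, classful_prefix(host), gw))

    # 172.19.55.0 with a /22 mask is an ordinary host inside 172.19.52.0/22.
    print(check_host("172.19.55.0", 22, "172.19.52.1"))

    # Same-subnet destination is reached by ARP, so the gateway never sees the packet.
    print(next_hop("172.21.1.10", 24, "172.21.1.1", "172.21.1.237"))
```
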

Similar Messages

  • Subnetting and router ip addresses

    Hello all
    Can someone tell me if you can have a network of e.g 172.19.55.0 with a mask of 255.255.252.0
    Also when subnetting what ip address would you put your router on and what mask, would it have to be in the range you applied and the same mask ?
    thanks all

    If you have a mask 252, then the corresponding octet must be a multiple of 4 to make a network address. For example 172.19.48.0, 172.19.52.0, 172.19.56.0 etc are all valid subnet addresses.
    The address 172.19.55.0 would be seen as a host address within the 172.19.52.0/22 subnet. The subnet goes from 172.19.52.0 to 172.19.55.255, but the first address (172.19.52.0) is the address of the subnet itself, and the last (172.19.55.255) is the directed broadcast address. Anything between is valid as a host address. You can put your router on any of those valid host addresses, as long as you get the mask right.
    Kevin Dorrell
    Luxembourg

  • Logical network to physical network mapping (subnets and VLANS) in SCVMM 2012 R2

    In much of the blogs, documentation and literature on VMM, there are examples of deploying multiple logical networks onto one physical network i.e. Cluster (logical) + Storage (logical) + Backup (logical) + Live Migration (logical) + Management (logical) on top of Datacenter (physical).
    Does this mean it would be possible to have one (physical) flat VLAN-less network with one subnet and then have all those logical networks (with subnets and VLANs) on top of it? Even with a simple unmanaged L2 switch that doesn't support VLANs itself?
    If not, just how do you map multiple logical networks to just one physical network? How does that work in practice? Is a L3 switch needed to route traffic between logical networks for example?

    Hi. VMM Networking may be overwhelming for most, at first. But you really need to understand the modeling here and how things are related to each other. Especially if using NIC teaming in WS 2012 (and R2) together with this mix.
    I suggest that you read the following whitepaper where we explain how to setup networking in VMM (also to support network virtualization, but that is absolutely not mandatory): http://gallery.technet.microsoft.com/Hybrid-Cloud-with-NVGRE-aa6e1e9a
    -kn
    Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )

  • Nat and vlans on 1841 router

    I have an old 1605 router that is doing nat for me. e0/0 is my external interface. e0/1 is my internal interface 172.16.0.1 255.255.255.252
    I have nat enabled on the router on the 1605r. It works fine when I directly connect a pc to the internal interface.
    I have a 1841 router. interface f0/0 172.16.0.2 255.255.255.252 is connected to e0/1 on the 1605r.
    Now on the f0/1 of the 1841 I have two subinterfaces f0/1.1 10.0.0.1 255.240.0.0
    and f0/1.2 192.168.0.1 255.255.255.0
    I have dot1q encapsulation on the interfaces with vlan 1/f0/1.1 set to native.
    The 2 vlans can talk fine, I can ping each machine on the vlans. But I can only ping as far as 172.16.0.2/ f0/0.
    I have a static route set on 1841 router 0.0.0.0 0.0.0.0 172.16.0.1.
    Can anyone tell me what I'm doing wrong?

    I believe that the first issue is a routing question on the 1605. When anything on the VLANs of the 1841 attempts to ping to any address on the 1605 the source address of the ping will be 10.0.x.x or will be 192.168.0.x. Is there anything on the 1605 that tells it where this address space is and what interface to use to get to it?
    I believe that supplying static routes on the 1605 for ip route 10.0.0.0 255.240.0.0 172.16.0.2 and ip route 192.168.0.0 255.255.255.0 172.16.0.2 will allow devices on the VLANs to ping addresses on the 1605.
    If you want the devices on the VLANs to access things beyond the 1605 there is probably another issue. I am guessing that the NAT that you have configured processes the 172.16.0.0 subnet and probably does not have anything in it about 10.0.0.0 or 192.168.0.0. You will probably have to add to the NAT logic to cover these addresses as well.
    HTH
    Rick

  • Policy based routing to host in same vlan/subnet

    Hello, I have a nexus 7k that I have a policy based routing setup as follows for 2 vlans, 802 and 803, to set default route out to a host in vlan 802. I have applied my policy to the vlans and everything works fine for a host in vlan 803, it routes over and out properly. However when I'm in vlan 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1. I can see the pbr statistics incrementing indicating that I am initially hitting the policy but I'm not sure where my traffic goes after that. I can talk to .237 direct in the vlan but I would like this to work through pbr to utilize all of my other routes and default gateway.
    vlans 802
    172.21.1.1/24
    ip policy route-map West
    vlan 803
    172.21.17.1/24
    ip policy route-map West
    route-map West permit 10
      match vlan 802-803
      set ip default next-hop 172.21.1.237
    I'm thinking there is some kind of hairpinning problem or maybe I'm creating some kind of blackhole.
    Any help is appreciated.
    thanks, scott

    Scott
    If the destination IP is in the same subnet as source IP then it won't be routed it will be L2 switched so it would never use the default gateway ie.
    src IP 172.21.1.10 255.255.255.0
    dst IP 172.21.1.237 255.255.255.0
    src compares its own IP with its subnet mask and sees it is on the 172.21.1.x network. src then compares the destination IP with its own subnet mask and sees it is also on the 172.21.1.x network so it simply arps out for that address and when it gets the mac address it sends it direct to the destination. It would only use the default gateway if the destination IP was on a different network.
    So I don't see how you will be able to do this and I'm not sure why you are seeing hits in your PBR acl for the host in the 172.21.1.x network.
    Edit - what exactly do you mean when you say -
    However when I'm in vlan 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1.
    How are you doing this ie. pointing it to the default gateway because as I say it should always be able to communicate with 172.21.1.237 as it is in the same subnet.
    Jon

  • Vlan subinterface nat and routing

    Hi,
    I've a cisco 1800 with .248 pool public ip. The router is connected with dce on serial port to my isp and
    is configured with first public ip of my subnet on fe0/0.
    I've to serve to vlan (1 and 20) with this router so I've connected the router fe0/0 to switch trunk port
    and created a subinterface fe0/0.20 with dot1q encryption and ip 192.168.40.1. I also created a dhcp pool for vlan20 interface.
    Now I can go to internet through fe/0.0. Configured vlan 20 device receive 192.168.40.0/24 ip so dhcp pool work.
    vlan 20 device can ping 192.168.40.1 and 82.85.162.1 (fe0/0.20 and fe0/0) but not want to go to internet.
    show ip nat translation is empty.
    This is my show ip route:
    Gateway of last resort is 213.205.53.77 to network 0.0.0.0
         217.133.64.0/32 is subnetted, 1 subnets
    C       217.133.64.49 is directly connected, Virtual-Access1
    C    192.168.40.0/24 is directly connected, FastEthernet0/0.20
         82.0.0.0/26 is subnetted, 1 subnets
    C       82.85.162.0 is directly connected, FastEthernet0/0
         213.205.53.0/32 is subnetted, 1 subnets
    C       213.205.53.77 is directly connected, Virtual-Access1
    S*   0.0.0.0/0 [1/0] via 213.205.53.77
    this is my configuration:
    Current configuration : 2586 bytes
    version 12.4
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname ##############
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 64000
    no logging console
    enable secret 5 ####################
    aaa new-model
    aaa session-id common
    clock timezone GMT+1 1
    clock summer-time GMT+2 recurring
    no ip source-route
    ip dhcp excluded-address 82.85.162.1
    ip dhcp excluded-address 192.168.40.1
    ip dhcp pool LAN_Roma_Eletronica
       network 82.85.162.0 255.255.255.192
       default-router 82.85.162.1
       dns-server 213.205.36.70 213.205.32.70
       lease 0 0 15
    ip dhcp pool vlan20
       network 192.168.40.0 255.255.255.0
       default-router 192.168.40.1
       dns-server 8.8.8.8 8.8.4.4
       lease 0 0 15
    ip cef
    no ip domain lookup
    ip name-server 213.205.32.70
    ip name-server 213.205.36.70
    multilink bundle-name authenticated
    username ######### password 7 #########
    archive
     log config
      hidekeys
    interface FastEthernet0/0
     ip address 82.85.162.1 255.255.255.192
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     no keepalive
    interface FastEthernet0/0.20
     encapsulation dot1Q 20
     ip address 192.168.40.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    interface FastEthernet0/1
     no ip address
     duplex auto
     speed auto
    interface Serial0/0/0
     bandwidth 2048
    no ip address
     encapsulation frame-relay IETF
     no fair-queue
     frame-relay traffic-shaping
     hold-queue 4096 in
     hold-queue 4096 out
    interface Serial0/0/0.100 point-to-point
     bandwidth 1600
     no cdp enable
     frame-relay interface-dlci 100 ppp Virtual-Template1
      class FR-1600
    interface Virtual-Template1
     bandwidth 1600
     ip address negotiated
     ip tcp adjust-mss 1410
     keepalive 5
     ppp chap hostname #################
     ppp chap password 7 ################
     ppp pap sent-username ############## password 7 ##############
     ppp ipcp route default
    ip forward-protocol nd
    no ip http server
    ip nat inside source list 110 interface FastEthernet0/0 overload
    map-class frame-relay FR-1600
     frame-relay cir 1600000
     frame-relay bc 200000
     frame-relay mincir 1000000
    access-list 1 permit 192.168.40.0 0.0.0.255
    access-list 110 permit ip 192.168.40.0 0.0.0.255 any
    control-plane
    line con 0
     session-timeout 60
     exec-timeout 60 0
     privilege level 15
    line aux 0
     privilege level 15
    line vty 0 4
     session-timeout 60
     access-class 10 in
     exec-timeout 60 0
    scheduler allocate 20000 1000
    end

    There's 2 problems:
    1- your "ip nat outside" location is wrong, you must put it on virtual-template1.
    2-change "ip nat inside source list 110 interface FastEthernet0/0 overload" to "ip nat inside source list 110 interface virtual-template1 overload"
    HTH
    Houtan

  • Server and router on different subnets

    Hello
    Scenario 1.
    A Server with one NIC assigns DHCP addresses within the 192.168.1.x/24 network.
    The internet router is on the 192.168.0.x/24 network.
    How can the DHCP clients access the Internet?
    If the scenario requires adding another NIC, no problem.
    Thanks
    Kostas B.

    Please explain your network setup further.
    If you really need two subnets you must route between them and that could be achieved with OS X and two network interfaces.
    Also if not using NAT in the server you need a static route in the Internet router pointing back at the second router IP on the same subnet and using that as the gw IP for the second subnet.
    If you want to use VPN later using other network numbers is better.

  • "IP and router address not consistent with subnet mask"

    Hi all,
    I have one of the old Powermac G5's running os x 10.3.5 "Panther" with a dual 2.5ghz processor, 512mb of ram, 160 gig hd, and no wireless card. I've been trying to hook the computer up to my network via an Ethernet cable (I have a Linksys WRT54G series router).
    the problem is this: When I go through the Network utilities using the "assist me" option, select the LAN option, put in the necessary information (IP address, subnet mask, router address, and the dns host), and select continue, this message pops up:"IP and router address not consistent with subnet mask".
    What I've found is that no matter if the computer is plugged in with a cable to the Ethernet port the message comes up which is very unusual.
    Thanks in advance.

    Have you verified that you indeed have the proper subnet entered?
    Why don't you just let the Mac obtain its ip address from the router via DHCP?

  • On my home wireless network, the iphone 5 won't let me enter the IP address, subnet mask and router info. I was able to enter the DNS and Search Domains. How do I open up those fields?

    On my home wireless network, the iphone 5 won't let me enter the IP address, subnet mask and router info. I was able to enter the DNS and Search Domains. How do I open up those fields?

    Apparently the router is not sending the info to the iphone. How can I make that happen?

  • How to use the private subnet between ASA and Router

    Guys,
    Here is the context:
    I am connecting to 2 ISPs for load sharing traffic coming from my private network.
    The 2 links from the ISPs terminate in the router which connects to an ASA via a private subnet, back to my private network.
    I have configured PBR in the router, to prefer ISP1 for traffic coming from my internal servers X, Y, Z  (public addresses, no need for the ASA to translate).  The router  should send any other traffic coming from the rest of my private address space, servers W, V, U  (after translation by ASA) to ISP2.
    So far so good.  The default route defined on ASA points to the internal LAN interface of the Router (private ip address). How can I route this subnet used between the ASA and Router? Being a private address I have to translate it to something (public) before the router can send it out. But translate to what?
    Alternatively I could use a public subnet. But I do not have any. How do I get around this?
    Regards
    Ndaungwe

    You have IP addresses on the direct interface links to the ISPs? You could use those IP addresses with NAT overload.

  • Need basic Help - SG300 with vlan and routing

    Hi,
    I need some basic help with configuring vlan/routing.
    Situation:
    DSL Router - Cisco 300 - XenServer
    192.168.1.253 - 192.168.1.19 - 192.168.1.10 (mgmt ip)
    goal is, to reach from inside xenserver vms the internet.
    vms = 192.168.2.x
    gateway ip = 192.168.2.1
    what i did:
    - configured vlan 102, tagged, with the xenserver port
    - configured on xenserver a network with vlan id 102, attached to the vm
    - this network is connected to an external bond
    - configured ipv4 interface: vlan102 - Static - IP 192.168.2.1 (this is the gateway ip of the vms)
    - automatic configured IPv4 Route: 192.168.2.0/24 next hop 0.0.0.0, Directly connected
    So at the moment I can't ping from inside a vm to the DSL Router (192.168.2.2 to 192.168.1.253)
    Any ideas what I misconfigured or what's wrong?
    cheers,
    -Marco

    Hi Tom,
    ok, that makes sense. I can ping the router now inside vms from 192.168.2.x network.
    But I can't ping external addresses, error: Destination net unreachable.
    My other problem I have, I can't reach any server from outside over router portforwarding.
    How do I have to configure the upload port to the dsl router? Is it an access port or a trunk
    port with all vlans (tagged or untagged?) At the moment I've a tagged Trunkport with all vlans.
    IPv4 Interface Table
    Interface  IP Address Type  IP Address    Mask           Status
    VLAN 1     Static           192.168.1.19  255.255.255.0  Valid
    Should the VLAN1 ip address not the router ip address? Do I need an additional vlan for
    the router? At the end I like to change the switch ip from dhcp to static (change automatically
    when switching to layer 3 mode), but I've to look for the ios commands first.
    What else am I missing?
    Thanks a lot,
    Marcus

  • Dynamic VLAN assignment and Layer 3 switching on 300 series

    I have a SG300-28P switch. I just read in the Administration Guide that, when in Layer 3 mode, the switch doesn't support MAC-based VLAN or Dynamic VLAN Assignment.
    So, in order to assign a client to a VLAN based on their MAC or based on the response of a RADIUS server, we have to disable layer 3 features. Without layer 3 switching, the switch is unable to act as a default gateway and forward packets between VLANs. As a result, the VLANs can't communicate in any way, or access the internet, unless a separate router is connected to every VLAN. Right?
    I'm new to VLAN configuration and layer 3 switching so I wanted to check my understanding. Doesn't this limitation significantly reduce the usefulness of the DVA feature?
    I may well be confused and missing something regarding how this is typically used..

    Hello Glenn,
    Your concept about packet forwarding is correct. With a layer 2 switch, there must be something directing traffic with multiple subnets for intervlan communication or something that provides an IP route to give the request a path back for the request.
    The usefulness for the DVA feature, is not particularly limited to the switch as the switch will correctly assign the VLAN for you, as VS the L3 switch mode, you're dealing with IP addresses. In any scenario, you're going to require a router to get to the internet since the switch does not support NAT.
    Additionally, if your router does not support VLAN, the L3 switch feature would still be the solution since you should be able to make a static route pointing back to the switch to allow any subnet to traverse the single media. It would still beg the question, how to assign VLAN dynamically.
    The answer, although (in my opinion is terrible) would be GVRP.  But, this application would require ALL of your network cards to be GVRP Enable / Capable which most likely is not the scenario for you (or most anyone else for that matter).

  • VLAN's and IP's

    Hi Gurus,
    Below are the three VLAN's I have created on my First Switch for the first time in my life after watching couple of videos. I am connected to the switch using a serial to usb cable via console.
    sw1#show vlan
    VLAN Name                             Status    Ports
    1    default                          active    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                    Fa0/21, Fa0/22, Fa0/23, Fa0/24
    101  lab1                             active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/5
    102  lab2                             active    Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                    Fa0/10
    103  lab3                             active    Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                    Fa0/15
    1001 VLAN1001                         active   
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup
    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    1    enet  100001     1500  -      -      -        -    -        0      0  
    101  enet  100101     1500  -      -      -        -    -        0      0  
    102  enet  100102     1500  -      -      -        -    -        0      0  
    103  enet  100103     1500  -      -      -        -    -        0      0  
    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    1001 enet  101001     1500  -      -      -        -    -        0      0  
    1002 fddi  101002     1500  -      -      -        -    -        0      0  
    1003 tr    101003     1500  -      -      -        -    -        0      0  
    1004 fdnet 101004     1500  -      -      -        ieee -        0      0  
    1005 trnet 101005     1500  -      -      -        ibm  -        0      0  
    Remote SPAN VLANs
    Primary Secondary Type              Ports
    OS Version and type of Switch(L2)
    sw1#show version
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA14, RELEASE SOFTWARE (fc1)
    IP address assigned;;
    interface Vlan1
     no ip address
     no ip route-cache
     shutdown
    interface Vlan101
     ip address 10.0.1.1 255.255.255.0
     no ip route-cache
    interface Vlan102
     ip address 11.0.10.10 255.255.255.0
     no ip route-cache
     shutdown
    interface Vlan103
     ip address 15.0.10.10 255.255.255.0
     no ip route-cache
     shutdown
    IP address on my computer;
    Wireless LAN adapter Wireless Network Connection:
       Connection-specific DNS Suffix  . : Home
       IPv4 Address. . . . . . . . . . . : 192.168.0.12
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.0.1
    Now I cannot ping any of the IP's assigned to the VLAN's. What to do with the VLAN's I've created [stupid and dumb question]. I want to play around the switch and connect it to a Cisco router(I have 5 routers and 5 switches, all different) and create my own lab.
    please advise.

    The most important part of this issue is that you are using a layer 2 switch and have created multiple vlans. To route between vlans you need a layer 3 device (could be a router or could be a layer 3 switch).
    The other part of the issue is that you have created 3 vlans and associated addresses with them. Your PC is in a different subnet so logically it should be in a fourth vlan. And you need a layer 3 device to route between your PC and the switch subnets/vlans.
    HTH
    Rick

  • Vlan dhcp and security

    HI all.
    I'm a newbie with Cisco.
    I wanted to achieve something like this.
    I want to make separate subnets on Layer 3 switch. I'm not using any router.
    Each Interface is each vlan&subnet. So Interface fa0/2 is vlan2, interface fa0/10 is vlan10 and so on. Additionally vlan 2 is subnet 2.x and vlan10 is subnet 10.x
    I already configured Dhcp server with scopes and configured IP helper
    BUT
    And here starts my question.
    Is that true that I have to enable IP routing between Vlans? If yes then what's the point of creating Vlans when we have to enable routing between them?
    Or maybe there is a way to enable only communication with DHCP server but disable any other communication between VLans?
    Let's say I have DHCP server on vlan1 and want vlan5 to only communicate with DHCP server but not communicate with vlan10 and any other computers in vlan1. Is that possible?
    Thanks

    The config can be as below if i understand your question :
    interface vlan 2
    ip address 2.x
    interface Fa0/2
    switchport access vlan 2
    interface vlan 5
    ip address 5.x
    interface Fa0/5
    switchport access vlan 5
    interface vlan 1
     ip address 1.x
    interface fa0/1
    switchport access vlan 1
    ip routing
    interface fa0/3
    description --> DHCP Server
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,5,2,10
    switchport mode trunk
    So you have DHCP server on VLAN 1. The computer on VLAN 1 can acquire IP from DHCP Server .
    This is my solution, but if I have not understood your question you can answer me

  • Branch office setup with L3 switch and router with IOS security

    Hello,
    I am in the process of putting together a small branch office network and I am in need of some design advice. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPSec tunnels to reach other branches.
    I have a 2911 (security bundle) router and 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to setup separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be setup with SVIs to perform routing between VLANs. The port between the router and switch would be setup as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead of doing router-on-a-stick.
    Since there is no firewall between the switch and router my plan was to setup IOS firewalling on the router. From what I am reading ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering I would have to group all of my internal network into one zone, or I would have to scrap L3 switching all together and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
    I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
    If I am indeed correct in the above thinking what would be the best solution for my scenario? That is, how can I setup this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
    Any input would be appreciated.
    Thanks,
    Austin

    Thanks for the input.
    1. I agree, since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
    2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and setup PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3. 
    3. The reason a router was purchased over a firewall was that ASA's cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be setup in an active/standby state. Also, an ASA Sec+ does not have near the VPN capabilities that the 2911 security does. The ASA Sec+ would support only 25 concurrent IPSec connections while the 2911 security is capable of doing an upwards of 200 IPSec connections.
    Your point about moving the SVI's to a firewall to perform filtering between VLANs makes sense, however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid.  
