Switches, Hubs, and Modems

Re: Multiple VLANs over single subnet

 
procurvenewbee
Frequent Advisor

Multiple VLANs over single subnet

Is it possible to create multiple VLANs on a switch (2600 series) but they all are in the same subnet and then connect to another uplink switch (5400) with an 802.1q circuit? All VLAN users will need to share the same DHCP pool, so the gateway address on the 5400 needs to be in the same subnet as well. I believe this should be possible as VLANs are L2 and they can share L3 address space. Assuming VLAN 10, 20 and 30 on an edge switch (no ip address) and VLAN 40 on the core switch (ip address in the subnet to serve as gateway, in the dhcp scope for the users).

Please let me know if this is possible. It is like setting up private VLANs on Cisco switches, so that different ports within the same VLAN cannot communicate with another set of ports within the same VLAN. I thought I may be able to do it still simpler with my approach above.

Thanks
9 Replies
Mohieddin Kharnoub
Honored Contributor

Re: Multiple VLANs over single subnet

Hi

Multiple Vlans in the same IP subnet is possible and it's used in many cases like the Hospitality Billing solutions, where you have all the Guests in the same subnet, but each one is in his own Vlan and his Vlan ID is used to map him to his room number.

Simply, on the 2600, create all the Vlans you need without any IP, then on the uplink to the Core tag all the Vlans.
On the Core (routing switch), just add an IP Helper-Address to point to your DHCP server.

But I think your concern is security, where some ports can't communicate with other ports even if all these ports are in the same Vlan.

If this is the case, you need a Source port filtering feature not multiple Vlans.
Check this, it will give you enough info with examples:
ftp://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap09-Port_Security.pdf


Good Luck !!!
Science for Everyone
Jonathan Axford
Trusted Contributor

Re: Multiple VLANs over single subnet

Good Morning,

Each Layer 2 VLAN needs to be in a separate Layer 3 subnet.

It will not be possible to successfully have a single IP subnet that spans multiple VLANs as far as I know!

I am unsure of the concept of private VLANs so I can't help you there.

You can use the 5300 series as router and as the default gateway for each of the separate VLANs on the edge switches, connect each switch to the 5300 using dot1q trunks and create VLAN interfaces on the 5300 with a default gateway for each VLAN.

Switch on IP routing for the 5300 and make sure you have the ip helper-address command configured on each VLAN interface to allow the clients to get DHCP addresses from the server.

Hope I am on the right track...

Cheers

Jonboy
Where there is a will there is a way...
Jonathan Axford
Trusted Contributor

Re: Multiple VLANs over single subnet

Hmmmm, my apologies.

I can see the concept now. The clients will not need to communicate with each other, therefore no routing will be needed between VLANs.

Where there is a will there is a way...
procurvenewbee
Frequent Advisor

Re: Multiple VLANs over single subnet

So Mohieddin, you are with me on this that I still need to also assign an IP address within the subnet to the core switch VLAN interface, so that the DHCP server can know which scope to use to hand over the address. Also I will need an address on the core switch, as the core switch needs to route to all this group of VLANs. The core switch has additional subnets and inter-VLAN routing is required from other VLANs on the core to this group of VLANs. Also my requirement is to block communication between these VLANs in the same subnet, but within a particular VLAN there is no blockage between the ports.

Please confirm so that I can plan on implementing the changes. It will take me a couple of days to get this done as they are on remote sites and I need to schedule some maintenance window.

Thanks
Mohieddin Kharnoub
Honored Contributor

Re: Multiple VLANs over single subnet

Hi

My dear, what I said in my previous post was L2 Vlans, and it's a special case used in many cases like Transparent Firewalls, Billing Solutions, IDP device working in Sniff mode.....

But not the type of Vlans you are planning for.

What you need is L3 Vlans, meaning, as Jonathan said, each Vlan needs an IP Address.

Just think about it, say you have created Vlan20 and 30, now what's the difference between both Vlans in DHCP scopes, if you need both Vlans to be in the same subnet??? So you are now
1: Confusing the DHCP server and it will probably ask for a Kobian cigar.
2: You said that you need to set an IP for each Vlan and enable routing between them on the core switch, OK ...Life is Good, but what do you need to route?

Solution:
Private VLANs provide Layer 2 isolation between ports within the same Vlan, and that is available on some Cisco switches, but not on HP.
Anyway, if you can explain what you need exactly, somebody for sure in this forum will provide you a solution for your requirements.

Good Luck !!!
Science for Everyone
procurvenewbee
Frequent Advisor

Re: Multiple VLANs over single subnet

Sorry if I did not make it clear. All I want is that I have multiple subnets and I need to route between them. All that is good and working. Each user gets a dhcp address within their own VLAN. Now there is a need to add another subnet and within that subnet, multiple groups of users; just to separate each group from another one, I thought to put them into a separate VLAN, but all these VLANs (or groups) will be covered by a single DHCP scope, and I cannot further segment that scope. Example: I have a 192.168.5.0/24 and this scope will be used to provide DHCP addresses to 3 VLANs (10, 20, 30). These 3 VLANs will be on a 2626 switch. I will not assign any address to these VLANs on this switch and then they will be tagged on the uplink to a 5406 switch (which will have these VLANs created as well, with ip helper-address of the dhcp server). Now I have say 10 more VLANs, say in 10.x.x.x, and those users need to talk to the three new VLANs. If I do not assign any IP on the core switch to these VLANs, I cannot route to these, but I also cannot assign same-subnet addresses to these three VLANs. In that case, how do I create layer 2 VLANs within a single layer 3 subnet, without having to chop the /24 into say a /25 and two /26s?

Thanks
Mohieddin Kharnoub
Honored Contributor

Re: Multiple VLANs over single subnet

Hi

I don't think you are short of IP Addresses to chop the 192.168.5.0/24 into /26 or /27, and it will even solve your problem :)

But also, you still can't do what you are planning for, because technically you need L3 Vlans, each one in a different broadcast domain - Subnet, so you are segregating them and you will be able to route between them on the core.

So I think you need 3 Vlans, 3 Subnets and 3 DHCP Scopes.
And I think that will be better for you if you have any policies for these new groups, like Security policies, so you can use ACLs between the 3 new Vlans based on IP Addresses.

Good Luck !!!
Science for Everyone
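The point of the last two posts (the /24 split proposed by procurvenewbee and the "3 Vlans, 3 Subnets, 3 DHCP Scopes" answer) can be checked with a small model of how a DHCP server picks a scope for a relayed request: per RFC 2131 it uses giaddr, the address of the relaying interface, so three VLANs relayed from one address in one network always land in one scope. The script below is an added example written for this thread, not HP or ProCurve code; the 192.168.5.0/24 range and VLANs 10/20/30 come from the thread, while the DHCP server 10.1.1.5 and the ProCurve-style config rendering are assumptions.

```python
"""Model of DHCP scope selection behind a relay for the two designs in the
thread: one /24 shared by three VLANs versus three VLANs with three networks.

Added example for this thread; not HP/ProCurve code. The /24 split into a
/25 and two /26s and VLANs 10/20/30 come from the thread; DHCP server
10.1.1.5 and the config text are assumptions.
"""
import ipaddress


def split_network(net_str):
    """Chop a network into one half plus two quarters (e.g. /24 -> /25, /26, /26)."""
    net = ipaddress.ip_network(net_str)
    first_half, second_half = net.subnets(prefixlen_diff=1)
    return [first_half, *second_half.subnets(prefixlen_diff=1)]


def build_svis(vlan_ids, networks):
    """Give each VLAN a routed interface on the core (first usable host of its
    network), which doubles as the clients' default gateway."""
    return {
        vid: ipaddress.ip_interface(f"{next(net.hosts())}/{net.prefixlen}")
        for vid, net in zip(vlan_ids, networks)
    }


def select_scope(giaddr, scopes):
    """RFC 2131 behaviour: for a request relayed by 'ip helper-address', the
    server picks the scope whose network contains giaddr (the address of the
    relaying interface). Returns None when no scope matches."""
    addr = ipaddress.ip_address(str(giaddr))
    for scope in scopes:
        if addr in scope:
            return scope
    return None


def scopes_per_vlan(svis, scopes):
    """Map each VLAN to the scope its clients would be served from."""
    return {vid: select_scope(iface.ip, scopes) for vid, iface in svis.items()}


def vlans_get_distinct_scopes(mapping):
    """True only if every VLAN got a scope and no two VLANs share one, i.e.
    the DHCP server can actually tell the VLANs apart."""
    values = list(mapping.values())
    return None not in values and len(set(values)) == len(values)


def single_network_design(vlan_ids, gateway_cidr):
    """The original question's design: one routed address in the /24 serves
    the whole VLAN group, so every relayed request carries the same giaddr."""
    gw = ipaddress.ip_interface(gateway_cidr)
    return scopes_per_vlan({vid: gw for vid in vlan_ids}, [gw.network])


def render_core_config(svis, dhcp_server):
    """ProCurve-style SVI configuration for the three-network design
    (syntax assumed for illustration)."""
    lines = ["ip routing"]
    for vid, iface in sorted(svis.items()):
        lines += [
            f"vlan {vid}",
            f"   ip address {iface.ip} {iface.netmask}",
            f"   ip helper-address {dhcp_server}",
            "   exit",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    single = single_network_design([10, 20, 30], "192.168.5.1/24")
    print("one /24 for three VLANs:", single)
    print("server can distinguish VLANs:", vlans_get_distinct_scopes(single))

    nets = split_network("192.168.5.0/24")
    svis = build_svis([10, 20, 30], nets)
    three = scopes_per_vlan(svis, nets)
    print("three networks:", three)
    print("server can distinguish VLANs:", vlans_get_distinct_scopes(three))
    print(render_core_config(svis, "10.1.1.5"))
```

Running it shows all three VLANs mapped to 192.168.5.0/24 in the first design and to 192.168.5.0/25, 192.168.5.128/26 and 192.168.5.192/26 in the second; only the second gives the core a distinct address per VLAN to route to and, as Mohieddin notes, to write IP-based ACLs between.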
nizar ahamed
New Member

Re: Multiple VLANs over single subnet

We are implementing a new setup. We have around 6 VLANs on the same subnet. For example, the range of IPs is 172.16.20.1/24 to 172.16.26.1/24; here only the range of IP addresses is changing but not the subnet. I would like to create different scopes for each VLAN and that VLAN should pool the IP addresses from the same scope. For example, I created vlan10 in the switch and a DHCP scope in the server for vlan10. Is it possible to do it like this? Can anyone help me? As far as I know we cannot create different scopes for the same subnet. Please help me, this is very urgent.........
André Beck
Honored Contributor

Re: Multiple VLANs over single subnet

Hi,

"Multiple VLANs over single subnet" is impossible as it's a head-over-heels layering violation. You said it yourself: VLANs are Layer 2 entities (essentially they are broadcast domains with the speciality that a modern switch can be partitioned into multiple of them and has optimizations for hauling them over to other such partitioned switches without needing an individual link per broadcast domain). IP networks (please phase out the term subnet, it's obsolete wording from the age of classful addressing, which ended more than a decade ago), on the other hand, are Layer 3 entities. You establish IP networks on top of (or within, as I prefer the wording) broadcast domains, not the other way around.

So you can have more than one IP network within a single broadcast domain, but that's not what you want. What you separate on L2 cannot transparently find together on L3 except by introducing explicit routing.

Private VLANs are something entirely different. They are single broadcast domains (not multiple, as you propose), but they have sophisticated additional filtering rules that break the basic transitive concept of broadcast domains (if A can reach B, and B can reach C, this implies A can reach C). You cannot easily emulate them.

And BTW, there is no such thing as "L3 VLANs". What this reference talks about are Switch Virtual Interfaces (SVIs) - L3 entities (like IPv4 interfaces) that are not sitting on top of a MAC/LLC (L2) sitting on top of a real PHY (L1), but instead sitting on a virtual MAC/LLC that is anchored into a VLAN within the same switch. It doesn't "make the VLAN L3", it just plugs an L3 interface into the VLAN just as if you plug a real physical router interface into an access port for this VLAN on your physical switch - just without all the extra boxes and cables. The VLAN is still an L2 entity, but now you have also established an IP network on top of (aka within) it, or rather a connected route to it. For it to become a network, there should be some other participants in that broadcast domain assuming the same IP parameters ;)

HTH,
Andre.