[c-nsp] Busting up VLANs and bridging

Steve Bertrand steve at ibctech.ca
Thu Jan 28 20:43:23 EST 2010


Security Team wrote:
> What is the "right" way to combine IP layer 3 traffic so that it can go to
> multiple VLANs? I'm working with a Catalyst 65xx setup.
> 
> For example, I am starting from a working setup that looks something like
> this:
> 
> interface GigabitEthernet4/1
>  speed auto
>  switchport
>  switchport access vlan 247
> !
> interface GigabitEthernet4/2
>  speed auto
>  switchport
>  switchport access vlan 248
> !
> interface Vlan247
>  ip address 192.168.247.1 255.255.255.0
> !
> interface Vlan248
>  ip address 192.168.248.1 255.255.255.0
> 
> Now, if I wanted to actually have a server 192.168.247.36 in Vlan247, but I
> want to make that server become a bridge so that I can give it other IP
> addresses in other blocks how would I do that?
> 
> So let's say the *.247.36 IP of the server is working, but I want to change
> my setup so that the server also has 192.168.248.64/29 on it (i.e. I am
> busting up the .248 netblock from a /24 to smaller blocks that will be on
> different servers).
> 
> How would I go about doing this?

Are you trying to come up with a strategy to make this a permanent
migration? It really depends on what you are attempting to do, and how
many hosts you already have in .248.64/29. Assuming none:

You could carve up the /24 for .248 into:

192.168.248.0/26
192.168.248.72/29
192.168.248.80/29
192.168.248.88/29
192.168.248.96/28
192.168.248.112/28
192.168.248.128/25

...and add them as secondaries on the vlan248 interface. Although not
the ultimate solution, you could even leave all of the hosts on that
vlan int with their existing 'default gateway', as the interface will
still accept it. (please forgive me if my numbers are wrong... it was
off the top of my head).

You could then assign 192.168.248.64/29 as a secondary onto vlan 247,
and add the same as a secondary address on the same NIC as the .247
address on the server.

I've used this sort of tactic during renumbering transitions, and it
works well. Documentation is *very* important however ;)

I just read David's message, and that will work as well, if your server
NIC can handle hardware VLAN, and assuming that the second VLAN doesn't
connect to a different piece of network infrastructure than the first.

Either way, slicing a /29 out of a /24 will require you to divide up .248.

Steve
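As an added worked example (not from the thread, and not anyone's production tooling), the subnet arithmetic above can be checked rather than done "off the top of my head": the script below uses Python's standard `ipaddress` module to compute the blocks left over when 192.168.248.64/29 is pulled out of 192.168.248.0/24, and then validates a proposed carve-up (Steve's list, embedded as constructed input) for three things a practitioner would want to catch before typing secondaries onto a VLAN interface: a block that overlaps the /29 being moved to the server, two blocks that overlap each other, and a gap that would leave addresses unrouted. The function names are my own.

```python
from ipaddress import IPv4Network, collapse_addresses, ip_network

# Constructed inputs taken from the thread: the /24 being split and the /29
# that moves onto the server sitting in Vlan247.
PARENT = ip_network("192.168.248.0/24")
CARVED_OUT = ip_network("192.168.248.64/29")

# Steve's proposed carve-up of the rest of the /24 (from the post).
STEVES_BLOCKS = [
    "192.168.248.0/26",
    "192.168.248.72/29",
    "192.168.248.80/29",
    "192.168.248.88/29",
    "192.168.248.96/28",
    "192.168.248.112/28",
    "192.168.248.128/25",
]


def remaining_blocks(parent: IPv4Network, excluded: IPv4Network) -> list[IPv4Network]:
    """Minimal set of CIDR blocks covering `parent` with `excluded` removed.

    address_exclude() returns the fewest blocks possible, so the result may be
    coarser than a hand-made plan (e.g. one /28 where Steve used two /29s).
    """
    return sorted(parent.address_exclude(excluded))


def check_carve_up(parent: IPv4Network, excluded: IPv4Network, blocks) -> list[str]:
    """Validate a proposed carve-up; returns a list of problems (empty = OK).

    A plan is accepted only if every block lies inside `parent`, no block
    touches the carved-out range, no two blocks overlap each other, and the
    blocks plus the carved-out range add back up to exactly `parent`.
    """
    nets = [ip_network(b) for b in blocks]
    problems: list[str] = []

    for n in nets:
        if not n.subnet_of(parent):
            problems.append(f"{n} is outside {parent}")
        if n.overlaps(excluded):
            problems.append(f"{n} overlaps the carved-out block {excluded}")

    # Pairwise overlap check between the planned secondaries themselves.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")

    # Coverage check: if the plan plus the excluded block does not collapse
    # back into the parent, some addresses were left out of the plan.
    merged = list(collapse_addresses(nets + [excluded]))
    if merged != [parent]:
        problems.append(f"plan leaves a gap: merged result is {merged}, not [{parent}]")

    return problems


if __name__ == "__main__":
    print("Minimal carve-up:")
    for n in remaining_blocks(PARENT, CARVED_OUT):
        print(f"  {n}")
    issues = check_carve_up(PARENT, CARVED_OUT, STEVES_BLOCKS)
    print("Steve's plan:", "OK" if not issues else issues)
```

Run as-is it reports Steve's seven blocks as a valid, gap-free cover (his numbers were right), while also printing the five-block minimal equivalent; feeding it a plan with a block dropped or two blocks that overlap returns a human-readable list of what is wrong instead of a silently broken addressing plan.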
