[c-nsp] Busting up VLANs and bridging

Matt Buford matt at overloaded.net
Sun Jan 31 05:27:58 EST 2010


On Thu, Jan 28, 2010 at 6:44 PM, Security Team <cisco at peakpeak.com> wrote:

> What is the "right" way to combine IP layer 3 traffic so that it can go to
> multiple VLANs? I'm working with a Catalyst 65xx setup.
>
> For example, I am starting from a working setup that looks something like
> this:
>
> interface GigabitEthernet4/1
>  speed auto
>  switchport
>  switchport access vlan 247
> !
> interface GigabitEthernet4/2
>  speed auto
>  switchport
>  switchport access vlan 248
> !
> interface Vlan247
>  ip address 192.168.247.1 255.255.255.0
> !
> interface Vlan248
>  ip address 192.168.248.1 255.255.255.0
>
> Now, if I wanted to actually have a server 192.168.247.36 in Vlan247, but I
> want to make that server become a bridge so that I can give it other IP
> addresses in other blocks how would I do that?
>
> So let's say the *.247.36 IP of the server is working, but I want to change
> my setup so that the server also has 192.168.248.64/29 on it (i.e. I am
> busting up the .248. Netblock from a /24 to smaller blocks that will be on
> different servers).
>
> How would I go about doing this?
>

In general, you should not try to break up a larger subnet that is already
on another interface unless you remove the larger subnet from the existing
interface.  Having more specifics carved out of a subnet on an interface is
messy and just a bad idea.  However, it can be done.

ip route 192.168.248.64 255.255.255.248 192.168.247.36

Then, on your server 192.168.248.36, bring up a secondary IP 192.168.248.65
mask 255.255.255.248.  It should just work.

Some might ask, "How will other servers on VLAN 248 reach 192.168.24.65?
Won't they think it is local and try to ARP it with a broadcast on VLAN
248?"  Yes, they will.  However, because the 6500 has a more specific route
leading elsewhere and proxy ARP isn't disabled, the 6500 will answer ARPs on
VLAN 248 for 192.168.248.64/29 IPs with the 6500's own MAC.  Hosts on VLAN
248 will then send packets destined for that smaller subnet to the router,
which will then forward it on to follow the static route out VLAN 247.

You can also do this to route /32s elsewhere.  Just configure the secondary
IP on the server with a netmask of 255.255.255.255.  Windows won't let you
enter an interface IP with a /32 mask, but most/all Unix systems will.

If you need to do it for a short term problem, fine, but I really suggest
you rethink what you are trying to do if this is something you want
permanent.
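A small model of the forwarding and proxy-ARP decision described in the reply, added here as an illustration and not part of the thread. The routing table is constructed from the addresses above; the proxy-ARP rule is the standard one (answer with the router's own MAC when the best route to the target exits a different interface than the request arrived on), not a transcript of IOS internals.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: Optional[str] = None   # set for connected routes (SVIs)
    next_hop: Optional[str] = None    # set for static routes

# Constructed routing table mirroring the thread: two connected /24 SVIs plus
# the static /29 pointing at the server on VLAN 247.
ROUTES = [
    Route(ipaddress.ip_network("192.168.247.0/24"), interface="Vlan247"),
    Route(ipaddress.ip_network("192.168.248.0/24"), interface="Vlan248"),
    Route(ipaddress.ip_network("192.168.248.64/29"), next_hop="192.168.247.36"),
]

def lookup(dst: str) -> Optional[Route]:
    """Longest-prefix match, so the /29 beats the connected /24 for .248.64-.71."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in ROUTES if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def resolve(dst: str) -> Optional[Tuple[str, str]]:
    """Return (egress interface, address the router ARPs for).
    A static route's next hop is resolved recursively until a connected
    route supplies the egress interface."""
    route = lookup(dst)
    if route is None:
        return None
    if route.interface is not None:
        return route.interface, dst          # connected: ARP for the host itself
    via = resolve(route.next_hop)
    return None if via is None else (via[0], route.next_hop)

def will_proxy_arp(ingress: str, target: str, proxy_arp: bool = True) -> bool:
    """Proxy ARP as the reply describes: the router answers an ARP request seen on
    `ingress` with its own MAC when its best route to `target` exits elsewhere.
    With proxy ARP disabled on that SVI the request goes unanswered."""
    if not proxy_arp:
        return False
    resolved = resolve(target)
    return resolved is not None and resolved[0] != ingress
```

Running `will_proxy_arp("Vlan248", "192.168.248.65", proxy_arp=False)` returns False, which is the failure mode to check for: the carve-out depends on proxy ARP staying enabled on Vlan248, and hosts there lose reachability to the /29 the moment it is turned off.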
