K9COP Premium Member join:2005-09-17
2011-Aug-27 8:48 pm
How to set two different subnets to communicate?
I know this is probably a very simple question, but how do I have a LAN that has two different subnets that can seamlessly communicate with each other? I am thinking if you get too many clients they use up all the IP addresses in a specific subnet and need to expand to a new subnet.
I know this probably is just some settings in the router, but I have never done it.
hardly Premium Member join:2004-02-10 USA
2011-Aug-27 9:22 pm
Is your LAN larger than a private Class A network? » en.wikipedia.org/wiki/Pr ··· _network

to K9COP
I am butchering this, but this is a stepping stone to help you understand the difference.

Example 1...
LAN 1: IP range = 192.168.1.x
Subnet mask: 255.255.255.0
Default gateway = 192.168.1.1
LAN 2: IP range = 192.168.2.x
Subnet mask: 255.255.255.0
Default gateway = 192.168.2.1
...for these two to talk, the default gateway of each is actually a single router or a switch that's capable of routing multiple subnets. There is usually another router/firewall then capable of traffic going out to the Internet.
...if these two LANs are in physically different buildings, then usually a L2L VPN tunnel and NAT routing is used so they can talk.

or Example 2...
1 BIG LAN: IP range = 192.168.x.x
Subnet mask: 255.255.0.0
Default gateway = 192.168.x.x
...because the subnet mask allows it, more than 254 IPs are available across the LAN, such as 192.168.1.x, 192.168.2.x, 192.168.3.x, etc.
Some SOHO/residential grade routers will not allow/work if you try and set a subnet other than 255.255.255.0.
Chances are, you wouldn't really want to make your network this big with a SM of 255.255.0.0, so here are some other options...
255.255.254.0 = 510 addresses
255.255.252.0 = 1022 addresses
255.255.248.0 = 2046 addresses
255.255.240.0 = 4094 addresses
...there are more options, see » www.subnet-calculator.co ··· cidr.php and » www.subnetmask.info
If you are re-doing your LAN because you have run out of addresses, and you're going to implement Example 2, then all things must be changed to use the new subnet mask (don't leave existing things with 255.255.255.0 or you will have problems).
If this is not what you were getting at, please explain what you're trying to do.
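The mask arithmetic in the post above, and the "don't leave existing things with 255.255.255.0" warning, are easy to check with Python's standard `ipaddress` module. This is an added example, not code from the thread; the host addresses and gateways in it are constructed. It shows the usable host count for each mask listed, that 192.168.1.x and 192.168.2.x land in the same network under 255.255.252.0 but not under 255.255.255.0, and why a host left on the old /24 makes forwarding asymmetric.

```python
import ipaddress


def usable_hosts(mask: str) -> int:
    """Usable host addresses for a dotted-quad mask (network and broadcast excluded)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").num_addresses - 2


def same_subnet(host_a: str, host_b: str, mask: str) -> bool:
    """True when both hosts fall in the same network under the given mask."""
    net_a = ipaddress.IPv4Interface(f"{host_a}/{mask}").network
    net_b = ipaddress.IPv4Interface(f"{host_b}/{mask}").network
    return net_a == net_b


def next_hop(src: str, src_mask: str, dst: str, gateway: str) -> str:
    """How `src` (configured with `src_mask`) reaches `dst`: on-link or via its gateway."""
    return "direct" if same_subnet(src, dst, src_mask) else f"via {gateway}"


def mixed_mask_check(host_a, mask_a, gw_a, host_b, mask_b, gw_b):
    """Compare both sides' forwarding decisions for a pair of hosts.

    If one side sends directly (ARPs for the peer) while the other sends via its
    gateway, the LAN has been only half-migrated to the new mask: the return
    path depends on a gateway that may not route back the way the sender expects.
    """
    a_to_b = next_hop(host_a, mask_a, host_b, gw_a)
    b_to_a = next_hop(host_b, mask_b, host_a, gw_b)
    symmetric = (a_to_b == "direct") == (b_to_a == "direct")
    return {"a_to_b": a_to_b, "b_to_a": b_to_a, "symmetric": symmetric}


if __name__ == "__main__":
    for mask in ["255.255.255.0", "255.255.254.0", "255.255.252.0",
                 "255.255.248.0", "255.255.240.0", "255.255.0.0"]:
        print(f"{mask} = {usable_hosts(mask)} usable addresses")
    # Constructed hosts: one re-addressed to /22 (Example 2 style), one still on /24.
    print(mixed_mask_check("192.168.1.10", "255.255.252.0", "192.168.0.1",
                           "192.168.2.20", "255.255.255.0", "192.168.2.1"))
```

Note that 255.255.254.0 pairs the third octet in twos (0/1, 2/3, ...), so 192.168.1.x and 192.168.2.x only merge once you go to 255.255.252.0 or wider; the calculator links in the post will show the same boundaries.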
cramer Premium Member join:2007-04-10 Raleigh, NC Westell 6100 Cisco PIX 501
to K9COP
This depends on your exact setup. From your description I'll assume you are looking at what Cisco calls "secondary" addressing, linux/bsd/etc call it aliases... this is two (or more) subnets natively on the same lan. You simply need a router that can hairpin traffic -- which is a violation of RFCs, but just about everything will do it.
If each subnet is within a VLAN, then it's a pure routing setup. There's no layer 3 overlap.
[*OR* you can tell every machine about all of those networks. This is usually not entirely possible, DHCP clients being the hardest to set up.]
K9COP Premium Member join:2005-09-17
to supergeeky
This is exactly what I was looking for. This should get me started.
cdru Go Colts MVM join:2003-05-14 Fort Wayne, IN
to supergeeky
said by supergeeky:
...for these two to talk, the default gateway of each is actually a single router or a switch that's capable of routing multiple subnets. There is usually another router/firewall then capable of traffic going out to the Internet.
Unless the router has multiple interfaces. Which many do.
said by supergeeky:
...if these two LANs are in physically different buildings, then usually a L2L VPN tunnel and NAT routing is used so they can talk.
Or any one of dozens of different types of dedicated point to point connections. The tunnel is convenient if they are both on the internet, but if they aren't, then it's not practical. I'd venture a guess to say that the majority of connections between routers that aren't handling general internet traffic are handling traffic over dedicated links of various types, not VPN traffic.
K9COP Premium Member join:2005-09-17
2011-Aug-29 12:45 am
Let me expand my question one more step. Let us say that I have a client machine that is on a LAN and its IP address is 10.227.0.5, but all of my other computers are on a separate LAN, 10.169.169.0/24. What settings do I need to input on the router of the 10.169.169.* LAN so that the machines can communicate with the 10.227.0.5 machine?
cdru Go Colts MVM join:2003-05-14 Fort Wayne, IN
2011-Aug-29 12:48 am
said by K9COP:
Let me expand my question one more step. Let us say that I have a client machine that is on a LAN and its IP address is 10.227.0.5, but all of my other computers are on a separate LAN, 10.169.169.0/24. What settings do I need to input on the router of the 10.169.169.* LAN so that the machines can communicate with the 10.227.0.5 machine?
10.169.169.0 machines will either need a route set up on each machine pointing to the router that handles traffic destined to the subnet that contains 10.227.0.5, or the default gateway will need a route pointing to that router (if it doesn't handle it already).
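The two options in the reply above (a static route on every host, or one route on the default gateway) come down to longest-prefix-match lookups in a few routing tables. The following added example, which is not from the thread, walks a packet for 10.227.0.5 through a small constructed topology: hosts on 10.169.169.0/24 with default gateway 10.169.169.1, a hypothetical second router 10.169.169.254 that also sits on the 10.227.0.x side, and an upstream ISP hop 203.0.113.1. The thread only gives the single address 10.227.0.5; treating that side as 10.227.0.0/24 is an assumption.

```python
import ipaddress


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs.

    Returns the next hop, "direct" when the destination is on-link, or None when
    no entry matches (the router would drop the packet).
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_via = None, None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


def route_path(dst, tables, start, max_hops=8):
    """Follow next hops from `start`, ending in "delivered", "lost" or "loop"."""
    node, visited = start, [start]
    for _ in range(max_hops):
        via = lookup(tables[node], dst)
        if via is None:
            return visited + ["lost"]        # no matching route: dropped here
        if via == "direct":
            return visited + ["delivered"]   # destination is on-link for this node
        if via not in tables:
            return visited + [via, "lost"]   # hop we do not model (e.g. the ISP); RFC 1918 goes nowhere
        node = via
        visited.append(node)
    return visited + ["loop"]


# Constructed tables. Every hop name used as a next hop that we model is a key in TABLES.
HOST = [("10.169.169.0/24", "direct"), ("0.0.0.0/0", "10.169.169.1")]
ROUTER_B = [("10.169.169.0/24", "direct"), ("10.227.0.0/24", "direct")]   # hypothetical 10.169.169.254
GW_NO_ROUTE = [("10.169.169.0/24", "direct"), ("0.0.0.0/0", "203.0.113.1")]
GW_WITH_ROUTE = GW_NO_ROUTE + [("10.227.0.0/24", "10.169.169.254")]         # option 2: route on the gateway
HOST_STATIC = [("10.227.0.0/24", "10.169.169.254")] + HOST                   # option 1: route on each host


def scenario(host_table, gateway_table):
    tables = {"host": host_table, "10.169.169.1": gateway_table, "10.169.169.254": ROUTER_B}
    return route_path("10.227.0.5", tables, "host")


if __name__ == "__main__":
    print("no route anywhere:  ", scenario(HOST, GW_NO_ROUTE))
    print("route on gateway:   ", scenario(HOST, GW_WITH_ROUTE))
    print("static route on host", scenario(HOST_STATIC, GW_NO_ROUTE))
```

In the "route on gateway" case 10.169.169.1 receives the packet on its LAN interface and sends it back out the same interface to 10.169.169.254; that is the hairpin cramer mentioned earlier in the thread, and a real router will usually also send the host an ICMP redirect for it.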
K9COP Premium Member join:2005-09-17
2011-Aug-29 12:57 am
Sorry, I forgot to add one more thing. I do not want the 10.227.0.5 machine to be able to see the other machines on the other subnet. Only one-way traffic, if that makes sense?
cdru Go Colts MVM join:2003-05-14 Fort Wayne, IN
2011-Aug-29 8:11 am
said by K9COP:
Sorry, I forgot to add one more thing. I do not want the 10.227.0.5 machine to be able to see the other machines on the other subnet. Only one-way traffic, if that makes sense?
No, that doesn't. Presuming TCP communications, such an implementation would not work. The receiver must ACKnowledge the packets received. Without that, there will be no flow of data.
K9COP Premium Member join:2005-09-17
2011-Aug-29 12:15 pm
Yes, I agree that the ACK would not occur. I am trying to figure out the best way for the 10.169.169.* machines to communicate with the 10.227.0.* subnet, specifically the 10.227.0.5 machine, without putting the 10.169.169.* subnet at risk for exposure on the other network. Does that make sense?
cdru Go Colts MVM join:2003-05-14 Fort Wayne, IN
2011-Aug-29 1:46 pm
said by K9COP:
Yes, I agree that the ACK would not occur. I am trying to figure out the best way for the 10.169.169.* machines to communicate with the 10.227.0.* subnet, specifically the 10.227.0.5 machine, without putting the 10.169.169.* subnet at risk for exposure on the other network. Does that make sense?
You firewall it off. You block all ports unless they absolutely need to be open. You create a web service so communications go through essentially a proxy and not directly. You haven't specified what you are trying to send. Having a UDP video stream is quite a bit different than an interactive telnet session, which is quite a bit different than an HTTP request.
K9COP Premium Member join:2005-09-17
2011-Aug-29 3:04 pm
Sorry for not being more specific. Basically the only thing I would need to access on that machine is a web interface GUI that utilizes a specific port number to access. So at the firewall level, set it up to block everything except for the port number to interface with the GUI?
to K9COP
If both 10.169.169.x and 10.227.0.x machines are on different interfaces of the same firewall/router, then just use NAT with specific port ACLs to allow them to talk.
I can't get more detailed than that because you haven't said what mfg./equipment you're using.
jester121 Premium Member join:2003-08-09 Lake Zurich, IL
Why NAT? Just ACLs should do it, once the routers are configured correctly, no?
True, depending on equipment...
I frequent Cisco ASAs which, under v8.3 and later, basically everything becomes a NAT statement - hey, not my idea!
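What the last few posts converge on is a default-deny, stateful policy: the 10.169.169.0/24 side may open connections to one port on 10.227.0.5, replies for those connections are let back through, and 10.227.0.5 cannot initiate anything. This resolves the earlier ACK objection, since the firewall lets the reply packets of an accepted connection return without permitting new connections in that direction. The following is an added illustration written for this thread, not vendor or ASA code; the GUI port 8443 is a placeholder (the thread only says "a specific port number") and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder for the web GUI port; the thread does not name the real one.
GUI_PORT = 8443


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # True for a TCP SYN, i.e. a new connection attempt


# Allow rules: (source network, destination network, protocol, destination port).
# Constructed policy: only the 10.169.169.0/24 side may open the GUI port on 10.227.0.5.
RULES = [("10.169.169.0/24", "10.227.0.5/32", "tcp", GUI_PORT)]


class StatefulFirewall:
    """Default-deny filter that tracks accepted connections so their replies get back."""

    def __init__(self, rules):
        self.rules = [(ipaddress.ip_network(s), ipaddress.ip_network(d), proto, port)
                      for s, d, proto, port in rules]
        self.conns = set()  # 5-tuples (src, dst, proto, sport, dport) we have permitted

    def _permitted_by_policy(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        return any(src in s and dst in d and p.proto == proto and p.dport == port
                   for s, d, proto, port in self.rules)

    def handle(self, p):
        forward = (p.src, p.dst, p.proto, p.sport, p.dport)
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        if forward in self.conns or reverse in self.conns:
            return "ALLOW established"   # reply or continuation of an accepted connection
        if p.proto == "tcp" and not p.syn:
            return "DROP no-state"       # mid-stream TCP with no tracked connection
        if self._permitted_by_policy(p):
            self.conns.add(forward)      # remember it so the SYN-ACK and data can return
            return "ALLOW new"
        return "DROP policy"


def run_scenario():
    """Constructed packet sequence through the policy; returns one decision per packet."""
    fw = StatefulFirewall(RULES)
    flows = [
        Packet("10.169.169.10", "10.227.0.5", "tcp", 51000, GUI_PORT, syn=True),  # LAN host opens the GUI
        Packet("10.227.0.5", "10.169.169.10", "tcp", GUI_PORT, 51000, syn=True),  # SYN-ACK coming back
        Packet("10.227.0.5", "10.169.169.10", "tcp", GUI_PORT, 51000),            # page data coming back
        Packet("10.169.169.10", "10.227.0.5", "tcp", 51001, 22, syn=True),        # LAN host, non-GUI port
        Packet("10.227.0.5", "10.169.169.10", "tcp", 40000, 80, syn=True),        # 10.227.0.5 initiating
        Packet("10.227.0.5", "10.169.169.20", "tcp", GUI_PORT, 51000),            # "reply" with no connection
    ]
    return [fw.handle(p) for p in flows]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

Whether this is expressed as an ACL pair plus connection tracking, or (on ASA 8.3+) as a NAT statement with an ACL, the shape is the same: one permit for new connections in the allowed direction, state for the return path, and an implicit deny for everything else, including anything 10.227.0.5 starts on its own.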