How to set two different subnets to communicate?

K9COP (Premium Member, join:2005-09-17):

I know this is probably a very simple question, but how do I have a LAN that has two different subnets that can seamlessly communicate with each other? I am thinking that if you get too many clients, they use up all the IP addresses in a specific subnet and you need to expand to a new subnet.

I know this is probably just some settings in the router, but I have never done it.

hardly (Premium Member, join:2004-02-10):
Is your LAN larger than a private Class A network?

»en.wikipedia.org/wiki/Pr ··· _network

supergeeky (Member, join:2003-05-09) to K9COP:
I am butchering this, but this is a stepping stone to help you understand the difference.

Example 1...

LAN 1:
IP range = 192.168.1.x
Subnet mask: 255.255.255.0
Default gateway = 192.168.1.1

LAN 2:
IP range = 192.168.2.x
Subnet mask: 255.255.255.0
Default gateway = 192.168.2.1

...for these two to talk, the default gateway of each is actually a single router, or a switch that's capable of routing multiple subnets. There is usually then another router/firewall that handles traffic going out to the Internet.
...if these two LANs are in physically different buildings, then usually a L2L VPN tunnel and NAT routing are used so they can talk.

or

Example 2...

1 BIG LAN:
IP range = 192.168.x.x
Subnet mask: 255.255.0.0
Default gateway = 192.168.x.x

...because the subnet mask allows it, more than 254 IPs are available across the LAN, such as 192.168.1.x, 192.168.2.x, 192.168.3.x, etc. Some SOHO/residential-grade routers will not allow, or will not work with, a subnet mask other than 255.255.255.0.

Chances are, you wouldn't really want to make your network this big with a SM of 255.255.0.0 so here are some other options...

255.255.254.0 = 510 addresses
255.255.252.0 = 1022 addresses
255.255.248.0 = 2046 addresses
255.255.240.0 = 4094 addresses
...there are more options, see »www.subnet-calculator.co ··· cidr.php
and »www.subnetmask.info

If you are re-doing your LAN because you have run out of addresses, and you're going to implement Example 2, then all things must be changed to use the new subnet mask (don't leave existing things with 255.255.255.0 or you will have problems).

If this is not what you were getting at, please explain what you're trying to do.
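
As an added example (not part of supergeeky's post or anyone else's in this thread), here is a short Python script that uses the standard-library ipaddress module to reproduce the mask-to-host-count table above and to show what actually goes wrong when one host is left on 255.255.255.0 after the LAN moves to 255.255.0.0: each host decides "on my subnet or not" using only its own mask, so the two sides disagree about whether they are neighbours. The host addresses and masks are constructed for illustration.

```python
"""Added example (not from the thread): subnet sizing and the cost of a
mask mismatch, using only the standard-library ipaddress module.

Host addresses and masks below are constructed for illustration."""
import ipaddress


def host_capacity(mask: str) -> dict:
    """Return prefix length, total and usable host counts for a dotted mask.

    'usable' excludes the network and broadcast addresses; the table in the
    thread (255.255.254.0 = 510, ...) quotes usable counts."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")
    return {
        "prefix": net.prefixlen,
        "total": net.num_addresses,
        "usable": max(net.num_addresses - 2, 0),
    }


def is_on_link(local_ip: str, local_mask: str, peer_ip: str) -> bool:
    """What a host decides before sending: is the peer on my own subnet?

    If yes it ARPs for the peer directly; if no it hands the packet to its
    default gateway. The decision uses only the sender's *own* mask."""
    me = ipaddress.IPv4Interface(f"{local_ip}/{local_mask}")
    return ipaddress.IPv4Address(peer_ip) in me.network


def mask_mismatch_report(a_ip: str, a_mask: str, b_ip: str, b_mask: str) -> dict:
    """Show the asymmetry when two hosts disagree about the mask.

    Example 2 in the thread moves the LAN to 255.255.0.0; a host left on
    255.255.255.0 still thinks anything outside its old /24 is off-link."""
    return {
        "a_thinks_b_on_link": is_on_link(a_ip, a_mask, b_ip),
        "b_thinks_a_on_link": is_on_link(b_ip, b_mask, a_ip),
    }


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.254.0", "255.255.252.0",
                 "255.255.248.0", "255.255.240.0", "255.255.0.0"):
        c = host_capacity(mask)
        print(f"{mask:15s} /{c['prefix']:<3d} total={c['total']:6d} usable={c['usable']}")

    # Constructed hosts: A was re-masked to /16, B was forgotten on /24.
    print(mask_mismatch_report("192.168.1.10", "255.255.0.0",
                               "192.168.2.20", "255.255.255.0"))
```

The counts printed are usable hosts (total minus network and broadcast), which is what the table above quotes. In the mismatch report, A (on /16) will ARP for B directly, while B (still on /24) hands its reply to its default gateway; unless a router on that segment answers at B's gateway address and forwards the reply back, B's answers never arrive, which is the "you will have problems" warned about above.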

cramer (Premium Member, join:2007-04-10) to K9COP:
This depends on your exact setup. From your description I'll assume you are looking at what Cisco calls "secondary" addressing, linux/bsd/etc call it aliases... this is two (or more) subnets natively on the same lan. You simply need a router that can hairpin traffic -- which is a violation of RFCs, but just about everything will do it.

If each subnet is within a VLAN, then it's a pure routing setup. There's no layer 3 overlap.

[*OR* you can tell every machine about all of those networks. This is usually not entirely possible. DHCP clients being the hardest to setup.]

K9COP to supergeeky:
This is exactly what I was looking for. This should get me started.

cdru (MVM, join:2003-05-14) to supergeeky:
said by supergeeky:

...for these two to talk, the default gateway of each is actually a single router or a switch that's capable of routing multiple subnets. There is usually another router/firewall then capable of traffic going out to the Internet.

Unless the router has multiple interfaces. Which many do.

...if these two LANs are in physically different buildings, then usually a L2L VPN tunnel and NAT routing is used so they can talk.

Or any one of dozens of different types of dedicated point-to-point connections. The tunnel is convenient if they are both on the Internet, but if they aren't, then it's not practical. I'd venture a guess that the majority of connections between routers that aren't handling general Internet traffic are carrying traffic over dedicated links of various types, not VPN traffic.

K9COP:
Let me expand my question one more step. Let us say that I have a client machine that is on a LAN and its IP address is 10.227.0.5, but all of my other computers are on a separate LAN, 10.169.169.0/24. What settings do I need to input on the router of the 10.169.169.* LAN so that the machines can communicate with the 10.227.0.5 machine?

cdru:
said by K9COP:

Let me expand my question one more step. Let us say that I have a client machine that is on a LAN and its IP address is 10.227.0.5, but all of my other computers are on a separate LAN, 10.169.169.0/24. What settings do I need to input on the router of the 10.169.169.* LAN so that the machines can communicate with the 10.227.0.5 machine?

10.169.169.0 machines will either need a route setup on each machine pointing to the router that handles traffic destined to the subnet that contains 10.227.0.5, or the default gateway will need a route pointing to that router (if it doesn't handle it already).
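
To make the routing answer above concrete, here is an added Python example (not cdru's or any other poster's code) that models a forwarding table and the longest-prefix-match lookup every IP stack performs. It shows that without a specific route, packets for 10.227.0.5 simply follow the default route, and that a static route for 10.227.0.0/24 sends them to the router that really reaches that subnet instead. The interface name eth0, the default gateway 10.169.169.1 and the next hop 10.169.169.254 are assumptions for illustration.

```python
"""Added example (not from the thread): how a host or router picks the next
hop for 10.227.0.5, and why a static route is needed when the default
gateway does not already know the 10.227.0.0/24 subnet.

All addresses, interface names and the 10.169.169.254 next hop are
constructed for illustration."""
import ipaddress
from typing import List, Optional, Tuple

# A route: (destination prefix, next hop or None if directly connected, interface)
Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address], str]


def make_route(prefix: str, via: Optional[str], dev: str) -> Route:
    return (ipaddress.IPv4Network(prefix),
            ipaddress.IPv4Address(via) if via else None,
            dev)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins.

    Directly connected routes (via=None) mean 'ARP for dst yourself';
    any other match means 'send the frame to the next hop's MAC'."""
    d = ipaddress.IPv4Address(dst)
    matches = [r for r in table if d in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def next_hop(table: List[Route], dst: str) -> str:
    """Human-readable forwarding decision for dst."""
    r = lookup(table, dst)
    if r is None:
        return "unreachable"
    _net, via, dev = r
    if via is None:
        return f"direct via {dev}"
    return f"via {via} ({dev})"


# Constructed table for a host on the 10.169.169.0/24 LAN.
BASE_TABLE: List[Route] = [
    make_route("10.169.169.0/24", None, "eth0"),        # connected LAN
    make_route("0.0.0.0/0", "10.169.169.1", "eth0"),    # default gateway (assumed)
]

# Same host after the static route from the answer above is added:
# traffic for the subnet containing 10.227.0.5 goes to the router that
# actually reaches it (assumed here to be 10.169.169.254).
WITH_STATIC: List[Route] = BASE_TABLE + [
    make_route("10.227.0.0/24", "10.169.169.254", "eth0"),
]


if __name__ == "__main__":
    for dst in ("10.169.169.42", "10.227.0.5", "8.8.8.8"):
        print(f"{dst:14s} base: {next_hop(BASE_TABLE, dst):28s} "
              f"with static: {next_hop(WITH_STATIC, dst)}")
```

The same table logic applies to either option cdru gives: install the 10.227.0.0/24 route on every host, or install it once on the default gateway so that the hosts keep sending to 10.169.169.1 and the gateway does the longest-prefix match and forwards on their behalf.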

K9COP:
Sorry I forgot to add one more thing. I do not want the 10.227.0.5 machine to be able to see the other machines on the other subnet. Only one way traffic if that makes sense?

cdru:
said by K9COP:

Sorry I forgot to add one more thing. I do not want the 10.227.0.5 machine to be able to see the other machines on the other subnet. Only one way traffic if that makes sense?

No that doesn't. Presuming TCP communications, such an implementation would not work. The receiver must ACKnowledge the packets received. Without that, there will be no flow of data.

K9COP:
Yes I agree that the ACK would not occur. I am trying to figure out the best way for the 10.169.169.* machines to communicate with the 10.227.0.* subnet, specifically the 10.227.0.5 machine without putting the 10.169.169.* subnet at risk for exposure on the other network. Does that make sense?

cdru:
said by K9COP:

Yes I agree that the ACK would not occur. I am trying to figure out the best way for the 10.169.169.* machines to communicate with the 10.227.0.* subnet, specifically the 10.227.0.5 machine without putting the 10.169.169.* subnet at risk for exposure on the other network. Does that make sense?

You firewall it off. You block all ports unless they absolutely need to be open. You create a web service so communications go through essentially a proxy and not directly.

You haven't specified what you are trying to send. Having a UDP video stream is quite a bit different than an interactive telnet session is quite a bit different than a HTTP request.

K9COP:
Sorry for not being more specific. Basically the only thing I would need to access on that machine is a web interface GUI that utilizes a specific port number to access. So at the firewall level set it up to block everything except for the port number to interface with the GUI?
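
The "one-way" requirement asked for above is exactly what a stateful firewall provides: connections may only be initiated from the 10.169.169.0/24 side toward the GUI port, while the ACKs and responses cdru mentions are allowed back because they belong to a tracked connection; a fresh connection attempt from 10.227.0.5 toward the trusted LAN matches no state and is dropped. The following Python simulation is an added example, not code from the thread or from any vendor. The GUI port (8443), the host addresses and the connection-tracking model are constructed assumptions, and the nftables rules quoted in the docstring are an assumed equivalent for a Linux router, not something any poster supplied.

```python
"""Added example (not from the thread): a stateful 'one-way' firewall
policy between 10.169.169.0/24 (trusted) and 10.227.0.5 (the box with the
web GUI), simulated in Python so the ACK/return-traffic objection in the
thread can be checked against a real policy.

The GUI port 8443, host addresses and the connection-tracking model are
constructed assumptions, not details from the thread.

Assumed nftables equivalent for the forward chain of a Linux router
(policy drop):
    ct state established,related accept
    ip saddr 10.169.169.0/24 ip daddr 10.227.0.5 tcp dport 8443 ct state new accept
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

TRUSTED = ipaddress.IPv4Network("10.169.169.0/24")
GUI_HOST = ipaddress.IPv4Address("10.227.0.5")
GUI_PORT = 8443  # assumed; stands in for K9COP's "specific port number"

FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport) as seen from the initiator


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a connection-opening SYN (no ACK set)


class StatefulFirewall:
    """Allow new TCP connections only trusted -> GUI_HOST:GUI_PORT, allow
    traffic belonging to a tracked connection in both directions, and drop
    everything else."""

    def __init__(self) -> None:
        self.state: Set[FlowKey] = set()

    def _is_reply(self, p: Packet) -> bool:
        # A reply reverses the tracked (src, sport, dst, dport) tuple.
        return (p.dst, p.dport, p.src, p.sport) in self.state

    def evaluate(self, p: Packet) -> str:
        if self._is_reply(p) or (p.src, p.sport, p.dst, p.dport) in self.state:
            return "ACCEPT (established)"
        if (p.syn
                and ipaddress.IPv4Address(p.src) in TRUSTED
                and ipaddress.IPv4Address(p.dst) == GUI_HOST
                and p.dport == GUI_PORT):
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT (new, trusted -> GUI)"
        return "DROP"


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed traffic: one legitimate GUI session, two probes from the
    GUI host back toward the trusted LAN, and one off-port attempt."""
    fw = StatefulFirewall()
    packets = [
        Packet("10.169.169.10", 51000, "10.227.0.5", GUI_PORT, syn=True),   # SYN out
        Packet("10.227.0.5", GUI_PORT, "10.169.169.10", 51000, syn=False),  # SYN-ACK back
        Packet("10.169.169.10", 51000, "10.227.0.5", GUI_PORT, syn=False),  # ACK / data
        Packet("10.227.0.5", 40000, "10.169.169.10", 445, syn=True),        # SMB probe
        Packet("10.227.0.5", 40001, "10.169.169.20", 22, syn=True),         # SSH probe
        Packet("10.169.169.10", 51001, "10.227.0.5", 22, syn=True),         # wrong port
    ]
    return [(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}", fw.evaluate(p)) for p in packets]


if __name__ == "__main__":
    for flow, verdict in run_scenario():
        print(f"{flow:40s} {verdict}")
```

The point of the simulation is that "one-way" is a statement about who may open connections, not about which direction packets flow: the SYN-ACK from 10.227.0.5 is accepted only because a trusted host opened that exact flow first, and an unsolicited packet from 10.227.0.5 that merely looks like a reply has no matching state and is dropped.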

supergeeky to K9COP:
If both 10.169.169.x and 10.227.0.x machines are in different interfaces of the same firewall/router, then just use NAT with specific port ACLs to allow them to talk.

I can't get more detailed than that because you haven't said what mfg./equipment you're using.

jester121 (Premium Member, join:2003-08-09):
Why NAT? Just ACLs should do it, once the routers are configured correctly, no?

supergeeky:
True, depending on equipment...

I frequent Cisco ASAs, which under v8.3 and later basically turn everything into a NAT statement (hey, not my idea!).