Overlapping IP Address In Different Subnets?

Can I overlap IP addresses if they are in different subnets?

i.e.:

172.17.2.0/22 - hosts 172.17.2.1 - 172.17.4.254
172.17.4.0/23 - hosts 172.17.4.1 - 172.17.5.254

If this is not a problem, how are these access-lists affected?

access-list 90 permit ip 172.17.0.0 255.255.254.0 172.17.2.0 255.255.254.0
access-list 90 permit ip 172.17.0.0 255.255.254.0 172.17.2.0 255.255.253.0
access-list 100 permit ip 172.17.0.0 255.255.254.0 172.17.4.0 255.255.254.0

Both Networks are in different locations. These access-lists are used for the IPSec Tunnels.

Thanks.
AaronLeiberman Asked:
 
pseudocyber Commented:
Here are the two ranges - /22 and /23.


IP Address       : 172.16.2.0
Address Class    : Classless /23
Network Address  : 172.16.2.0
Subnet Address   : 172.16.2.0
Subnet Mask      : 255.255.254.0
Subnet bit mask  : nnnnnnnn.nnnnnnnn.nnnnnnnh.hhhhhhhh
Subnet Bits      : 23
Host Bits        : 9
Possible Number of Subnets : 1
Hosts per Subnet : 510

Subnet          Mask             Subnet Size   Host Range                    Broadcast
172.16.2.0      255.255.254.0    510           172.16.2.1 to 172.16.3.254    172.16.3.255


IP Address       : 172.16.2.0
Address Class    : Classless /22
Network Address  : 172.16.0.0
Subnet Address   : 172.16.0.0
Subnet Mask      : 255.255.252.0
Subnet bit mask  : nnnnnnnn.nnnnnnnn.nnnnnnhh.hhhhhhhh
Subnet Bits      : 22
Host Bits        : 10
Possible Number of Subnets : 1
Hosts per Subnet : 1022

Subnet          Mask             Subnet Size   Host Range                    Broadcast
172.16.0.0      255.255.252.0    1022          172.16.0.1 to 172.16.3.254    172.16.3.255
0
 
JFrederick29Commented:
No, because the subnets overlap they really aren't different subnets.  Why do you have different networks using overlapping addresses?

Why not use 172.17.0.0/22 and 172.17.4.0/22 for the two networks.
0
 
AaronLeibermanAuthor Commented:
Currently all offices each have a 172.17.0.0/23 subnet, giving them all approx. 512 addresses.

The problem is, our corporate office, on the 172.17.2.0/23 subnet, has run out of IPs on its LAN, so an engineer has proposed to /22 only this particular office. The only problem I see is that this will create an overlap of IP space, even though they are on unique subnets. I agree with you. We don't route between offices. Instead we PIX-to-PIX tunnel using access-lists to pass data.

Would you be able to supply me with information on why you can't have overlapping IPs on the unique subnets?

Thanks for the help, much appreciated!
0
 
ChrisDentCommented:

The problem is...

If you have two branches with the same IP range then how will the main site route traffic?

In effect you'll have two different (equally weighted) routes to the same (logical) network. The main site would have no way of telling the difference.
0
 
friekedCommented:
You CAN have overlapping subnets at different locations.
Just use NAT to translate them to different addresses.
See the following document "Using NAT in overlapping networks"
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f30.shtml
0
 
AaronLeibermanAuthor Commented:
Isn't that what the subnet will do? Tell the host if it's on a local subnet, or let the host know if it needs to pass the IP packets to a router.
0
 
pseudocyberCommented:
172.17.2.0/22 - hosts 172.17.2.1 - 172.17.4.254
172.17.4.0/23 - hosts 172.17.4.1 - 172.17.5.254

Take for instance when a machine on 172.17.4.0/23 wants to talk to 172.17.4.10/22. What's the first thing it will do? It will compare the destination address with its own subnet mask and ask itself, is this destination address on a different network? The answer will be, no, it's on the SAME network. So, instead of changing the layer 2 destination address to that of the default gateway (assuming it already knows the layer 2 MAC address), it will send an ARP for the layer 2 address of the destination. Then, if in fact 172.17.4.10/23 is an active machine on the network, it will respond with its MAC and the source will address the packet to it, and it will get it and not know what it's for, and the real destination will never get the traffic.

But what if 172.17.4.10/22 isn't active - not assigned or turned off? Then it will never respond to the ARP request and the sender would just forget about it - assuming the destination is not listening. The app would time out and may generate an error, or hang.

A solution to this would be NAT on one side or the other with the PIXes.

HTH
0
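The sender-side test pseudocyber describes (AND the destination with your own mask, compare to your own network number, then either ARP for the destination or for the gateway) can be reproduced with Python's standard ipaddress module. This is an added example, not code from the thread; the host and destination addresses are constructed to match the scenario above, and the "shadowed range" helper goes slightly beyond the post by computing which part of a remote site's range a local host can never reach because it falls inside the host's own subnet.

```python
import ipaddress


def treats_as_local(host_cidr: str, dest: str) -> bool:
    """Mimic the sending host: it only knows ITS OWN mask, so it ANDs the
    destination with that mask and compares against its own network number.
    No site identifier exists at this layer, only the bit pattern."""
    iface = ipaddress.ip_interface(host_cidr)          # e.g. 172.17.4.20/23
    return ipaddress.ip_address(dest) in iface.network


def next_hop(host_cidr: str, dest: str) -> str:
    """What the host will ARP for: the destination itself, or the gateway."""
    if treats_as_local(host_cidr, dest):
        return "ARP for destination on local segment"
    return "ARP for default gateway, forward to router"


def shadowed_range(host_cidr: str, remote_cidr: str):
    """Portion of a remote site's range that is unreachable via the gateway
    from this host, because it lies inside the host's own subnet.
    CIDR blocks are either nested or disjoint, so the overlap, if any,
    is simply the smaller of the two networks."""
    local = ipaddress.ip_interface(host_cidr).network
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    if not local.overlaps(remote):
        return None
    return remote if remote.subnet_of(local) else local


if __name__ == "__main__":
    # Constructed scenario: a host on the 172.17.4.0/23 site, and a peer
    # at another site that happens to use 172.17.4.10 as well.
    host = "172.17.4.20/23"
    for dest in ("172.17.4.10", "172.17.5.200", "172.17.9.1"):
        print(f"{host} -> {dest}: {next_hop(host, dest)}")
    # Constructed overlapping pair (a /22 that really does cover the /23).
    print("shadowed:", shadowed_range(host, "172.17.4.0/22"))
```

Everything that the overlapping site owns inside the host's own /23 is invisible to that host: the packet never reaches the PIX tunnel because the routing decision was already made at layer 2.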
 
JFrederick29Commented:
The NAT overlapping technique should only be used as a temporary solution until the network is renumbered...

If you plan to renumber the network, I know it isn't a simple task, but if you do, make sure to use a number of addresses you will never exceed. You are using private addresses so go crazy...

Site 1:

10.1.0.0 255.255.0.0

Site 2:

10.2.0.0 255.255.0.0

Site 3:

10.3.0.0 255.255.0.0

This will give you 65000 addresses per network.
0
 
pseudocyberCommented:
Using a /16 network is fine for a few networks ... however if you have more than a handful, it may benefit you to put some thought into a good renumbering design which could take advantage of route summarization.  Just a thought.
0
 
friekedCommented:
AaronLeiberman: You can't define multiple routes for the same address space.
0
 
JFrederick29Commented:
Good point, but I was under the impression there were only 3 locations.  Still, if the company has exponential growth, it's definitely a thought to be taken seriously.
0
 
ChrisDentCommented:

As Frieked mentions, NAT will achieve the overlapping subnets. In effect you could hide the IP address range behind a single address; this is great if you have a shortage of IP addresses. But how you use it depends on how your network is supposed to work.

Subnetting is a method of splitting large IP ranges into smaller ones. But these ranges don't carry a unique identifier.

So for example:

Take a device on the 172.17.2.1 address sending to 172.17.4.1.

Destination 172.17.4.0 Mask 255.255.254.0 Gateway <local interface (Directly connected)>
Destination 172.17.2.0 Mask 255.255.253.0 Gateway <Router / Firewall>

Sending a request to the routing table for 172.17.4.1 would route to the directly attached network and not even ask the remote network. 172.17.4.1 is, after all, in the local range. Now while those two might be on separate sites, the device responsible for routing the traffic to those sites will end up with the same question and you will have problems.

Why not start using the Class A Range, 10.0.0.0 and subnetting that one up?
0
 
PennGwynCommented:
First of all, 172.17.2.0/22 spans 172.17.0.0 - 172.17.3.255, and *NOT* 172.17.2.0-172.17.4.255 (which is, in any case, only 768 addresses and not 1024).

My suggestion would be to renumber this office as 172.18.0.0/22, or even /16, OR give it a second /23 subnet and route between that and the existing.

There's a certain amount that can be done with NAT to overcome some overlaps, but (a) I wouldn't mix that with VPNs, and (b) even if that gets you around the overlap, you don't have much room for flexibility.

0
 
AaronLeibermanAuthor Commented:
Actually, riddle me this one. What is even more messed up is that they have the following subnet breakdown:

172.17.0.0/23 office A
172.17.2.0/23 office Corporate - the one out of space and wanted to move to a /22
172.17.4.0/23 office B
172.17.6.0/23 office C

If they re-subnet 172.17.2.0/23 to a /22, what does that now overlap with? Isn't this a supernet now?

BTW: I agree with all of you regarding the NAT but not with the VPN, and to also use a 172.18.0.0 or use a /16.

HELP!!!
0
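PennGwyn's correction (172.17.2.0/22 is really 172.17.0.0/22) and the office table above can be checked mechanically, which answers "what does that now overlap with?" directly. This is an added example, not code from the thread. The office names and prefixes are taken from the post; the ACL lines are the ones from the question, read as PIX-style subnet masks (the thread says the tunnels are PIX-to-PIX), and the check for a non-contiguous mask is added because one of the quoted lines uses 255.255.253.0.

```python
import ipaddress

# Office table as posted in the thread.
OFFICES = {
    "office A": "172.17.0.0/23",
    "Corporate": "172.17.2.0/23",
    "office B": "172.17.4.0/23",
    "office C": "172.17.6.0/23",
}

# ACL lines as posted in the question.
ACLS = [
    "access-list 90 permit ip 172.17.0.0 255.255.254.0 172.17.2.0 255.255.254.0",
    "access-list 90 permit ip 172.17.0.0 255.255.254.0 172.17.2.0 255.255.253.0",
    "access-list 100 permit ip 172.17.0.0 255.255.254.0 172.17.4.0 255.255.254.0",
]


def normalize(cidr: str) -> ipaddress.IPv4Network:
    """Return the real network for a prefix written with host bits set:
    the /22 that contains 172.17.2.0 starts at 172.17.0.0, not 172.17.2.0."""
    return ipaddress.ip_network(cidr, strict=False)


def host_range(cidr: str) -> tuple:
    """First and last usable host address (network and broadcast excluded)."""
    net = normalize(cidr)
    return str(net[1]), str(net[-2])


def conflicts(proposed: str, offices: dict, exclude: str = None) -> list:
    """Which existing offices the proposed block would overlap."""
    net = normalize(proposed)
    return sorted(name for name, cidr in offices.items()
                  if name != exclude and net.overlaps(normalize(cidr)))


def is_contiguous_mask(mask: str) -> bool:
    """A subnet mask must be a run of 1-bits followed by 0-bits.
    255.255.253.0 = ...11111101.00000000 has a hole and is not a valid mask."""
    m = int(ipaddress.IPv4Address(mask))
    inverted = (~m) & 0xFFFFFFFF          # host bits become 1s
    return inverted & (inverted + 1) == 0  # true only if inverted is 2**k - 1


def check_acl(line: str) -> list:
    """Parse 'access-list N permit ip SRC SMASK DST DMASK' (subnet masks, PIX
    style) and return a list of problems found; empty list means the line parses."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[3] != "ip":
        return [f"unrecognised line: {line}"]
    problems = []
    for label, addr, mask in (("src", tok[4], tok[5]), ("dst", tok[6], tok[7])):
        if not is_contiguous_mask(mask):
            problems.append(f"{label} mask {mask} is not a contiguous subnet mask")
    return problems


if __name__ == "__main__":
    print("172.17.2.0/22 is really", normalize("172.17.2.0/22"),
          "hosts", host_range("172.17.2.0/22"))
    print("overlaps:", conflicts("172.17.2.0/22", OFFICES, exclude="Corporate"))
    for line in ACLS:
        print(check_acl(line) or "ok", "<-", line)
```

Widening Corporate to a /22 collides with office A, not office B, because the /22 grows downward to 172.17.0.0; the second ACL line would be rejected or misread on the firewall before any overlap even matters.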
 
AaronLeibermanAuthor Commented:
Thanks for the help.
0
 
AaronLeibermanAuthor Commented:
Even though we are not using the /23 subnet that the new /22 would overlap with, could someone tell me a good reason not to do this, besides it not being a good scalable or best-practice solution? Thanks.
0
Question has a verified solution.