Solved

Overlapping IP Address In Different Subnets?

Posted on 2004-09-13
Last Modified: 2008-01-16
Can I overlap IP addresses if they are in different subnets?

ie...

172.17.2.0/22 - hosts 172.17.2.1 - 172.17.4.254
172.17.4.0/23 - hosts 172.17.4.1 - 172.17.5.254

If this is not a problem, how are these access-lists affected?

access-list 90 permit ip 172.17.0.0 255.255.254.0 172.17.2.0 255.255.254.0
access-list 90 permit ip 172.17.0.0 255.255.254.0 172.17.2.0 255.255.253.0
access-list 100 permit ip 172.17.0.0 255.255.254.0 172.17.4.0 255.255.254.0

Both Networks are in different locations. These access-lists are used for the IPSec Tunnels.

Thanks.
Question by:AaronLeiberman
17 Comments
 
LVL 43

Expert Comment

by:JFrederick29
No, because the subnets overlap they really aren't different subnets.  Why do you have different networks using overlapping addresses?

Why not use 172.17.0.0/22 and 172.17.4.0/22 for the two networks.
 

Author Comment

by:AaronLeiberman
Currently all offices each have a 172.17.0.0/23 subnet, giving them all approx. 512 addresses.

The problem is, our corporate office, on the 172.17.2.0/23 subnet, has run out of IP on its LAN, so an engineer has proposed to /22 only this particular office. The only problem I see is that this will create an overlap of IP space, even though they are on unique subnets. I agree with you. We don't route between offices. Instead we PIX-to-PIX tunnel using access-lists to pass data.

Would you be able to supply me with information on why you can't have overlapping IPs on the unique subnets?

Thanks for the help, much appreciated!
 
LVL 1

Expert Comment

by:ChrisDent

The problem is...

If you have two branches with the same IP range then how will the main site route traffic?

In effect you'll have two different (equally weighted) routes to the same (logical) network. The main site would have no way of telling the difference.
 
LVL 3

Expert Comment

by:frieked
You CAN have overlapping subnets at different locations.
Just use NAT to translate them to different addresses.
See the following document "Using NAT in overlapping networks"
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f30.shtml
 

Author Comment

by:AaronLeiberman
Isn't that what the subnet will do? Tell the host if it's on a local subnet, or let the host know if it needs to pass the IP packets to a router.
 
LVL 3

Expert Comment

by:frieked
 
LVL 27

Expert Comment

by:pseudocyber
172.17.2.0/22 - hosts 172.17.2.1 - 172.17.4.254
172.17.4.0/23 - hosts 172.17.4.1 - 172.17.5.254

Take for instance when a machine on 172.17.4.0/23 wants to talk to 172.17.4.10/22.  What's the first thing it will do?  It will compare the destination address with its own subnet mask and ask itself, is this destination address on a different network?  The answer will be, no, it's on the SAME network.  So, instead of changing the layer 2 destination address to that of the default gateway (assuming it already knows the layer 2 MAC address), it will send an ARP for the layer 2 address of the destination.  Then, if in fact 172.17.4.10/23 is an active machine on the network, it will respond with its MAC and the source will address the packet to it, and it will get it and not know what it's for, and the real destination will never get the traffic.

But what if 172.17.4.10/22 isn't active - not assigned or turned off.  Then it will never respond to the ARP request and the sender would just forget about it - assuming the destination is not listening.  The app would time out and may generate an error, or hang.

A solution to this would be NAT on one side or the other with the PIXes.

HTH
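Added example, not from the thread: a few lines of Python that carry out the same on-link test pseudocyber walks through, using the thread's 172.17.4.x addresses (the sender 172.17.4.20 and the gateway 172.17.4.1 are constructed), and then, for contrast, JFrederick29's non-overlapping 172.17.0.0/22 and 172.17.4.0/22 plan.

```python
import ipaddress


def is_on_link(host_ip: str, host_mask: str, dst_ip: str) -> bool:
    """The test a host runs before sending: mask the destination with its own
    subnet mask and see whether it lands inside the host's own network."""
    iface = ipaddress.IPv4Interface(f"{host_ip}/{host_mask}")
    return ipaddress.IPv4Address(dst_ip) in iface.network


def arp_target(host_ip: str, host_mask: str, dst_ip: str, gateway: str) -> str:
    """Layer-2 address the host resolves with ARP: the destination itself when
    it looks on-link, otherwise the default gateway (the PIX in this thread)."""
    return dst_ip if is_on_link(host_ip, host_mask, dst_ip) else gateway


def trace(host_ip: str, host_mask: str, dst_ip: str, gateway: str) -> str:
    """Human-readable outcome of the decision above."""
    target = arp_target(host_ip, host_mask, dst_ip, gateway)
    if target == dst_ip:
        return (f"{host_ip} ARPs for {dst_ip} directly; if that address also "
                f"exists at the other site, the PIX tunnel never sees the packet")
    return f"{host_ip} hands {dst_ip} to gateway {gateway}; the PIX can tunnel it"


if __name__ == "__main__":
    # Constructed sender at the 172.17.4.0/23 site, default gateway 172.17.4.1
    # (assumed), talking to 172.17.4.10, an address the proposed corporate /22
    # would also contain.
    print(trace("172.17.4.20", "255.255.254.0", "172.17.4.10", "172.17.4.1"))
    # JFrederick29's alternative: corporate on 172.17.0.0/22, this site on
    # 172.17.4.0/22. The same sender now correctly treats 172.17.2.10 as remote.
    print(trace("172.17.4.20", "255.255.252.0", "172.17.2.10", "172.17.4.1"))
```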
 
LVL 43

Expert Comment

by:JFrederick29
The NAT overlapping technique should only be used as a temporary solution until the network is renumbered...

If you plan to renumber the network, I know it isn't a simple task, but if you do, make sure to use a number of addresses you will never exceed.  You are using private addresses so go crazy...

Site 1:

10.1.0.0 255.255.0.0

Site 2:

10.2.0.0 255.255.0.0

Site 3:

10.3.0.0 255.255.0.0

This will give you 65000 addresses per network.
 
LVL 27

Expert Comment

by:pseudocyber
Using a /16 network is fine for a few networks ... however if you have more than a handful, it may benefit you to put some thought into a good renumbering design which could take advantage of route summarization.  Just a thought.
 
LVL 3

Expert Comment

by:frieked
AaronLeiberman: You can't define multiple routes for the same address space.
 
LVL 43

Expert Comment

by:JFrederick29
Good point, but I was under the impression there were only 3 locations.  Still, if the company has exponential growth, it's definitely a thought to be taken seriously.
 
LVL 1

Expert Comment

by:ChrisDent

As Frieked mentions, NAT will achieve the overlapping subnets. In effect you could hide the IP address range behind a single address; this is great if you have a shortage of IP addresses. But how you use it depends on how your network is supposed to work.

Subnetting is a method of splitting large IP ranges into smaller ones. But these ranges don't carry a unique identifier.

So for example:

Take a device on the 172.17.2.1 address sending to 172.17.4.1.

Destination 172.17.4.0 Mask 255.255.254.0 Gateway <local interface (Directly connected)>
Destination 172.17.2.0 Mask 255.255.253.0 Gateway <Router / Firewall>

Sending a request to the routing table for 172.17.4.1 would route to the directly attached network and not even ask the remote network. 172.17.4.1 is, after all, in the local range. Now while those two might be on separate sites, the device responsible for routing the traffic to those sites will end up with the same question and you will have problems.

Why not start using the Class A Range, 10.0.0.0 and subnetting that one up?
 
LVL 11

Expert Comment

by:PennGwyn
First of all, 172.17.2.0/22 spans 172.17.0.0 - 172.17.3.255, and *NOT* 172.17.2.0-172.17.4.255 (which is, in any case, only 768 addresses and not 1024).

My suggestion would be to renumber this office as 172.18.0.0/22, or even /16, OR give it a second /23 subnet and route between that and the existing.

There's a certain amount that can be done with NAT to overcome some overlaps, but (a) I wouldn't mix that with VPNs, and (b) even if that gets you around the overlap, you don't have much room for flexibility.

 

Author Comment

by:AaronLeiberman
Actually, riddle me this one. What is even more messed up is that they have the following subnet breakdown.

172.17.0.0/23 office A
172.17.2.0/23 office Corporate - the one out of space and wanted to move to a /22
172.17.4.0/23 office B
172.17.6.0/23 office C

If they re-subnet 172.17.2.0/23 to a /22, what does that now overlap with? Isn't this a supernet now?

BTW: I agree with all of you regarding the NAT, but not with the VPN, and to also use a 172.18.0.0 or use a /16.

HELP!!!
 
LVL 27

Accepted Solution

by:
pseudocyber earned 400 total points
Here are the two ranges - /22 and /23.


IP Address       : 172.16.2.0
Address Class    : Classless /23
Network Address  : 172.16.2.0

Subnet Address   : 172.16.2.0
Subnet Mask      : 255.255.254.0
Subnet bit mask  : nnnnnnnn.nnnnnnnn.nnnnnnnh.hhhhhhhh
Subnet Bits      : 23
Host Bits        : 9
Possible Number of Subnets : 1
Hosts per Subnet : 510

Subnet          Mask              Subnet Size   Host Range                     Broadcast
172.16.2.0      255.255.254.0     510           172.16.2.1  to  172.16.3.254   172.16.3.255


IP Address       : 172.16.2.0
Address Class    : Classless /22
Network Address  : 172.16.0.0

Subnet Address   : 172.16.0.0
Subnet Mask      : 255.255.252.0
Subnet bit mask  : nnnnnnnn.nnnnnnnn.nnnnnnhh.hhhhhhhh
Subnet Bits      : 22
Host Bits        : 10
Possible Number of Subnets : 1
Hosts per Subnet : 1022

Subnet          Mask              Subnet Size   Host Range                     Broadcast
172.16.0.0      255.255.252.0     1022          172.16.0.1  to  172.16.3.254   172.16.3.255
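Added example, not from the thread: Python that applies the masks strictly, the way PennGwyn's correction and the calculator output above do, to the four-office breakdown AaronLeiberman posted, and reports which sites collide once Corporate is widened to a /22. Site names and the plan dictionary are taken from the thread; the function names are my own.

```python
import ipaddress
from itertools import combinations

# The breakdown posted by AaronLeiberman earlier in the thread.
OFFICES = {
    "office A": "172.17.0.0/23",
    "Corporate": "172.17.2.0/23",
    "office B": "172.17.4.0/23",
    "office C": "172.17.6.0/23",
}


def has_host_bits(prefix: str) -> bool:
    """True when the written address is not the network address for that mask
    (172.17.2.0/22 has host bits set; 172.17.4.0/23 does not)."""
    try:
        ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return True
    return False


def true_network(prefix: str) -> ipaddress.IPv4Network:
    """What the mask really selects: 172.17.2.0/22 means 172.17.0.0/22."""
    return ipaddress.ip_network(prefix, strict=False)


def host_range(prefix: str) -> tuple:
    """First and last usable host of the real network."""
    net = true_network(prefix)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def overlaps(plan: dict) -> list:
    """Pairs of sites whose address space collides. Neither a route nor an
    IPSec crypto ACL can tell two sites apart once they share addresses."""
    return [(a, b) for (a, na), (b, nb) in combinations(plan.items(), 2)
            if true_network(na).overlaps(true_network(nb))]


def with_corporate_as(prefix: str) -> dict:
    """The posted plan with only the Corporate entry changed."""
    plan = dict(OFFICES)
    plan["Corporate"] = prefix
    return plan


if __name__ == "__main__":
    print(true_network("172.17.2.0/22"), host_range("172.17.2.0/22"))
    print("current plan collisions:", overlaps(OFFICES))
    print("after the /22 change:", overlaps(with_corporate_as("172.17.2.0/22")))
```

Run as is, it shows the /22 really covers 172.17.0.1 to 172.17.3.254 and therefore collides with office A, not with office B as the original range in the question suggested.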
 

Author Comment

by:AaronLeiberman
Thanks for the help.
 

Author Comment

by:AaronLeiberman
Even though we are not using the /23 subnet that the new /22 would overlap with, could someone tell me a good reason not to do this, besides it not being a good scalable or best-practice solution? Thanks.