Segmenting only with VLAN (no subnetting) on an LACP network

Posted on 2013-09-18
Medium Priority
Last Modified: 2013-09-21

I was having a discussion with one of our network engineers regarding the possibility to save time and IP addresses when segmenting to different networks, by only using VLANs instead of subnetting + using VLANs.

His method: subnet to create a new network, assign a VLAN to that network on the switchport and all machines' interfaces (VMs).
My thoughts: do not subnet, just assign the VLANs to the switchport and the machines.

Since our assigned addresses are real-world routable IP addresses, my suggestion could save a lot of IPs: if, for example, you need to set up a new network for 5 machines, you automatically subnet to an 8-IP network and lose 3 IPs. And even if not, you will still always leave room for upscaling and lose IP addresses.
Also, without subnetting, it's less effort and time.

Now, I do know from googling that my method can work, and you don't HAVE TO subnet + VLAN to segregate your network.
However, what he claims is that they cannot do that, because of a protocol restriction - running Link Aggregation Control Protocol does not allow this kind of configuration.
I tried to put the pieces together as to how and why the use of LACP would prevent such configuration, but I'm clueless.

Any thoughts?
Question by: shootbox
LVL 57

Expert Comment

ID: 39505526
Actually I don't know what LACP has to do with it.

You can't do what you want because of the way layer 2 (MAC) and layer 3 (IP) work.

Where did you read that you can have multiple VLANs all on the same IP network?

A "LAN" is a layer 2 network. A VLAN is nothing more than a virtual layer 2 network. Layer 2 uses MAC addresses to communicate between devices. No layer 2 traffic can cross between separate layer 2 networks. That is, if you have VLAN10 and VLAN20, no traffic at layer 2 will cross those VLANs. Broadcast traffic for VLAN10 will NEVER get to VLAN20 and broadcast traffic from VLAN20 will NEVER get to VLAN10.

An IP network is a layer 3 network. A layer 3 network is identified based on IP address and network/subnet mask. In order for traffic to cross between layer 3 networks you must have a layer 3 "router" to forward traffic between two different IP networks.

All devices that are on the same layer 3 network must be on the same layer 2 network. Why? Because when host#1 with IP address #1 wants to talk to host#2 with IP address #2 and they are on the same IP network, host#1 will send an ARP out asking "what is the MAC address of the device with IP address #2." An ARP is a layer 2 broadcast. Going back to LAN/VLAN, no layer 2 traffic crosses LAN/VLAN boundaries.

So if host#1 and host#2 are on different layer 2 networks, host#2 will never see the ARP request and thus never respond.

Author Comment

ID: 39506166
Each of the machines on each VLAN will have a default gateway (router/firewall) on which routing rules will be configured so that, for example, a Webserver on VLAN1 can reach the SQL server on VLAN2 on a specific port.

Why would I also need VLAN1 to be on a different NETWORK (subnet) than VLAN2 for that?

It seems that I would have to enable Proxy ARP for that, which is a feature I don't really know.

But be that as it may, that still does not rule out the option of segmenting only by VLANs instead of VLAN+subnetting. It seems that Private VLAN is also an alternative?
LVL 57

Accepted Solution

giltjr earned 2000 total points
ID: 39507824
O.K. Let's say:

Webserver is on VLAN1 and its IP address is
SQL Server is on VLAN2 and its IP address is

Because they are on the same IP network, they want to talk directly to each other, so they will not use any gateway/router.

Since they are on the same subnet, when Webserver wants to talk to SQL server it sends out an ARP asking what is the MAC address of  An ARP is a layer 2 broadcast, that is, the destination MAC address is ff:ff:ff:ff:ff:ff. The problem is that layer 2 broadcasts NEVER leave the VLAN. So the SQL server will never see the ARP and thus never respond.

The link you provided clearly shows 3 VLANs, and each VLAN is a unique IP network, and shows how routing (an L3 function) works. You don't route when you are part of the same IP network.
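The ARP argument made in the first expert comment and in the accepted solution above, as an added worked example that is not part of the original thread: a small model of "which IP does a sender ARP for" (the destination if on-net, otherwise the gateway) combined with "who can hear an ARP broadcast" (only hosts in the sender's VLAN). The host names, VLAN numbers and RFC 5737 addresses are constructed; the /29-per-VLAN layout mirrors the "8 ip network" from the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Host:
    name: str
    iface: ipaddress.IPv4Interface          # address + mask, e.g. 192.0.2.10/24
    vlan: int
    gateway: Optional[ipaddress.IPv4Address] = None

def next_hop(src, dst_ip):
    """IP the sender ARPs for: the destination itself if on-net, else its gateway."""
    return dst_ip if dst_ip in src.iface.network else src.gateway

def arp_resolves(src, target_ip, hosts):
    """ARP is an L2 broadcast (ff:ff:ff:ff:ff:ff): only the sender's VLAN hears it."""
    return any(h.vlan == src.vlan and h.iface.ip == target_ip for h in hosts)

def end_to_end(src, dst, hosts):
    """Can src's first packet reach dst, directly or via a router interface?"""
    hop = next_hop(src, dst.iface.ip)
    if hop is None or not arp_resolves(src, hop, hosts):
        return False
    if hop == dst.iface.ip:
        return True                          # on-net and ARP answered: done
    # hop is a router interface; the router forwards out of whichever of its
    # interfaces (same name, other VLAN) sits on dst's IP network
    router = next(h for h in hosts if h.vlan == src.vlan and h.iface.ip == hop)
    return any(dst.iface.ip in r.iface.network and arp_resolves(r, dst.iface.ip, hosts)
               for r in hosts if r.name == router.name)

A, I = ipaddress.IPv4Address, ipaddress.IPv4Interface

# Asker's proposal (constructed): one /24, hosts separated by VLAN only.
SAME_SUBNET = [
    Host("web", I("192.0.2.10/24"), vlan=1, gateway=A("192.0.2.1")),
    Host("sql", I("192.0.2.20/24"), vlan=2, gateway=A("192.0.2.1")),
    Host("rtr", I("192.0.2.1/24"), vlan=1),
]

# Engineer's method (constructed): one /29 per VLAN, router interface in each.
SUBNET_PER_VLAN = [
    Host("web", I("192.0.2.10/29"), vlan=1, gateway=A("192.0.2.9")),
    Host("sql", I("192.0.2.18/29"), vlan=2, gateway=A("192.0.2.17")),
    Host("rtr", I("192.0.2.9/29"), vlan=1),
    Host("rtr", I("192.0.2.17/29"), vlan=2),
]

def web_reaches_sql(hosts):
    web = next(h for h in hosts if h.name == "web")
    sql = next(h for h in hosts if h.name == "sql")
    return end_to_end(web, sql, hosts)
```

In the same-subnet layout `web` ARPs for `sql` directly, the broadcast never leaves VLAN 1, and the router is never consulted; in the subnet-per-VLAN layout `web` ARPs for its gateway in VLAN 1 and the router answers from its VLAN 2 interface.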
LVL 57

Expert Comment

ID: 39507832

Not 100% sure what you mean by "a Webserver on VLAN1 can reach the SQL server on VLAN2 on a specific port."

If you mean TCP port, a TCP port is only part of what it uses. It must use the IP address also.

And IP hosts in the same subnet normally need to be part of the same VLAN.

PVLANs are unique and can be used to create what appear to be unique VLANs where hosts can be part of the same IP network. However, this is really not easy to set up and use, as you have to create mappings to allow one PVLAN to communicate with another.


Author Closing Comment

ID: 39512438
The ARP resolution issue makes the most sense :) thanks
