Segmenting only with VLAN (no subnetting) on an LACP network


I was having a discussion with one of our network engineers regarding the possibility of saving time and IP addresses when segmenting into different networks by only using VLANs, instead of subnetting plus VLANs.

His method: subnet to create a new network, then assign a VLAN to that network on the switchport and on all machine interfaces (VMs).
My thoughts: do not subnet, just assign the VLANs to the switchport and the machines.

Since our assigned addresses are real-world routable IP addresses, my suggestion could save a lot of IPs. If, for example, you need to set up a new network for 5 machines, you automatically subnet to an 8-IP network and lose 3 IPs. And even if not, you will still always leave room for upscaling and lose IP addresses.
Also, without subnetting, it's less effort and time.

Now, I do know from googling that my method can work, and you don't HAVE TO subnet + VLAN to segregate your network.
However, what he claims is that they cannot do that because of a protocol restriction: running the Link Aggregation Control Protocol does not allow this kind of configuration.
I tried to put the pieces together as to how and why the use of LACP would prevent such a configuration, but I'm clueless.

Any thoughts?

Actually I don't know what LACP has to do with it.

You can't do what you want because of the way layer 2 (MAC) and layer 3 (IP) work.

Where did you read that you can have multiple VLANs all on the same IP network?

A "LAN" is a layer 2 network. A VLAN is nothing more than a virtual layer 2 network. Layer 2 uses MAC addresses to communicate between devices. No layer 2 traffic can cross between separate layer 2 networks. That is, if you have VLAN10 and VLAN20, no traffic at layer 2 will cross between those VLANs. Broadcast traffic for VLAN10 will NEVER get to VLAN20, and broadcast traffic from VLAN20 will NEVER get to VLAN10.

An IP network is a layer 3 network. A layer 3 network is identified by IP address and network/subnet mask. In order for traffic to cross between layer 3 networks you must have a layer 3 "router" to forward traffic between the two different IP networks.

All devices that are on the same layer 3 network must be on the same layer 2 network. Why? Because when host#1 with IP address #1 wants to talk to host#2 with IP address #2 and they are on the same IP network, host#1 will send out an ARP asking "what is the MAC address of the device with IP address #2?" An ARP is a layer 2 broadcast. Going back to LAN/VLAN: no layer 2 traffic crosses LAN/VLAN boundaries.

So if host#1 and host#2 are on different layer 2 networks, host#2 will never see the ARP request and thus will never respond.
shootbox (Author) commented:
Each of the machines on each VLAN will have a default gateway (router/firewall) on which routing rules will be configured so that, for example, a web server on VLAN1 can reach the SQL server on VLAN2 on a specific port.

Why would I also need VLAN1 to be on a different NETWORK (subnet) than VLAN2 for that?

It seems that I would have to enable Proxy ARP for that, which is a feature I don't really know.

But be that as it may, that still does not rule out the option of segmenting only by VLANs instead of VLAN + subnetting. It seems that Private VLAN is also an alternative?
O.K. Let's say:

Webserver is on VLAN1 and its IP address is
SQL Server is on VLAN2 and its IP address is

Because they are on the same IP network, they want to talk directly to each other, so they will not use any gateway/router.

Since they are on the same subnet, when the Webserver wants to talk to the SQL Server it sends out an ARP asking for the MAC address of the SQL Server's IP address. An ARP is a layer 2 broadcast, that is, the destination MAC address is ff:ff:ff:ff:ff:ff. The problem is that layer 2 broadcasts NEVER leave the VLAN. So the SQL Server will never see the ARP and thus will never respond.

The link you provided clearly shows 3 VLANs, each of which is a unique IP network, and shows how routing (an L3 function) works. You don't route when you are part of the same IP network.
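To make the ARP argument above concrete, here is a small added Python model (not part of the thread; all hosts, VLAN numbers and 203.0.113.0/24 test addresses are constructed) of the two decisions a sending host makes: whether the destination is on-link or behind the gateway, and whether anyone in its own VLAN answers the ARP broadcast.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model, not from the thread: a host with address, prefix length, VLAN and gateway.
@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    prefixlen: int
    vlan: int
    gateway: Optional[str] = None  # None for a router interface (it routes, it has no gateway here)

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(f"{self.ip}/{self.prefixlen}").network

def next_hop(src: Host, dst_ip: str) -> str:
    """On-link destinations are ARPed for directly; everything else goes to the default gateway."""
    if ipaddress.ip_address(dst_ip) in src.network:
        return dst_ip
    if src.gateway is None:
        raise ValueError(f"{src.name} has no route to {dst_ip}")
    return src.gateway

def arp_resolve(src: Host, target_ip: str, hosts: List[Host]) -> Optional[str]:
    """An ARP request is a layer-2 broadcast (dst ff:ff:ff:ff:ff:ff), so only hosts in the
    sender's VLAN hear it. Returns a constructed MAC label, or None if nobody answers."""
    for h in hosts:
        if h.vlan == src.vlan and h.ip == target_ip:
            return f"mac:{h.name}"
    return None

def can_send_first_frame(src: Host, dst: Host, hosts: List[Host]) -> bool:
    """True only if src can resolve a MAC address for its next hop toward dst."""
    return arp_resolve(src, next_hop(src, dst.ip), hosts) is not None

# Scenario A, the asker's proposal: one /29, web server in VLAN 10, SQL server in VLAN 20.
WEB_A = Host("web", "203.0.113.2", 29, vlan=10, gateway="203.0.113.1")
SQL_A = Host("sql", "203.0.113.3", 29, vlan=20, gateway="203.0.113.1")
SEGMENT_A = [WEB_A, SQL_A, Host("router", "203.0.113.1", 29, vlan=10)]

# Scenario B, the engineer's method: a /29 per VLAN with a router interface in each.
WEB_B = Host("web", "203.0.113.2", 29, vlan=10, gateway="203.0.113.1")
SQL_B = Host("sql", "203.0.113.10", 29, vlan=20, gateway="203.0.113.9")
SEGMENT_B = [WEB_B, SQL_B, Host("rtr-v10", "203.0.113.1", 29, vlan=10),
             Host("rtr-v20", "203.0.113.9", 29, vlan=20)]
```

In scenario A the web server decides the SQL server is on-link, broadcasts an ARP in VLAN 10, and nobody answers, so the gateway's routing rules are never consulted; in scenario B the destination is off-link, the ARP is for the gateway in the sender's own VLAN, and the router forwards.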


Not 100% sure what you mean by "a Webserver on VLAN1 can reach the SQL server on VLAN2 on a specific port."

If you mean a TCP port, a TCP port is only part of what it uses. It must use the IP address also.

Which is why IP hosts in the same subnet normally need to be part of the same VLAN.

PVLANs are unique and can be used to create what appear to be unique VLANs where hosts can be part of the same IP network. However, this is really not easy to set up and use, as you have to create mappings to allow one PVLAN to communicate with another.
shootbox (Author) commented:
The ARP resolution issue makes the most sense :) thanks