VLANs / tagging and subnets between sites

Say you have two networks, for example, each with multiple subnets, separated by the internet and joined by a site-to-site link such as a VPN or a direct link from an ISP. If you assign the same VLAN numbers on a Cisco device at each site, could that create any conflicts?

For example,
say SiteA has multiple subnets in the range of 10.10.16.1/21, using L3 switching (then connected to a router for outbound/internet); each subnet is on its own VLAN, so:
10.10.16.0/24 is on VLAN 16
10.10.17.0/24 is on VLAN 17
etc.

SiteB also has multiple subnets in the range of 10.11.16.1/21, also using L3 switching and then connected to a router:
10.11.16.0/24 is on VLAN 16
10.11.17.0/24 is on VLAN 17

Would there be any issues with the VLAN assignments? Would there be communication (assuming no ACLs assigned and no firewall rules) between, say, VLAN 16 and VLAN 16? Would the 10.11.16.0/24 subnet be able to ping the 10.10.16.0/24 subnet successfully (assuming NAT was configured)?

The question would be: does the VLAN-specific tagging stop at each router?
AMtek asked:
Akinsd (Network Administrator) commented:
"if you assign the same VLAN numbers on a Cisco device at each site for example could that create any conflicts?"
Yes - they would be considered two separate VLANs even though they have the same name and range. There's a way to make this work using DNS and double NATing, but that's an unnecessary manipulation if it can be avoided.

With your design, if a device D1 from Site A with IP address 10.11.16.2 wants to ping a device D2 with IP address 10.11.16.3 in Site B, the reply will instead come from a device D3 in Site A with the same IP 10.11.16.3.
AMtek (Author) commented:
The goal is to have them separate, as I'd like to have easy-to-remember and quick-to-recognize subnets and VLANs at different sites, but since I don't currently have a test environment I wanted to make sure there was no overlapping or other problem that could arise from using the same VLAN numbers at several sites.

The goal is to have:

A group of subnets at each site in a range such as 10.10.16.0/21, with a VLAN assigned to each subnet based on the third octet (using L3 switching), while the second octet is based on the location (SiteA = 10.10., SiteB = 10.11., etc.).
So, for example:

Site A (for NAT/ACLs to include all subnets, assign 10.10.16.0/21)
10.10.16.0/24 assigned to VLAN 16 - Client Data
10.10.17.0/24 assigned to VLAN 17 - Servers
10.10.18.0/24 assigned to VLAN 18 - Phones
etc.

Then Site B (for NAT/ACLs to include all subnets, assign 10.11.16.0/21):
10.11.16.0/24 assigned to VLAN 16 - Client Data
10.11.17.0/24 assigned to VLAN 17 - Servers
10.11.18.0/24 assigned to VLAN 18 - Phones
etc.

So if a request comes from a client computer at Site B, for example on the 10.11.16.0/24 subnet, and it wants to access a server at Site A on the 10.10.17.0/24 subnet, then routing, ACLs, and NAT are what get it there (or deny it).

I wanted to make sure that if there is a VLAN 16 assigned at Site A on the 10.10.16.0/24 subnet on specific ports, and those packets are tagged with a VLAN, it wouldn't cause a conflict or open the world to VLAN 16 at Site B with 10.11.16.0/24.

So the goal is, let's say all VoIP phones at each site are on 'VLAN 18', that Site A wouldn't get confused with Site B because the VLAN tag was still on the packet.

So this is to make my life easier administratively.
JustInCase commented:
It is OK to have the same VLAN numbers at two different locations. The tag is only locally significant in most configurations. The phone VLAN should have the lowest VLAN number of all VLANs if possible (the reason is STP).
Elvorfin commented:
The VLAN tags would only be in the packet if the two switches were directly connected to each other using an inter-switch trunk. Then VLANs 16, 17 and 18 would be "connected" to each other.

But as you are connecting the sites via a router (over the internet, I presume), the VLAN IDs are only relevant to the local switch.
Akinsd (Network Administrator) commented:
You can implement the subnets as you have laid them out, but be aware that the only way you will be able to communicate from a device at one site to a device at another site is through DNS in conjunction with double NATing.
If there are no inter-connectivity requirements between devices at different sites, then you may get away with your setup; if not, be prepared for some configuration nightmares.

The VLAN names are not the problem but the IP ranges.
The example below would still give you the same thing you're looking for without complications.
A. Site A (for NAT/ACLs to include all subnets, assign 10.10.16.0/21)
10.10.16.0/24 assigned to VLAN 16 - Client Data
10.10.17.0/24 assigned to VLAN 17 - Servers
10.10.18.0/24 assigned to VLAN 18 - Phones
etc.

Then Site B (for NAT/ACLs to include all subnets, assign 10.11.26.0/21):
10.11.26.0/24 assigned to VLAN 26 - Client Data
10.11.27.0/24 assigned to VLAN 27 - Servers
10.11.28.0/24 assigned to VLAN 28 - Phones
JustInCase commented:
@akinsd
It looks like you overlooked that one location starts with 10.10.x.x and the other location starts with 10.11.x.x. The IP ranges are different, so there is no need for double tagging.
As long as the tunneling is L3 it will be OK (as long as the VLAN tag at one location is stripped before packets are forwarded to the other location).
AMtek (Author) commented:
So, based loosely on the above examples, does anyone have a preferred setup, and why?
Akinsd (Network Administrator) commented:
Thanks for pointing that out, Predrag.
Yes, it was an oversight. I thought the addresses were in the same range and that the author wanted to extend each VLAN across sites. See my first comment below:
With your design, if a device D1 from Site A with IP address 10.11.16.2 wants to ping a device D2 with IP address 10.11.16.3 in Site B
With that said, there is no problem with the design, and I apologize for the confusion.
JustInCase commented:
@akinsd No problem, that happens sometimes. :)

As for the preferred design... your starting design is OK; I can only suggest again that the voice VLAN number should be the lowest.
AMtek (Author) commented:
Thanks to both, I appreciate the info.

@predrag
Is there a reason why? Just curious.
JustInCase commented:
For the network range and choosing VLAN numbers, it is similar, but your approach seems more logical, and it is easier to remember by analogy where things are in one part of the network compared with another part, so that could mean less checking of documentation and faster learning of the network topology for other engineers (even for you, a few years from now, if you need to change or maintain the network).
For the voice VLAN number: when STP is changing topology, STP recovers in order (VLAN 0, VLAN 1, VLAN 2, ...), and since voice is very sensitive (if spanning-tree portfast is configured on ports [Cisco switches automatically enable portfast on the voice VLAN], and you use RSTP or MSTP in your network so that it can converge fast), when the STP topology is changing there will be crackling or some other anomalies in active calls, but there should be no dropped calls if the voice VLAN is the first to recover. There will probably be no big difference if there are just a few VLANs configured, but networks grow over time, and if you don't pick a VLAN with some small number now, later it will be much harder to do so.

I am not sure whether this sounds like an explanation or is creating more confusion.
:)
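An added example, not part of the original thread, that encodes the addressing scheme discussed above and checks the two points the answers raise: that the per-site /21 summaries do not overlap (so reusing VLAN 16/17/18 at both sites can never collide over an L3 link), and that the voice VLAN carries the lowest id at each site. The site names, the plan dictionary and the function names are constructed for illustration.

```python
import ipaddress

# Constructed addressing plan following the thread's scheme (not from the original post):
# second octet identifies the site, third octet equals the VLAN id, each site summarised as a /21.
PLAN = {
    "SiteA": {"summary": "10.10.16.0/21", "vlans": {16: "Client Data", 17: "Servers", 18: "Phones"}},
    "SiteB": {"summary": "10.11.16.0/21", "vlans": {16: "Client Data", 17: "Servers", 18: "Phones"}},
}
VOICE_ROLE = "Phones"


def subnet_for(plan, site, vlan):
    """Derive a VLAN's /24 from the site's /21 summary: the third octet is the VLAN id."""
    summary = ipaddress.ip_network(plan[site]["summary"])
    first, second, _, _ = str(summary.network_address).split(".")
    net = ipaddress.ip_network(f"{first}.{second}.{vlan}.0/24")
    if not net.subnet_of(summary):  # the VLAN id must fall inside the site's summary block
        raise ValueError(f"{net} lies outside {summary} for {site}")
    return net


def overlapping_sites(plan):
    """Site pairs whose summaries overlap; over an L3 link that is what would force double NAT."""
    names = list(plan)
    nets = {n: ipaddress.ip_network(plan[n]["summary"]) for n in names}
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def locate(plan, ip):
    """Resolve an address to (site, vlan, role): VLAN ids repeat across sites, subnets do not."""
    addr = ipaddress.ip_address(ip)
    for site, cfg in plan.items():
        for vlan, role in cfg["vlans"].items():
            if addr in subnet_for(plan, site, vlan):
                return site, vlan, role
    return None


def voice_vlan_warnings(plan):
    """Sites whose voice VLAN is not the lowest id (the STP recovery-order advice above)."""
    return [site for site, cfg in plan.items()
            if any(r == VOICE_ROLE and v != min(cfg["vlans"]) for v, r in cfg["vlans"].items())]


if __name__ == "__main__":
    print(overlapping_sites(PLAN))      # [] : the two /21 summaries are distinct
    print(locate(PLAN, "10.11.16.2"))   # ('SiteB', 16, 'Client Data')
    print(voice_vlan_warnings(PLAN))    # ['SiteA', 'SiteB'] : VLAN 18 is not the lowest id
```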

AMtek (Author) commented:
Nope, no confusion; exactly what I was thinking (spanning-tree), and yes, I have portfast configured on the access ports. I think I have the concept of STP, just not a ton of experience with it.

The goal, of course, was to be able, as you mentioned, to recognize the location/site and VLAN quickly from the IP address without checking documentation.

Thank you both for the info, much appreciated.