phillbl
New Member
July 22, 2014
Question

same network on different vlans

  • July 22, 2014
  • 10 replies
  • 8114 views
Hi, we have a requirement to build some deployment VLANs. Users can then install images on servers within that VLAN and route through to the internet to do Windows updates etc. The issue is that the servers go to sites, and all sites are different businesses with our standard networking configured. Each server IP address is 192.168.1.10 and the gateway is 192.168.1.1. The issue is that we need to build around 5 servers at the same time, and it would be nice not to have to change the IP on 4 of the servers, so they would be on the same VLAN. I understand that it's not possible to add the same gateway/network multiple times on the firewall, but I was wondering if I could somehow create 4 VLANs on the same port (virtual VLANs) and then do some NAT magic or something, but to be honest I'm not quite sure of the best way to go about this. At the moment they put the servers on the same VLAN and change the IP addresses, but it would be nice not to do that. FortiGate 90D, but we are moving to a 200 soon. Thanks

    10 replies

    ede_pfau
    SuperUser
    July 22, 2014
    Hi, just to clarify: you have 5 servers on one wire and want to address them individually. I'd say you will have to give them 5 distinct IP addresses, regardless of the VLAN ID. How would you otherwise direct the return traffic to the individual server? You can use NAT to re-assign IP addresses to different subnets, but the 'original' address has to be unique. The least amount of effort would be to assign distinct addresses from the same subnet, or use DHCP. You could even script the switch from DHCP to static IP address. And, before emnoc posts: who uses the 192.168.[0-2] subnets for real stuff??? This is asking for trouble later. Just my .02€.
    emnoc
    New Member
    July 22, 2014
    Agreed. Static/DHCP addresses, or even secondaries if you are doing a temp move-around, would be my guess. You could configure secondaries for the final network the servers will be on, configure the 5 on the same wire and then redistribute them to their final positions in your LAN.
    phillbl (Author)
    New Member
    July 22, 2014
    Hi, thanks for the replies. I think I forgot to add a part. The separated VLANs are a staging area. All these servers go out to sites that are on their own private network behind a firewall/router. They are not part of our network, just a standard build we sell to the clients. This is why all the servers have the same IP addresses, so that when the servers are out on site, all our clients have a standard build to make troubleshooting easier. Does that make sense? Thanks
    ede_pfau
    SuperUser
    July 22, 2014
    I fully got your concept right from the start. Nonetheless, you cannot have 5 servers with the same IP address at the same time on your network. And again, using the first 192.168 subnets is calling for trouble. It might work for you for a while, until a VPN is needed or such. But you didn't ask for layout hints, got it.
    emnoc
    New Member
    July 22, 2014
    How I worked this in one env was with secondaries. We craft the new site LAN as a secondary. Plugged the servers up, configured them with the correct netmask/gateway/DNS, etc., and then all the build team had to do was shut down and box the server up for UPS shipment to the new site. Once the staging and build was done, we just removed the secondary and repeated for the next new site and build with the next new block. Is that what you're looking for or trying to do?
    netmin
    New Member
    July 22, 2014
    I know a lot of people doing strange network things for various reasons. So... not that I would do it this way or recommend it, but technically you can configure up to 10 independent VDOMs that can have VLAN interfaces on a common physical interface.
    emnoc
    New Member
    July 22, 2014
    But the problem with that is you can run out of ports very quickly, and more so on a lower-end model. So you have up to 14+ ports, and how many ports does the client have on his switch that are freed? Seems like a lot of work if you ask me.
    netmin
    New Member
    July 22, 2014
    Hmmm - I would still only need one physical port on the LAN side: 1 root VDOM that provides internet access, up to 9 subordinate VDOMs with inter-VDOM links that NAT outbound to the root VDOM, all subordinate VDOM VLANs on one physical interface in the root VDOM. But as mentioned, I wouldn't do this just for a 'nice to have'.
    phillbl (Author)
    New Member
    July 22, 2014
    Hi, thanks for all your replies. I did think of VDOMs, but to be honest it's not worth the complexity for such a simple task that engineers can do as a workaround. I agree, if they need to build 5 servers at once they can change the IP on four and at the last minute change it back to what it needs to be. ede_pfau, I'm a bit confused as to why you say not to use the 192.168 subnets. Most networks I have worked in use these. Why would this be calling for trouble? Again, thanks for all your help.
    emnoc
    New Member
    July 22, 2014
    "ede_pfau, I'm a bit confused as to why you say not to use the 192.168 subnets. Most networks I have worked in use these. Why would this be calling for trouble?"
    I'm not ede_pfau, but you answered the question with the statement you made in the quoted line above. The 192.168.0-2.0/24 ranges are commonly used, so you will run into collisions sooner or later as you build out. Most devices default to this range also (D-Link, SonicWall, heck even Fortinet), so I typically suggest starting way above that range, like 192.168.100+.0/24, and the same for 10.0.0.0/8 or 172.16.0.0/12. If you proceed to use this range, then sooner or later you will be posting a question like the posting below this one about "double NAT", etc. Try to avoid that range.
    Emnoc's ROEs when using RFC 1918 addresses:
    rule #1: make the network bigger than you think you need. It isn't like you have to justify usage to ARIN, RIPE, LACNIC or AFRINIC on why you used a /23 or smaller prefix.
    rule #2: avoid the low end of whatever RFC 1918 block, since those are the most commonly used blocks by others, or default blocks on SOHO/SMB devices.
    ede_pfau
    SuperUser
    July 23, 2014
    Nicely put. We've seen several requests here when people used the default ranges in their networks, then the company expanded and suddenly they needed a VPN between sites with the same network addresses on both sides. One other example: in one of my customers' networks they used the 192.168.1 range (that was before my time :). One day, an employee brought in a Belkin NAS and connected it to a wall LAN socket. It worked immediately; the only trouble was it offered addresses by DHCP (built-in server). It took quite some time to find out the reason for malfunctions with client PCs and then locate the device. You just don't want devices to have internet (and/or internal) connectivity just by plugging them in.
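The two practical points in this thread, emnoc's secondary-IP staging method and the warning about collisions on the low RFC 1918 blocks, as an added example that is not code from the thread, from Fortinet, or from any poster. The site inventory and the list of vendor-default blocks are constructed for illustration; the interface name "internal" is a placeholder; the FortiOS CLI snippet is written from memory of the 5.x `config system interface` / `config secondaryip` syntax and should be checked against the firmware in use.

```python
"""Staging-VLAN helper: check a site LAN plan for address collisions and emit
the FortiGate secondary-IP snippet for the staging interface.

Added example; the inventory and default-range list below are constructed.
"""
import ipaddress

# Constructed inventory of customer site LANs. Each site is its own island behind
# its own firewall, so identical blocks are fine in the field, but they collide as
# soon as two sites are staged on one segment or VPN'd back to HQ.
SITE_LANS = {
    "hq":     "192.168.1.0/24",
    "site-a": "192.168.1.0/24",   # the "standard build" block from the question
    "site-b": "192.168.2.0/24",
    "site-c": "192.168.100.0/24",
    "site-d": "10.0.0.0/24",
}

# Blocks that SOHO/SMB gear commonly ships with as factory defaults: the "low end
# of the RFC 1918 block" that rule #2 warns about. Assumed list, not exhaustive.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24",
)]


def _net(cidr):
    # strict=False accepts a host-style "192.168.1.1/24" as well as a network
    return ipaddress.ip_network(cidr, strict=False)


def find_overlaps(lans):
    """Pairs of sites whose LANs overlap. Such pairs cannot be VPN'd together
    (or staged on one segment) without NAT or renumbering."""
    items = sorted((name, _net(cidr)) for name, cidr in lans.items())
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:] if na.overlaps(nb)]


def flag_default_ranges(lans):
    """Sites whose LAN overlaps a common vendor-default block."""
    return sorted(name for name, cidr in lans.items()
                  if any(_net(cidr).overlaps(d) for d in COMMON_DEFAULTS))


def next_free_block(lans, pool="192.168.100.0/22", prefixlen=24):
    """First /prefixlen inside `pool` (a pool chosen well above the default
    blocks) that overlaps no existing site LAN, or None if the pool is used up."""
    used = [_net(c) for c in lans.values()]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None


def staging_secondary_config(interface, site_gateway_cidr, index=1):
    """FortiOS CLI adding the site's gateway address as a secondary IP on the
    staging interface (emnoc's method): build the server with its final
    address/gateway, then remove the secondary before the next site.
    Syntax written from memory of FortiOS 5.x; verify on the target firmware."""
    iface = ipaddress.ip_interface(site_gateway_cidr)
    gw, mask = iface.ip, iface.network.netmask
    return "\n".join([
        "config system interface",
        f'    edit "{interface}"',
        "        set secondary-IP enable",
        "        config secondaryip",
        f"            edit {index}",
        f"                set ip {gw} {mask}",
        "                set allowaccess ping",
        "            next",
        "        end",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    print("overlapping sites:", find_overlaps(SITE_LANS))
    print("sites on vendor-default blocks:", flag_default_ranges(SITE_LANS))
    print("next free block above the defaults:", next_free_block(SITE_LANS))
    print(staging_secondary_config("internal", "192.168.1.1/24"))
```

Run it as-is to see the constructed inventory flagged: hq and site-a collide outright (the VPN problem ede_pfau describes), four of the five sites sit on factory-default blocks, and the first unused /24 above 192.168.100.0 is offered as the next site block. The secondary-IP snippet is only for the staging firewall; with a single secondary at a time, only one server can hold 192.168.1.10, which is the constraint the thread keeps coming back to.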