1

I have 3 entities in my network: a server, a switch and an appliance which acts as a DHCP/PXE server. When the server starts up, the DHCP server has to PXE boot the server. A separate VLAN (1234) is assigned for PXE boot installation and an IP range is associated with this VLAN (192.168.123.1 - 192.168.123.254). Subnet - 192.168.123.0. I attached my appliance interface to VLAN 1234 but assigned the IP address as 192.168.122.3 and the DHCP IP range as 192.168.122.50 - 192.168.122.100. Please note that these IP ranges are not in the scope of IP addresses defined for VLAN 1234, i.e., they are not in the subnet 192.168.123.0; these IP addresses belong to another subnet which is associated with another VLAN. But still the server could successfully PXE boot; I am not sure how, though. Can anybody please explain how I could attach my appliance to VLAN 1234 with an IP address which is not in the scope of its associated subnet?

1 Answer

1

A VLAN is a layer 2 concept; it doesn't have any knowledge of layer 3. Each VLAN consists of a number of ports assigned to that VLAN and a MAC address table, for that VLAN only. It is definitely possible to use more than one subnet on the same VLAN as you are doing (although see the caveats later in the answer). All the VLAN cares about is learning the MAC addresses of the devices in that VLAN and forwarding traffic between those devices. This forwarding is done at layer 2, so it only inspects the destination MAC address of the frame. It doesn't care about the IP addresses in the IP packet the frame is carrying.

The confusion is possibly because a lot of switches are layer 3 and they allow you to assign an IP address to a VLAN, sometimes referred to as a VLAN Interface or Switched Virtual Interface (SVI). If you assign an IP address to a VLAN on a layer 3 switch, it acts as though you have added a router to the VLAN with that IP address. Any traffic reaching the SVI can then be routed, but the routing process is a layer 3 process. If the IP address is acting as a default gateway for a PC on the VLAN, the VLAN is only concerned with passing frames between the PCs and the SVI by carrying out forwarding based on the destination MAC address of the frame. Once it reaches the SVI, a separate layer 3 process is involved in forwarding the traffic at layer 3 (IP based).

So, although it is bad practice, you can have different subnets on the same VLAN, just as you can have different subnets on the same physical LAN switch that doesn't support VLANs.

If you have multiple subnets on the same VLAN and you need devices on those subnets to speak to other subnets, you can assign more than one IP address to the VLAN Interface. The other address is sometimes referred to as secondary in the CLI. One thing you can't do is have an IP address from the same subnet on two different VLAN interfaces on the same switch, as the router will not know how to forward traffic for that subnet; it will not know which interface the end destination lives on, as it sees them both as the same subnet and doesn't know about individual hosts.

I think in your case, you are using a subnet inside a VLAN that is also assigned to another VLAN interface on the switch? If this is the case, and those devices do not need to speak to other subnets then this will work. A couple of issues could arise from this:

If a device in the subnet wants to speak to a device in the same IP subnet on the other VLAN, communication will not be possible as they are separate VLANs. The devices on one VLAN will ARP for the devices on the other VLAN directly, and as they are separate VLANs the ARP broadcast will not reach the destination device.

Another issue is if you want to speak to another subnet. It will not be possible to add an SVI to the VLAN if that subnet exists on another SVI, so there will be no default gateway for the subnet.
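The layer 2 behaviour described in this answer, as an added Python example that is not part of the original answer: a toy access switch with one MAC table per VLAN, plus an audit helper that lists IPs seen on a VLAN outside its documented subnet. The class and function names, port numbers, MAC addresses and VLAN 20 are hypothetical; the VLAN 1234 and 192.168.122.x / 192.168.123.0 values come from the question.

```python
from ipaddress import ip_address, ip_network

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Toy layer 2 switch: one MAC table per VLAN, forwarding on destination MAC only."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)                  # access port -> VLAN id
        self.mac_table = {v: {} for v in set(self.port_vlan.values())}

    def forward(self, in_port, src_mac, dst_mac, ip_payload=None):
        """Return sorted egress ports; ip_payload is carried but never inspected."""
        vlan = self.port_vlan[in_port]
        table = self.mac_table[vlan]
        table[src_mac] = in_port                          # learn the source MAC in this VLAN
        if dst_mac != BROADCAST and dst_mac in table:
            out = [table[dst_mac]]                        # known unicast
        else:                                             # broadcast/unknown: flood this VLAN only
            out = [p for p, v in self.port_vlan.items() if v == vlan]
        return sorted(p for p in out if p != in_port)


def off_subnet(documented, observed):
    """Per VLAN, the observed IPs that fall outside the subnet documented for it."""
    return {vlan: [ip for ip in ips
                   if ip_address(ip) not in ip_network(documented[vlan])]
            for vlan, ips in observed.items()}


def demo():
    # Constructed topology: port 1 = server, port 2 = appliance (both VLAN 1234),
    # port 3 = a host on a different VLAN (20, hypothetical).
    sw = VlanSwitch({1: 1234, 2: 1234, 3: 20})
    server, appliance, other = "aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:03"
    return {
        # DHCPDISCOVER is a broadcast: it floods VLAN 1234 and reaches the appliance.
        "discover": sw.forward(1, server, BROADCAST, ("0.0.0.0", "255.255.255.255")),
        # The offer from 192.168.122.3 (here unicast to the server's MAC) is switched
        # on MAC alone, so the off-subnet addressing does not matter to the VLAN.
        "offer": sw.forward(2, appliance, server, ("192.168.122.3", "192.168.122.50")),
        # ARP for 192.168.122.3 from the other VLAN never leaves that VLAN.
        "arp_other_vlan": sw.forward(3, other, BROADCAST, ("192.168.122.10", "192.168.122.3")),
    }


if __name__ == "__main__":
    print(demo())
    print(off_subnet({1234: "192.168.123.0/24"},
                     {1234: ["192.168.122.3", "192.168.122.50", "192.168.123.10"]}))
```

In practice the `observed` mapping would be built from ARP or DHCP lease data collected per VLAN, which turns the "helps during troubleshooting" convention into a check that can be run.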

5
  • Thanks for the detailed explanation Karl. If a VLAN does not restrict the attached devices to have an IP address from another subnet which is not associated with this VLAN, then what exactly is the reason behind associating a single subnet to a VLAN during creation? I know it helps during troubleshooting, is that the only reason?
    Commented Jul 7, 2018 at 7:41
  • What switch make/model are you using? Does your switch ask you to define an IP/mask or a range, or both? If it is an IP/mask, then it will be to act as a default gateway for the clients on the VLAN, so see my comments about SVI. If you are defining a range, it may be associated with DHCP. If the switch acted as a DHCP server for the VLAN, it would give out those addresses. If you let me know the switch make/model I can let you know further.
    – user27899
    Commented Jul 7, 2018 at 7:49
  • We are using Cisco 3164 switches. For a given VLAN, we have a subnet ID, subnet mask and the static range (one IP for attaching my appliance to the VLAN and the remaining used for DHCP). But what I have done is that I have attached my appliance to the VLAN but I have given the IP from another subnet (which is not associated with this VLAN) to attach my appliance to the VLAN and also for the DHCP range. So the host which I am trying to PXE boot will also get the IP from this IP range. So my question again is what exactly does it mean to associate a subnet to a VLAN? Is default gateway the only significance?
    Commented Jul 7, 2018 at 8:16
  • Usually, yes, the only significance is default gateway. Are these Cisco Nexus 3164? If you edit your answer to include the specific IP commands I can tell you exactly what they do.
    – user27899
    Commented Jul 7, 2018 at 8:34
  • I am not aware of the IP commands since I don't work on this stuff. We usually use the network configuration given by our network admin. I was just trying to understand VLAN configurations better. Your answer made things more clear for me. Thanks!
    Commented Jul 7, 2018 at 8:56
