Why can't devices on different VLANs, but on the same subnet, communicate? The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Virtual Local Area NetworkMultiple VLANs with same subnet behind single ASAHow does switch treat ingress tagged packet?How can hosts on two different VLANs communicate?Multiple Subnets in a VLANDifferent but overlapping Variable Length Subnet ranges on the same segmentAbout VLAN using different network, but VLAN ID is sameHow do VLANs differ between connected switches vs a single switch?Routing Between 2 different vlans but same subnetHow to turn off auto-routing between interfaces in same router ? is there any command for that?How can all devices connected to the router be in the same subnet?
What is the padding with red substance inside of steak packaging?
how can a perfect fourth interval be considered either consonant or dissonant?
60's-70's movie: home appliances revolting against the owners
For what reasons would an animal species NOT cross a *horizontal* land bridge?
Deal with toxic manager when you can't quit
How to determine omitted units in a publication
How do you keep chess fun when your opponent constantly beats you?
What information about me do stores get via my credit card?
Do ℕ, mathbbN, BbbN, symbbN effectively differ, and is there a "canonical" specification of the naturals?
The following signatures were invalid: EXPKEYSIG 1397BC53640DB551
How do I design a circuit to convert a 100 mV and 50 Hz sine wave to a square wave?
Why not take a picture of a closer black hole?
Can withdrawing asylum be illegal?
Why can't wing-mounted spoilers be used to steepen approaches?
Was credit for the black hole image misappropriated?
Is it ethical to upload a automatically generated paper to a non peer-reviewed site as part of a larger research?
How did the audience guess the pentatonic scale in Bobby McFerrin's presentation?
Didn't get enough time to take a Coding Test - what to do now?
Is every episode of "Where are my Pants?" identical?
What to do when moving next to a bird sanctuary with a loosely-domesticated cat?
Why don't hard Brexiteers insist on a hard border to prevent illegal immigration after Brexit?
Why doesn't a hydraulic lever violate conservation of energy?
Are there continuous functions who are the same in an interval but differ in at least one other point?
Is this wall load bearing? Blueprints and photos attached
Why can't devices on different VLANs, but on the same subnet, communicate?
The 2019 Stack Overflow Developer Survey Results Are In
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Virtual Local Area NetworkMultiple VLANs with same subnet behind single ASAHow does switch treat ingress tagged packet?How can hosts on two different VLANs communicate?Multiple Subnets in a VLANDifferent but overlapping Variable Length Subnet ranges on the same segmentAbout VLAN using different network, but VLAN ID is sameHow do VLANs differ between connected switches vs a single switch?Routing Between 2 different vlans but same subnetHow to turn off auto-routing between interfaces in same router ? is there any command for that?How can all devices connected to the router be in the same subnet?
I have a question about switching. I have two devices connected to a switch with IP addresses 192.168.5.20 and 192.168.5.10. Both devices have the same prefix, /24. That means they are on the same subnet.
If I split these devices on different VLANs (10 and 20) on the switch, it will not communicate although they are on same subnet. Why does that happen?
switch vlan subnet
edited yesterday
Peter Mortensen
1475
asked yesterday
Jim PapJim Pap
8214
New contributor
Jim Pap is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
|
show 2 more comments
I have a question about switching. I have two devices connected to a switch with IP addresses 192.168.5.20 and 192.168.5.10. Both devices have the same prefix, /24. That means they are on the same subnet.
If I split these devices on different VLANs (10 and 20) on the switch, it will not communicate although they are on same subnet. Why does that happen?
switch vlan subnet
edited yesterday
Peter Mortensen
1475
asked yesterday
Jim PapJim Pap
8214
New contributor
Jim Pap is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
3
You need a router to route between different Vlans. Also, when doing that, you cannot have the same IP subnet on those two Vlans.
– Cown
yesterday
5
Hello Jim Pap and welcome ... It's like you plugged your two hosts into two different switches, one labelled "LAN 10" and the other labelled "LAN 20". Configuring VLANs on your switch divides your switch into multiple, virtual, switches.
– jonathanjo
yesterday
2
This question is somewhat of a tautology. They can't because they can't, by design. The creation of separate VLANs logically segments the switched internetwork. You now need to use some form of inter-VLAN routing for these devices to communicate.
– WakeDemons3
yesterday
@Cown you can most definitely have the same IP on multiple VLANS although it may not be beneficial to do so
– Matt Douhan
17 hours ago
@MattDouhan Unless the Vlans are in different VRF's or some other separator, then no, that is not possible, at least not on Cisco. Please prove it.
– Cown
12 hours ago
|
show 2 more comments
I have a question about switching. I have two devices connected to a switch with IP addresses 192.168.5.20 and 192.168.5.10. Both devices have the same prefix, /24. That means they are on the same subnet.
If I split these devices on different VLANs (10 and 20) on the switch, it will not communicate although they are on same subnet. Why does that happen?
switch vlan subnet
edited yesterday
Peter Mortensen
1475
asked yesterday
Jim PapJim Pap
8214
New contributor
Jim Pap is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I have a question about switching. I have two devices connected to a switch with IP addresses 192.168.5.20 and 192.168.5.10. Both devices have the same prefix, /24. That means they are on the same subnet.
If I split these devices on different VLANs (10 and 20) on the switch, it will not communicate although they are on same subnet. Why does that happen?
switch vlan subnet
switch vlan subnet
edited yesterday
Peter Mortensen
1475
asked yesterday
Jim PapJim Pap
8214
New contributor
Jim Pap is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited yesterday
Peter Mortensen
1475
asked yesterday
Jim PapJim Pap
8214
New contributor
Jim Pap is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited yesterday
Peter Mortensen
1475
edited yesterday
Peter Mortensen
1475
edited yesterday
Peter Mortensen
1475
1475
asked yesterday
Jim PapJim Pap
8214
New contributor
Jim Pap is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked yesterday
Jim PapJim Pap
8214
asked yesterday
Jim PapJim Pap
8214
8214
New contributor
Jim Pap is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Jim Pap is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Jim Pap is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
3
You need a router to route between different Vlans. Also, when doing that, you cannot have the same IP subnet on those two Vlans.
– Cown
yesterday
5
Hello Jim Pap and welcome ... It's like you plugged your two hosts into two different switches, one labelled "LAN 10" and the other labelled "LAN 20". Configuring VLANs on your switch divides your switch into multiple, virtual, switches.
– jonathanjo
yesterday
2
This question is somewhat of a tautology. They can't because they can't, by design. The creation of separate VLANs logically segments the switched internetwork. You now need to use some form of inter-VLAN routing for these devices to communicate.
– WakeDemons3
yesterday
@Cown you can most definitely have the same IP on multiple VLANS although it may not be beneficial to do so
– Matt Douhan
17 hours ago
@MattDouhan Unless the Vlans are in different VRF's or some other separator, then no, that is not possible, at least not on Cisco. Please prove it.
– Cown
12 hours ago
|
show 2 more comments
3
You need a router to route between different Vlans. Also, when doing that, you cannot have the same IP subnet on those two Vlans.
– Cown
yesterday
5
Hello Jim Pap and welcome ... It's like you plugged your two hosts into two different switches, one labelled "LAN 10" and the other labelled "LAN 20". Configuring VLANs on your switch divides your switch into multiple, virtual, switches.
– jonathanjo
yesterday
2
This question is somewhat of a tautology. They can't because they can't, by design. The creation of separate VLANs logically segments the switched internetwork. You now need to use some form of inter-VLAN routing for these devices to communicate.
– WakeDemons3
yesterday
@Cown you can most definitely have the same IP on multiple VLANS although it may not be beneficial to do so
– Matt Douhan
17 hours ago
@MattDouhan Unless the Vlans are in different VRF's or some other separator, then no, that is not possible, at least not on Cisco. Please prove it.
– Cown
12 hours ago
3
3
You need a router to route between different Vlans. Also, when doing that, you cannot have the same IP subnet on those two Vlans.
– Cown
yesterday
You need a router to route between different Vlans. Also, when doing that, you cannot have the same IP subnet on those two Vlans.
– Cown
yesterday
5
5
Hello Jim Pap and welcome ... It's like you plugged your two hosts into two different switches, one labelled "LAN 10" and the other labelled "LAN 20". Configuring VLANs on your switch divides your switch into multiple, virtual, switches.
– jonathanjo
yesterday
Hello Jim Pap and welcome ... It's like you plugged your two hosts into two different switches, one labelled "LAN 10" and the other labelled "LAN 20". Configuring VLANs on your switch divides your switch into multiple, virtual, switches.
– jonathanjo
yesterday
2
2
This question is somewhat of a tautology. They can't because they can't, by design. The creation of separate VLANs logically segments the switched internetwork. You now need to use some form of inter-VLAN routing for these devices to communicate.
– WakeDemons3
yesterday
This question is somewhat of a tautology. They can't because they can't, by design. The creation of separate VLANs logically segments the switched internetwork. You now need to use some form of inter-VLAN routing for these devices to communicate.
– WakeDemons3
yesterday
@Cown you can most definitely have the same IP on multiple VLANS although it may not be beneficial to do so
– Matt Douhan
17 hours ago
@Cown you can most definitely have the same IP on multiple VLANS although it may not be beneficial to do so
– Matt Douhan
17 hours ago
@MattDouhan Unless the Vlans are in different VRF's or some other separator, then no, that is not possible, at least not on Cisco. Please prove it.
– Cown
12 hours ago
@MattDouhan Unless the Vlans are in different VRF's or some other separator, then no, that is not possible, at least not on Cisco. Please prove it.
– Cown
12 hours ago
|
show 2 more comments
7 Answers
7
active
oldest
votes
One of the things VLAN's do is take a physical switch and break them up into multiple smaller "virtual" switches.
Meaning this Physical depiction of One switch and Two VLANs:
Is identical in operation to this Logical depiction of the same topology:
Even if the IP addresses in the 2nd image were in the same Subnet, you'll notice there is no "link" between the two virtual switches (i.e., VLANs), and therefore no possible way Hosts A/B can communicate with Hosts C/D.
In order for the hosts in the 2nd image to communicate with one another, you would need some sort of device to facilitate the communication from one "switch" to the other. The device that exists for that purpose is a Router -- hence, a Router is required for traffic to cross a VLAN boundary:
And due to how Router's work, each router interface must have it's own, unique IP Subnet. That is why every VLAN traditionally requires it's own unique IP subnet -- because if any communication is to happen between those VLANs, unique subnets will be required.
The images above are from my blog, you can read more about VLANs as a concept here, and about Routing between VLANs here.
answered yesterday
EddieEddie
9,93022563
2
Trap for the unwary: Do not try to actually split a switch that way, THEN connect VLANs via untagged ports - unless you know exactly how the STP and CAM implementations in that switch are set up.
– rackandboneman
yesterday
1
@rackandboneman That is good advice. But, a point of clarity, the images in my post represent only one physical switch. The "two switch image" is the logical representation of one physical switch with two VLANs.
– Eddie
yesterday
" each router interface must have it's own, unique IP Subnet.", that may be true for some router implementations, it's not universally true. At least on Linux you can assign the same subnet to multiple interfaces, then use a combination of proxy arp and /32 routes to make traffic flow between them.
– Peter Green
10 hours ago
add a comment |
The whole point of Virtual LAN, is to create separate Layer 2 LANs on a single physical device.
It is like building an armored and sonic-proof wall in a room to create 2 rooms. The people in each half of the room can no longer communicate with the people in the other half of the former room.
So you have two hosts on two distinct L2 networks without anything to allow them to communicate.
Note that in most cases it makes no sense to use the same subnet on two different VLANs. The standard case is to associate an IP network with a VLAN.
edited yesterday
Cown
6,99131031
answered yesterday
JFLJFL
12.2k11442
I'm hard-pressed to think of any case where using the same subnet on two different VLANs makes sense. Pretend you're a router, and you get a packet destined for 192.168.5.15. Which VLAN is that?
– Monty Harder
yesterday
@MontyHarder Depends. From which network (virtual or not) does it come?
– Deduplicator
yesterday
1
@Deduplicator I'm not sure why it matters what the source IP of the packet is. How do you know what VLAN an IP is if you're using the same IP range for two or more VLANs? It just doesn't make sense.
– Monty Harder
yesterday
@MontyHarder I do have the case: I have interconnections to providers that use the same addressing, and those are made on the same switches. Since I talk to both (via different routers) and they do not talk to each other that is just fine.
– JFL
20 hours ago
@MontyHarder Actually, it is very common to have the same subnet on many different LANs (and hence VLANs). RFC1918 private addresses are re-used in millions of LANs. You could very well have several separately NATed networks on the same VLAN. This probably happens ad nauseam in hosting environments. But those networks are indeed considered completely independent.
– jcaron
18 hours ago
|
show 2 more comments
IP subnets logically group hosts - hosts within the same subnet use their layer-2 connection to directly talk to each other. Talking to hosts on another subnet requires the use of a gateway/router.
VLANs physically group hosts - hosts within the same VLAN/broadcast domain/L2 segment can talk to each other directly. Hosts in different VLANs can't. (Don't beat me up - physically group isn't really correct but it marks my point.)
So, when two hosts are in the same IP subnet but on different VLANs/broadcast domains/L2 networks they can't communicate: the source host assumes the destination in within its local L2 network and therefore it tries to ARP the destination address (or NDP resolve for IPv6).
ARP works by sending a request as broadcast to the local L2 network and the host with the requested IP address answers with its MAC address. Since the destination host is outside the local network it never hears the ARP request and ARP fails.
Even if the source would somehow know the destination's MAC address and build a frame addressed to that MAC it would never reach the destination since it's outside the L2 network still. MACs from outside the local L2 network are meaningless and useless.
answered yesterday
Zac67Zac67
32.8k22163
add a comment |
I expect you to have good understanding about Subnet masking. When you have separate VLANs you have to have unique ip address range with subnets.It is not essential.
VLANs is a separate LAN but it is a virtual.Additionally Virtual LAN for separating Networks in Same Switch.It will create separate broadcast domain in your switch. But when you create virtual LANs with Same ip it is useless.
In addition to that you need to configure Intervlan Routing on your switch.
answered yesterday
serverAdmin123serverAdmin123
3407
2
No it's not impossible to have multiple VLANs with same subnet . It's unusual and somewhat discouraged but it's totally possible.
– JFL
yesterday
I will edit my answer thanks
– serverAdmin123
yesterday
@JFL True, it is possible, using either VRF's or some other form of separator, but i've yet to see any use case for this. Please enlighten me.
– Cown
yesterday
@JFL same issue for me as well. I just now tried in cisco packet tracer, with intervlan routing. I don't know whether issue with Cisco packet tracer. It is not work. I agree with cown. it is possible in VRF.
– serverAdmin123
yesterday
1
@Cown I didn't say it was a good idea nor it was possible to made them communicate togtether (but still it's possible with NAT). But I have some use cases. For example I have interconnection with providers that pass through some overlapping RFC1918 networks. Those are connected to the same switches in different VLANs and don't communicate with each others.
– JFL
yesterday
|
show 2 more comments
Complementary to the existing answers, which cover the question from a design and theory point of view ...
Instead of asking "why don't they communicate?", let's ask "what happens when they try to communicate?"
First, what does it mean to configure a VLAN on a switch? In our example there are some sockets configured as VLAN 10, and some configured VLAN 20. The definition of a VLAN is that only sockets on the same VLAN are connected. What that means is that a frame received on a port in a given VLAN is only ever sent to ports of the same VLAN.
10 10 20 20 10 20 VLAN of port
1 2 3 4 5 6 Port number
===+===+===+===+===+===+===
| | | | | |
A B C D E F Hosts
In this diagram we have six hosts, ports 1, 2, 5 are on VLAN 10, ports 3, 4, 6 are on VLAN 20.
Suppose host A is statically configured as 192.168.5.10/24 and F is statically configured as 192.168.5.20/24, from the question. Suppose B to E have other static configuration addresses (doesn't matter what they are).
If A pings 192.168.5.20, it determines it's in the same /24, so the first thing that happens is an ARP request: WHO HAS 192.168.5.20, sent as an ethernet broadcast.
The switch receives the broadcast on port 1. This is VLAN 10, so it sends the broadcast out of ports 2 and 5, the other ports in VLAN 10. Hosts B and E receive the ARP request and ignore it as it's not their address.
That's it.
There will be no ARP reply; the next thing that happens will be a timeout on A, followed by subsequent repeat ARP requests, until the application gives up.
A host plugged into anything other than a VLAN 10 port will see nothing at all, whatever its IP address. This obviously includes F, which is 192.168.5.20.
answered yesterday
jonathanjojonathanjo
12.2k1937
add a comment |
Consider what happens when you have a LAN at home and a computer with IP 192.168.2.1. Your friend down the road also has a LAN at his home and a computer with IP 192.168.2.2. They're on the same subnet, so why can't they talk to each other?
In such an example, the cause is different than you're asking about.
But a VLAN achieves the same result — it segments a network, at the second layer.
My point is that we can easily see that the fact "IP addresses are in the same subnet" is not sufficient for determining whether packets may route between them. The underlying topology has a part to play as well.
Taking this to its extreme, at the lowest layer you need some physical material (well, okay, or air :D) to actually transport the data. Your computers can be in the same house on the same subnet but not be physically connected (or have a wireless link) and then you wouldn't expect packets to be routed.
answered 12 hours ago
Lightness Races in OrbitLightness Races in Orbit
27016
add a comment |
The point of the VLANs is to have network segmentation. You could also achieve the same (some caveats aside) using subnets. Since your subnet is split into 2 different VLANs, your devices can not communicate on L2 network. You can setup IRB interface on the switch to allow communication between the VLANs. Alternatively, you can route the traffic via a firewall and allow selective communication between the VLANs. Ideally, you should design your network to have different subnets for each of the VLANs and then Firewall the traffic between VLANs. Hope this helps.
answered yesterday
RickyRicky
1
New contributor
Ricky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
1
Nonononono don’t use IRB in this situation... the problem is that the switch should never have been configured with two vlans across the same subnet. The best answer is put all hosts in one subnet in the same vlan.
– Mike Pennington
yesterday
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "496"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Jim Pap is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f58364%2fwhy-cant-devices-on-different-vlans-but-on-the-same-subnet-communicate%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
7 Answers
7
active
oldest
votes
7 Answers
7
active
oldest
votes
active
oldest
votes
active
oldest
votes
One of the things VLAN's do is take a physical switch and break them up into multiple smaller "virtual" switches.
Meaning this Physical depiction of One switch and Two VLANs:
Is identical in operation to this Logical depiction of the same topology:
Even if the IP addresses in the 2nd image were in the same Subnet, you'll notice there is no "link" between the two virtual switches (i.e., VLANs), and therefore no possible way Hosts A/B can communicate with Hosts C/D.
In order for the hosts in the 2nd image to communicate with one another, you would need some sort of device to facilitate the communication from one "switch" to the other. The device that exists for that purpose is a Router -- hence, a Router is required for traffic to cross a VLAN boundary:
And due to how Router's work, each router interface must have it's own, unique IP Subnet. That is why every VLAN traditionally requires it's own unique IP subnet -- because if any communication is to happen between those VLANs, unique subnets will be required.
The images above are from my blog, you can read more about VLANs as a concept here, and about Routing between VLANs here.
answered yesterday
EddieEddie
9,93022563
2
Trap for the unwary: Do not try to actually split a switch that way, THEN connect VLANs via untagged ports - unless you know exactly how the STP and CAM implementations in that switch are set up.
– rackandboneman
yesterday
1
@rackandboneman That is good advice. But, a point of clarity, the images in my post represent only one physical switch. The "two switch image" is the logical representation of one physical switch with two VLANs.
– Eddie
yesterday
" each router interface must have it's own, unique IP Subnet.", that may be true for some router implementations, it's not universally true. At least on Linux you can assign the same subnet to multiple interfaces, then use a combination of proxy arp and /32 routes to make traffic flow between them.
– Peter Green
10 hours ago
add a comment |
One of the things VLAN's do is take a physical switch and break them up into multiple smaller "virtual" switches.
Meaning this Physical depiction of One switch and Two VLANs:
Is identical in operation to this Logical depiction of the same topology:
Even if the IP addresses in the 2nd image were in the same Subnet, you'll notice there is no "link" between the two virtual switches (i.e., VLANs), and therefore no possible way Hosts A/B can communicate with Hosts C/D.
In order for the hosts in the 2nd image to communicate with one another, you would need some sort of device to facilitate the communication from one "switch" to the other. The device that exists for that purpose is a Router -- hence, a Router is required for traffic to cross a VLAN boundary:
And due to how Router's work, each router interface must have it's own, unique IP Subnet. That is why every VLAN traditionally requires it's own unique IP subnet -- because if any communication is to happen between those VLANs, unique subnets will be required.
The images above are from my blog, you can read more about VLANs as a concept here, and about Routing between VLANs here.
answered yesterday
EddieEddie
9,93022563
2
Trap for the unwary: Do not try to actually split a switch that way, THEN connect VLANs via untagged ports - unless you know exactly how the STP and CAM implementations in that switch are set up.
– rackandboneman
yesterday
1
@rackandboneman That is good advice. But, a point of clarity, the images in my post represent only one physical switch. The "two switch image" is the logical representation of one physical switch with two VLANs.
– Eddie
yesterday
" each router interface must have it's own, unique IP Subnet.", that may be true for some router implementations, it's not universally true. At least on Linux you can assign the same subnet to multiple interfaces, then use a combination of proxy arp and /32 routes to make traffic flow between them.
– Peter Green
10 hours ago
add a comment |
One of the things VLAN's do is take a physical switch and break them up into multiple smaller "virtual" switches.
Meaning this Physical depiction of One switch and Two VLANs:
Is identical in operation to this Logical depiction of the same topology:
Even if the IP addresses in the 2nd image were in the same Subnet, you'll notice there is no "link" between the two virtual switches (i.e., VLANs), and therefore no possible way Hosts A/B can communicate with Hosts C/D.
In order for the hosts in the 2nd image to communicate with one another, you would need some sort of device to facilitate the communication from one "switch" to the other. The device that exists for that purpose is a Router -- hence, a Router is required for traffic to cross a VLAN boundary:
And due to how Router's work, each router interface must have it's own, unique IP Subnet. That is why every VLAN traditionally requires it's own unique IP subnet -- because if any communication is to happen between those VLANs, unique subnets will be required.
The images above are from my blog, you can read more about VLANs as a concept here, and about Routing between VLANs here.
answered yesterday
EddieEddie
9,93022563
One of the things VLAN's do is take a physical switch and break them up into multiple smaller "virtual" switches.
Meaning this Physical depiction of One switch and Two VLANs:
Is identical in operation to this Logical depiction of the same topology:
Even if the IP addresses in the 2nd image were in the same Subnet, you'll notice there is no "link" between the two virtual switches (i.e., VLANs), and therefore no possible way Hosts A/B can communicate with Hosts C/D.
In order for the hosts in the 2nd image to communicate with one another, you would need some sort of device to facilitate the communication from one "switch" to the other. The device that exists for that purpose is a Router -- hence, a Router is required for traffic to cross a VLAN boundary:
And due to how Router's work, each router interface must have it's own, unique IP Subnet. That is why every VLAN traditionally requires it's own unique IP subnet -- because if any communication is to happen between those VLANs, unique subnets will be required.
The images above are from my blog, you can read more about VLANs as a concept here, and about Routing between VLANs here.
answered yesterday
EddieEddie
9,93022563
answered yesterday
EddieEddie
9,93022563
answered yesterday
EddieEddie
9,93022563
answered yesterday
EddieEddie
9,93022563
9,93022563
2
Trap for the unwary: Do not try to actually split a switch that way, THEN connect VLANs via untagged ports - unless you know exactly how the STP and CAM implementations in that switch are set up.
– rackandboneman
yesterday
1
@rackandboneman That is good advice. But, a point of clarity, the images in my post represent only one physical switch. The "two switch image" is the logical representation of one physical switch with two VLANs.
– Eddie
yesterday
" each router interface must have it's own, unique IP Subnet.", that may be true for some router implementations, it's not universally true. At least on Linux you can assign the same subnet to multiple interfaces, then use a combination of proxy arp and /32 routes to make traffic flow between them.
– Peter Green
10 hours ago
add a comment |
2
Trap for the unwary: Do not try to actually split a switch that way, THEN connect VLANs via untagged ports - unless you know exactly how the STP and CAM implementations in that switch are set up.
– rackandboneman
yesterday
1
@rackandboneman That is good advice. But, a point of clarity, the images in my post represent only one physical switch. The "two switch image" is the logical representation of one physical switch with two VLANs.
– Eddie
yesterday
" each router interface must have it's own, unique IP Subnet.", that may be true for some router implementations, it's not universally true. At least on Linux you can assign the same subnet to multiple interfaces, then use a combination of proxy arp and /32 routes to make traffic flow between them.
– Peter Green
10 hours ago
2
2
Trap for the unwary: Do not try to actually split a switch that way, THEN connect VLANs via untagged ports - unless you know exactly how the STP and CAM implementations in that switch are set up.
– rackandboneman
yesterday
Trap for the unwary: Do not try to actually split a switch that way, THEN connect VLANs via untagged ports - unless you know exactly how the STP and CAM implementations in that switch are set up.
– rackandboneman
yesterday
1
1
@rackandboneman That is good advice. But, a point of clarity, the images in my post represent only one physical switch. The "two switch image" is the logical representation of one physical switch with two VLANs.
– Eddie
yesterday
@rackandboneman That is good advice. But, a point of clarity, the images in my post represent only one physical switch. The "two switch image" is the logical representation of one physical switch with two VLANs.
– Eddie
yesterday
" each router interface must have it's own, unique IP Subnet.", that may be true for some router implementations, it's not universally true. At least on Linux you can assign the same subnet to multiple interfaces, then use a combination of proxy arp and /32 routes to make traffic flow between them.
– Peter Green
10 hours ago
" each router interface must have it's own, unique IP Subnet.", that may be true for some router implementations, it's not universally true. At least on Linux you can assign the same subnet to multiple interfaces, then use a combination of proxy arp and /32 routes to make traffic flow between them.
– Peter Green
10 hours ago
add a comment |
The whole point of Virtual LAN, is to create separate Layer 2 LANs on a single physical device.
It is like building an armored and sonic-proof wall in a room to create 2 rooms. The people in each half of the room can no longer communicate with the people in the other half of the former room.
So you have two hosts on two distinct L2 networks without anything to allow them to communicate.
Note that in most cases it makes no sense to use the same subnet on two different VLANs. The standard case is to associate an IP network with a VLAN.
edited yesterday
Cown
6,99131031
answered yesterday
JFLJFL
12.2k11442
I'm hard-pressed to think of any case where using the same subnet on two different VLANs makes sense. Pretend you're a router, and you get a packet destined for 192.168.5.15. Which VLAN is that?
– Monty Harder
yesterday
@MontyHarder Depends. From which network (virtual or not) does it come?
– Deduplicator
yesterday
1
@Deduplicator I'm not sure why it matters what the source IP of the packet is. How do you know what VLAN an IP is if you're using the same IP range for two or more VLANs? It just doesn't make sense.
– Monty Harder
yesterday
@MontyHarder I do have the case: I have interconnections to providers that use the same addressing, and those are made on the same switches. Since I talk to both (via different routers) and they do not talk to each other that is just fine.
– JFL
20 hours ago
@MontyHarder Actually, it is very common to have the same subnet on many different LANs (and hence VLANs). RFC1918 private addresses are re-used in millions of LANs. You could very well have several separately NATed networks on the same VLAN. This probably happens ad nauseam in hosting environments. But those networks are indeed considered completely independent.
– jcaron
18 hours ago
|
show 2 more comments
The whole point of Virtual LAN, is to create separate Layer 2 LANs on a single physical device.
It is like building an armored and sonic-proof wall in a room to create 2 rooms. The people in each half of the room can no longer communicate with the people in the other half of the former room.
So you have two hosts on two distinct L2 networks without anything to allow them to communicate.
Note that in most cases it makes no sense to use the same subnet on two different VLANs. The standard case is to associate an IP network with a VLAN.
edited yesterday
Cown
6,99131031
answered yesterday
JFLJFL
12.2k11442
I'm hard-pressed to think of any case where using the same subnet on two different VLANs makes sense. Pretend you're a router, and you get a packet destined for 192.168.5.15. Which VLAN is that?
– Monty Harder
yesterday
@MontyHarder Depends. From which network (virtual or not) does it come?
– Deduplicator
yesterday
1
@Deduplicator I'm not sure why it matters what the source IP of the packet is. How do you know what VLAN an IP is if you're using the same IP range for two or more VLANs? It just doesn't make sense.
– Monty Harder
yesterday
@MontyHarder I do have the case: I have interconnections to providers that use the same addressing, and those are made on the same switches. Since I talk to both (via different routers) and they do not talk to each other that is just fine.
– JFL
20 hours ago
@MontyHarder Actually, it is very common to have the same subnet on many different LANs (and hence VLANs). RFC1918 private addresses are re-used in millions of LANs. You could very well have several separately NATed networks on the same VLAN. This probably happens ad nauseam in hosting environments. But those networks are indeed considered completely independent.
– jcaron
18 hours ago
|
show 2 more comments
The whole point of Virtual LAN, is to create separate Layer 2 LANs on a single physical device.
It is like building an armored and sonic-proof wall in a room to create 2 rooms. The people in each half of the room can no longer communicate with the people in the other half of the former room.
So you have two hosts on two distinct L2 networks without anything to allow them to communicate.
Note that in most cases it makes no sense to use the same subnet on two different VLANs. The standard case is to associate an IP network with a VLAN.
edited yesterday
Cown
6,99131031
answered yesterday
JFLJFL
12.2k11442
The whole point of Virtual LAN, is to create separate Layer 2 LANs on a single physical device.
It is like building an armored and sonic-proof wall in a room to create 2 rooms. The people in each half of the room can no longer communicate with the people in the other half of the former room.
So you have two hosts on two distinct L2 networks without anything to allow them to communicate.
Note that in most cases it makes no sense to use the same subnet on two different VLANs. The standard case is to associate an IP network with a VLAN.
edited yesterday
Cown
6,99131031
answered yesterday
JFLJFL
12.2k11442
edited yesterday
Cown
6,99131031
edited yesterday
Cown
6,99131031
edited yesterday
Cown
6,99131031
6,99131031
answered yesterday
JFLJFL
12.2k11442
answered yesterday
JFLJFL
12.2k11442
answered yesterday
JFLJFL
12.2k11442
12.2k11442
I'm hard-pressed to think of any case where using the same subnet on two different VLANs makes sense. Pretend you're a router, and you get a packet destined for 192.168.5.15. Which VLAN is that?
– Monty Harder
yesterday
@MontyHarder Depends. From which network (virtual or not) does it come?
– Deduplicator
yesterday
1
@Deduplicator I'm not sure why it matters what the source IP of the packet is. How do you know what VLAN an IP is if you're using the same IP range for two or more VLANs? It just doesn't make sense.
– Monty Harder
yesterday
@MontyHarder I do have the case: I have interconnections to providers that use the same addressing, and those are made on the same switches. Since I talk to both (via different routers) and they do not talk to each other that is just fine.
– JFL
20 hours ago
@MontyHarder Actually, it is very common to have the same subnet on many different LANs (and hence VLANs). RFC1918 private addresses are re-used in millions of LANs. You could very well have several separately NATed networks on the same VLAN. This probably happens ad nauseam in hosting environments. But those networks are indeed considered completely independent.
– jcaron
18 hours ago
|
show 2 more comments
I'm hard-pressed to think of any case where using the same subnet on two different VLANs makes sense. Pretend you're a router, and you get a packet destined for 192.168.5.15. Which VLAN is that?
– Monty Harder
yesterday
@MontyHarder Depends. From which network (virtual or not) does it come?
– Deduplicator
yesterday
1
@Deduplicator I'm not sure why it matters what the source IP of the packet is. How do you know what VLAN an IP is if you're using the same IP range for two or more VLANs? It just doesn't make sense.
– Monty Harder
yesterday
@MontyHarder I do have the case: I have interconnections to providers that use the same addressing, and those are made on the same switches. Since I talk to both (via different routers) and they do not talk to each other that is just fine.
– JFL
20 hours ago
@MontyHarder Actually, it is very common to have the same subnet on many different LANs (and hence VLANs). RFC1918 private addresses are re-used in millions of LANs. You could very well have several separately NATed networks on the same VLAN. This probably happens ad nauseam in hosting environments. But those networks are indeed considered completely independent.
– jcaron
18 hours ago
I'm hard-pressed to think of any case where using the same subnet on two different VLANs makes sense. Pretend you're a router, and you get a packet destined for 192.168.5.15. Which VLAN is that?
– Monty Harder
yesterday
I'm hard-pressed to think of any case where using the same subnet on two different VLANs makes sense. Pretend you're a router, and you get a packet destined for 192.168.5.15. Which VLAN is that?
– Monty Harder
yesterday
@MontyHarder Depends. From which network (virtual or not) does it come?
– Deduplicator
yesterday
@MontyHarder Depends. From which network (virtual or not) does it come?
– Deduplicator
yesterday
1
1
@Deduplicator I'm not sure why it matters what the source IP of the packet is. How do you know what VLAN an IP is if you're using the same IP range for two or more VLANs? It just doesn't make sense.
– Monty Harder
yesterday
@Deduplicator I'm not sure why it matters what the source IP of the packet is. How do you know what VLAN an IP is if you're using the same IP range for two or more VLANs? It just doesn't make sense.
– Monty Harder
yesterday
@MontyHarder I do have the case: I have interconnections to providers that use the same addressing, and those are made on the same switches. Since I talk to both (via different routers) and they do not talk to each other that is just fine.
– JFL
20 hours ago
@MontyHarder I do have the case: I have interconnections to providers that use the same addressing, and those are made on the same switches. Since I talk to both (via different routers) and they do not talk to each other that is just fine.
– JFL
20 hours ago
@MontyHarder Actually, it is very common to have the same subnet on many different LANs (and hence VLANs). RFC1918 private addresses are re-used in millions of LANs. You could very well have several separately NATed networks on the same VLAN. This probably happens ad nauseam in hosting environments. But those networks are indeed considered completely independent.
– jcaron
18 hours ago
@MontyHarder Actually, it is very common to have the same subnet on many different LANs (and hence VLANs). RFC1918 private addresses are re-used in millions of LANs. You could very well have several separately NATed networks on the same VLAN. This probably happens ad nauseam in hosting environments. But those networks are indeed considered completely independent.
– jcaron
18 hours ago
|
show 2 more comments
IP subnets logically group hosts - hosts within the same subnet use their layer-2 connection to directly talk to each other. Talking to hosts on another subnet requires the use of a gateway/router.
VLANs physically group hosts - hosts within the same VLAN/broadcast domain/L2 segment can talk to each other directly. Hosts in different VLANs can't. (Don't beat me up - physically group isn't really correct but it marks my point.)
So, when two hosts are in the same IP subnet but on different VLANs/broadcast domains/L2 networks they can't communicate: the source host assumes the destination in within its local L2 network and therefore it tries to ARP the destination address (or NDP resolve for IPv6).
ARP works by sending a request as broadcast to the local L2 network and the host with the requested IP address answers with its MAC address. Since the destination host is outside the local network it never hears the ARP request and ARP fails.
Even if the source would somehow know the destination's MAC address and build a frame addressed to that MAC it would never reach the destination since it's outside the L2 network still. MACs from outside the local L2 network are meaningless and useless.
answered yesterday
Zac67Zac67
32.8k22163
add a comment |
IP subnets logically group hosts - hosts within the same subnet use their layer-2 connection to directly talk to each other. Talking to hosts on another subnet requires the use of a gateway/router.
VLANs physically group hosts - hosts within the same VLAN/broadcast domain/L2 segment can talk to each other directly. Hosts in different VLANs can't. (Don't beat me up - physically group isn't really correct but it marks my point.)
So, when two hosts are in the same IP subnet but on different VLANs/broadcast domains/L2 networks they can't communicate: the source host assumes the destination in within its local L2 network and therefore it tries to ARP the destination address (or NDP resolve for IPv6).
ARP works by sending a request as broadcast to the local L2 network and the host with the requested IP address answers with its MAC address. Since the destination host is outside the local network it never hears the ARP request and ARP fails.
Even if the source would somehow know the destination's MAC address and build a frame addressed to that MAC it would never reach the destination since it's outside the L2 network still. MACs from outside the local L2 network are meaningless and useless.
answered yesterday
Zac67Zac67
32.8k22163
add a comment |
IP subnets logically group hosts - hosts within the same subnet use their layer-2 connection to directly talk to each other. Talking to hosts on another subnet requires the use of a gateway/router.
VLANs physically group hosts - hosts within the same VLAN/broadcast domain/L2 segment can talk to each other directly. Hosts in different VLANs can't. (Don't beat me up - physically group isn't really correct but it marks my point.)
So, when two hosts are in the same IP subnet but on different VLANs/broadcast domains/L2 networks they can't communicate: the source host assumes the destination in within its local L2 network and therefore it tries to ARP the destination address (or NDP resolve for IPv6).
ARP works by sending a request as broadcast to the local L2 network and the host with the requested IP address answers with its MAC address. Since the destination host is outside the local network it never hears the ARP request and ARP fails.
Even if the source would somehow know the destination's MAC address and build a frame addressed to that MAC it would never reach the destination since it's outside the L2 network still. MACs from outside the local L2 network are meaningless and useless.
answered yesterday
Zac67Zac67
32.8k22163
IP subnets logically group hosts - hosts within the same subnet use their layer-2 connection to directly talk to each other. Talking to hosts on another subnet requires the use of a gateway/router.
VLANs physically group hosts - hosts within the same VLAN/broadcast domain/L2 segment can talk to each other directly. Hosts in different VLANs can't. (Don't beat me up - physically group isn't really correct but it marks my point.)
So, when two hosts are in the same IP subnet but on different VLANs/broadcast domains/L2 networks they can't communicate: the source host assumes the destination in within its local L2 network and therefore it tries to ARP the destination address (or NDP resolve for IPv6).
ARP works by sending a request as broadcast to the local L2 network and the host with the requested IP address answers with its MAC address. Since the destination host is outside the local network it never hears the ARP request and ARP fails.
Even if the source would somehow know the destination's MAC address and build a frame addressed to that MAC it would never reach the destination since it's outside the L2 network still. MACs from outside the local L2 network are meaningless and useless.
answered yesterday
Zac67Zac67
32.8k22163
answered yesterday
Zac67Zac67
32.8k22163
answered yesterday
Zac67Zac67
32.8k22163
answered yesterday
Zac67Zac67
32.8k22163
32.8k22163
add a comment |
add a comment |
I expect you to have good understanding about Subnet masking. When you have separate VLANs you have to have unique ip address range with subnets.It is not essential.
VLANs is a separate LAN but it is a virtual.Additionally Virtual LAN for separating Networks in Same Switch.It will create separate broadcast domain in your switch. But when you create virtual LANs with Same ip it is useless.
In addition to that you need to configure Intervlan Routing on your switch.
answered yesterday
serverAdmin123serverAdmin123
3407
2
No it's not impossible to have multiple VLANs with same subnet . It's unusual and somewhat discouraged but it's totally possible.
– JFL
yesterday
I will edit my answer thanks
– serverAdmin123
yesterday
@JFL True, it is possible, using either VRF's or some other form of separator, but i've yet to see any use case for this. Please enlighten me.
– Cown
yesterday
@JFL same issue for me as well. I just now tried in cisco packet tracer, with intervlan routing. I don't know whether issue with Cisco packet tracer. It is not work. I agree with cown. it is possible in VRF.
– serverAdmin123
yesterday
1
@Cown I didn't say it was a good idea nor it was possible to made them communicate togtether (but still it's possible with NAT). But I have some use cases. For example I have interconnection with providers that pass through some overlapping RFC1918 networks. Those are connected to the same switches in different VLANs and don't communicate with each others.
– JFL
yesterday
|
show 2 more comments
I expect you to have good understanding about Subnet masking. When you have separate VLANs you have to have unique ip address range with subnets.It is not essential.
VLANs is a separate LAN but it is a virtual.Additionally Virtual LAN for separating Networks in Same Switch.It will create separate broadcast domain in your switch. But when you create virtual LANs with Same ip it is useless.
In addition to that you need to configure Intervlan Routing on your switch.
answered yesterday
serverAdmin123serverAdmin123
3407
2
No it's not impossible to have multiple VLANs with same subnet . It's unusual and somewhat discouraged but it's totally possible.
– JFL
yesterday
I will edit my answer thanks
– serverAdmin123
yesterday
@JFL True, it is possible, using either VRF's or some other form of separator, but i've yet to see any use case for this. Please enlighten me.
– Cown
yesterday
@JFL same issue for me as well. I just now tried in cisco packet tracer, with intervlan routing. I don't know whether issue with Cisco packet tracer. It is not work. I agree with cown. it is possible in VRF.
– serverAdmin123
yesterday
1
@Cown I didn't say it was a good idea nor it was possible to made them communicate togtether (but still it's possible with NAT). But I have some use cases. For example I have interconnection with providers that pass through some overlapping RFC1918 networks. Those are connected to the same switches in different VLANs and don't communicate with each others.
– JFL
yesterday
|
show 2 more comments
I expect you to have good understanding about Subnet masking. When you have separate VLANs you have to have unique ip address range with subnets.It is not essential.
VLANs is a separate LAN but it is a virtual.Additionally Virtual LAN for separating Networks in Same Switch.It will create separate broadcast domain in your switch. But when you create virtual LANs with Same ip it is useless.
In addition to that you need to configure Intervlan Routing on your switch.
answered yesterday
serverAdmin123serverAdmin123
3407
I expect you to have good understanding about Subnet masking. When you have separate VLANs you have to have unique ip address range with subnets.It is not essential.
VLANs is a separate LAN but it is a virtual.Additionally Virtual LAN for separating Networks in Same Switch.It will create separate broadcast domain in your switch. But when you create virtual LANs with Same ip it is useless.
In addition to that you need to configure Intervlan Routing on your switch.
answered yesterday
serverAdmin123serverAdmin123
3407
edited yesterday
answered yesterday
serverAdmin123serverAdmin123
3407
answered yesterday
serverAdmin123serverAdmin123
3407
answered yesterday
serverAdmin123serverAdmin123
3407
3407
2
No it's not impossible to have multiple VLANs with same subnet . It's unusual and somewhat discouraged but it's totally possible.
– JFL
yesterday
I will edit my answer thanks
– serverAdmin123
yesterday
@JFL True, it is possible, using either VRF's or some other form of separator, but i've yet to see any use case for this. Please enlighten me.
– Cown
yesterday
@JFL same issue for me as well. I just now tried in cisco packet tracer, with intervlan routing. I don't know whether issue with Cisco packet tracer. It is not work. I agree with cown. it is possible in VRF.
– serverAdmin123
yesterday
1
@Cown I didn't say it was a good idea nor it was possible to made them communicate togtether (but still it's possible with NAT). But I have some use cases. For example I have interconnection with providers that pass through some overlapping RFC1918 networks. Those are connected to the same switches in different VLANs and don't communicate with each others.
– JFL
yesterday
|
show 2 more comments
2
No it's not impossible to have multiple VLANs with same subnet . It's unusual and somewhat discouraged but it's totally possible.
– JFL
yesterday
I will edit my answer thanks
– serverAdmin123
yesterday
@JFL True, it is possible, using either VRF's or some other form of separator, but i've yet to see any use case for this. Please enlighten me.
– Cown
yesterday
@JFL same issue for me as well. I just now tried in cisco packet tracer, with intervlan routing. I don't know whether issue with Cisco packet tracer. It is not work. I agree with cown. it is possible in VRF.
– serverAdmin123
yesterday
1
@Cown I didn't say it was a good idea nor it was possible to made them communicate togtether (but still it's possible with NAT). But I have some use cases. For example I have interconnection with providers that pass through some overlapping RFC1918 networks. Those are connected to the same switches in different VLANs and don't communicate with each others.
– JFL
yesterday
2
2
No it's not impossible to have multiple VLANs with same subnet . It's unusual and somewhat discouraged but it's totally possible.
– JFL
yesterday
No it's not impossible to have multiple VLANs with same subnet . It's unusual and somewhat discouraged but it's totally possible.
– JFL
yesterday
I will edit my answer thanks
– serverAdmin123
yesterday
I will edit my answer thanks
– serverAdmin123
yesterday
@JFL True, it is possible, using either VRF's or some other form of separator, but i've yet to see any use case for this. Please enlighten me.
– Cown
yesterday
@JFL True, it is possible, using either VRF's or some other form of separator, but i've yet to see any use case for this. Please enlighten me.
– Cown
yesterday
@JFL same issue for me as well. I just now tried in cisco packet tracer, with intervlan routing. I don't know whether issue with Cisco packet tracer. It is not work. I agree with cown. it is possible in VRF.
– serverAdmin123
yesterday
@JFL same issue for me as well. I just now tried in cisco packet tracer, with intervlan routing. I don't know whether issue with Cisco packet tracer. It is not work. I agree with cown. it is possible in VRF.
– serverAdmin123
yesterday
1
1
@Cown I didn't say it was a good idea nor it was possible to made them communicate togtether (but still it's possible with NAT). But I have some use cases. For example I have interconnection with providers that pass through some overlapping RFC1918 networks. Those are connected to the same switches in different VLANs and don't communicate with each others.
– JFL
yesterday
@Cown I didn't say it was a good idea nor it was possible to made them communicate togtether (but still it's possible with NAT). But I have some use cases. For example I have interconnection with providers that pass through some overlapping RFC1918 networks. Those are connected to the same switches in different VLANs and don't communicate with each others.
– JFL
yesterday
|
show 2 more comments
Complementary to the existing answers, which cover the question from a design and theory point of view ...
Instead of asking "why don't they communicate?", let's ask "what happens when they try to communicate?"
First, what does it mean to configure a VLAN on a switch? In our example there are some sockets configured as VLAN 10, and some configured VLAN 20. The definition of a VLAN is that only sockets on the same VLAN are connected. What that means is that a frame received on a port in a given VLAN is only ever sent to ports of the same VLAN.
10 10 20 20 10 20 VLAN of port
1 2 3 4 5 6 Port number
===+===+===+===+===+===+===
| | | | | |
A B C D E F Hosts
In this diagram we have six hosts, ports 1, 2, 5 are on VLAN 10, ports 3, 4, 6 are on VLAN 20.
Suppose host A is statically configured as 192.168.5.10/24 and F is statically configured as 192.168.5.20/24, from the question. Suppose B to E have other static configuration addresses (doesn't matter what they are).
If A pings 192.168.5.20, it determines it's in the same /24, so the first thing that happens is an ARP request: WHO HAS 192.168.5.20, sent as an ethernet broadcast.
The switch receives the broadcast on port 1. This is VLAN 10, so it sends the broadcast out of ports 2 and 5, the other ports in VLAN 10. Hosts B and E receive the ARP request and ignore it as it's not their address.
That's it.
There will be no ARP reply; the next thing that happens will be a timeout on A, followed by subsequent repeat ARP requests, until the application gives up.
A host plugged into anything other than a VLAN 10 port will see nothing at all, whatever its IP address. This obviously includes F, which is 192.168.5.20.
answered yesterday
jonathanjojonathanjo
12.2k1937
add a comment |
Complementary to the existing answers, which cover the question from a design and theory point of view ...
Instead of asking "why don't they communicate?", let's ask "what happens when they try to communicate?"
First, what does it mean to configure a VLAN on a switch? In our example there are some sockets configured as VLAN 10, and some configured VLAN 20. The definition of a VLAN is that only sockets on the same VLAN are connected. What that means is that a frame received on a port in a given VLAN is only ever sent to ports of the same VLAN.
10 10 20 20 10 20 VLAN of port
1 2 3 4 5 6 Port number
===+===+===+===+===+===+===
| | | | | |
A B C D E F Hosts
In this diagram we have six hosts, ports 1, 2, 5 are on VLAN 10, ports 3, 4, 6 are on VLAN 20.
Suppose host A is statically configured as 192.168.5.10/24 and F is statically configured as 192.168.5.20/24, from the question. Suppose B to E have other static configuration addresses (doesn't matter what they are).
If A pings 192.168.5.20, it determines it's in the same /24, so the first thing that happens is an ARP request: WHO HAS 192.168.5.20, sent as an ethernet broadcast.
The switch receives the broadcast on port 1. This is VLAN 10, so it sends the broadcast out of ports 2 and 5, the other ports in VLAN 10. Hosts B and E receive the ARP request and ignore it as it's not their address.
That's it.
There will be no ARP reply; the next thing that happens will be a timeout on A, followed by subsequent repeat ARP requests, until the application gives up.
A host plugged into anything other than a VLAN 10 port will see nothing at all, whatever its IP address. This obviously includes F, which is 192.168.5.20.
answered yesterday
jonathanjojonathanjo
12.2k1937
add a comment |
Complementary to the existing answers, which cover the question from a design and theory point of view ...
Instead of asking "why don't they communicate?", let's ask "what happens when they try to communicate?"
First, what does it mean to configure a VLAN on a switch? In our example there are some sockets configured as VLAN 10, and some configured VLAN 20. The definition of a VLAN is that only sockets on the same VLAN are connected. What that means is that a frame received on a port in a given VLAN is only ever sent to ports of the same VLAN.
10 10 20 20 10 20 VLAN of port
1 2 3 4 5 6 Port number
===+===+===+===+===+===+===
| | | | | |
A B C D E F Hosts
In this diagram we have six hosts, ports 1, 2, 5 are on VLAN 10, ports 3, 4, 6 are on VLAN 20.
Suppose host A is statically configured as 192.168.5.10/24 and F is statically configured as 192.168.5.20/24, from the question. Suppose B to E have other static configuration addresses (doesn't matter what they are).
If A pings 192.168.5.20, it determines it's in the same /24, so the first thing that happens is an ARP request: WHO HAS 192.168.5.20, sent as an ethernet broadcast.
The switch receives the broadcast on port 1. This is VLAN 10, so it sends the broadcast out of ports 2 and 5, the other ports in VLAN 10. Hosts B and E receive the ARP request and ignore it as it's not their address.
That's it.
There will be no ARP reply; the next thing that happens will be a timeout on A, followed by subsequent repeat ARP requests, until the application gives up.
A host plugged into anything other than a VLAN 10 port will see nothing at all, whatever its IP address. This obviously includes F, which is 192.168.5.20.
answered yesterday
jonathanjojonathanjo
12.2k1937
Complementary to the existing answers, which cover the question from a design and theory point of view ...
Instead of asking "why don't they communicate?", let's ask "what happens when they try to communicate?"
First, what does it mean to configure a VLAN on a switch? In our example there are some sockets configured as VLAN 10, and some configured VLAN 20. The definition of a VLAN is that only sockets on the same VLAN are connected. What that means is that a frame received on a port in a given VLAN is only ever sent to ports of the same VLAN.
10 10 20 20 10 20 VLAN of port
1 2 3 4 5 6 Port number
===+===+===+===+===+===+===
| | | | | |
A B C D E F Hosts
In this diagram we have six hosts, ports 1, 2, 5 are on VLAN 10, ports 3, 4, 6 are on VLAN 20.
Suppose host A is statically configured as 192.168.5.10/24 and F is statically configured as 192.168.5.20/24, from the question. Suppose B to E have other static configuration addresses (doesn't matter what they are).
If A pings 192.168.5.20, it determines it's in the same /24, so the first thing that happens is an ARP request: WHO HAS 192.168.5.20, sent as an ethernet broadcast.
The switch receives the broadcast on port 1. This is VLAN 10, so it sends the broadcast out of ports 2 and 5, the other ports in VLAN 10. Hosts B and E receive the ARP request and ignore it as it's not their address.
That's it.
There will be no ARP reply; the next thing that happens will be a timeout on A, followed by subsequent repeat ARP requests, until the application gives up.
A host plugged into anything other than a VLAN 10 port will see nothing at all, whatever its IP address. This obviously includes F, which is 192.168.5.20.
answered yesterday
jonathanjojonathanjo
12.2k1937
edited yesterday
answered yesterday
jonathanjojonathanjo
12.2k1937
answered yesterday
jonathanjojonathanjo
12.2k1937
answered yesterday
jonathanjojonathanjo
12.2k1937
12.2k1937
add a comment |
add a comment |
Consider what happens when you have a LAN at home and a computer with IP 192.168.2.1. Your friend down the road also has a LAN at his home and a computer with IP 192.168.2.2. They're on the same subnet, so why can't they talk to each other?
In such an example, the cause is different than you're asking about.
But a VLAN achieves the same result — it segments a network, at the second layer.
My point is that we can easily see that the fact "IP addresses are in the same subnet" is not sufficient for determining whether packets may route between them. The underlying topology has a part to play as well.
Taking this to its extreme, at the lowest layer you need some physical material (well, okay, or air :D) to actually transport the data. Your computers can be in the same house on the same subnet but not be physically connected (or have a wireless link) and then you wouldn't expect packets to be routed.
answered 12 hours ago
Lightness Races in OrbitLightness Races in Orbit
27016
add a comment |
Consider what happens when you have a LAN at home and a computer with IP 192.168.2.1. Your friend down the road also has a LAN at his home and a computer with IP 192.168.2.2. They're on the same subnet, so why can't they talk to each other?
In such an example, the cause is different than you're asking about.
But a VLAN achieves the same result — it segments a network, at the second layer.
My point is that we can easily see that the fact "IP addresses are in the same subnet" is not sufficient for determining whether packets may route between them. The underlying topology has a part to play as well.
Taking this to its extreme, at the lowest layer you need some physical material (well, okay, or air :D) to actually transport the data. Your computers can be in the same house on the same subnet but not be physically connected (or have a wireless link) and then you wouldn't expect packets to be routed.
answered 12 hours ago
Lightness Races in OrbitLightness Races in Orbit
27016
add a comment |
Consider what happens when you have a LAN at home and a computer with IP 192.168.2.1. Your friend down the road also has a LAN at his home and a computer with IP 192.168.2.2. They're on the same subnet, so why can't they talk to each other?
In such an example, the cause is different than you're asking about.
But a VLAN achieves the same result — it segments a network, at the second layer.
My point is that we can easily see that the fact "IP addresses are in the same subnet" is not sufficient for determining whether packets may route between them. The underlying topology has a part to play as well.
Taking this to its extreme, at the lowest layer you need some physical material (well, okay, or air :D) to actually transport the data. Your computers can be in the same house on the same subnet but not be physically connected (or have a wireless link) and then you wouldn't expect packets to be routed.
answered 12 hours ago
Lightness Races in OrbitLightness Races in Orbit
27016
Consider what happens when you have a LAN at home and a computer with IP 192.168.2.1. Your friend down the road also has a LAN at his home and a computer with IP 192.168.2.2. They're on the same subnet, so why can't they talk to each other?
In such an example, the cause is different than you're asking about.
But a VLAN achieves the same result — it segments a network, at the second layer.
My point is that we can easily see that the fact "IP addresses are in the same subnet" is not sufficient for determining whether packets may route between them. The underlying topology has a part to play as well.
Taking this to its extreme, at the lowest layer you need some physical material (well, okay, or air :D) to actually transport the data. Your computers can be in the same house on the same subnet but not be physically connected (or have a wireless link) and then you wouldn't expect packets to be routed.
answered 12 hours ago
Lightness Races in OrbitLightness Races in Orbit
27016
answered 12 hours ago
Lightness Races in OrbitLightness Races in Orbit
27016
answered 12 hours ago
Lightness Races in OrbitLightness Races in Orbit
27016
answered 12 hours ago
Lightness Races in OrbitLightness Races in Orbit
27016
27016
add a comment |
add a comment |
The point of the VLANs is to have network segmentation. You could also achieve the same (some caveats aside) using subnets. Since your subnet is split into 2 different VLANs, your devices can not communicate on L2 network. You can setup IRB interface on the switch to allow communication between the VLANs. Alternatively, you can route the traffic via a firewall and allow selective communication between the VLANs. Ideally, you should design your network to have different subnets for each of the VLANs and then Firewall the traffic between VLANs. Hope this helps.
answered yesterday
RickyRicky
1
New contributor
Ricky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
1
Nonononono don’t use IRB in this situation... the problem is that the switch should never have been configured with two vlans across the same subnet. The best answer is put all hosts in one subnet in the same vlan.
– Mike Pennington
yesterday
add a comment |
The point of the VLANs is to have network segmentation. You could also achieve the same (some caveats aside) using subnets. Since your subnet is split into 2 different VLANs, your devices can not communicate on L2 network. You can setup IRB interface on the switch to allow communication between the VLANs. Alternatively, you can route the traffic via a firewall and allow selective communication between the VLANs. Ideally, you should design your network to have different subnets for each of the VLANs and then Firewall the traffic between VLANs. Hope this helps.
answered yesterday
RickyRicky
1
New contributor
Ricky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
1
Nonononono don’t use IRB in this situation... the problem is that the switch should never have been configured with two vlans across the same subnet. The best answer is put all hosts in one subnet in the same vlan.
– Mike Pennington
yesterday
add a comment |
The point of the VLANs is to have network segmentation. You could also achieve the same (some caveats aside) using subnets. Since your subnet is split into 2 different VLANs, your devices can not communicate on L2 network. You can setup IRB interface on the switch to allow communication between the VLANs. Alternatively, you can route the traffic via a firewall and allow selective communication between the VLANs. Ideally, you should design your network to have different subnets for each of the VLANs and then Firewall the traffic between VLANs. Hope this helps.
answered yesterday
RickyRicky
1
New contributor
Ricky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
The point of the VLANs is to have network segmentation. You could also achieve the same (some caveats aside) using subnets. Since your subnet is split into 2 different VLANs, your devices can not communicate on L2 network. You can setup IRB interface on the switch to allow communication between the VLANs. Alternatively, you can route the traffic via a firewall and allow selective communication between the VLANs. Ideally, you should design your network to have different subnets for each of the VLANs and then Firewall the traffic between VLANs. Hope this helps.
answered yesterday
RickyRicky
1
New contributor
Ricky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
RickyRicky
1
New contributor
Ricky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
RickyRicky
1
answered yesterday
RickyRicky
1
1
New contributor
Ricky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Ricky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Ricky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
1
Nonononono don’t use IRB in this situation... the problem is that the switch should never have been configured with two vlans across the same subnet. The best answer is put all hosts in one subnet in the same vlan.
– Mike Pennington
yesterday
add a comment |
1
Nonononono don’t use IRB in this situation... the problem is that the switch should never have been configured with two vlans across the same subnet. The best answer is put all hosts in one subnet in the same vlan.
– Mike Pennington
yesterday
1
1
Nonononono don’t use IRB in this situation... the problem is that the switch should never have been configured with two vlans across the same subnet. The best answer is put all hosts in one subnet in the same vlan.
– Mike Pennington
yesterday
Nonononono don’t use IRB in this situation... the problem is that the switch should never have been configured with two vlans across the same subnet. The best answer is put all hosts in one subnet in the same vlan.
– Mike Pennington
yesterday
add a comment |
Jim Pap is a new contributor. Be nice, and check out our Code of Conduct.
Jim Pap is a new contributor. Be nice, and check out our Code of Conduct.
Jim Pap is a new contributor. Be nice, and check out our Code of Conduct.
Jim Pap is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Network Engineering Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f58364%2fwhy-cant-devices-on-different-vlans-but-on-the-same-subnet-communicate%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
-subnet, switch, vlan
3
You need a router to route between different Vlans. Also, when doing that, you cannot have the same IP subnet on those two Vlans.
– Cown
yesterday
5
Hello Jim Pap and welcome ... It's like you plugged your two hosts into two different switches, one labelled "LAN 10" and the other labelled "LAN 20". Configuring VLANs on your switch divides your switch into multiple, virtual, switches.
– jonathanjo
yesterday
2
This question is somewhat of a tautology. They can't because they can't, by design. The creation of separate VLANs logically segments the switched internetwork. You now need to use some form of inter-VLAN routing for these devices to communicate.
– WakeDemons3
yesterday
@Cown you can most definitely have the same IP on multiple VLANS although it may not be beneficial to do so
– Matt Douhan
17 hours ago
@MattDouhan Unless the Vlans are in different VRF's or some other separator, then no, that is not possible, at least not on Cisco. Please prove it.
– Cown
12 hours ago