5

Is it possible to have multiple VLANs in the same subnet, with the same gateway address (TMG)?

I want to avoid having many subnets (and vNICs in TMG) just to isolate sets of a few hosts.

IP: 10.0.0.1         (TMG server)       VLAN:1 ~ 3

IP: 10.0.0.11 ~ 20   (Hosts group 1)    VLAN:1

IP: 10.0.0.21 ~ 30   (Hosts group 2)    VLAN:2

IP: 10.0.0.31 ~ 40   (Hosts group 3)    VLAN:3

Note that I don't want them to connect to each other, so ARP/inter-VLAN routing (within the subnet) is not required.

The gateway is running in a VM within ESXi 5; I can pass the VLANs to the VM using VGT or a VLAN range, but I don't know how the OS/TMG should handle them.

A.J.

1 Answer

6

Of course you can do that, but it is not the recommended way.

VLANs use software to emulate separate physical LANs. Each VLAN is thus a separate broadcast domain and a separate network.

As you have identified, routing between these VLANs would be difficult, because they are the same subnet. If the addresses are all different it is possible to route traffic using a very large number of rules which don't correspond to the actual subnet configuration and will confuse anyone who inherits this from you. However, it is completely permissible to use the same RFC1918 subnets on different physical networks. You could likely even make all the addresses the same.

The other constraint to bear in mind, and possibly the more relevant one, is that if any of these hosts have to connect to anything at all, routing them to that network will also be difficult. You would have to use NAT almost for sure, and set up NAT rules such that each of these VLANs has a separate outside address. If this configuration doesn't confuse the host OS, it will certainly confuse any administrator trying to work on it.

There are many, many, many RFC1918 addresses available, and there is rarely a real need to conserve addresses in this way. In the extremely unlikely case you are out of them, you can even use the RFC6598 address range 100.64.0.0/10 (which is designated as a private range for carrier-grade NAT, and though this is not its intended use, if you're large enough to use up an entire /8, /16, and /12 besides, you could likely make an argument that you are effectively the ISP for these devices).

Falcon Momot
  • Sorry if I've misled you, but our network is not that big at all. My goal is to place similar hosts/device groups on a single subnet, then separate each group by their own VLAN, e.g.: place all ESXi hosts on a single subnet, then separate prd/dev/test hosts by their own VLAN. Either way, I'd like to know for the sake of knowing. So, could you please answer these two questions: - How can I accomplish this (or point me in the right direction)? - Will I have to use NAT to connect to these VLANs (from a host with a different subnet)? If yes, why? – A.J. Jun 29 '13 at 22:55
  • @A.J. You're doing it wrong. Give each subgroup its own subnet. Use firewall rules or router ACLs to regulate the flow of traffic between the subnets. – Skyhawk Jun 29 '13 at 23:00
  • AJ: Subnetting is foundational to routing; routing is based upon subnetting. In general, it's messy to route between arbitrary distributions of hosts that aren't subnets, or to duplicate subnets that communicate directly with the same thing. As I mentioned, you *could* use NAT to accomplish this (and you'd need to, to hide the subnets all numbered the same, as they are even if you use different host numbers), but you shouldn't. Keep it simple and standard and sane. – Falcon Momot Jun 30 '13 at 05:00
  • I have to agree with Falcon and Miles, it's easier to do it with subnets than with arbitrary policy routing rules. – Rod MacPherson Jun 30 '13 at 17:16
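The following is an added illustration of the point made in the answer and the comments above; it is not code from the question, the answer, or any of the commenters. It models a gateway's forwarding decision as longest-prefix matching over its connected routes, and shows what happens in the asker's layout (one 10.0.0.0/24 carried on VLANs 1 to 3) compared with the recommended layout (one subnet per VLAN, with an explicit allow-list between them standing in for the firewall rules or router ACLs Skyhawk mentions). The three /27 subnets, the interface names and the allow-list are constructed for the example; the asker's hosts would have to be renumbered into them. The model is generic and says nothing TMG- or ESXi-specific.

```python
"""Added example: longest-prefix-match routing over VLAN sub-interfaces.

Demonstrates why a router cannot pick an exit interface when the same
prefix is connected on several VLANs, and how per-VLAN subnets plus an
allow-list give a deterministic, auditable forwarding decision.
"""
import ipaddress
from typing import FrozenSet, List, Optional, Tuple

# A connected route: (prefix, interface the prefix is reachable on).
Route = Tuple[str, str]

# Asker's layout (from the question): the whole /24 on every VLAN.
SAME_SUBNET_ROUTES: List[Route] = [
    ("10.0.0.0/24", "vlan1"),
    ("10.0.0.0/24", "vlan2"),
    ("10.0.0.0/24", "vlan3"),
]

# Recommended layout (constructed for this example): one /27 per VLAN.
SPLIT_ROUTES: List[Route] = [
    ("10.0.0.0/27", "vlan1"),   # hosts 10.0.0.1  .. 10.0.0.30
    ("10.0.0.32/27", "vlan2"),  # hosts 10.0.0.33 .. 10.0.0.62
    ("10.0.0.64/27", "vlan3"),  # hosts 10.0.0.65 .. 10.0.0.94
]

# Example inter-VLAN policy (constructed): only vlan1 -> vlan3 is permitted.
ALLOW_VLAN1_TO_VLAN3: FrozenSet[Tuple[str, str]] = frozenset({("vlan1", "vlan3")})


def select_interface(routes: List[Route], address: str) -> Optional[str]:
    """Longest-prefix match.

    Returns the single winning interface, or None when no route matches or
    when two or more routes of the same length claim the address (the router
    then has no basis to choose, which is the asker's situation).
    """
    dst = ipaddress.ip_address(address)
    best_len = -1
    winners: List[str] = []
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        if net.prefixlen > best_len:
            best_len, winners = net.prefixlen, [iface]
        elif net.prefixlen == best_len:
            winners.append(iface)
    return winners[0] if len(winners) == 1 else None


def forwarding_decision(
    routes: List[Route],
    src: str,
    dst: str,
    allow: FrozenSet[Tuple[str, str]] = frozenset(),
) -> str:
    """Decide what the gateway does with a packet from src to dst.

    'ambiguous'    - the gateway cannot tell which VLAN src or dst is on
    'same-segment' - both are on one VLAN; no routing needed at all
    'forwarded'    - different VLANs and the pair is on the allow-list
    'blocked'      - different VLANs and no rule permits it (default deny)
    """
    src_if = select_interface(routes, src)
    dst_if = select_interface(routes, dst)
    if src_if is None or dst_if is None:
        return "ambiguous"
    if src_if == dst_if:
        return "same-segment"
    if (src_if, dst_if) in allow:
        return "forwarded"
    return "blocked"


if __name__ == "__main__":
    for label, routes in (("same subnet", SAME_SUBNET_ROUTES), ("split", SPLIT_ROUTES)):
        print(f"[{label}] 10.0.0.10 -> 10.0.0.40:",
              forwarding_decision(routes, "10.0.0.10", "10.0.0.40", ALLOW_VLAN1_TO_VLAN3))
        print(f"[{label}] 10.0.0.10 -> 10.0.0.70:",
              forwarding_decision(routes, "10.0.0.10", "10.0.0.70", ALLOW_VLAN1_TO_VLAN3))
```

In the same-subnet layout every lookup ties, so the model reports "ambiguous"; a real OS breaks the tie by interface metric, which means return traffic for VLAN 2 or 3 hosts silently leaves on whichever interface won, exactly the "confuse the host OS" failure the answer warns about. With one prefix per VLAN the decision is unambiguous, and the allow-list is the only place inter-group reachability is decided, which is what makes it easy to review.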