Overlapped IP Range in a Merger

The scenario is this: Company A has purchased Company B. One is an enterprise of thousands of users, the other a mid-size company in the multiple hundreds. However, as would happen to be the case, both companies utilize an overlapping subnet. To further complicate the issue, it has been decided that both companies need to terminate at Company A’s core and utilize a single unified instance of EIGRP. As part of this scenario, both companies need to be able to access each other’s networks, but luckily it has been determined that neither needs to be able to access the other’s overlapped network. Additionally, both companies advertise different bit masks on their overlapping networks. This is something that we can work with.

The following examples show the additional configuration required for the specific scenario above. The full router configurations are posted at the end of the article.

The topology is as follows:

[Figure: network topology diagram (rfpbr)]

The good news is, Company A advertises 10.10.8.0 as a /24 network. On the other hand, Company B advertises 10.10.8.0 as a /22. This allows both companies to advertise to the converged core, while utilizing a little bit of network engineering to properly route packets.

To start, we will temporarily be breaking routing to Company B’s 10.10.8.0 network. This would be a downtime change that will allow us to continue. Let’s start out by preventing the Company A 10.10.8.0/24 route from being advertised into Company A’s routing tables.

On R2 we will want to add the following configuration. We will start by creating an access list that matches Company A’s 10.10.8.0/24 route and permits it. Following this, we will create a route map set to deny anything matched by the access list and permit all other routes. We will then apply this route map to the EIGRP 42 instance, preventing the target route from entering through R2’s Serial 0/0 interface. Doing this blocks the 10.10.8.0/24 route from being inserted into the routing table.

access-list 8 permit 10.10.8.0 0.0.0.255
!
route-map NO-EIGHT-22 deny 10
 match ip address 8
!
route-map NO-EIGHT-22 permit 20
!
router eigrp 42
 distribute-list route-map NO-EIGHT-22 in Serial0/0
!

Now that we have removed the 10.10.8.0/24 route from R2’s routing table, we must do the same over on R5. In this case we will again apply a route map to the EIGRP 42 instance. However, this time we will use a prefix list instead of an ACL to demonstrate its use. We will create two prefix lists to separate the 10.10.8.0/24 and 10.10.8.0/22 routes. These will then be applied to a route map as previously done with an access list.

ip prefix-list FILTER-8 seq 5 permit 10.10.0.0/16 le 22
!
ip prefix-list FILTER-8-2 seq 5 permit 10.10.0.0/16 ge 24 le 29
!
route-map FILTER-8 permit 10
 match ip address prefix-list FILTER-8
!
route-map FILTER-8 deny 20
 match ip address prefix-list FILTER-8-2
!
route-map FILTER-8 permit 30
!
router eigrp 42
 distribute-list route-map FILTER-8 in Serial0/0
!
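The following Python sketch is an added example, not part of the original article: it evaluates R5's FILTER-8 route map and R2's access-list 8 against prefixes taken from the article's configurations, plus one constructed prefix (10.10.50.0/24). It assumes standard IOS semantics: a prefix list compares both the leading bits and the mask length, while a standard ACL used as a route filter compares only the network address.

```python
import ipaddress

# R5 prefix lists: (covering prefix, min length, max length)
PREFIX_LISTS = {
    "FILTER-8": [("10.10.0.0/16", 16, 22)],    # permit 10.10.0.0/16 le 22
    "FILTER-8-2": [("10.10.0.0/16", 24, 29)],  # permit 10.10.0.0/16 ge 24 le 29
}
# R5 route-map FILTER-8: (sequence, action, prefix list; None = no match clause)
ROUTE_MAP = [(10, "permit", "FILTER-8"), (20, "deny", "FILTER-8-2"), (30, "permit", None)]
# R2 access-list 8 permit 10.10.8.0 0.0.0.255
ACL_8 = (ipaddress.ip_address("10.10.8.0"), ipaddress.ip_address("0.0.0.255"))

def prefix_list_matches(name, route):
    """Prefix list: leading bits must match AND the mask length must be in range."""
    net = ipaddress.ip_network(route)
    return any(net.subnet_of(ipaddress.ip_network(cover)) and lo <= net.prefixlen <= hi
               for cover, lo, hi in PREFIX_LISTS[name])

def r5_verdict(route):
    """First matching route-map sequence wins; falling off the end is a deny."""
    for seq, action, plist in ROUTE_MAP:
        if plist is None or prefix_list_matches(plist, route):
            return action, seq
    return "deny", None

def acl_8_matches(route):
    """Standard ACL used as a route filter: only the network address is compared."""
    addr, wildcard = int(ACL_8[0]), int(ACL_8[1])
    net = int(ipaddress.ip_network(route).network_address)
    return (net | wildcard) == (addr | wildcard)

# Prefixes from the article's configs, plus one constructed /24 (10.10.50.0/24).
ROUTES = ["10.10.8.0/24", "10.10.8.0/22", "10.10.4.0/22", "10.10.250.0/30",
          "10.200.1.0/24", "10.10.50.0/24"]

if __name__ == "__main__":
    for r in ROUTES:
        action, seq = r5_verdict(r)
        print(f"{r:<16} R5 FILTER-8: {action:<6} (seq {seq})  R2 ACL 8 match: {acl_8_matches(r)}")
```

Two things stand out in the output: FILTER-8 drops every /24 through /29 inside 10.10.0.0/16, not only 10.10.8.0/24, and access-list 8 matches the /22 as well as the /24, so R2's filter depends on being scoped to Serial0/0 while the /22 is learned from R3 on FastEthernet0/0.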

We do not need to perform similar operations on the Company A routers, since routing logic dictates that the router will select the more specific route to an address. In this case, Company A’s 10.10.8.0/24 is more specific than 10.10.8.0/22 based on its bit mask. This will lead Company A’s routers, and its core, to select the 10.10.8.0/24 route towards R4 over the 10.10.8.0/22 route towards R2 unless that route is no longer being advertised. If that is the case, there is another problem up at R4 that needs to be taken care of.

This brings up another issue. Packets sent from R5 towards Company B’s 10.10.8.0/22 network will be sent correctly towards the core. Unfortunately, when those packets get to the core, they will be sent towards R4 due to the more specific route for 10.10.8.0. This prevents Company B from accessing its own 10.10.8.0 network. To fix this we will need to apply policy-based routing. We will do that in the following manner.

The work will be done on R1 since it is the center of the converged networks. We will start by creating an access list designed to match any source IP address going to the 10.10.8.0/22 network. We will then apply this access list to a route map where we set the next hop IP address for this special traffic. This will be applied to the inbound interface connecting Company A’s core to Company B’s WAN connected network.

access-list 100 permit ip any 10.10.8.0 0.0.3.255
!
route-map ROUTE-B-LAN permit 10
 match ip address 100
 set ip next-hop 10.10.250.2
!
route-map ROUTE-B-LAN permit 20
!
interface Serial0/2
 ip address 10.10.230.1 255.255.255.252
 ip policy route-map ROUTE-B-LAN
 no dce-terminal-timing-enable
!
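The forwarding decision on R1 described above can be modelled as follows. This is an added example, not part of the original article; it assumes a converged routing table on R1 with next hops taken from the article's interface addresses, and uses one constructed destination (10.10.9.1) to show an address that sits inside the /22 but outside the /24.

```python
import ipaddress

# R1's view of the prefixes discussed in the article (assumed converged table;
# next hops are the neighbor addresses from the article's interface configs).
R1_ROUTES = {
    "10.10.8.0/24": "10.10.220.2",   # Company A LAN, via R4
    "10.10.8.0/22": "10.10.250.2",   # Company B LAN, via R2
    "10.10.4.0/22": "10.10.250.2",   # Company B LAN, via R2
    "10.200.1.0/24": "10.10.210.2",  # Company A, via R6
    "10.142.1.0/24": "10.10.230.2",  # Company B, via R5
}
# route-map ROUTE-B-LAN, applied with "ip policy" on Serial0/2 (link to R5)
PBR_INTERFACE = "Serial0/2"
PBR_DESTINATIONS = ipaddress.ip_network("10.10.8.0/22")  # access-list 100
PBR_NEXT_HOP = "10.10.250.2"

def longest_prefix_match(dst):
    """Normal forwarding: the most specific covering prefix wins."""
    addr = ipaddress.ip_address(dst)
    covering = [ipaddress.ip_network(p) for p in R1_ROUTES]
    covering = [n for n in covering if addr in n]
    if not covering:
        return None
    return R1_ROUTES[str(max(covering, key=lambda n: n.prefixlen))]

def r1_next_hop(in_interface, dst):
    """PBR is checked first, and only for packets arriving on the policy interface."""
    if in_interface == PBR_INTERFACE and ipaddress.ip_address(dst) in PBR_DESTINATIONS:
        return PBR_NEXT_HOP
    return longest_prefix_match(dst)

if __name__ == "__main__":
    cases = [("Serial0/2", "10.10.8.1"),   # R5 -> Company B LAN
             ("Serial0/2", "10.200.1.1"),  # R5 -> Company A R6 LAN
             ("Serial0/3", "10.10.8.1"),   # R6 -> Company A LAN
             ("Serial0/3", "10.10.4.1"),   # R6 -> Company B LAN
             ("Serial0/3", "10.10.9.1")]   # constructed: inside the /22, outside the /24
    for iface, dst in cases:
        print(f"in {iface:<10} dst {dst:<12} -> next hop {r1_next_hop(iface, dst)}")
```

The same destination, 10.10.8.1, resolves to a different next hop depending on the ingress interface, which is why the policy must be reviewed whenever a new Company B link is terminated on R1.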

The results can be confirmed by proving that R5 can reach the 10.10.8.1 host located on Company B’s LAN while still being able to reach the 10.200.1.1 host on Company A’s R6 LAN. Also, to verify we will send packets from R6 destined for the 10.10.8.1 host on Company A’s LAN as well as attempting to reach Company B’s 10.10.4.1 host.

R5#traceroute 10.10.8.1

Type escape sequence to abort.
Tracing the route to 10.10.8.1

  1 10.10.230.1 8 msec 96 msec 32 msec
  2 10.10.250.2 44 msec 64 msec 48 msec
  3 10.10.240.1 40 msec *  88 msec
R5#traceroute 10.200.1.1

Type escape sequence to abort.
Tracing the route to 10.200.1.1

  1 10.10.230.1 52 msec 8 msec 4 msec
  2 10.10.210.2 132 msec *  20 msec

R6#traceroute 10.10.8.1

Type escape sequence to abort.
Tracing the route to 10.10.8.1

  1 10.10.210.1 36 msec 24 msec 16 msec
  2 10.10.220.2 64 msec *  40 msec
R6#traceroute 10.10.4.1

Type escape sequence to abort.
Tracing the route to 10.10.4.1

  1 10.10.210.1 72 msec 28 msec 28 msec
  2 10.10.250.2 92 msec 28 msec 28 msec
  3 10.10.240.1 92 msec *  68 msec

While this isn’t the ideal way to solve this issue, it goes to show that in a bind, route filtering and policy-based routing can be used to achieve a solution, even for select issues with overlapping networks. To correctly remedy the situation and reduce administrative effort when changes are needed, the companies would want to agree upon re-addressing one of the 10.10.8.0 IP ranges. However, this shows that carefully planned changes can provide a band-aid for many situations.

All configuration added to routers to complete this scenario is as follows:

R1

version 12.4
!
hostname Company-B-CORE
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.10.250.1 255.255.255.252
 no dce-terminal-timing-enable
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 10.10.220.1 255.255.255.252
 no dce-terminal-timing-enable
!
interface Serial0/2
 ip address 10.10.230.1 255.255.255.252
 ip policy route-map ROUTE-B-LAN
 no dce-terminal-timing-enable
!
interface Serial0/3
 ip address 10.10.210.1 255.255.255.252
 no dce-terminal-timing-enable
!
router eigrp 42
 passive-interface default
 no passive-interface Serial0/0
 no passive-interface Serial0/1
 no passive-interface Serial0/2
 no passive-interface Serial0/3
 network 10.10.210.0 0.0.0.3
 network 10.10.220.0 0.0.0.3
 network 10.10.230.0 0.0.0.3
 network 10.10.250.0 0.0.0.3
 no auto-summary
!
ip classless
!
access-list 100 permit ip any 10.10.8.0 0.0.3.255
!
route-map ROUTE-B-LAN permit 10
 match ip address 100
 set ip next-hop 10.10.250.2
!
route-map ROUTE-B-LAN permit 20
!
end

R2

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Company-B-CORE
!
!
interface FastEthernet0/0
 ip address 10.10.240.2 255.255.255.252
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.10.250.2 255.255.255.252
 no dce-terminal-timing-enable
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 no dce-terminal-timing-enable
!
router eigrp 42
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface Serial0/0
 network 10.10.240.0 0.0.0.3
 network 10.10.250.0 0.0.0.3
 distribute-list route-map NO-EIGHT-22 in Serial0/0
 no auto-summary
!
access-list 8 permit 10.10.8.0 0.0.0.255
!
route-map NO-EIGHT-22 deny 10
 match ip address 8
!
route-map NO-EIGHT-22 permit 20
!
end

R3

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Company-B-LAN
!
interface Loopback4
 ip address 10.10.4.1 255.255.252.0
!
interface Loopback8
 ip address 10.10.8.1 255.255.252.0
!
interface FastEthernet0/0
 ip address 10.10.240.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
!
router eigrp 42
 passive-interface default
 no passive-interface FastEthernet0/0
 network 10.10.1.0 0.0.0.255
 network 10.10.4.0 0.0.3.255
 network 10.10.8.0 0.0.3.255
 network 10.10.240.0 0.0.0.3
 no auto-summary
!
end

R4

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Company-A-WAN-1
!
interface Loopback8
 ip address 10.10.8.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.10.220.2 255.255.255.252
 no dce-terminal-timing-enable
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 no dce-terminal-timing-enable
!
router eigrp 42
 passive-interface default
 no passive-interface Serial0/0
 network 10.10.8.0 0.0.0.255
 network 10.10.220.0 0.0.0.3
 no auto-summary
!
end

R5

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Company-B-WAN
!
interface Loopback100
 ip address 10.142.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.10.230.2 255.255.255.252
 no dce-terminal-timing-enable
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 no dce-terminal-timing-enable
!
router eigrp 42
 passive-interface default
 no passive-interface Serial0/0
 network 10.10.230.0 0.0.0.3
 network 10.142.1.0 0.0.0.255
 distribute-list route-map FILTER-8 in Serial0/0
 no auto-summary
!
ip classless
!
!
no ip http server
no ip http secure-server
!
!
ip prefix-list FILTER-8 seq 5 permit 10.10.0.0/16 le 22
!
ip prefix-list FILTER-8-2 seq 5 permit 10.10.0.0/16 ge 24 le 29
!
route-map FILTER-8 permit 10
 match ip address prefix-list FILTER-8
!
route-map FILTER-8 deny 20
 match ip address prefix-list FILTER-8-2
!
route-map FILTER-8 permit 30
!
end

R6

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Company-A-WAN-2
!
interface Loopback100
 ip address 10.200.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.10.210.2 255.255.255.252
 no dce-terminal-timing-enable
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 no dce-terminal-timing-enable
!
router eigrp 42
 passive-interface default
 no passive-interface Serial0/0
 network 10.10.210.0 0.0.0.3
 network 10.200.1.0 0.0.0.255
 no auto-summary
!
end

Matt Ouellette is a certified information technology professional residing in Southwest Michigan. His technology findings and advice can be found on his PacketPilot blog. Mr. Ouellette spent 4 years as an I.T. Technician before stepping into a Network Engineer role at Bronson Health Group. Since completing his Associates Degree in Network Administration Matt has taken a head on approach to career enrichment through obtaining credentials such as CCNP, CCNA Voice, MCSA: Server 2008, and VCP5. This passion for continued learning allows him to deliver up to date quality technical solutions.

Permanent link to this article: http://www.packetpilot.com/overlapped-ip-range-in-a-merger/
