Secondary IPs are generally used in a migration process, where a subnet is being extended or moved, and a number of hosts in that subnet may have differing default gateways.
I've also seen it when I worked for an ISP, from that point of view where the customer's LAN doesn't trunk up to the router (non-Cisco switch, poor LAN design, their own migration issues, etc.) and the customer requested the secondary IP, without dot1q trunking on the router.
Search for secondary on this page - there's a couple of other points: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html
And there was a similar question in the CCNP forum a while back:
Hope that helps,
I once inherited a network that used secondary IPs to expand the amount of IP addresses on the LAN. This is all well and dandy, but remember that when you add a secondary IP range, you are adding them in a broadcast domain and thus you have 2 IP ranges in the same broadcast domain. I have seen some weird anomalies with this kind of setup with various applications and have determined that it is really not a good long-term practice. I have only done it as a temporary transition, and I do mean temporary.
You can use as many secondary IPs as you want. The only time I have seen it used is when the subnet assigned to an interface was too small. So there was a /23, and all IP addresses were used. A separate secondary /22 IP address was assigned as a secondary IP address. So therefore you can keep the /23 on the interface, but also use IP addresses in the /22 range as well. Eventually the /23 was faded out, and only the /22 was used. A very helpful migration strategy.
Very well explained Stephen, it's very clear now.
How do I change the secondary IP as the primary IP? Should I just use the "no ip address" command on the primary IP, and the secondary would automatically become the primary IP?
The way I use it is: no ip address xxx yyy secondary, just like most commands, "no" in front to remove.
I can't say if it automatically switches to a "primary" IP address, but I don't believe so - not seen it. I just no ip address xxx yyy secondary followed by an ip address xxx yyy. There's no need to remove both the "primary" and the secondary IP address, as the command "ip address xxx yyy" overwrites whatever IP address is already set.
As a side comment to Stephen, I came across this similar configuration on a network just a few weeks back, which during a migration was required to be part of *several subnets in the same VLAN on the same interface*... and whichever Cisco book and studies you do, they teach you that you can't do this, but it's doable - just not recommended.
You can simply overwrite the address using the same command but omitting the secondary keyword:
R1#sh run int fa0/0
ip address 10.200.200.1 255.255.255.0 secondary
ip address 10.5.5.5 255.255.255.0
Enter configuration commands, one per line. End with CNTL/Z.
R1(config-if)#ip address 10.200.200.1 255.255.255.0
R1(config-if)#do sh run int fa0/0
ip address 10.200.200.1 255.255.255.0
I would just add that if you're using secondary addresses on VLAN interfaces (SVIs), then just keep in mind that you don't want your broadcast domain to get too big - each IP address represents a potential member of that broadcast domain. I have always looked to go no bigger than a /23 for a single broadcast domain.
I know Cisco recommends only one IP subnet per VLAN, but that's not always practical depending on your needs.
Hi All, I have a similar issue. I want to add a secondary IP address on our upstream internet router, because our Cisco ASA Firewall has two public subnets, DMZ-EXT and OUTSIDE. These are trunked with sub-interfaces on the Cisco-ASA.
Both subnets are advertised in OSPF and BGP. We have BGP Peer setup with our Provider. Provider is sending us a default route.
Is there any impact to adding the secondary IP address to an active IP routed interface?
Cisco-ASA is connected to the internet router on the primary subnet, but through a DMZ switch.
Again, Cisco ASA is setup as trunked, vlan-subinterfaces.
Let me know, Thanks
I've used them in conjunction with setting up a DHCP superscope at some sites, where simply expanding IP address range wasn't possible because of how the network was previously subnetted (without any wiggle room for growth). The secondary gateway was necessary to correctly route traffic to the site based on the new superscope IP addresses/subnets.
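
An added example, not part of any post in this thread: a Python script that audits running-config text for interfaces carrying secondary addresses and totals the address space sharing each broadcast domain, compared against the /23 ceiling one poster suggests. The sample config is constructed (only the fa0/0 addresses come from the thread), and `audit`, `SAMPLE_CONFIG` and `LIMIT_PREFIX` are hypothetical names.

```python
import ipaddress
import re

# Constructed sample of running-config text. Only the fa0/0 addresses come
# from the thread; the Vlan20 and Vlan30 entries are made up.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.200.200.1 255.255.255.0 secondary
 ip address 10.5.5.5 255.255.255.0
!
interface Vlan20
 ip address 172.16.0.1 255.255.254.0
 ip address 172.16.4.1 255.255.252.0 secondary
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
!
"""

ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)( secondary)?\s*$")
LIMIT_PREFIX = 23  # assumption: the "no bigger than a /23" rule of thumb


def audit(config_text, limit_prefix=LIMIT_PREFIX):
    """Return {interface: report} for interfaces that carry secondary addresses."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"primary": None, "secondary": []}
        elif current and (m := ADDR_RE.match(line)):
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            if m.group(3):
                interfaces[current]["secondary"].append(net)
            else:
                interfaces[current]["primary"] = net
    report = {}
    for name, cfg in interfaces.items():
        if not cfg["secondary"]:
            continue
        nets = [n for n in [cfg["primary"], *cfg["secondary"]] if n]
        # Collapse overlapping ranges so shared addresses are counted once.
        total = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
        report[name] = {"subnets": [str(n) for n in nets], "addresses": total,
                        "over_limit": total > 2 ** (32 - limit_prefix)}
    return report


if __name__ == "__main__":
    for name, info in audit(SAMPLE_CONFIG).items():
        print(name, info)
```

Interfaces with only a primary address are left out of the report, so the output is a list of the places where more than one subnet shares a broadcast domain.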