two interfaces one subnet

Patrick McManus mcmanus at ducksong.com
Wed May 13 17:36:34 UTC 2009


> use separate subnets for the different  
> interfaces. As someone said before, it's not rocket science.

It can be a barrier to selling gear if you don't have multiple subnets
easily available to you - which is a very big deal for vendors doing
evals or for development teams doing staging. Almost never an issue in
production, I agree.

I worked on a product that had this "1 address for the service", "1
address for administration" concept as its recommended deployment. When
the product was in testing or in pre-production the potential customer
would sensibly want to set it up the same way it would be in production
- with 2 interfaces, each with a different address.

But then the prospect would tell our Sales Engineer that they had only one
subnet available for testing and it would take weeks or months to remedy
that. Half the time that subnet would be DHCP only. As a vendor, our
motivation was to lubricate the eval and pre-production stages so we
could quickly move onto the next trial with a satisfied customer in our
wake.

We, eventually, supported it all quite smoothly taking into
consideration the arp and src address interface selection methods noted
elsewhere in this thread. It never posed complications interacting with
anything external to our gear. As such, I don't think it is fair to
characterize it as a square peg.

Related link on how to configure Linux to do src address based routing:
http://www.linuxjournal.com/article/7291 .. though I agree bonding is a
better answer to the motivation laid out in the article.

Final semi-related thought - I have seen devices with an
admin/production NIC split where the production (insecure) interface
will accept packets all the way up the stack that are (IP.dst ==
adminIP) as long as you put the production mac as the destination on the
packet. That kinda leads to a false sense of security just because they
are on different subnets. Gear that doesn't have physically separate
processors for control/admin and data/production has to work a lot
harder to make sure those things stay separated.

-- 
PenBay Networks
VOIPRecorder - Record Calls Made with Vonage(tm) on Your Computer!
www.penbaynetworks.com
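Added example (editor's, not part of the post above or of any product it describes): a shell script that emits the Linux commands for the two things the post touches on, source-address based routing with `ip rule`/`ip route` so each interface answers from its own address, and a host-level rule so the production NIC does not accept packets addressed to the admin IP (Linux follows the weak host model by default, so without such a rule it will). Interface names, addresses, gateway and routing-table numbers are assumed placeholders, and the script only prints the commands unless invoked with `--apply`, so the plan can be reviewed before anything touches the box.

```shell
#!/bin/sh
# Added example, not from the original post. Generates policy-routing and
# host-isolation commands for a box with a service NIC and an admin NIC that
# may sit on the same subnet. All names and addresses are assumed placeholders.

# per_interface_routing IFACE ADDR GATEWAY TABLE
# Source-address based routing: traffic sourced from ADDR leaves via IFACE
# through its own routing table, instead of whichever NIC owns the main
# default route. arp_filter=1 makes the kernel answer ARP for ADDR only on
# the interface it would route the reply out of, so the other NIC never
# claims the address.
per_interface_routing() {
    iface=$1; addr=$2; gw=$3; tbl=$4
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$tbl"
    printf 'ip rule add from %s table %s\n' "$addr" "$tbl"
    printf 'sysctl -w net.ipv4.conf.%s.arp_filter=1\n' "$iface"
}

# isolate_admin_address PROD_IFACE ADMIN_ADDR
# The weak host model accepts a packet for any local address on any NIC, so
# a frame sent to the production MAC with IP.dst == admin IP is delivered.
# An explicit input rule turns that case into a drop on the production NIC.
isolate_admin_address() {
    prod_if=$1; admin_ip=$2
    printf 'nft add table inet hostsplit\n'
    printf "nft add chain inet hostsplit input '{ type filter hook input priority 0; policy accept; }'\n"
    printf 'nft add rule inet hostsplit input iif "%s" ip daddr %s drop\n' "$prod_if" "$admin_ip"
}

# plan: the full command list for one assumed box (two NICs, one subnet).
plan() {
    per_interface_routing eth0 192.0.2.10 192.0.2.1 100   # production / service
    per_interface_routing eth1 192.0.2.11 192.0.2.1 101   # administration
    isolate_admin_address eth0 192.0.2.11
}

if [ "${1:-}" = "--apply" ]; then
    plan | sh -e      # execute as root on the target host
else
    plan              # dry run: print the commands only
fi
```

Running the script with no arguments prints nine commands; `--apply` pipes them through `sh -e` so the first failure stops the sequence. The nft rule is the part that addresses the last paragraph of the post: separate subnets alone do not stop the stack from accepting admin-addressed packets on the production interface, the host has to be told to refuse them.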