It's all pretty much in the title. Is it possible to assign both local and public IPs to different nodes connected to the same switch?

I have 4 servers with 2 gigabit ethernet ports each. I want one of each to have a public IP, and the remaining ports to have local IPs for server-to-server traffic.

Edit:

The reason I want to do this is because my switch is a few levels down from our company's public-facing router, and I don't want to clog the other switches and router with traffic that only needs to go from one of the 4 servers to another. The public traffic will be minimal, but server-to-server will be huge.

Edit 2:

I have just confirmed with our provider (we're renting rackspace): I do not have access to any NAT hardware upstream. All we have is an IP range and a few switches, which cannot be re-organized because other customers also use them. So at this point, my options appear to be:

  1. IDEAL: Purchase NAT-capable firewall/router and configure underneath current switches with NIC-bonding on each server to a local IP, and the router will forward public IPs to the local IPs.
  2. CHEAP: Divide switch into 2 VLANs for public/local IP range division. The switch does have 802.1q VLAN support.

We're going to go with 2 for now and probably switch to 1 in the future if bandwidth requirements grow. Thanks to all for your advice.

Andrew Ensley
  • I'm with the others: because you're suggesting something non-standard/ill-advised, it would be better for you to revise your question to describe what it is you're trying to achieve. – gravyface Apr 26 '10 at 15:27
  • The server <-> server traffic should be over the private addresses, and not over the public addresses. – Zypher Apr 26 '10 at 15:50
  • @Zypher: That's the reason for my question :-) – Andrew Ensley Apr 26 '10 at 16:55

5 Answers

It's possible, but it's not advised, especially when there are better ways.

First, switches don't care about your IP addresses, they care about your MAC addresses. They're "layer 2" devices. IP addresses are layer 3, so they're pretty much irrelevant to the switching side of things.

To make sure that I've got your infrastructure correct, you have servers A, B, C, and D. Each one of them has 2 NICs. You want to take NIC#1 on each server, and configure them with external, internet facing IP addresses, then take NIC#2 on each server, and configure them with private IPs?

I have to ask why, at this point.

If it's for dedicated bandwidth, you would be better served to bond NIC#1 and NIC#2 into one logical interface, which can double the bandwidth.

If it's for security, then you'll have to give some more information, because there's no added security from using private IPs on a switch with public network connections. You aren't going to be broadcasting anything to the internet*, but at the same time, any network broadcasts from the network cards on the private IP block (things like ARP/RARP requests and the like) will get sent to your upstream router. It won't forward them or respond, but it certainly doesn't do anything for you.

(* - probably not, anyway)

Now, if you're still security conscious, why not use VLANs on the switch to segregate the external network from the internal network? The VLANs will create two logical switches*, which will prevent the leaking of your layer 2 broadcast info to the router, and in general, segregation of "private" networks into distinct logical layer 2 networks is preferable.

(* - I'm simplifying, but in essence, this is what it does)

Matt Simmons
  • I've updated my question with more information. I'm not so much worried about security with this strategy as performance. Given my setup, is there any performance gain to be had? – Andrew Ensley Apr 26 '10 at 15:33

This sounds like a case for NAT forwarding and trusting your switch.

I would keep internal IPs for the servers on just one of their ports. The switch will keep server-to-server traffic from impacting the rest of your network. If you need the bandwidth you might want to get a gigabit switch for the servers if the rest of your network is 100 megabit. If your outside traffic will be low, there's no reason to use the second network card until you need the bandwidth.

Connections to your external IPs should be forwarded to the internal IP from your router via NAT.

I couldn't find an exact picture of the topology you're looking for, but this is close, sans switches.
[image: network topology diagram] (source: btinternet.co.uk)

In my setup I have my Cisco ASA firewall forward requests for a specific IP address and port to an internal IP address and port. The server gets the request and forwards it out to the net. This way I can keep any public routing on the public side of my firewall, internal broadcasts and traffic on the internal side, and still access services on the internal network.

Glorfindel
reconbot

Under some situations, I'd be okay with doing this if the switch were a relatively modern switch that has 802.1q VLAN tag support.

I'd create one vlan for the public traffic and one vlan for the private traffic, and use private addresses for the private traffic. Put one set of ports into one vlan (all untagged), and another set of ports into another vlan.

Put your public interfaces / addresses into one vlan, then put the private addresses into the other.

Beware that if any of the public-facing computers gets broken into, you'll be exposing the private interfaces of the other hosts on the private network to that rooted computer. You should treat all of these interfaces as untrustworthy when you're setting up and vetting your security model.

Thinking about this a little -- the vlan model is about the same as setting up IP address aliases and putting everything into the same broadcast domain / vlan. In some ways it is even better because you can do LACP between the computers and the switch and get better performance and link redundancy. But I still wouldn't do it because it is ugly to rely on your router / firewall to drop traffic to RFC1918 space.

chris
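
An added example of the per-server side of this two-VLAN layout (it is not code from the question, from chris, or from any switch vendor): a POSIX shell script that emits the ip(8) and nft(8) commands for one server. The interface names eth0/eth1, the address plan 203.0.113.0/24 (public) and 10.10.0.0/24 (private), and the port numbers are all assumed for illustration. It serves both option 2 in the question and the VLAN design in this answer, and it puts the warning above into practice: the private NIC gets no default route, and the host firewall treats it as no more trusted than the public one.

```shell
#!/bin/sh
# Added example for the "two access VLANs" design (option 2 in the question
# and the layout chris describes). Not code from the question, the answer or
# any vendor; interface names, addresses and ports are assumptions.
# Assumed switch side: every server's NIC1 port is an untagged member of the
# public VLAN and every NIC2 port an untagged member of the private VLAN, so
# the hosts themselves need no 802.1q tagging.
#
# The functions print the commands instead of running them, so the plan can
# be reviewed before it is applied:   server_plan ... | sudo sh

# Dotted quad with a prefix length, e.g. 10.10.0.1/24 (shape check only).
is_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Succeeds when the address lies in RFC 1918 space (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# server_plan PUBIF PUBADDR/LEN GATEWAY PRIVIF PRIVADDR/LEN PRIVNET/LEN
# NIC1 gets the public address and the only default route. NIC2 gets the
# private address and no route beyond its own subnet, so nothing from the
# private side is ever sent towards the upstream router. The host firewall
# then admits only the services each side should see.
server_plan() {
    pubif=$1; pubaddr=$2; gw=$3; privif=$4; privaddr=$5; privnet=$6
    if ! is_cidr "$pubaddr" || ! is_cidr "$privaddr" || ! is_cidr "$privnet"; then
        echo "server_plan: addresses must be written as A.B.C.D/LEN" >&2; return 1
    fi
    if ! is_rfc1918 "$privaddr"; then
        echo "server_plan: the private NIC must carry an RFC 1918 address" >&2; return 1
    fi
    if is_rfc1918 "$pubaddr"; then
        echo "server_plan: the public NIC was given a private address" >&2; return 1
    fi
    cat <<EOF
# NIC1 ($pubif): public VLAN, carries the default route
ip addr add $pubaddr dev $pubif
ip link set $pubif up
ip route add default via $gw dev $pubif
# NIC2 ($privif): private VLAN, on-link only (deliberately no default route)
ip addr add $privaddr dev $privif
ip link set $privif up
# Host firewall: default drop; a compromised neighbour sits on the private VLAN.
# Port numbers are placeholders: 3306 for server-to-server, 80/443 public.
nft add table inet srv
nft add chain inet srv input '{ type filter hook input priority 0; policy drop; }'
nft add rule inet srv input ct state established,related accept
nft add rule inet srv input iif lo accept
nft add rule inet srv input iif $privif ip saddr $privnet tcp dport 3306 accept
nft add rule inet srv input iif $pubif tcp dport '{ 80, 443 }' accept
nft add rule inet srv input icmp type echo-request accept
EOF
}

# Direct invocation with constructed values prints the plan for one server.
if [ "${1:-}" = "--demo" ]; then
    server_plan eth0 203.0.113.10/24 203.0.113.1 eth1 10.10.0.1/24 10.10.0.0/24
fi
```

Pipe the output to `sudo sh` once it has been reviewed. The check worth running afterwards is `ip route get <another server's private address>`: it must name the private NIC and show no `via` gateway, which confirms that server-to-server traffic stays on the private VLAN instead of climbing to the upstream router.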

The reason I want to do this is because my switch is a few levels down from our company's public-facing router, and I don't want to clog the other switches and router with traffic that only needs to go from one of the 4 servers to another. The public traffic will be minimal, but server-to-server will be huge.

Server-to-server traffic won't magically "flow" upstream to the other switches because all four servers are on the same switch (unless they're on a VLAN that's trunked upstream to another switch, but you didn't mention anything like that).

If you expect some major server-to-server traffic, I'd just do NIC bonding, give the bonded interface an internal IP, and use NAT/port forwarding to allow public access.

gravyface
  • If I just use public IPs though, won't all traffic go up through the switches to the router and then back down again? The idea of the setup is to make sure the server-to-server traffic has as short of a path as possible and doesn't clog the other switches. Is there a better strategy for this? I can't do cross-over cables because there aren't enough interfaces on each server. – Andrew Ensley Apr 26 '10 at 16:58
  • You don't want to use public IPs for your server's NICs. Bond them together (if they're the same manufacturer/speed/type, consult your server docs) and give them each a LAN IP. In your firewall/edge router, set up DNAT/port forwarding to forward WAN traffic to the server(s). It would help if you described what role these servers are playing (i.e. Web, DB, etc.) – gravyface Apr 26 '10 at 17:33
  • Thanks gravyface. That's probably what I'll end up doing. – Andrew Ensley Apr 26 '10 at 21:20
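
The router side of option 1, as an added example that is not from this answer or the question: a POSIX shell function that turns a list of `PUBLIC_IP PORT PRIVATE_IP` mappings into an nftables ruleset doing the DNAT/port forwarding gravyface describes, with a default-drop forward chain so only the listed ports reach the servers. The interface names (eth0 public, eth1 private), addresses and ports are assumptions. The function refuses malformed or duplicate mappings, because a second line for the same public ip:port would otherwise silently shadow the first.

```shell
#!/bin/sh
# Added example, not code from the question or this answer: the nftables
# ruleset for a Linux router in option 1, where each server keeps an RFC 1918
# address on its bonded NIC and the router owns the public range and forwards
# selected ports inward. Interface names, addresses and ports are assumptions.
# Each stdin line reads "PUBLIC_IP TCP_PORT PRIVATE_IP"; the port is the same
# on both sides.
#
#   printf '203.0.113.10 443 10.10.0.1\n' | nat_plan eth0 eth1 > fw.nft
#   sysctl -w net.ipv4.ip_forward=1 && nft -f fw.nft

is_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# nat_plan WANIF LANIF   (mappings on stdin) -> nft ruleset on stdout
nat_plan() {
    wan=$1; lan=$2; dnat=""; fwd=""; seen=""
    while read -r pub port priv; do
        case "$pub" in ''|'#'*) continue ;; esac      # blank line or comment
        if ! is_ipv4 "$pub" || ! is_port "$port" || ! is_ipv4 "$priv"; then
            echo "nat_plan: bad mapping '$pub $port $priv'" >&2; return 1
        fi
        # One public ip:port can land on only one server; refuse a duplicate
        # rather than let a later line silently shadow an earlier one.
        case "$seen" in *" $pub:$port "*) echo "nat_plan: duplicate mapping for $pub:$port" >&2; return 1 ;; esac
        seen="$seen $pub:$port "
        # prerouting: rewrite the public destination to the server's private address
        dnat="${dnat}        iif $wan ip daddr $pub tcp dport $port dnat ip to $priv:$port
"
        # forward: after DNAT the packet carries the private address; admit new
        # connections only for the forwarded port
        fwd="${fwd}        iif $wan oif $lan ip daddr $priv tcp dport $port ct state new accept
"
    done
    cat <<EOF
flush ruleset
table inet fw {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
${dnat}    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # servers reach the outside through the router's own public address
        oif $wan masquerade
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iif $lan oif $wan accept
${fwd}    }
}
EOF
}

# Direct invocation with constructed mappings prints a complete ruleset.
if [ "${1:-}" = "--demo" ]; then
    printf '203.0.113.10 443 10.10.0.1\n203.0.113.11 22 10.10.0.2\n' | nat_plan eth0 eth1
fi
```

Enable forwarding (`sysctl -w net.ipv4.ip_forward=1`) before loading the file with `nft -f`. The masquerade rule gives the servers outbound access through the router's address, and the forward chain's `established,related` rule is what lets replies to the DNATed connections back out; everything else arriving from the public side is dropped.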

It should be possible depending on your internet connection, but I would not recommend it. You open yourself up to all kinds of security risks. Most of all you would be broadcasting your internal broadcasts out to the internet. Your Internet router will be the boundary of those broadcasts. But if it is not under your control I would not feel good about it.

But I doubt your setup would have any benefit, since your switch will be the limit for throughput. You could use the public IPs exclusively (with encrypted traffic!). What is the reason behind this configuration?

lepole