Multiple same-net IPs on same interface bad idea? Why?

We have different sets of IPs within the same subnet on the same interface for different purposes:

192.168.1.201..230 are for servers (all Linux)

192.168.1.1..199 are for services running on those servers

As a consequence, every server has multiple IPs - could be two or even more - on the same physical interface. The idea was to be able to move a service from one server to another easily.

There are some services - such as ssh - that are not bound to a specific IP, but all "productive" services (proxy, DNS, NTP, etc.) are bound to one specific IP (and DNS name) which is meant to be moved to another server if the service is moved.

Now, this setup may not be considered "best practice" but so far we haven't had any trouble whatsoever caused by this. However, a lot of people I talk to about this keep saying that "It's just a matter of time until very bad things happen in such a setup" - without being able to explicitly state what that might be. Right now we're discussing whether we should change the setup in the long run which would require a significant amount of effort. Basically I'm looking for arguments for and against changing this.

So this is the question: what "bad things" might be expected in such a setup? Is it something that can always be avoided by doing or refraining from doing certain things? Is there some problem that can be "triggered" in order to demonstrate the problem and show the need to change the setup?

Thomas

Posted 2018-07-16T08:15:35.953

Reputation: 178

I don’t see any problems except perhaps administrative overhead. The only real alternative is to use non-standard ports for most services. Not exactly user-friendly. – Daniel B – 2018-07-16T08:27:25.767

What "bad things" might be expected in such a setup? When service sends a packet, it "gives" this packet to the OS and "says": var.1) send it to {dest IP} anyway (close to always on Win); var.2) send it to {dest IP} with {src IP} (close to always on *nix). In the second case no "bad things" might be expected. – Akina – 2018-07-16T08:39:50.043

Considering the goal (failing over a different server) I do see it as a correct practice. For example a fail-over cluster (eg: pacemaker/corysync on RHEL) would do the same: have an additional IP set on a server, then if the server goes down for any reason, the IP would be "moved" to an other server along with the service. What might happen is ARP issues making the floating IP appearing dead for a few minutes on the new server. use arping's Gratuitous ARP or DAD requests to prevent this (like what would do a real cluster) – A.B – 2018-07-16T12:44:21.987

1As someone who thinks in binary, 1-199 and 201-230 does make me itch. Do you really need those last 8 services? 1-191 and 193-223 make more sense. (Hex 01-BF and C1-DF). – MSalters – 2018-07-16T13:52:27.530

This question would fit better on https://serverfault.com

– Philipp – 2018-07-16T14:33:17.997

Answers

As others have added to, this will work fine provided that the services all bind to OP addresses and you will not be originating requests from these servers which need to be seen from a specific address.

Depending on the nature of the services, you might also want to consider security/firewall implications of your network setup, particularly the increased complexity of the firewalls required and increased risk of attacks/compromised spreading laterally.

It won't solve your problem (but it could reduce it) - you have provided what seem to be arbitrary IP ranges - instead, why don't you arrange the ranges in different netblocks - if space is not an issue, maybe sequential class C's on a /23 boundary, or if space is an issue, 1-190 and 193-254 ?

davidgo

Posted 2018-07-16T08:15:35.953

Reputation: 49 152

5For those that do not realize why Davidgo mentiones the ip-ranges: If you split them by subnet boundaries (like /26 for the 1-190/193-254 pair) writing the firewall rules can be done for whole subnets, which is far more efficient and convenient than doing it for arbitrary sub-ranges. – Tonny – 2018-07-16T12:23:23.377

As long as you can bind everything (or at least everything that matters) to a specific address, it will be fine.

The problems start with applications that can't bind to a specific address: They will choose one of the many IPs on the interface as source address, and that choice may not be particularly consistent. Which may break things on the other end.

This also applies to packets that are sent out by the kernel for some reason; they also will choose some of the many source addresses.

It will also matter if you start doing more complicated networking stuff with iptables or tc.

If none of these applies to your server, you'll be fine. If any of this starts to materialise, you can always add a network namespace (either for all your services, or for things that can't bind and should be guaranteed to use the single "main" address of the server).

dirkt

Posted 2018-07-16T08:15:35.953

Reputation: 11 627

There is nothing wrong with having multiple IP addresses on a server, and I occasionally do this myself. For more advanced setups I combine this with BGP so that I can run multiple instances of a service with redundancy.

There are only three things that have bitten me with setups like this, and one of them is not really relevant to this question as it's more BGP related.

Always bind on addresses, especially for UDP (like DNS). Listening on 0.0.0.0 or * can cause surprises. If you want to listen on multiple addresses, it's often better to use multiple Listen directives (a lot of software supports this)
When using BGP, beware not to accidentally create an anycast service if that's not what you were intending. As long as you make sure that every IP address is claimed by only one server, this cannot happen.
When switching addresses between servers, Duplicate Addresses Detection may stop a server from configuring an address if the previous owner of the address still answers on it. I asked a question about this on the Unix stack exchange.

jornane

Posted 2018-07-16T08:15:35.953

Reputation: 977