Two VLANs, One Subnet

Corey Edwards tensai at zmonkey.org
Sun Mar 11 21:45:22 MDT 2007


On Sat, 2007-03-10 at 11:49 -0700, Michael Torrie wrote:
> On Sat, 2007-03-10 at 11:28 -0700, Michael Torrie wrote:
> > Tis a vain hope, yes. :)  But this issue has nothing to do with saving
> > IP addresses.  Typically it's about establishing a DMZ.  I get the
> > impression (likely wrongly) you're thinking about NAT in terms of
> > masquerading, when you say "save IP addresses."

When I mention saving, it's because you only have to assign a 1-to-1
mapping if that host needs to communicate with the Internet at all. You
can have a pool of public IPs and only dig into it when you need, thus
conserving them. At work we do that on occasion and it's functional
although not my preferred method.

> I should note that if all your vlans are public ip addresses, then
> normal routing works fine and we don't have to do any mucking about with
> translations.  A DMZ can be established entirely based on routing, and
> applying a firewall between each subnet.  If we all had IPv6, for
> example, we could do such things.  It's just that when you add private
> IP addresses to the mix (on the trusted side) and want your DMZ servers
> to also have private addresses (as well as be seen publicly) that NAT
> seems to be the best way to do it.

OK. I had to parse this a few times before I grokked what you're saying,
but finally I did and you're right. I can see where using NAT simplifies
the configuration on each node. Rather than having to statically assign
multiple addresses, you just use one and handle all the tricky stuff on
the router.

On my subnet I went the other direction. I have static DHCP entries, but
I also have static 1918 addresses. The private IPs are not NAT'd, so
they're effectively like IPv6 link local addresses. Having the backup
private IP has come in handy a few times, but I really don't use it that
much.

While this style of NAT is definitely better than your consumer grade
NAT with 20 computers sharing a single IP address, I still would take
public IP addresses instead. One example I can readily cite is SIP which
relies on the endpoints accurately knowing their own IP address so they
can negotiate RTP streams. NAT throws a monkey wrench in that and
you need a SIP proxy to sort it all out, a problem best left alone. I
know Hans will back me up on that and I suspect that's where he learned
to love NAT so much.

Corey
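The SIP problem described above, shown in code. This is an added example written for this page, not code from Corey or from any SIP proxy or phone. A SIP phone puts its own address in the SDP body of its INVITE (the c= line) and the UDP port it will listen on for RTP (the m= line); a phone behind NAT only knows its RFC 1918 address, so that is what the remote party receives and cannot route to. The script parses a constructed SDP offer, flags that case, and then performs the fix-up a NAT-aware SIP proxy or media relay does on the way out. The relay address 198.51.100.7 and the port mapping passed to proxy_rewrite are assumptions for the illustration.

```python
import ipaddress

# RFC 1918 private ranges; a peer on the public Internet cannot route RTP to these.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample SDP offer (not captured traffic): what a phone behind
# NAT puts in its INVITE, since it only knows its own RFC 1918 address.
SDP_BEHIND_NAT = """v=0
o=phone 2890844526 2890844526 IN IP4 192.168.1.20
s=-
c=IN IP4 192.168.1.20
t=0 0
m=audio 16384 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
"""

# The same offer from a phone that has a public address. 198.51.100.7 is a
# documentation address standing in for a real public one (assumption).
SDP_PUBLIC = SDP_BEHIND_NAT.replace("192.168.1.20", "198.51.100.7")


def parse_sdp(sdp):
    """Pull the session-level c= address and every m= line out of an SDP body."""
    conn = None
    media = []
    for line in sdp.splitlines():
        if line.startswith("c="):
            # c=<nettype> <addrtype> <connection-address>
            conn = line.split()[2]
        elif line.startswith("m="):
            # m=<media> <port> <proto> <fmt> ...
            fields = line.split()
            media.append({"type": fields[0][2:], "port": int(fields[1]),
                          "proto": fields[2], "fmts": fields[3:]})
    return {"connection": conn, "media": media}


def is_rfc1918(addr):
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def rtp_reachable_from_internet(sdp):
    """False when the offer advertises an address a remote peer cannot route to.

    This is the failure Corey describes: the phone told the truth about the
    only address it knows, and that truth is useless on the far side of the NAT.
    """
    info = parse_sdp(sdp)
    return info["connection"] is not None and not is_rfc1918(info["connection"])


def proxy_rewrite(sdp, relay_ip, port_map):
    """The fix-up a NAT-aware SIP proxy / media relay applies to the outbound offer.

    The private c= address is replaced by the relay's public address and each
    m= port by the relay port (port_map, an assumed mapping) that the relay
    will forward back to the phone. Lines not in port_map are left alone.
    """
    out = []
    for line in sdp.splitlines():
        if line.startswith("c="):
            fields = line.split()
            fields[2] = relay_ip
            line = " ".join(fields)
        elif line.startswith("m="):
            fields = line.split()
            fields[1] = str(port_map.get(int(fields[1]), int(fields[1])))
            line = " ".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("behind NAT reachable:", rtp_reachable_from_internet(SDP_BEHIND_NAT))
    print("public reachable:   ", rtp_reachable_from_internet(SDP_PUBLIC))
    print(proxy_rewrite(SDP_BEHIND_NAT, "198.51.100.7", {16384: 40000}))
```

Note that the phone with a public address needs no rewrite at all, which is the point of the post: every piece of state the proxy has to track (the port map, the relay address, the timeout on each relayed flow) exists only to undo what NAT did to the endpoint's view of itself.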

More information about the PLUG mailing list