Great Circle Associates Firewalls
(February 1997)
 


Subject: Re: How to configure two network interface into a same
From: jegan @ iai . com (James Egan)
Organization: Integrated Architectures, Inc.
Date: Fri, 21 Feb 1997 09:03:56 -0500 (EST)
To: anton @ the-wire . com (Anton J Aylward)
Cc: rbrackett @ dsm . net, firewalls @ GreatCircle . COM, ruben @ is . com . ar
In-reply-to: <3 . 0 . 32 . 19970220153330 . 00768a58 @ the-wire . com> from "Anton J Aylward" at Feb 20, 97 03:39:07 pm
Pgp-fingerprint: 64 47 DC 51 D9 11 1D FF 31 43 9C 4C E2 A1 FC 04
Pgp-public-key: public-key-server @ martigny . ai . mit . edu (subject: GET jegan)
Reply-to: Jim . Egan @ iai . com

Anton J Aylward recently wrote:
> 
> At 08:41 AM 20/02/97 -0500, Richard Brackett wrote:
> 
> >I don't believe that you are going to be able to make that configuration
> >work.  How is TCP/IP supposed to choose which adapter to use when talking
> >to that subnet?  Any multi-adapter configuration I've seen or implemented
> >needed two different subnets to work.  I've done this under various unix
> >flavors, Netware, and NT.  Most OS's will allow multiple same-subnet
> >addresses to a single card, but not two different cards.
> >
> >Others may have different experiences and I'd be interested in hearing
> >from anyone with more depth of knowledge on the subject.
> >
> >Richard
> >
> >>>> Ruben Sajnovetzky <ruben @ is . com . ar> 02/19/97 11:59am >>>
> >+ I want to configure the two ATM interfaces using the same subnet
> >+ address (192.11.214.0) on a SGI workstation, for example, one is
> >+ 192.11.214.10 and another is 192.11.214.11. But I found if I assigned
> >+ the two ATM interfaces into the same subnet, the IRIX system couldn't
> >+ work correctly. If I assigned the two ATM interfaces into two different
> >+ subnets (ex: 192.11.214.10 and 192.11.215.20), our IRIX system could
> >+ work correctly. Do you know if two network interfaces (such as ATM,
> >+ ethernet or FDDI) in a UNIX machine can be assigned into the same
> >+ subnet? If they can, how should I configure them?
> 
> 100% correct.  So let's cheat.
> 
> First I'm going to pick the network address on the class C subnet you
> describe.  I'm not going to use 10 and 11, I'm going to use 10 and (just
> to be preposterous) 255-10 = 245, which was my old house number.
> 
> Now I'm going to squint very hard and make the class C go away.
> With this squint, you no longer have a 24 bit subnet mask, 255.255.255.0
> (or ff.ff.ff.00) but instead a 26 bit mask (ff.ff.ff.80).
> 
> OK, I told you I was going to cheat.
> From the point of view of this machine, it's on TWO subnets, each of which
> is half a class C.  This is because when you did an ifconfig on each of the
> ports you did the appropriate mask as well.
> 
> But that's only for this machine.   All the other single ported machines
> on the class C don't suffer from this.
> 
> I do say suffer.  As Richard Brackett said, how are you going to make this
> work?  What good will it do you?  Are you trying to do load balancing?
> Split the load between two cards?   Well this isn't going to do that.  If
> that's your problem you need to figure out WHY you need more bandwidth.
> Run a snooper and see all the junk you're putting out.  Turn off rwhod,
> and all those other noisy protocols like NIS and NFS. ;-)
> 
> Putting on my consulting hat for a moment, let's ask two questions:
> 
> 	1. What are you trying to do?
>          Oh yes, put two cards on the same machine on the same subnet.
> 
> 	2. What are you trying to ACHIEVE?   What is your ENDPOINT OBJECTIVE?
> 
> Sorry that's three.   Assume the last two are different ways of asking the
> same thing.
> 
> OBTW: Some RFC and hence some routers and IP stacks may not take kindly to
>       this chopping of subnets on non-8-bit boundaries, CIDR notwithstanding.
>       Some may say that all of the subnet 0 part simply isn't accessible.
>       Your mileage may vary.   All I can say is that it has worked for me.
> 	
> --------------------------------------------------------------------------
> Anton J Aylward                  | Security is not something that comes in 
> The Strahn & Strachan Group Inc  | a self-contained box. It is an attribute 
> Information Security Consultants | of how you do business and as such 
> Voice: (416) 494-8661            | needs to be managed carefully.
>   Fax: (416) 494-8803            |      - Karen Goertzel, Wang Federal Inc.
> 

I don't think this will help you unless the single NIC is overloaded in the
first place.  Just adding a second NIC will only help if the problem
is the NIC throughput.  It's not going to help if the problem is network
bandwidth.

/Jim/
--
James P. Egan                   | Jim . Egan @ iai . com
Integrated Architectures, Inc.  | http://www.iai.com 
300 East Main Street, Suite 207 | Tel: 508-634-3200 x209
Milford, MA  01757              | Fax: 508-634-8381
Use PGP for more secure email
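
The mask trick described in the quoted message, worked through as an added example that is not part of the original thread: the script derives the prefix length from the hex mask as written in the post (ff.ff.ff.80), reports which address pairs still share a subnet, and shows that the dual-homed host picks its outgoing interface purely by destination address. The function names are illustrative; the addresses are the ones used in the thread.

```python
import ipaddress
from collections import defaultdict

def hex_mask_to_prefix(mask):
    """Turn a dotted-hex mask like 'ff.ff.ff.80' into a prefix length."""
    value = int("".join(p.zfill(2) for p in mask.split(".")), 16)
    inverted = value ^ 0xFFFFFFFF
    if inverted & (inverted + 1):  # host bits must be one contiguous run
        raise ValueError("non-contiguous mask: " + mask)
    return 32 - inverted.bit_length()

def connected_subnets(addresses, prefix):
    """Group local interface addresses by the subnet each is configured on."""
    groups = defaultdict(list)
    for addr in addresses:
        iface = ipaddress.ip_interface(f"{addr}/{prefix}")
        groups[str(iface.network)].append(addr)
    return dict(groups)

def ambiguous(addresses, prefix):
    """Subnets claimed by more than one interface (no unique choice of adapter)."""
    subnets = connected_subnets(addresses, prefix)
    return {net: a for net, a in subnets.items() if len(a) > 1}

def egress(dest, addresses, prefix):
    """Local address whose connected subnet holds dest, or None (needs a gateway)."""
    target = ipaddress.ip_address(dest)
    for addr in addresses:
        if target in ipaddress.ip_interface(f"{addr}/{prefix}").network:
            return addr
    return None

if __name__ == "__main__":
    prefix = hex_mask_to_prefix("ff.ff.ff.80")
    original = ["192.11.214.10", "192.11.214.11"]
    split = ["192.11.214.10", "192.11.214.245"]
    print("10 and 11, /24 mask:", ambiguous(original, 24))
    print("10 and 11, split mask:", ambiguous(original, prefix))
    print("10 and 245, split mask:", connected_subnets(split, prefix))
    # Each peer is reached through exactly one card, chosen by its address,
    # so the load is partitioned by destination rather than balanced.
    for peer in ("192.11.214.20", "192.11.214.200"):
        print(peer, "leaves via", egress(peer, split, prefix))
```
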

