 From:  "Giobbi, Ryan" <rgiobbi at AGOC dot com>
 To:  <stefan at fuhrmann dot homedns dot org>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IP-aliasing
 Date:  Tue, 27 Dec 2005 08:14:04 -0500
>okay, VLANs are nice but I don't have everywhere a VLAN, and you can not
assume that everybody has VLANs. And for my dependencies there is a need
for IP-aliasing.
>And I can not see why this should be bad?! 
>When you have further information, please, explain me why aliasing is
not a good idea. I'm always ready to learn, who not.

Although certainly not as secure as VLANs (some of the advanced sniffing
tools like ettercap can easily sniff all traffic on a single interface),
I've found using IP aliasing (and its Linux counterpart) is very useful
in the below cases (where VLANs are overkill or not possible):

- By dropping all telnet/SSH/http/https (depending on the device)
traffic from the main subnet and restricting it to a separate secondary
subnet, curious LAN users can not easily find the management interface
of their gateway/firewall. 

- By using a separate IP range and using it just for layer 2 bridging
devices (802.11b/g wireless bridges for example), these devices become
totally transparent to the end-user, and are much easier to manage since
no one ever "steals" or "camps" on their IP address.

- My mobile laptops all have multiple IP addresses on their different
interfaces, even when booted into Windows XP. This way I can jack into a
network, and manage devices on different subnets and I'm not changing my
NIC card settings every two minutes. Also, it's the only way Windows XP
will let me mount SMB shares through SSH tunneling.