As a cisco instructor I have to step in … ;->
2 sep 2011 kl. 19:07 skrev Lee Sharp:
> On 09/02/2011 03:05 AM, Ilkka Tengvall wrote:
>> Would someone mind telling me why monowall community and documentation
>> considers this as a bad idea? To me the network interface aliasing is
>> extremely good idea. I'm obviously missing something here, since it's
>> been so long considered as a bad thing in monowall discussions.
Secondary addresses or aliases are as old as IP and was sometimes the only way to add hosts to
a network. But it was not without problem. First of all you end up with local routing, slowing down
the router. After CIDR (supernet) it is preferred to use a larger mask to solve the problem
eg. 192.168.2.0/23 gives you address 2.0 - 3.255.
Other problems are source address selection and routing protocols that mess up things. One thing
that I ran into was, if you loose the primary address the router starts using the secondary even if
you put the primary back again.
In your case you want to add a secondary address to solve a configuration problem. Just go ..
> The first is collisions. If you have to networks on one collision domain, it is potentially very
> The second is security. You have none at all this way. At least with a v-lan you have something
We nowadays run full duplex so we do not have any collisions. The two networks will be in the same
broadcast domain. That is no problem as long as the total amount of routed traffic through the
can be handled. Note that traffic between the two subnets must be routed through the FW. Can
also be solved with static routes in end devices.
If you add, what ever number, of subnets to the same physical or VLAN media you can not use
the firewall to guarantee the security between the local networks. If that isn't a problem ...
If you use VLANs, one for each subnet you can use the firewall for local security.
>> I claim it's waste of money and resources to buy separate network
>> cards and switch just to connect two ip's into the same network (or to
>> connect to external DSL box), in case of not being bottleneck due
>> heavy traffic. For me personally this along with the missing openvpn
>> are the only shortcomings of monowall.
> As to your case, sticking a second IP on WAN so you can log into a DSL box is not a big issue.
But if you make it easy to be sloppy, then people will do it in cases where it is a problem, and
then we get the support questions. :)