recommended way to support duplicate IP addresses on different VLANs?

recommended way to support duplicate IP addresses on different VLANs?

[Chris Friesen]

Hi all,

We've got a server that sits on multiple VLANs.  Each VLAN is segregated 
and doesn't know about the others.  The IP address ranges in each of the 
VLANs may overlap, and the server may be assigned the same IP address in 
multiple VLANs.

We've got a messy solution now involving unique internal addresses and 
NATing between those and the duplicate external addresses, but I'm 
wondering if there is a cleaner way to handle this.

It seems like network namespaces would work, but it would require 
multiple instances of our software which is a dealbreaker.

Is there any other way to deal with this scenario?

Thanks,
Chris

Re: recommended way to support duplicate IP addresses on different VLANs?

[Rémi Denis-Courmont]

Le lundi 11 juillet 2011 17:58:14 Chris Friesen, vous avez écrit :
> Hi all,
> 
> We've got a server that sits on multiple VLANs.  Each VLAN is segregated
> and doesn't know about the others.  The IP address ranges in each of the
> VLANs may overlap, and the server may be assigned the same IP address in
> multiple VLANs.
> 
> We've got a messy solution now involving unique internal addresses and
> NATing between those and the duplicate external addresses, but I'm
> wondering if there is a cleaner way to handle this.
> 
> It seems like network namespaces would work, but it would require
> multiple instances of our software which is a dealbreaker.
> 
> Is there any other way to deal with this scenario?

Namespace file descriptors if/when they get accepted.

Or then binding sockets to devices (SO_BINDTODEVICE) might work.

-- 
Rémi Denis-Courmont
http://www.remlab.net/
http://fi.linkedin.com/in/remidenis

Re: recommended way to support duplicate IP addresses on different VLANs?

[Chris Friesen]

On 07/11/2011 09:04 AM, Rémi Denis-Courmont wrote:
> Le lundi 11 juillet 2011 17:58:14 Chris Friesen, vous avez écrit :
>> Hi all,
>>
>> We've got a server that sits on multiple VLANs.  Each VLAN is segregated
>> and doesn't know about the others.  The IP address ranges in each of the
>> VLANs may overlap, and the server may be assigned the same IP address in
>> multiple VLANs.

>> Is there any other way to deal with this scenario?


> Or then binding sockets to devices (SO_BINDTODEVICE) might work.

Hmm...SO_BINDTODEVICE looks interesting.  I would imagine we'd still 
need to do some funky stuff around ARP handling.

Chris



-- 
Chris Friesen
Software Developer
GENBAND
chris.friesen@genband.com
www.genband.com

Re: recommended way to support duplicate IP addresses on different VLANs?

[Ben Greear]

On 07/11/2011 08:48 AM, Chris Friesen wrote:
> On 07/11/2011 09:04 AM, Rémi Denis-Courmont wrote:
>> Le lundi 11 juillet 2011 17:58:14 Chris Friesen, vous avez écrit :
>>> Hi all,
>>>
>>> We've got a server that sits on multiple VLANs. Each VLAN is segregated
>>> and doesn't know about the others. The IP address ranges in each of the
>>> VLANs may overlap, and the server may be assigned the same IP address in
>>> multiple VLANs.
>
>>> Is there any other way to deal with this scenario?
>
>
>> Or then binding sockets to devices (SO_BINDTODEVICE) might work.
>
> Hmm...SO_BINDTODEVICE looks interesting. I would imagine we'd still need
> to do some funky stuff around ARP handling.

arp_filter should help.

Also, you may want to use conn-trck tables.  This lets packets coming
in one or more interfaces use a specific conn-track cache.  Might help
keep the identical IPs from colliding in their conn tracking.

iptables -t raw -A PREROUTING -i eth0.7 -j CT --zone 7

Thanks,
Ben

>
> Chris
>
>
>


-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com

Re: recommended way to support duplicate IP addresses on different VLANs?

[Eric W. Biederman]

"Rémi Denis-Courmont" <remi@remlab.net> writes:

> Le lundi 11 juillet 2011 17:58:14 Chris Friesen, vous avez écrit :
>> Hi all,
>> 
>> We've got a server that sits on multiple VLANs.  Each VLAN is segregated
>> and doesn't know about the others.  The IP address ranges in each of the
>> VLANs may overlap, and the server may be assigned the same IP address in
>> multiple VLANs.
>> 
>> We've got a messy solution now involving unique internal addresses and
>> NATing between those and the duplicate external addresses, but I'm
>> wondering if there is a cleaner way to handle this.
>> 
>> It seems like network namespaces would work, but it would require
>> multiple instances of our software which is a dealbreaker.
>> 
>> Is there any other way to deal with this scenario?
>
> Namespace file descriptors if/when they get accepted.

For reference.

The namespace file descriptor code is in 3.0.  setns is present in the
latest glibc.  And the iproute support is just finishing up.

What doesn't exist at the moment is a handy socketat library
function to make it a userspace program that uses multiple network
namespaces trivial.  But that is only a few lines of code.

It sounds like you don't need the full generality of network
namespaces but if you do the functionality is present.

Eric

Re: recommended way to support duplicate IP addresses on different VLANs?

[David Lamparter]

On Fri, Jul 15, 2011 at 05:24:54PM -0700, Eric W. Biederman wrote:
> "Rémi Denis-Courmont" <remi@remlab.net> writes:
> > Namespace file descriptors if/when they get accepted.
> 
> For reference.
> 
> The namespace file descriptor code is in 3.0.  setns is present in the
> latest glibc.  And the iproute support is just finishing up.
> 
> What doesn't exist at the moment is a handy socketat library
> function to make it a userspace program that uses multiple network
> namespaces trivial.  But that is only a few lines of code.

A few lines of code that can be found at
http://git.spaceboyz.net/equinox/vrf-tools.git/

pptpd already supports it, an OpenVPN patch is in the repo.

I'm updating it to match the paths used by "ip netns" over the next
few days.


-David

P.S.: Eric, there is no way to recognise a namespace descriptor as
such from userspace, other than trying setns()?