1

Related to my other questions:

Designing OSPF mesh network

Private and Public IPs in the same OSPF area

What is your opinion on having both the private IP subnets and the public IP subnets on the same VLAN (and thus removing the need for VLANs at the access layer, only needing two IP addresses on the same interface of a certain host)?

Consider the two situations to the left and right in this picture:


Peter
  • re: private and public subnet on the same vlan, it's a bad idea. Also see [this question](http://networkengineering.stackexchange.com/questions/7629/vlan-subnets-11) – Mike Pennington Jul 03 '15 at 12:59
  • 1
    @MikePennington depends on the situation. I have seen it used very effectively in locations that provide PI addressing to computers while using private addressing on resources that don't need PI addresses such as printers, scanners, etc. All hosts in the same "group" can be within the same VLAN and managed as such, while not exposing unnecessary resources or uselessly using PI space on devices that clearly don't need it. – YLearn Jul 06 '15 at 18:16
  • Your question is asking for opinions and we are unable to provide a *correct* answer. Please edit your question and it will automatically start a reopen vote. You may find our [Question Checklist](http://meta.networkengineering.stackexchange.com/q/292/33) helpful to improve your question. – YLearn Jul 06 '15 at 18:19

2 Answers

1

Having two IPs on a host on the same interface is never a good idea.

  1. When sending packets out, which IP will be used as the source IP?
  2. What if 172.x is used for talking to the Internet?
  3. When using the wrong src/dst combination for local traffic, it needs to hairpin through an L3/router.
  4. DHCP will not be an option any more, so this is only applicable to a very small setup.

A better/standard approach is to use private IPs (10/8, 172.16/12) for the host IPs, then on the upstream router do a 1-to-1 NAT to the public IP for outgoing and incoming traffic.

If you then ever change ISP and get new public IPs, it is simple to change them in one place.

Pieter
  • Yes, 1:1 NAT maybe is the best solution to this problem; it gets rid of the need for multiple VLANs per host. We have a few thousand hosts where just a few need public IPs but everyone needs Internet access. The new question that comes to mind now is how to set that up, since our core switches don't do NAT. (And the upstream router is out of our control.) – Peter Jul 03 '15 at 13:50
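An added illustration of points 1 to 3 in the answer above (example code, not part of the answer): a small model of how a host on a shared VLAN chooses its source address and whether a flow stays on the segment or hairpins through the router. The subnets, host addresses and the simplified selection rule are constructed assumptions, not taken from the question.

```python
import ipaddress

# Constructed example: one VLAN carrying a private and a public subnet.
# 203.0.113.0/24 is a documentation (TEST-NET-3) range, not a real allocation.
PRIVATE_NET = ipaddress.ip_network("172.16.10.0/24")
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")
VLAN_SUBNETS = (PRIVATE_NET, PUBLIC_NET)


def pick_source(host_addrs, dst):
    """Simplified source-address selection (assumption: no policy routing).

    Prefer an address whose subnet contains dst (the flow is on-link);
    otherwise fall back to the first configured address. That fallback is
    point 2 of the answer: an Internet-bound packet may leave with the
    private address simply because it was configured first.
    """
    dst = ipaddress.ip_address(dst)
    for addr in host_addrs:
        if dst in addr.network:
            return addr.ip
    return host_addrs[0].ip


def classify_flow(host_addrs, dst):
    """Return (path, src) for a flow from this host to dst.

    'direct'  : src and dst share a subnet, frames go host-to-host.
    'hairpin' : dst sits on the same VLAN but in the other subnet, so the
                packet goes to the router and comes back on the same link
                (point 3 of the answer).
    'routed'  : dst is off the VLAN entirely.
    """
    dst = ipaddress.ip_address(dst)
    src = pick_source(host_addrs, dst)
    same_subnet = any(dst in a.network and src == a.ip for a in host_addrs)
    if same_subnet:
        return "direct", src
    if any(dst in net for net in VLAN_SUBNETS):
        return "hairpin", src
    return "routed", src


def demo():
    dual = [ipaddress.ip_interface("172.16.10.5/24"),
            ipaddress.ip_interface("203.0.113.5/24")]   # two IPs, one NIC
    private_only = [ipaddress.ip_interface("172.16.10.20/24")]
    return {
        "dual_to_public_peer": classify_flow(dual, "203.0.113.7"),
        "dual_to_internet": classify_flow(dual, "198.51.100.9"),
        "private_to_public_peer": classify_flow(private_only, "203.0.113.5"),
    }
```

Reordering the two addresses on the dual-homed host changes which one `dual_to_internet` leaves with, which is the ambiguity point 1 raises.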
0

For ease of deployment only, with no control over the router and no separation:

Use public IPs (only public IPs, no private IPs) on hosts that need them, statically configured.

Use private 172.x IPs on the rest of the hosts.

The routing between public and private can then be done by an L3 switch.

Ask the provider that manages the router to only NAT/hide the private IPs when they leave for the Internet, but let the public IPs straight through.

Pieter