[72895] in North American Network Operators' Group
Re: Quick question about secondary addresses
daemon@ATHENA.MIT.EDU (Laurence F. Sheldon, Jr.)
Sat Jul 31 13:39:21 2004
Date: Sat, 31 Jul 2004 12:38:40 -0500
From: "Laurence F. Sheldon, Jr." <LarrySheldon@cox.net>
To: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.58.0407311152440.7852@web1.mmaero.com>
Errors-To: owner-nanog-outgoing@merit.edu
Jon Lewis wrote:
> On Sat, 31 Jul 2004, Jesper Skriver wrote:
>
>>On Fri, Jul 30, 2004 at 10:21:06AM -0700, Dan Lockwood wrote:
>>
>>>I'm in a debate with a guy over the use of 'ip address x.x.x.x s.s.s.s
>>>secondary' on Cisco gear. I seem to remember reading that the use of
>>>secondary addresses is a bad idea, but I can't recall the details of
>>>why. Process switched?
>>
>>No, traffic to hosts within a subnet configured as secondaries
>>will be CEF switched.
>>
>>The only "bad" thing I can think of with secondaries, is that it's often
>>not what you want, why not split it on layer 2 as well, and get the
>>benefit of a smaller broadcast domain ?
>
> A few other possible issues:
>
> 1) routing protocols (i.e. ospf) will not form adjacencies with devices in
> the secondary address subnets...so if you're doing this to get more
> address space on a particular ethernet without renumbering, if you need
> OSPF on the ethernet, all the OSPF speakers have to be in the primary
> subnet.
>
> 2) If you're doing this to separate customers, it doesn't really. They're
> all free to steal each others IPs. Better solutions would be VLAN
> trunking back to the router with a subint for each subnet or a L3 switch
> effectively doing that all in one box.
I meant to add (but apparently didn't send the reply where I thought I
did):
Depending on traffic flows, the "one-armed" routing (bouncing the
traffic from one IP net to the other off the router) can be a
significant issue for the router.
> 3) Human error. More than once I've seen someone change an interface's
> primary IP by "adding a secondary" and hitting return before typing
> "secondary". Maybe it would have been better/safer if the command were
> "secondary ip addr ..." :)
That is an especial treat when you do it on the interface you are talking
to the router on.
I always set a secondary on the most-likely-to-be-the-management
interface and left it there and used it for management sessions.
--
Requiescas in pace o email
Ex turpi causa non oritur actio
http://members.cox.net/larrysheldon/
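For readers following Jon's points 2 and 3, here is an added Cisco IOS configuration example (not posted by anyone in the thread) showing the secondary-address layout beside the per-subnet 802.1Q subinterface alternative he recommends; the prefixes 192.0.2.0/24 and 198.51.100.0/24 and the VLAN ids 10 and 20 are constructed placeholders.

```cisco
! --- Layout A: secondary address (constructed example) ---
! Both subnets share one wire and one broadcast domain, so hosts in
! 198.51.100.0/24 can still claim addresses from 192.0.2.0/24, and an
! OSPF neighbor must sit in the primary subnet to form an adjacency.
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip address 198.51.100.1 255.255.255.0 secondary
!
! Pitfall from point 3: typing the line below WITHOUT the trailing
! "secondary" keyword REPLACES the primary 192.0.2.1 instead of adding
! an address, so a session reaching the router via 192.0.2.1 is lost.
!  ip address 198.51.100.1 255.255.255.0
!
! --- Layout B: one 802.1Q subinterface per subnet (constructed) ---
! Each subnet gets its own VLAN, so the L2 broadcast domains are
! separate and a routing protocol can run on each subinterface.
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 198.51.100.1 255.255.255.0
```

Layout B requires the attached switch port to be an 802.1Q trunk carrying VLANs 10 and 20; layout A needs no switch change, which is usually why it gets chosen.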