Linux – Same netmask or /32 for secondary IP on Linux

ipip addressiproutelinuxnetmask

There appear to be (at least) two ways to add a secondary IP address to an interface on Linux. By secondary, I mean that it'll accept traffic to the IP address, and responses to connections made to that IP will use it as a source, but any traffic the box originates (e.g., an outgoing TCP connection) will not use the secondary address.

Both ways start with adding the primary address, e.g., ip addr add 172.16.8.10/24 dev lan. Then I can add the secondary address with either a netmask of /24 (matching the primary) or /32.

If I add it with a /24, it gets flagged secondary, so will not be used as the source of outgoing packets, but that leaves a risk of the two addresses being added in the wrong order by mistake. If I add it with /32, wrong order can't happen, but it doesn't get flagged as secondary, and I'm not sure what the bad effects of that may be.

So, I'm wondering, which approach is least likely to break? (If it matters, the main service on this machine is MySQL, but it also runs NFSv3. I'm adding a second machine as a warm standby, and hope to switch between them by changing which owns the secondary IP.)

Best Answer

If I add it with a /24, it gets flagged secondary, so will not be used as the source of outgoing packets, but that leaves a risk of the two addresses being added in the wrong order by mistake. If I add it with /32, wrong order can't happen, but it doesn't get flagged as secondary, and I'm not sure what the bad effects of that may be.

I'm not sure what you mean here. You network interfaces are configured in a deterministic fashion when your system boots up. By properly configuring your networking you can decide which address is assigned first and which is assigned as the secondary address.

If you're on a RedHat-ish system, the primary network configuration file ifcfg-eth0 (for example) will be handled before any alias interfaces such as ifcfg-eth0:0. I'm less certain of the behavior on Debian-ish systems, but it looks like the /etc/network/interfaces file may be handled sequentially, so put your alias definitions after the primary address and you should be all set.

So, I'm wondering, which approach is least likely to break?

If both of your addresses are on the same network I don't know that either one is going to be more or less likely to break. For what it's worth, I usually configure secondary addresses with a /32 netmask, since the primary address already provides the necessary network route.

Related Solutions

Linux – How to get linux to honor new netmask without hard restart of networking subsystem

First things first, do not use ifconfig and route. These commands are generally regarded as obsolete today; they were written too long ago when Linux had a very different network stack, and have been patched ever since. The very idea of interface aliases (e.g. ethX:YY) in order to have multiple addresses is obsolete today, they still exist mostly to please ifconfig itself. Today, the ip command should satisfy all your needs.

Now, understand your original situation: Your eth0 interface originally had two active scopes: /24 and /27. 172.16.45.3 was the primary address for the /24 scope, while 172.16.45.21 was the primary address for the /27 scope (because it is listed first). When you issued the ifconfig command to change the prefix of the first address, it deleted it and reinserted it as a secondary address in the /27 scope. So now you should have something like this:

inet 172.16.45.21/27 brd 172.16.45.31 primary   eth0:11
inet 172.16.45.22/27 brd 172.16.45.31 secondary eth0:12
inet 172.16.45.3/27  brd 172.16.45.31 secondary eth0

It doesn't matter that eth0 should be primary, or that it looks like it should be primary (another reason not to use ifconfig). It was inserted latter in the /27 scope, so it is a secondary address. This also means that outbound packets will be addressed 172.16.45.21, and that if you bring eth0:11 down using ifconfig, all your addresses will be taken down together. This is how it works.

The only way to fix this is to remove all addresses from the interface and reinsert them in the correct order. Then, the first address added (in the /27 scope) will be the primary address in that scope, and further addresses will all be secondaries.

The addressing was already broken from the beginning, there wasn't much you could do in this situation. Your best solution is to just restart the network service.

One possible workaround is to change the source routing address. This will have almost the same effect of changing the primary address. In your case:

ip route change 172.16.45.0/27 dev eth0 src 172.16.45.3

In this case, packets going to 172.16.45.0/27 will have the source address set to 172.16.45.3. You will need another command if you also want to change the source of packets passing through the gateway.

Linux – How to Specify IP Address for Outbound Connections on Multi-IP Host

Update default:

ip route change default via 81.169.180.1 src 81.169.180.51

Check configuration:

ip route list

Best Answer

Related Solutions

Linux – How to get linux to honor new netmask without hard restart of networking subsystem

Linux – How to Specify IP Address for Outbound Connections on Multi-IP Host

Related Topic