Switch – Local and public IPs on the same switch


It's all pretty much in the title. Is it possible to assign both local and public IPs to different nodes connected to the same switch?

I have 4 servers with 2 gigabit ethernet ports each. I want one of each to have a public IP, and the remaining ports to have local IPs for server-to-server traffic.

Edit:

The reason I want to do this is because my switch is a few levels down from our company's public-facing router, and I don't want to clog the other switches and router with traffic that only needs to go from one of the 4 servers to another. The public traffic will be minimal, but server-to-server will be huge.

Edit 2:

I have just confirmed with our provider (we're renting rackspace): I do not have access to any NAT hardware upstream. All we have is an IP range and a few switches, which cannot be re-organized because other customers also use them. So at this point, my options appear to be:

  1. IDEAL: Purchase NAT-capable firewall/router and configure underneath current switches with NIC-bonding on each server to a local IP, and the router will forward public IPs to the local IPs.
  2. CHEAP: Divide switch into 2 VLANs for public/local IP range division. The switch does have 802.1q VLAN support.

We're going to go with 2 for now and probably switch to 1 in the future if bandwidth requirements grow. Thanks to all for your advice.

Best Answer

It's possible, but it's not advised, especially when there are better ways.

First, switches don't care about your IP addresses, they care about your MAC addresses. They're "layer 2" devices. IP addresses are layer 3, so they're pretty much irrelevant to the switching side of things.

To make sure that I've got your infrastructure correct, you have servers A, B, C, and D. Each one of them has 2 NICs. You want to take NIC#1 on each server, and configure them with external, internet facing IP addresses, then take NIC#2 on each server, and configure them with private IPs?

I have to ask why, at this point.

If it's for dedicated bandwidth, you would be better served to bond NIC#1 and NIC#2 into one logical interface, which can double the bandwidth.

If it's for security, then you'll have to give some more information, because there's no added security from using private IPs on a switch with public network connections. You aren't going to be broadcasting anything to the internet*, but at the same time, any network broadcasts from the network cards on the private IP block (things like ARP/RARP requests and the like) will get sent to your upstream router. It won't forward them or respond, but it certainly doesn't do anything for you.

(* - probably not, anyway)

Now, if you're still security conscious, why not use VLANs on the switch to segregate the external network from the internal network? The VLANs will create two logical switches*, which will prevent the leaking of your layer 2 broadcast info to the router, and in general, segregation of "private" networks into distinct logical layer 2 networks is preferable.

(* - I'm simplifying, but in essence, this is what it does)
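To illustrate the answer's VLAN point, here is an added example (not code from the original question or answer): a toy model of a MAC-learning switch with port-based 802.1Q VLAN membership, showing that an ARP broadcast from a server's private NIC is flooded only within its VLAN and never reaches the uplink port, whereas on a flat switch it does. The port names, MAC address and VLAN IDs 10/20 are constructed for the illustration.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str
    dst: str
    payload: str = ""

@dataclass
class VlanSwitch:
    # port name -> untagged (access) VLAN id of that port
    port_vlan: dict
    # (vlan, mac) -> port, learned from frame source addresses
    mac_table: dict = field(default_factory=dict)

    def receive(self, ingress, frame):
        """Return the egress ports the frame is forwarded out of."""
        vlan = self.port_vlan[ingress]
        # MAC learning is scoped to the VLAN: each VLAN behaves like its own switch.
        self.mac_table[(vlan, frame.src)] = ingress
        known = self.mac_table.get((vlan, frame.dst))
        if frame.dst != BROADCAST and known is not None:
            return [] if known == ingress else [known]
        # Broadcast or unknown unicast: flood, but only to ports in this VLAN.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != ingress)

def server_ports(public_vlan, private_vlan):
    """Constructed topology: servers A-D with NIC#1 public, NIC#2 private, plus uplink."""
    ports = {"uplink": public_vlan}
    for s in "ABCD":
        ports[f"{s}-nic1"] = public_vlan
        ports[f"{s}-nic2"] = private_vlan
    return ports

def flat_switch():
    """Everything in one VLAN: the questioner's original setup."""
    return VlanSwitch(server_ports(1, 1))

def vlan_switch():
    """Option 2 from the question: public ports in VLAN 10, private ports in VLAN 20."""
    return VlanSwitch(server_ports(10, 20))

def arp_broadcast_scope(sw, ingress, src_mac="aa:00:00:00:00:01"):
    """Ports that see an ARP who-has broadcast sent in through `ingress`."""
    return sw.receive(ingress, Frame(src_mac, BROADCAST, "ARP who-has"))

if __name__ == "__main__":
    print("flat switch:", arp_broadcast_scope(flat_switch(), "A-nic2"))
    print("VLAN switch:", arp_broadcast_scope(vlan_switch(), "A-nic2"))
```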
