Solved

AIX IP Alias?  Multiple IP address in One NIC

Posted on 2004-09-05
Last Modified: 2013-11-17
Hi All,

I have a list of public IP addresses used for hosting different websites (Intel machine). I also have an AIX 5.1 machine used as a firewall. The AIX has 3 NICs: 1 used for public, the 2nd NIC used for the secured LAN, and the 3rd NIC used for the DMZ. Currently, the 3rd NIC is only used for my mail server.

Can I use the 3rd NIC to host multiple webservers using only one NIC? How can I configure the 3rd NIC so that all my websites & mail server can be seen? Is "IP Alias" the right answer to it? If so, please help me: how can I configure one NIC to have multiple IP addresses?


Please Help!

Thank you
Question by:lordfc
 
LVL 20

Expert Comment

by:Gns
ID: 11988985
It might be. You configure aliases via "smitty inetalias".
This is usually used to host multiple domains on the same webserver (virtual domains). In your case you might use it to have more than one network on the DMZ.

-- Glenn
0
 

Author Comment

by:lordfc
ID: 11993374
Hi Gns,


Sorry, I can't fully understand, please explain further...
We have 6 webservers, which are currently outside of our firewall. We wanted to put all those servers inside our AIX firewall, but the firewall has a limited number of NICs only. Can we put all those servers inside one NIC?

en0 = x.x.x.1
  /usr/sbin/ifconfig en0 <your_IP_address> alias

Example:
  /usr/sbin/ifconfig en0 <x.x.x.2> alias
  /usr/sbin/ifconfig en0 <x.x.x.3> alias
  /usr/sbin/ifconfig en0 <x.x.x.4> alias

Does this config mean that the three aliases will be input on en0 (x.x.x.1)?
If I have 3 servers running on the Windows platform, the IP addresses that I should give them would be x.2, x.3, & x.4, and then I would add these as aliases to the AIX en0? We use IBM SecureWay for AIX, but SecureWay has a limitation. It can only cater for 3 NICs. We already used all the NICs, that's why we wanted to know if we can put multiple IP addresses on one NIC in AIX? Please advise.

Please your assistance would be very much appreciated...

Thank you


0
 
LVL 20

Expert Comment

by:Gns
ID: 11994869
> en0 = x.x.x.1
>  /usr/sbin/ifconfig en0 <your_IP_address> alias
> Example:
>   /usr/sbin/ifconfig en0 <x.x.x.2> alias
>   /usr/sbin/ifconfig en0 <x.x.x.3> alias
>   /usr/sbin/ifconfig en0 <x.x.x.4> alias
> Does this config mean that the three aliases will be input on en0 (x.x.x.1)?
> If I have 3 servers running on the Windows platform, the IP addresses that I should give them would be x.2, x.3, & x.4, and then I would add these as aliases
> to the AIX en0? We use IBM SecureWay for AIX, but SecureWay has a limitation. It can only cater for 3 NICs. We already used all the NICs, that's
> why we wanted to know if we can put multiple IP addresses on one NIC in AIX? Please advise.

Well, let's define some things: In the example above, are we to assume that the x.x.x part of each address is on the same _network_? If so, then you don't have to mess with aliases, assuming the SecureWay FW (I've no experience of this particular product) is a traditional routing firewall. In this case you'd just need have an address on each interface (on the AIX box) like
Outside = Your public IP address.
Inside = Your LAN IP address
DMZ = Your DMZ IP address
In this setup, the DMZ interface would have x.x.x.1 perhaps, and the servers on the DMZ would have .2, .3, .4 ... Then you'd need define the rules for the _network_ as such, not individual hosts. For static NAT or similar, you'd still define things per address, of course:-).
But exactly how that is done depends on the capabilities of the firewall... I'm sure it can be done, but I don't know exact commands there.
Having several addresses on the same network "aliased" to the same interface doesn't mean anything here... What you might end up doing, for static 1-to-1 NAT, is to define aliases for your _Outside_ interface... Provided you need/employ NAT between Outside and DMZ.

You'd only need use aliases _in the firewall_ if you were aiming at having different _networks_ on the DMZ (or as noted above for 1-to-1 NAT). Say that host a has address 192.168.0.2/24 and host b has 192.168.17.4/24, then you'd need configure one address on each network (192.168.0 and 192.168.17 respectively in the example).

To be more specific I think we'd need a better description of your topology (use faked addresses, by all means, but use the same _type_ of addresses;-).

-- Glenn
0
 
LVL 61

Expert Comment

by:gheist
ID: 11999673
> I have list of public ip addresses used for hosting different websites
http://httpd.apache.org/docs/mod/core.html#namevirtualhost
Only ethernet adapter II (Intel based) has hardware capability to program input filter for multiple IP addresses

Basically AIX behaves just like any normal UNIX host - when you configure an interface address it adds a default route to that network on that interface; the rest is done via the route command or routed daemon.

If you can give a formal description of what filtering is done inside the firewall, you can easily replace that firewall with anything alike; simply anything free like Linux or any BSD will offer the functionality IBM SecureWay for AIX offers (Proxy + IPSEC + NAT + obscure ruleset language)
0

 
LVL 20

Expert Comment

by:Gns
ID: 12003860
> ... + obscure ruleset language )
So true:-)

-- Glenn
0
 

Author Comment

by:lordfc
ID: 12050991
Hi All,

What would be the best approach for this environment? Should I create NAT or IP Alias?
All I want is to put my servers (initially 5 machines) with different public IP addresses inside my firewall, but my firewall is limited to 3 NICs (IP addresses) only. And I've set this up as 1st - Internet, 2nd - DMZ, and 3rd - LAN (secured)...

What should I use to put all my servers inside the DMZ? NAT or IP Alias? And make all the 5 web servers accessible/viewable from the internet...


Please extend some more advice on this...

Thank you
0
 
LVL 20

Accepted Solution

by:
Gns earned 20 total points
ID: 12052549
Either you have real routable addresses on the server that you _route through the firewall_ from the outside to DMZ, or you have private addresses on the DMZ _and all the hosts attached to that network_ and define static 1-to-1 NAT for each host so that a real address on the outside is NATed to each host on the DMZ ... and in either case you of course define just the necessary rules for what is allowed to pass through...
As said, I lack experience with this particular firewalling software, but _any_ firewall worth its salt will be able to do this.
In the first case you have a subnetting problem to solve (since you'll have some of your real addresses on the outside, and some on the DMZ), but no NAT and no aliases...
In the second you employ both.

An alternative is port forwarding (or NPAT) where you have one public address and perform NAT for individual ports... In this case you do a form of NAT often called PAT or NPAT, where you have a single public address and forward port x1 to the "hidden" host1's port y1 (x1 and y1 may be the same, or differ), port x2 to host2's y2 etc. x1 cannot be equal to x2 in this kind of setup, rather limiting its effectiveness. In this type of setup you don't use aliases.

Some firewalls let you mix all the above... A lovely mismatched brew:-)

Clearer?

-- Glenn
0
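The two NAT options from the accepted answer, as an added example that is not part of Gns's post and not SecureWay configuration: the first function emits the outside-interface aliases that static 1-to-1 NAT needs, using the `ifconfig ... alias` form quoted in the thread, and the second finds the x1 == x2 clash that limits port forwarding on a single public address. The interface name `en0` as the outside NIC, the addresses and the function names are assumptions; the firewall's own NAT and filter rules are product-specific and not shown.

```python
import ipaddress
from collections import defaultdict


def static_nat_aliases(nat_map, dmz_net, outside_if="en0"):
    """1-to-1 NAT: every public address maps to exactly one DMZ host.

    Returns the alias commands for the firewall's outside interface, in
    the `ifconfig <if> <addr> alias` form quoted in the thread.
    """
    dmz = ipaddress.ip_network(dmz_net)
    hosts = list(nat_map.values())
    if len(set(hosts)) != len(hosts):
        raise ValueError("each public address needs its own DMZ host")
    cmds = []
    for public, private in nat_map.items():
        if ipaddress.ip_address(private) not in dmz:
            raise ValueError(f"{private} is not on DMZ network {dmz}")
        pub = ipaddress.ip_address(public)  # rejects malformed addresses
        cmds.append(f"/usr/sbin/ifconfig {outside_if} {pub} alias")
    return cmds


def pat_collisions(forwards):
    """Port forwarding behind a single public address (no aliases).

    forwards: (public_port, dmz_host, host_port) tuples. Returns the
    public ports claimed by more than one DMZ host (x1 == x2).
    """
    claims = defaultdict(set)
    for public_port, host, _host_port in forwards:
        claims[public_port].add(host)
    return {p: sorted(h) for p, h in claims.items() if len(h) > 1}


# Constructed sample data: documentation and private address ranges.
NAT_MAP = {
    "203.0.113.2": "192.168.0.2",
    "203.0.113.3": "192.168.0.3",
    "203.0.113.4": "192.168.0.4",
}
PAT_CLASH = [(80, "192.168.0.2", 80), (80, "192.168.0.3", 80)]
PAT_OK = [(80, "192.168.0.2", 80), (8080, "192.168.0.3", 80)]

if __name__ == "__main__":
    print("\n".join(static_nat_aliases(NAT_MAP, "192.168.0.0/24")))
    print("PAT clash:", pat_collisions(PAT_CLASH))
    print("PAT ok:   ", pat_collisions(PAT_OK))
```

With several web servers that all need port 80, the collision report shows why forwarding on one public address falls short and one alias per server is the workable NAT layout.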
 

Author Comment

by:lordfc
ID: 12122515
Hi Glenn,

Thank you very much for the info that you've shared with us!
More power!!!

These points are for you...

Cheers :o))
0
