From: stephen on
"Fletcher James" <fjames(a)levitjames.com> wrote in message
news:Ek0Tj.523$Ve.520(a)trnddc08...
> This is your opportunity to be a Cisco hero (and to earn a tin of incredible
> cookies, with the first correct answer.) I suspect that the right person
> can solve this problem in a snap, but the solution has been eluding us for
> over a month.
>
> We have been assigned a block of 64 static IP addresses (actually, 61) by
> Verizon, for our Business FIOS network. Let's call our addresses
> 70.x.x.64/26.
>
> We wish to place a Cisco 1841 directly on the FIOS connection, and then have
> a handful of devices inside (perimeter network), connected by a simple
> Ethernet switch. Most of the addresses will be handled by an ISA server
> (firewall/NAT, which protects our LAN and a separate Web Server zone), but a
> few other devices will be independent (e.g. a videoteleconference unit which
> doesn't play well inside the firewall, a wireless router for untrusted
> devices, etc.)
>
> For many reasons, it would be best if we were simply routing our traffic to
> the inside of the Cisco, so that our 70.x.x.64/26 subnet is on the INSIDE of
> the 1841.
>
> The problem we have is this: Verizon's gateway is 70.x.x.1. Unlike our
> other ISPs, they have NOT assigned us a separate 30-bit subnet with an
> address for our router (in this case, that would be 70.x.x.2). I think
> Verizon just expected us to NAT everything immediately after their
> interface, the way that residential customers do with their Actiontec
> router/firewall units.
>
> So the problem is: What do we use as an address for the outside interface
> of our router, which will allow it to route traffic to the gateway, OR, how
> do we otherwise deal with this problem?
>
> To demonstrate: If we assign our router's outside to .66 (they've told us
> not to use .65) then we need a netmask of 255.255.255.128 so that we can
> route outbound through the gateway. Unfortunately, that then defines ALL of
> our public addresses as being on the outside of the router. We've looked at
> a long list of solutions, and none of them are very good:
>
> OPTION A: Currently, we have declared our outside interface as
> 70.x.x.126/24. We then force all of our inbound traffic to the inside with
> a long list of entries such as:
>
> ip route 70.x.x.69 255.255.255.255 FastEthernet0/0
>
> This works, but poorly -- I suspect there's a lot of unnecessary ARPing
> going on.

One suggestion is to rig up Wireshark to look at what is actually happening on
the outside interface.

Some real info is worth a lot of guessing.
>
> OPTION B: We could keep the public addresses on the outside, and then NAT
> them to private addresses between the Cisco and the perimeter network (e.g.
> 70.x.x.69 --> 10.0.0.69) and then NAT them a second time in the ISA server.
> Yuch.

You can NAT an address to be the same address after it is translated (or at
least you can on a PIX) - any use?
>
> OPTION C: We could "steal" the address 70.x.x.2/30 for our outside
> interface,and hope that it never causes a problem (We've tried this, but
> have had inconsistent results -- it works, and then when we re-boot our
> router it mysteriously fails.)
>
> OPTION D: We could assign a PRIVATE address to the outside of our router --
> say, 10.1.1.1. But then, how would we direct traffic to our gateway? If we
> provide a default route just by interface
>
> ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
>
> then it's got to ARP for every single outbound address. QUESTION: would the
> following solve that problem:
>
> ip route 0.0.0.0 0.0.0.0 70.x.x.1
>
> ip route 70.x.x.1 255.255.255.255 FastEthernet0/1
>
> OPTION E:
> You're the genius. Tell us Option E.

Use up a small amount of addressing from your block for a /30 to have a link
to the FIOS next hop.

So your outside would be
70.x.x.2 255.255.255.252

Then you have an inside subnet for the full block, and let proxy ARP fix up
the next hop stuff for FIOS.

Cost is you lose some addresses for the reserved part of the /30 (and the
complexity and debugging of course).

This depends on the 1800 allowing you to set up overlapping subnets - used
to work a few years back, but I haven't tried recently...

>
> I would very much appreciate it if you could cc me directly on any reply.
>
> Thanks!
>
> Fletcher James
> President
> Levit & James, Inc.
> 703-771-1549
> http://www.levitjames.com
>
--
Regards

stephen_hope(a)xyzworld.com - replace xyz with ntl


From: Merv on
> use up a small amount of addressing from your block for a /30 to have a link
> to the FIOS next hop.
>
> So your outside would be
> 70.x.x.2 255.255.255.252


I believe that Trendkill has already pointed out the negative impact
of attempting this approach:

"then he can't easily subnet what's left without vlan'ing it into a /30,
a /29, a /28, and a /27"
From: Trendkill on
On May 6, 5:32 am, Merv <merv.hr...(a)rogers.com> wrote:
> > use up a small amount of addressing from your block for a /30 to have a link
> > to the FIOS next hop.
> > So your outside would be
> > 70.x.x.2 255.255.255.252
>
> I believe that Trendkill has already pointed out the negative impact
> of attempting this approach:
>
> "then he can't easily subnet what's left without vlan'ing it into a /30,
> a /29, a /28, and a /27"

Yes, he can't use .2. He has been given .66 - .126, and .2 is off
limits. If he takes .68/30 (he was told to avoid .65 for some reason
as well), then he has to vlan/subnet the remaining portion of the /26
into a /28 and /27. Not all that bad, but just a pain to have to deal
with and he loses several addresses. The problem here is Verizon has
not come to the table and said they will do anything, and if he uses
.68/30, he can't get to their .1 interface anymore (they want him to
use the full /24 and only use .65 - .126).

This is why I was saying that if Verizon's FIOS router has a /24 and an
IP of .1, why can't they turn up a secondary virtual interface on it
(secondary IP) of .65 or .69? Then he can do the above to use a /30
and vlan/trunk the rest, which is a pain but will work. If Verizon is
not willing to do that, then he will have to attempt one of the above
solutions with default gateway-next hop interface, etc.
From: Trendkill on
On May 6, 5:51 am, Trendkill <jpma...(a)gmail.com> wrote:
> On May 6, 5:32 am, Merv <merv.hr...(a)rogers.com> wrote:
>
> > > use up a small amount of addressing from your block for a /30 to have a link
> > > to the FIOS next hop.
> > > So your outside would be
> > > 70.x.x.2 255.255.255.252
>
> > I believe that Trendkill has already pointed out the negative impact
> > of attempting this approach:
>
> > "then he can't easily subnet what's left without vlan'ing it into a /30,
> > a /29, a /28, and a /27"
>
> Yes, he can't use .2. He has been given .66 - .126, and .2 is off
> limits. If he takes .68/30 (he was told to avoid .65 for some reason
> as well), then he has to vlan/subnet the remaining portion of the /26
> into a /28 and /27. Not all that bad, but just a pain to have to deal
> with and he loses several addresses. The problem here is Verizon has
> not come to the table and said they will do anything, and if he uses
> .68/30, he can't get to their .1 interface anymore (they want him to
> use the full /24 and only use .65 - .126).
>
> This is why I was saying that if Verizon's FIOS router has a /24 and an
> IP of .1, why can't they turn up a secondary virtual interface on it
> (secondary IP) of .65 or .69? Then he can do the above to use a /30
> and vlan/trunk the rest, which is a pain but will work. If Verizon is
> not willing to do that, then he will have to attempt one of the above
> solutions with default gateway-next hop interface, etc.

Although on second thought, this would work on the way out, but not
the way back in, as the Verizon router still thinks it's a /24 and
would most likely not route to the next hop to get to the .64/26
network. The only way to make this clean is to get them to assign a
/31 or /30 that is not in the /26 they have assigned you or the bigger
/24 that holds it that they insist on forcing upon you. Even if it was
a private IP'ed point to point, that would be fine, provided their
routing is correct, but I'll bet they don't want to split up that
/24. Have you asked them if there is another block that they can
assign you that will allow the usage of a /30 or /31 for this point to
point purpose?
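The address arithmetic behind the /30 carve-out and the Option A overlap, as an added worked example that is not from any poster in the thread. It assumes Python's standard `ipaddress` module and uses the documentation range 198.51.100.64/26 as a constructed stand-in for the thread's 70.x.x.64/26, with the ISP gateway at .1 in the surrounding /24.

```python
import ipaddress

# Constructed stand-ins for the thread's 70.x.x.64/26 block and Verizon's /24 gateway.
BLOCK = "198.51.100.64/26"
ISP_LAN = "198.51.100.0/24"
GATEWAY = "198.51.100.1"


def carve_point_to_point(block, p2p):
    """Reserve a /30 inside the block for the link to the ISP and return the
    CIDR subnets that cover what is left (each needs its own VLAN/subnet)."""
    big = ipaddress.ip_network(block)
    link = ipaddress.ip_network(p2p)
    if not link.subnet_of(big):
        raise ValueError(f"{p2p} is not inside {block}")
    return [str(n) for n in sorted(big.address_exclude(link))]


def usable_hosts(cidrs):
    """Host addresses left once every subnet gives up its network and broadcast."""
    return sum(ipaddress.ip_network(c).num_addresses - 2 for c in cidrs)


def gateway_reachable_from(p2p, gateway):
    """True only if the ISP gateway sits inside the outside interface's subnet,
    i.e. the router can ARP for it directly without proxy ARP or a host route."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_network(p2p)


def overlaps_with_isp_lan(block, outside_if):
    """Option A: an outside interface carrying the ISP's /24 mask claims the whole
    /26 as 'outside', which is why every inside host then needs a /32 route."""
    outside = ipaddress.ip_network(outside_if, strict=False)
    return outside.overlaps(ipaddress.ip_network(block))


def summary(p2p="198.51.100.68/30"):
    """Collect the figures a designer would want before choosing an option."""
    rest = carve_point_to_point(BLOCK, p2p)
    return {
        "remaining_subnets": rest,
        "usable_before": ipaddress.ip_network(BLOCK).num_addresses - 2,
        "usable_after": usable_hosts(rest),
        "gateway_on_link": gateway_reachable_from(p2p, GATEWAY),
        "outside_24_overlaps_block": overlaps_with_isp_lan(BLOCK, "198.51.100.126/24"),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

Running it shows the /26 splitting into a /30, /29, /28 and /27 (62 usable hosts down to 52) and that the ISP's .1 gateway is not on the carved /30, which is the reachability problem Trendkill describes.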
From: Merv on
What is a bit strange here is having a service where Verizon
dishes out a /26, which is beyond anything a normal residence would
require unless it is a multi-unit dwelling. This really is a
business Internet service offering, but it certainly appears that it is
not being supported as such.

Unfortunately the OP does not have access to a Verizon SE or account
manager. If I were him I would write to the President of Verizon and
request to be directed to someone in the Verizon organization who can
address this business issue.
