[c-nsp] using a /29 mask on a /30 point-to-point

Geoffrey Pendery geoff at pendery.net
Wed Jul 1 09:46:42 EDT 2009


Or short of changing ISP, change your layout.

I assume you are receiving either:
A.  One hand-off going to a switch, then ports on that switch used to
connect to outside interfaces of both PIXes.
B.  Two hand-offs, each one going to a PIX outside interface.

If it's A, then adding a router isn't really "adding a single point of
failure", since you already have SPoFs (the single hand-off and the
single switch).  Just replace the switch with either a router or a
layer 3 switch (like a 3560/3750).
If it's B, then add two routers, one for each hand-off, and have them
do HSRP/VRRP/GLBP on the inside for your firewalls.

Either solution seems less likely to get your "Internet Drivers
License revoked" than trying to wrangle some IP trickery on a /28
(suggested above in lieu of /29, probably a better idea since none of
the actual interface addresses will be seen as the broadcast address
by your hosts).

But yes, it would probably work.  And of course correct me if your
layout is actually C.


-Geoff


On Tue, Jun 30, 2009 at 7:25 PM, Peter Rathlev <peter at rathlev.dk> wrote:
> On Tue, 2009-06-30 at 15:44 -0400, Deny IP Any Any wrote:
>> Could I configure the subnet on my side of the WAN as a /29? My
>> broadcast address would be wrong, but since it's basically a
>> point-to-point anyway, I shouldn't need broadcasts. I realize this is
>> semi-evil, and might get my Internet drivers license revoked, but what
>> would I break by doing this?
>
> To clear up: The PIX uses only two addresses, one for the active unit
> and one for the standby unit. The address for the standby unit is only
> used to reach the standby when the primary is still active/live. Upon
> failover the standby unit becomes active and takes over the IP address of
> the former active. Every NAT/PAT is carried over statefully between the
> pair. A failover is practically "invisible" for neighbors.
>
> If you couldn't change ISP and absolutely _had_ to do something that
> would almost certainly make your successor hate you, then you _could_
> configure the PIX with a /29 mask where the addressing is thus:
>
> - PIX primary address is "your" side of the ISP assigned /30
> - PIX secondary address is one of the broadcast addresses from the ISP
> assigned /30 (the one that is a valid host address in the /29)
> - Insert a static /30 route for the other part of the /29.
>
> Example, if the ISP assigned 10.0.0.0/30 for your link and took 10.0.0.1
> for themselves (in v7+ format):
>
> ! *** pix ***
> interface GigabitEthernet0/0
>  nameif outside
>  security-level 0
>  ip address 10.0.0.2 255.255.255.248 standby 10.0.0.3
> !
> route outside 10.0.0.4 255.255.255.252 10.0.0.1
> !
>
> Please just change ISP. :-)
>
> Regards,
> Peter
>
>
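The addressing trick Peter sketches (a wider mask on the PIX pair, the /30 broadcast reused as the standby address, a static route for the rest of the overlay) can be checked before anyone types it into a box. The script below is an added example, not from the thread or from Cisco; it uses Python's ipaddress module to compute the overlay, report how the ISP router (still on its /30) would see the chosen standby address, and render the resulting PIX lines. It also generalises to the /28 variant Geoff mentions. Network and addresses are the constructed 10.0.0.0/30 from Peter's example; the "outside" nameif is assumed.

```python
import ipaddress

def overlay_plan(link, isp_addr, overlay_prefixlen, standby_addr):
    """Model widening the mask on an ISP-assigned point-to-point link.

    link: the ISP-assigned /30 (e.g. "10.0.0.0/30")
    isp_addr: the ISP router's address inside that /30
    overlay_prefixlen: the wider mask the PIX pair would run with (29 or 28)
    standby_addr: the address chosen for the standby PIX
    """
    link_net = ipaddress.ip_network(link, strict=True)
    isp = ipaddress.ip_address(isp_addr)
    standby = ipaddress.ip_address(standby_addr)
    link_hosts = list(link_net.hosts())
    if isp not in link_hosts:
        raise ValueError(f"{isp} is not a host address in {link_net}")
    if overlay_prefixlen >= link_net.prefixlen:
        raise ValueError("overlay mask must be wider than the link mask")
    overlay = link_net.supernet(new_prefix=overlay_prefixlen)
    active = next(h for h in link_hosts if h != isp)   # "your" side of the /30
    if standby in (isp, active) or standby not in overlay.hosts():
        raise ValueError(f"{standby} is not a free host address in {overlay}")
    # How the far side, still configured with the /30, classifies the standby
    # address: a normal host, its own broadcast, or something not on the link.
    far_side_view = "host"
    if standby == link_net.broadcast_address:
        far_side_view = "broadcast"
    elif standby not in link_net:
        far_side_view = "off-link"
    # Everything in the overlay that is not the real /30 must be routed back to
    # the ISP router; otherwise the PIX would ARP for those addresses on the wire.
    static_routes = sorted(overlay.address_exclude(link_net))
    return {
        "overlay": overlay, "active": active, "standby": standby,
        "far_side_view": far_side_view, "static_routes": static_routes,
        "next_hop": isp,
    }

def pix_lines(plan):
    """Render the plan as PIX v7+ style lines (assumes the nameif is 'outside')."""
    mask = plan["overlay"].netmask
    lines = [f" ip address {plan['active']} {mask} standby {plan['standby']}"]
    for net in plan["static_routes"]:
        lines.append(f"route outside {net.network_address} {net.netmask} {plan['next_hop']}")
    return lines

if __name__ == "__main__":
    for prefix, standby in ((29, "10.0.0.3"), (28, "10.0.0.5")):
        plan = overlay_plan("10.0.0.0/30", "10.0.0.1", prefix, standby)
        print(f"/{prefix}: standby {standby} is seen by the ISP side as {plan['far_side_view']}")
        print("\n".join(pix_lines(plan)))
```

With the /29 and 10.0.0.3 the far side regards the standby address as its broadcast; with a /28 and an address from the other /30s it regards it as off-link, so in neither case is the standby reachable from the ISP side without the ISP's cooperation.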

