[nsp] /30 over WAN links

Danny McPherson danny at tcb.net
Fri Feb 6 20:06:59 EST 2004


On Feb 6, 2004, at 8:32 AM, Steve Lim wrote:

> Hello all,
>
> 	It has been an age-old policy at my company to place a /30 over the 
> WAN links ever since who knows when, and I've never really questioned 
> it. But now, we've merged with another company, and they do not follow 
> such a policy at the Access Layer. In fact, they use a /29 (or shorter 
> prefixes, if the customer requires more IPs) over the WAN links, and use 
> the IPs not already used by the respective end interfaces for 
> hosts/devices on the remote/customer end.
>
> 	I had assumed that most, if not all companies use /30s. So this came 
> as a surprise. But more importantly, I can't come up with a good 
> reason why we use /30s either.
>
> My questions:
>
> 1. At the Access Layer, what are the benefits of using /30s over 
> subnets with shorter prefixes?

I'd recommend /31s for point-to-point WAN links, as have many
others.  See RFC 3021 for additional information.

> 2. Are there administrative benefits to such a policy?

Yes.  Especially when it comes to defining access list policies
and the like.

> 3. Are there routing or switching benefits to such a policy?

With a single address block, unless I'm mistaken, the router on the
edge will need to proxy for the customer Link Layer addresses.  I'm
not a big fan of proxy anything, especially when it comes to Link
Layer and shared customer subnets.  Not to mention what this does
to address allocation and punching holes in blocks if customers/
machines are rehomed to other routers and incapable/unwilling to
renumber into new space.

> 4. Is it a best practice policy?

I don't like it.  IMO, a nice cleanly allocated block of addresses for
point-to-point link addressing and summarization, policy specification,
etc., for all IP-addressable internal elements is a better design.  It
also provides for simpler redundancy solutions and the like for
multihomed customers, keeps extra gunk out of your IGP and allows you to
turn off potentially exploitable services (e.g., proxy ARP).  It
doesn't add any benefit in the way of summarization if you've allocated
addresses and specified routing topology intelligently.

If ease of configuration is the concern then something like RFC 3069
and super(?) VLANs helps alleviate the administrative overhead a bit
as well.

-danny
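The two points above that decide the question (how many addresses each link scheme actually consumes under RFC 3021, and how rehoming a customer out of a /29 scheme punches a hole in a router's summary) can be checked with the standard library. The script below is an added illustration, not code from the thread or from either company's tooling; the link prefixes and the "rehomed" customer block are constructed sample data, and the function names are the example's own.

```python
from ipaddress import IPv4Network, collapse_addresses


def usable_addresses(prefix):
    """Addresses assignable to interfaces on the link `prefix`.

    A /31 follows RFC 3021: both addresses are usable on a point-to-point
    link because there is no separate network or broadcast address.
    A /32 has no pair to number.  /30 and shorter lose the first and last
    address to network and broadcast, so a /30 yields exactly two.
    """
    net = IPv4Network(prefix)
    if net.prefixlen == 31:
        return [str(a) for a in net]
    if net.prefixlen == 32:
        return []
    return [str(h) for h in net.hosts()]


def spare_for_hosts(prefix):
    """Addresses left after the two link ends take theirs.

    This is the pool the merged company parks customer hosts in, and it is
    what obliges the edge router to proxy ARP for them on the link.
    """
    return max(0, len(usable_addresses(prefix)) - 2)


def summarize(prefixes):
    """Smallest set of prefixes that covers exactly the given networks,
    i.e. what a router can advertise into the IGP as a summary."""
    return [str(n) for n in collapse_addresses(IPv4Network(p) for p in prefixes)]


# Constructed sample: four point-to-point links on one router, numbered
# contiguously out of a dedicated infrastructure block.
ROUTER_A_LINKS = ["10.0.0.0/31", "10.0.0.2/31", "10.0.0.4/31", "10.0.0.6/31"]

# Constructed sample: one /29 per customer; the customer that held
# 10.0.0.8/29 has been rehomed to another router without renumbering,
# so that block is now routed elsewhere.
ROUTER_A_AFTER_REHOME = ["10.0.0.0/29", "10.0.0.16/29", "10.0.0.24/29"]


if __name__ == "__main__":
    for p in ("10.0.0.0/31", "10.0.0.0/30", "10.0.0.0/29"):
        print(p, "usable:", usable_addresses(p), "spare for hosts:", spare_for_hosts(p))
    print("clean /31 block summarizes to:", summarize(ROUTER_A_LINKS))
    print("after rehoming a /29 customer:", summarize(ROUTER_A_AFTER_REHOME))
```

Run as-is, the four /31 links collapse to a single 10.0.0.0/29, while the /29-per-customer scheme with one block moved away can no longer be expressed as one prefix (the router is left advertising 10.0.0.0/29 and 10.0.0.16/28), which is the "punching holes" effect and the extra IGP state the reply objects to; the /29 also leaves four spare addresses per link that only work for customer hosts if the edge router proxies for them.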
