[nsp] proxy arp and dual homed internet
Bruce Pinsky
bep at whack.org
Wed May 12 17:03:50 EDT 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Matt Bazan wrote:
| Hey all,
| Got a question on dual homed internet questions and proxy arp
| that I've been unable to figure out. Here's the deal: our company
| hosts our web farm at a co-location facility that provides us with
| redundant internet connectivity. here's how it looks:
|
| to sprint to at&t
| | |
| | |
| colo router 1 colo router 2
| | |
| | |
| colo switch 1 colo switch 2
| | |
| 128.104.221.32 /30 128.104.228.36 /30
| | |
| \ /
| eth0\128.104.221.34 eth1/128.104.221.38
| HA firewall's (active/passive cluster)
|
| colo routers and colo switches are the data center's equipment. HA
| firewall's are my responsibility.
|
| Our primary Internet connection is the 128.104.221.32 net.
|
| In our case they have provided us with an additional /27 block
| (128.104.224.96 /27) that I'm NAT'ing on the outside of our firewall.
| What they're telling me is that in order to provide us with redundant
| internet connections our HA firewall appliance needs to support proxy
| arp. Now I understand proxy arp, I cannot, however, figure out how
| proxy arp is used to provide this redundancy. Their net engineer
| states:
|
|> 'The reason for proxy arp is how we are sending you your
|> netblock. We are routing to your virtual interface, or
|> ethernet port (on our switch). This way if the link or port goes
|
| down the
|
|> route will fall out of the routing table and stop routing to
|> a dead link and then rerouting to the other router to your
|> other connection. Routing this way send a broadcast route on
|> your connection and is asking for a reply. If your device
|> does not support proxy arp then it will not answer for the
|> route and traffic will not flow to your network.'
|
|
| My question is: how does proxy arp enable the above? I don't get it.
| For me, proxy arp has always been used to physically separate one
| subnet..so, my guess is that the ip addressing scheme they have given us
| is actually flat in some manner and their routing techniques are using
| arp to determine if the primary or secondary route is to be used. Can
| someone shed some light on what may be going on here for me? Thanks
| much..
|
Sounds like they don't route your address space to an IP address next-hop
but instead route it to the physical interface. If that is the case,
instead of forwarding all packets in your address space to your firewall,
their router would ARP for all addresses in that address space and your
firewall would have to proxy-arp in response.
That's a pretty crazy way to do it if you ask me. Assuming the routers in
question here are cisco, they could get the same effect by putting in two
static routes, one to each of your firewall IP addresses, and set one of
the routes with a higher admin distance. If the port to the IP address of
the preferred route goes down, then that route will be removed from the
routing table leaving the route with a lower admin distance available.
Might want to have a chat with them about it.
- --
=========
bep
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
iD8DBQFAopE2E1XcgMgrtyYRApL4AJ9XULrLsvglUmhbEidRBnUg7Jk/DwCgoKkn
zJ+szTBRqUtYxDuOAyvsN1A=
=UuPZ
-----END PGP SIGNATURE-----
More information about the cisco-nsp
mailing list