[c-nsp] using a /29 mask on a /30 point-to-point

Deny IP Any Any denyipanyany at gmail.com
Tue Jun 30 15:44:35 EDT 2009


I have a new ISP for one of our locations, and we currently have a
pair of Cisco PIXs in an active/standby config. The new ISP wants to
give us a /30 for this MetroE WAN link, with one of the IPs being used
for their equipment on their side of the circuit (aka, our default
gateway). This only gives us one IP address for our Primary's external
interface, and none left over for the secondary firewall's external
int (which it requires to be in the same subnet as Primary's ext int).
The ISP refuses to issue a /29 instead, due to a corp policy stemming
from a mis-configured customer many years ago.

What are my options to get this to work? I really don't want to lose
my redundant firewalls, and adding a router (a single point of
failure) to just get redundant firewalls seems self-defeating.

Could I configure the subnet on my side of the WAN as a /29? My
broadcast address would be wrong, but since it's basically a
point-to-point anyway, I shouldn't need broadcasts. I realize this is
semi-evil, and might get my Internet driver's license revoked, but what
would I break by doing this?



-- 
deny ip any any (4393649193 matches)
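The asymmetric-mask idea in the post, worked out as an added example (not code from the poster or the list): it compares how each side of the link interprets the addresses when the ISP provisions a /30 but our side is configured as a /29. All addresses are constructed from RFC 5737 documentation space; the ISP network, gateway and secondary-firewall address are assumptions for illustration.

```python
from ipaddress import IPv4Network, IPv4Address, IPv4Interface
from typing import Optional

# Constructed example values (RFC 5737 documentation space), not from the post.
ISP_LINK = IPv4Network("203.0.113.0/30")   # what the ISP actually provisions
ISP_GATEWAY = IPv4Address("203.0.113.1")   # ISP router = our default gateway


def mask_mismatch_report(local_ip: str, local_prefix: int,
                         secondary_ip: Optional[str] = None,
                         isp_net: IPv4Network = ISP_LINK) -> dict:
    """Show what each side believes about the link when our mask is wider.

    Our side ARPs directly for anything it considers on-link; the ISP router
    only answers for, and only routes return traffic onto this link for,
    addresses inside its own /30.
    """
    ours = IPv4Interface(f"{local_ip}/{local_prefix}").network
    on_link_ours = set(ours.hosts())           # what we would ARP for
    # Addresses we treat as neighbours but which the ISP never put on this link:
    wrongly_on_link = sorted(a for a in on_link_ours if a not in isp_net)
    report = {
        "our_network": str(ours),
        "isp_network": str(isp_net),
        "our_broadcast": str(ours.broadcast_address),
        "isp_broadcast": str(isp_net.broadcast_address),
        # With a /29 the ISP's broadcast (.3) looks like an ordinary host to us
        "isp_broadcast_seen_as_host": isp_net.broadcast_address in on_link_ours,
        "wrongly_on_link": [str(a) for a in wrongly_on_link],
        "gateway_on_link": ISP_GATEWAY in ours,
    }
    if secondary_ip is not None:
        sec = IPv4Address(secondary_ip)
        # Same subnet as the primary from the firewall pair's point of view?
        report["secondary_same_subnet_locally"] = sec in ours
        # Will the ISP router actually deliver return traffic for it here?
        report["secondary_routed_on_link"] = sec in isp_net
    return report


if __name__ == "__main__":
    # Primary .2/29, secondary .4: the pair is happy, the ISP is not.
    for k, v in mask_mismatch_report("203.0.113.2", 29, "203.0.113.4").items():
        print(f"{k:32} {v}")
```

The interesting rows are `secondary_same_subnet_locally` (True, so failover config is satisfied) versus `secondary_routed_on_link` (False, so the ISP will not hand traffic for that address to this circuit), plus `isp_broadcast_seen_as_host`.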

