[c-nsp] using a /29 mask on a /30 point-to-point

Arie Vayner (avayner) avayner at cisco.com
Tue Jun 30 17:45:30 EDT 2009


I am not sure exactly how you are trying to configure the PIX, but I
guess you need to have an IP for each PIX, and then a VIP in the same
subnet used for real traffic forwarding.

You can tell your SP to use /30, so for example, they allocate
192.168.1.1 for their side, and 192.168.1.2 for your side.

You can configure on your devices a /28 subnet, allocating PIX #1
192.168.1.4/28, and PIX #2 192.168.1.5/28, then configure the VIP to be
192.168.1.2, as your SP is expecting you to do...

Set your default gateway to point at 192.168.1.1, and you are done.

The only caveat I see is that if for some reason you would need to reach
the other (public) IPs on the /28 you have "abused", you won't be able
to reach them...

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Deny IP Any Any
Sent: Tuesday, June 30, 2009 22:45
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] using a /29 mask on a /30 point-to-point

I have a new ISP for one of our locations, and we currently have a
pair of Cisco PIXs in an active/standby config. The new ISP wants to
give us a /30 for this MetroE WAN link, with one of the IPs being used
for their equipment on their side of the circuit (aka, our default
gateway). This only gives us one IP address for our Primary's external
interface, and none left over for the secondary firewall's external
int (which it requires to be in the same subnet as Primary's ext int).
The ISP refuses to issue a /29 instead, due to a corp policy stemming
from a mis-configured customer many years ago.

What are my options to get this to work? I really don't want to lose
my redundant firewalls, and adding a router (a single point of
failure) to just get redundant firewalls seems self-defeating.

Could I configure the subnet on my side of the WAN as a /29? My
broadcast address would be wrong, but since it's basically a
point-to-point anyway, I shouldn't need broadcasts. I realize this is
semi-evil, and might get my Internet drivers license revoked, but what
would I break by doing this?



-- 
deny ip any any (4393649193 matches)
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
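Added worked example (not from either message in the thread): a short Python script, using only the standard-library ipaddress module, that works through the subnet arithmetic behind the two messages above. It takes the SP's /30 (the 192.168.1.0/30 stand-in from the reply, with .1 as the SP side and .2 as the one customer address), a wider mask on the customer side (/28 as in the reply, /29 as in the original question), and per-unit addresses for the two PIXes, and reports the subnet the PIXes would configure, the broadcast address each side believes in, and the "shadowed" addresses the PIXes would treat as on-link but can never reach. It also rejects a layout that collides with the SP's /30. The function name, the per-unit addresses .4 and .5, and the dict layout are this example's own assumptions.

```python
import ipaddress

# Sample values as used in the thread (RFC 1918 stand-ins): the SP's /30,
# its side of the link (.1) and the one address handed to the customer (.2).
PROVIDER_LINK = "192.168.1.0/30"
GATEWAY = "192.168.1.1"
ASSIGNED = "192.168.1.2"


def _usable(net):
    """Host addresses of a network, excluding network and broadcast."""
    return set(net.hosts())


def plan_failover_subnet(provider_link, gateway, assigned, customer_prefix,
                         primary, secondary):
    """Lay a PIX active/standby pair on a mask wider than the SP's /30.

    provider_link    the /30 the SP routes to the circuit
    gateway          the SP's address on that /30 (our default gateway)
    assigned         the single address the SP gave us; used as the VIP
    customer_prefix  the shorter prefix configured on the PIX side
    primary/secondary  per-unit addresses picked from the wider subnet

    Returns a dict with the wider subnet, the interface addresses, the
    broadcast address each side computes, and the "shadowed" addresses:
    hosts the PIX will consider on-link (and ARP for) although the SP
    routes them elsewhere, so they are unreachable from behind the PIX.
    Raises ValueError if the layout collides with the SP's view of the link.
    """
    link = ipaddress.ip_network(provider_link)
    gw, vip = ipaddress.ip_address(gateway), ipaddress.ip_address(assigned)
    pri, sec = ipaddress.ip_address(primary), ipaddress.ip_address(secondary)

    if customer_prefix >= link.prefixlen:
        raise ValueError("customer mask must be shorter than /%d" % link.prefixlen)
    # Same network bits, shorter mask: the /28 (or /29) that contains the /30.
    wide = ipaddress.ip_network("%s/%d" % (link.network_address, customer_prefix),
                                strict=False)
    if not link.subnet_of(wide):
        raise ValueError("%s is not inside %s" % (link, wide))

    link_hosts = _usable(link)
    if gw not in link_hosts or vip not in link_hosts or gw == vip:
        raise ValueError("gateway and assigned address must be the two hosts of %s" % link)

    wide_hosts = _usable(wide)
    for name, addr in (("primary", pri), ("secondary", sec)):
        if addr not in wide_hosts:
            raise ValueError("%s %s is not a usable host in %s" % (name, addr, wide))
        if addr in link:
            # Everything inside the /30 is the gateway, our VIP, or the /30's
            # network/broadcast address; none of it is free for a unit address.
            raise ValueError("%s %s collides with the SP's %s" % (name, addr, link))
    if pri == sec:
        raise ValueError("primary and secondary must differ")

    # Addresses the PIX believes are on-link but that are neither part of
    # the real /30 nor ours: traffic to them is ARPed for and never reaches
    # the gateway, so those (public) addresses become unreachable.
    shadowed = sorted(a for a in wide_hosts if a not in link and a not in (pri, sec))
    return {
        "customer_net": str(wide),
        "default_gateway": str(gw),
        "vip": str(vip),
        "primary": str(pri),
        "secondary": str(sec),
        # (what the PIX computes, what the SP computes)
        "broadcast_mismatch": (str(wide.broadcast_address), str(link.broadcast_address)),
        "shadowed": [str(a) for a in shadowed],
    }


if __name__ == "__main__":
    for prefix in (28, 29):
        r = plan_failover_subnet(PROVIDER_LINK, GATEWAY, ASSIGNED, prefix,
                                 "192.168.1.4", "192.168.1.5")
        print("/%d -> %s  gw %s  vip %s  units %s / %s" % (
            prefix, r["customer_net"], r["default_gateway"], r["vip"],
            r["primary"], r["secondary"]))
        print("   broadcast PIX=%s SP=%s  unreachable: %s" % (
            r["broadcast_mismatch"] + (", ".join(r["shadowed"]) or "none",)))
```

Running it shows the trade-off in numbers: on a /28 nine other addresses of the block (.6 through .14) are unreachable from behind the firewalls, on a /29 only one (.6); in both cases the PIX and the SP disagree on the broadcast address (.15 or .7 versus .3), which only matters if something on the link actually sends to it.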