[c-nsp] using a /29 mask on a /30 point-to-point

Peter Rathlev peter at rathlev.dk
Tue Jun 30 20:25:16 EDT 2009


On Tue, 2009-06-30 at 15:44 -0400, Deny IP Any Any wrote:
> Could I configure the subnet on my side of the WAN as a /29? My
> broadcast address would be wrong, but since it's basically a
> point-to-point anyway, I shouldn't need broadcasts. I realize this is
> semi-evil, and might get my Internet drivers license revoked, but what
> would I break by doing this?

To clear up: The PIX uses only two addresses, one for the active unit
and one for the standby unit. The address for the standby unit is only
used to reach the standby when the primary is still active/live. Upon
failover the standby unit becomes active and takes over the IP address of
the former active. Every NAT/PAT is carried over statefully between the
pair. A failover is practically "invisible" for neighbors.

If you couldn't change ISP and absolutely _had_ to do something that
would almost certainly make your successor hate you, then you _could_
configure the PIX with a /29 mask where the addressing is thus:

- PIX primary address is "your" side of the ISP assigned /30
- PIX secondary address is one of the broadcast addresses from the ISP
assigned /30 (the one that is a valid host address in the /29)
- Insert a static /30 route for the other part of the /29.

Example, if the ISP assigned 10.0.0.0/30 for your link and took 10.0.0.1
for themselves (in v7+ format):

! *** pix ***
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.248 standby 10.0.0.3
!
route outside 10.0.0.4 255.255.255.252 10.0.0.1
!

Please just change ISP. :-)

Regards,
Peter
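A worked example of the addressing arithmetic behind the reply above, added here and not part of Peter's post or of any Cisco tool. It uses Python's standard ipaddress module to derive the /29 plan from the ISP's /30 (the constructed 10.0.0.0/30 with 10.0.0.1 on the ISP side, as in the post), to render the resulting PIX lines, and to show with a longest-prefix lookup why the static route for the "other" /30 is mandatory: without it the PIX treats that /30 as on-link, ARPs for it on the outside interface and gets no answer. The function and parameter names are this example's own.

```python
"""Added example: the /29-on-a-/30 trick from the cisco-nsp reply, worked
through with the ipaddress module. Not the original post's code."""
import ipaddress


def plan_wider_mask(isp_link: str, isp_router: str, wider_prefix: int = 29) -> dict:
    """Derive the addressing the post proposes.

    isp_link    -- the ISP-assigned point-to-point block, e.g. "10.0.0.0/30"
    isp_router  -- the ISP's address inside that block, e.g. "10.0.0.1"
    wider_prefix-- the (shorter) prefix the PIX interface would really carry

    Returns primary/standby addresses, the wider network, the /30s inside it
    that the ISP still routes elsewhere ("orphaned", needing static routes)
    and the next hop for those routes.
    """
    link = ipaddress.ip_network(isp_link, strict=True)
    isp = ipaddress.ip_address(isp_router)
    if link.prefixlen != 30 or isp not in link:
        raise ValueError("expected a /30 that contains the ISP router address")
    if wider_prefix >= link.prefixlen:
        raise ValueError("the wider mask must be shorter than the link's /30")

    primary = next(h for h in link.hosts() if h != isp)   # "your" /30 host
    standby = link.broadcast_address                       # /30 broadcast...
    wider = link.supernet(new_prefix=wider_prefix)
    # ...which is an ordinary host address once the mask is widened.
    if standby in (wider.network_address, wider.broadcast_address):
        raise ValueError("standby address would still be a broadcast/network address")

    orphaned = [n for n in wider.subnets(new_prefix=30) if n != link]
    return {
        "primary": primary,
        "standby": standby,
        "wider_net": wider,
        "orphaned_nets": orphaned,
        "next_hop": isp,
    }


def next_hop_for(dst: str, plan: dict, static_routes_installed: bool = True):
    """Longest-prefix match over the PIX table the post configures: the
    connected /29 plus, optionally, the static /30(s).

    Returns ("connected", None) when the PIX would ARP for dst on the outside
    interface, ("static", gateway) when it forwards to the ISP router, and
    ("none", None) when nothing matches (no default route in this toy table).
    """
    d = ipaddress.ip_address(dst)
    table = [(plan["wider_net"], "connected", None)]
    if static_routes_installed:
        table += [(n, "static", plan["next_hop"]) for n in plan["orphaned_nets"]]
    matches = [entry for entry in table if d in entry[0]]
    if not matches:
        return ("none", None)
    best = max(matches, key=lambda entry: entry[0].prefixlen)
    return (best[1], best[2])


def render_pix_config(plan: dict, ifname: str = "GigabitEthernet0/0",
                      nameif: str = "outside") -> list:
    """Emit the interface and route lines in the v7+ syntax shown in the post."""
    lines = [
        f"interface {ifname}",
        f" nameif {nameif}",
        " security-level 0",
        f" ip address {plan['primary']} {plan['wider_net'].netmask} "
        f"standby {plan['standby']}",
        "!",
    ]
    for net in plan["orphaned_nets"]:
        lines.append(f"route {nameif} {net.network_address} {net.netmask} "
                     f"{plan['next_hop']}")
    return lines


if __name__ == "__main__":
    plan = plan_wider_mask("10.0.0.0/30", "10.0.0.1")
    print("\n".join(render_pix_config(plan)))
    for installed in (True, False):
        print(f"static route installed={installed}: 10.0.0.5 ->",
              next_hop_for("10.0.0.5", plan, installed))
```

The lookup makes the failure mode concrete: with the static route, 10.0.0.5 falls under the more specific 10.0.0.4/30 and is sent to 10.0.0.1; without it, the connected /29 wins and the PIX would try to resolve 10.0.0.5 directly on a link where the ISP router only knows a /30.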



