[c-nsp] pseudo rfc 3069 setup

Joe Pruett joey at q7.com
Fri Sep 20 17:32:29 EDT 2013


the basic concept of 3069 is to allow you to assign ip addresses one at
a time to systems in a data center, but still keep them in separate
broadcast domains and avoid ip "stealing". i have been doing this for
quite some time (before i had ever seen the rfc) by using 1 vlan per
customer and a subinterface per vlan. this allows me to use ip
unnumbered on the subinterface and rely on proxy arp if for some reason
customers need to talk to each other. install /32 routes pointing to the
appropriate subint and turn on unicast source reachable and presto! this
lets us keep ip waste to almost 0. also allows for shaping per customer.

anyway, i am now looking at pushing some of this down into the 6509 i'm
playing with and there are 3 ways to get to the same place.

1. put port g#/# in switchport mode, then using vlan# interface with ip
unnumbered. route to vlan#
2. create subint on port g#/# with dot1q native vlan and ip unnumber it.
route to g#/#.#
3. assign fake ip (like 10.#.#.1/30) to base port. route to g#/#

pro/cons:

1. probably gives me the most flexibility, i can provide multiple ports to
a single customer by putting them all in the same vlan. but i wonder if
processing will be heavier that way having to go through the vlan pseudo
interface.
2. pretty close to what i do now, but can't have multiple ports per
customer, since from what i can tell those vlans are just for
in/outbound tagging and don't interact with the switching fabric.
3. feels like it might have the least overhead, but traceroute exposes the fake ip.

and i haven't determined if any of these would have problems with
shaping. they all seem like full interfaces, so i would expect to be
able to shape on any of them.

no one may be as crazy as i am and doing anything like this, so feedback
may be sparse. but, i'm curious if anyone has feelings about which of
1-3 would have the least overhead. i don't have enough time available to
set up a good test between them. they all seem to work, but that's as
far as i've gotten.

as a small isp, we don't have huge amounts of traffic, so it may all be
moot. i just want to keep the customer isolation without burning up ips.
we have lots of single ip customers.

and yes, i have v6 available, but only have 2 customers that have even
started using it. all of these options work great for v6 since i can
just give a /64 to each customer interface.
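As an added illustration of the three options described in the post (this is not the poster's configuration; the interface names, vlan ids and the 192.0.2.0/24 and 10.0.3.0/30 addresses are assumed), one unnumbered customer per option, each with a /32 host route and uRPF on the customer-facing interface:

```cisco
! Added example, not the poster's own config. Interface names, vlan ids and
! addresses are assumed. Proxy ARP is on by default in IOS, so customers in
! different vlans can still reach each other through the router.
interface Loopback0
 description shared gateway address borrowed by every unnumbered interface
 ip address 192.0.2.1 255.255.255.255
!
! Option 1: access port(s) in a customer vlan, routing on the SVI.
! Any number of ports can be added to vlan 101 for the same customer.
interface GigabitEthernet1/1
 switchport
 switchport mode access
 switchport access vlan 101
!
interface Vlan101
 description customer A
 ip unnumbered Loopback0
 ip verify unicast source reachable-via rx
!
ip route 192.0.2.10 255.255.255.255 Vlan101
!
! Option 2: routed port with one subinterface per customer; "native"
! lets the customer send untagged frames. One port per customer only.
interface GigabitEthernet1/2
 no ip address
!
interface GigabitEthernet1/2.102
 description customer B
 encapsulation dot1Q 102 native
 ip unnumbered Loopback0
 ip verify unicast source reachable-via rx
!
ip route 192.0.2.11 255.255.255.255 GigabitEthernet1/2.102
!
! Option 3: throwaway /30 on the physical port. 10.0.3.1 is the hop that
! shows up in the customer's traceroute.
interface GigabitEthernet1/3
 description customer C
 ip address 10.0.3.1 255.255.255.252
 ip verify unicast source reachable-via rx
!
ip route 192.0.2.12 255.255.255.255 GigabitEthernet1/3
```

Because each customer's address is reachable only via its own /32 route, uRPF in rx mode drops packets sourced from a neighbour's address on the wrong interface, which is the ip "stealing" the post wants to prevent; a per-customer service-policy for shaping attaches to the same interface in each case.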

