Routing Question

dj214
Level 1

Hello All:

I need once again to turn to the experts here for some advice and instruction. I ran out of IPs from our initial contract with our ISP. They applied for and were granted a /26 that is non-contiguous with our existing block. I wanted to avoid the headache of migrating everything over to new IPs, so I chose this method but am having a little bit of a problem getting it configured correctly.

The original /27 terminates on one of their routers in our NOC and is then handed off to our Cisco 3640 through an Ethernet drop. That interface looks like this.

interface FastEthernet0/0
description LightPath CKT - xxxxyyyyyzzzzz
ip address 65.x.x.14 255.255.255.252
ip nat outside
speed 100
full-duplex

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

From there, it's routed to our FW:

interface FastEthernet0/1
description LINK TO NSA3500 WAN <GATEWAY>
ip address 65.x.x.194 255.255.255.224
speed 100
full-duplex

[----------------------------------------------------------------------------------------]

Now I have a spare FE port on this router and according to our ISP, he says to configure a VLAN and apply that to the open interface. I have never done something like this and would appreciate some help on getting it done. The new /26 is, let's say, 34.48.108.202 255.255.255.192.

Can someone show me what a working configuration might look like or point me in the right direction?? Thanks in advance. - DJ

2 Accepted Solutions

Jon Marshall
Hall of Fame

DJ

Not sure why you need to do this. If you simply want to use this new address block for Natting servers etc. then just make sure the ISP routes this block to your 3640 router. Then on your 3640 router add a route for this new block pointing to the outside interface of your firewall.

Once you've done that you can use the new block on your firewall.

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.


DJ

I agree with Jon that if you want to use the new address block for address translation for additional devices then all you need is a static route on your router pointing to the firewall (assuming that address translation is done on your firewall). Or if you want to use the new address block to assign addresses to additional devices then all you need on your router is a static route pointing to wherever the devices will be (presumably behind the firewall).

I would like to comment on something else in your post. You show a static default route pointing to the outbound interface:

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

While this may work, it is very suboptimal. I would suggest these reasons why you want to do your static default route differently:

- This will work only if the next hop device supports proxy ARP. If the next hop device does not support proxy ARP, then your static default route will not work. And increasingly organizations are disabling proxy ARP because of security concerns.

- This static default route will cause your router to ARP for every destination that it forwards to.

*   ARPing for every destination will increase the CPU load on the router, since the CPU is used to generate every request and to process every response.

*   ARPing for every destination will increase the size of the ARP table, which will impact memory utilization on the router.

*   ARPing for every destination will increase bandwidth utilization of the link from you to the provider. Since it is Ethernet, that may not be really significant.

*   Remember that ARP entries are flushed and relearned every 4 hours, so the above points will occur for every address in the ARP table every 4 hours.

HTH

Rick

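The following is an added example, not Cisco's code and not the poster's configuration, that models the two points made in the accepted answers: Jon's static route for the new /26 pointing at the firewall's outside interface, and Rick's warning that a default route naming only an exit interface makes the router ARP for every remote destination (and depends on proxy ARP), while a default route with a next-hop address ARPs once for the gateway. All addresses are constructed placeholders from the RFC 5737 documentation ranges, because the thread masks its real 65.x.x.x addresses; the firewall outside address and the ISP gateway address are assumptions, and the `Router`, `Route`, `build_router` and `compare_default_routes` names are this example's own.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Constructed placeholder addressing (RFC 5737 documentation ranges). The thread
# masks its real addresses as 65.x.x.x; the /26 here stands in for the new block.
ISP_LINK = IPv4Network("198.51.100.12/30")        # Fa0/0 link to the ISP router
ISP_GATEWAY = IPv4Address("198.51.100.13")        # ISP side of that link (assumed)
ORIGINAL_27 = IPv4Network("203.0.113.192/27")     # Fa0/1 toward the firewall
FIREWALL_OUTSIDE = IPv4Address("203.0.113.193")   # firewall WAN address (assumed)
NEW_26 = IPv4Network("192.0.2.192/26")            # the non-contiguous new block


@dataclass
class Route:
    prefix: IPv4Network
    interface: str
    next_hop: Optional[IPv4Address] = None    # None means an "interface-only" route
    connected: bool = False                   # directly connected, not a static route

    def to_ios(self) -> str:
        """Render a static route the way it appears in an IOS configuration."""
        via = self.interface if self.next_hop is None else str(self.next_hop)
        return f"ip route {self.prefix.network_address} {self.prefix.netmask} {via}"


@dataclass
class Router:
    routes: list = field(default_factory=list)
    arp_table: set = field(default_factory=set)   # addresses the router has ARPed for

    def lookup(self, dst: IPv4Address) -> Route:
        """Longest-prefix match over the routing table."""
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        if best is None:
            raise LookupError(f"no route to {dst}")
        return best

    def forward(self, dst: IPv4Address):
        """Return (exit interface, address ARPed for) and record the ARP entry.

        With a next-hop route the router resolves the gateway's MAC once. With an
        interface-only route IOS treats the destination as directly connected and
        ARPs for the destination itself, which only succeeds if the device at the
        far end answers via proxy ARP. This is the behaviour Rick describes.
        """
        route = self.lookup(dst)
        arp_target = dst if route.next_hop is None else route.next_hop
        self.arp_table.add(arp_target)
        return route.interface, arp_target


def build_router(default_next_hop: Optional[IPv4Address]) -> Router:
    """Build the 3640's table: two connected networks, Jon's static route for the
    new /26 toward the firewall, and a default route of the chosen style."""
    r = Router()
    r.routes.append(Route(ISP_LINK, "FastEthernet0/0", connected=True))
    r.routes.append(Route(ORIGINAL_27, "FastEthernet0/1", connected=True))
    r.routes.append(Route(NEW_26, "FastEthernet0/1", FIREWALL_OUTSIDE))   # Jon's route
    r.routes.append(Route(IPv4Network("0.0.0.0/0"), "FastEthernet0/0", default_next_hop))
    return r


def compare_default_routes(n_destinations: int = 50) -> dict:
    """Forward to n distinct Internet destinations under each default-route style
    and report how many ARP entries each style leaves in the table."""
    dests = [IPv4Address("192.0.2.0") + i for i in range(1, n_destinations + 1)]
    results = {}
    for label, nh in (("interface_only", None), ("next_hop", ISP_GATEWAY)):
        r = build_router(nh)
        for d in dests:
            r.forward(d)
        results[label] = len(r.arp_table)
    return results


if __name__ == "__main__":
    # Static routes the 3640 would need (connected networks are not "ip route" lines)
    for route in build_router(ISP_GATEWAY).routes:
        if not route.connected:
            print(route.to_ios())
    print(compare_default_routes())
```

Run stand-alone, the block prints the two static routes in IOS syntax and a summary such as `{'interface_only': 50, 'next_hop': 1}`: fifty ARP entries after fifty destinations with the interface-only default, one entry with the next-hop default. The ARP aging Rick mentions is not modelled; it would repeat the same cost for every entry on each aging cycle.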

3 Replies


Jon - this worked. Thanks. Just got back from vacation and well, slow going. This was actually the first time I had to include a block of IPs after the initial issue so it was a little different than I was used to. Thanks again. Tried to give you 5 stars but it's stuck at 1????
