cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
566
Views
0
Helpful
9
Replies

Subnetting Question

4everlearning
Level 1
Level 1

Hi Guys,

let's say i have 2 routers connected to SP with EBGP and we are using /26 for this connectivity.

Now let's say i have some requirements and limitation on my internal networks where i need to assign IPs from the same range to internal devices BUT i can't forward them over the same subnet. 

 

in this case can i subnet the network from my side further ? 

for example can we do the following case:

From Service Provider side for Point to Point connectivity:

PE1: 192.168.50.2/26

PE2 192.168.50.3/26

HSRP IP: 192.168.50.1/26

 

Now from my side can i use: /27 on the point to point links ? and then on the internal networks use /29 ? 

For example:

X Device 1: 192.168.50.4/27

X Device 2: 192.168.50.5/27

 

then on the internal device i configure /29. so this way the internal device will be able to pass the X devices because they use different subnet and at the same time they will be able to reach the PEs because the PEs configured with large subnet (/26)

 

1) Would this scenario work ?

2) If it works, would that save any IPs or maximize the use of that subnet ?          

1 Accepted Solution

Accepted Solutions

In this case, proxy ARP works when the ISP's router has a broader subnet mask than yours does. If the ISP is running a /26 and you're running a /29, their router will ARP for anything that falls within the /26 because it considers the whole subnet to be directly connected. If you have proxy ARP enabled on your router's ISP-facing interface, it will reply with its own MAC address for these addresses. The ISP router will then forward the Ethernet frame to your router, which will route the packet normally.

It's not normally recommended except in isolated circumstances (subnet mask transition, VPN pools on an Ethernet interface, &c) because it creates unnecessary network traffic and opens up the potential for spoofing... but it might work in this case.

Further information can be found here: Proxy ARP - Cisco

View solution in original post

9 Replies 9

ghostinthenet
Level 7
Level 7

If the two BGP routers are sharing a subnet for connectivity to the ISP, you can (with the participation of the ISP) shave that down to /29. If you're going to subnet a /26, you'll want to bring it down to the tightest mask in order to maximize use.

Local HSRP: 192.168.50.1/29
PE1: 192.168.50.2/29
PE2: 192.168.50.3/29
ISP1: 192.168.50.4/29 (Only if the ISP is using HSRP/VRRP)
ISP1: 192.168.50.5/29 (Only if the ISP is using HSRP/VRRP)
ISP HSRP: 192.168.50.6/29

This gives you the following blocks left from the /26 space for internal use:

192.168.50.8/29
192.168.50.16/28
192.168.50.32/27

So, the answer to your question is yes to one (though you have to use different addressing than what you've proposed) and no to two.

Switching to a /29 for your ISP segment and setting up the other /29 (192.168.50.8/29) for your two devices will work.

Local HSRP: 192.168.50.9/29
PE1: 192.168.50.10/29
PE2: 192.168.50.11/29
X Device 1: 192.168.50.12/29
X Device 2: 192.168.50.13/29

This will also leave you with a /28 and a /27 for future use.

Thanks Jlemoine...

In case i don't have the flexibility to change from SP side, where they have to configure their devices with /26 subnet. 

now from my side if i use smaller subnets for my internal networks taking from the same range that is configured as /26 on service provider side. would this work since those IPs with smaller subnets are still under the umbrella of the service provider big range (/26). 

Or the subnets for point to point connectivity between my devices and service provider should match exactly ?

 

to clarify my example, if service provider has to configure the point to point with /26, and at the same time i have an internal requirements where the subnet needs to be different for my internal devices to be able to bypass some routers and leave my CEs to the SP PEs. 

would i be able from my side to play with the /26 subnets as long as i use smaller subnets (/27 and up) ? 

If the ISP won't change the subnet mask from their side, there's no clean way to do it from your side and have it work well.

If you change the subnet mask unilaterally and apply the other subnets on different interfaces, you'll be relying on proxy ARP support for the ISP's router to get to your other subnets and this just isn't a good strategy.

Assuming you're using NAT with private IPv4 addressing on your internal network, you can use NAT at layer three to forward a public IPv4 address to a private one to perhaps accomplish something similar.

If you can outline what you're trying to accomplish with these two addresses, I might be of further assistance.

Thanks again for the reply Jody

You are right, due to the limitation the proposed option is to use proxy arp. However, i still don't understand how this will work, can you explain how proxy arp will work in this scenario ? Or if you have any documents that explain this point, i will appreciate if you share them

In this case, proxy ARP works when the ISP's router has a broader subnet mask than yours does. If the ISP is running a /26 and you're running a /29, their router will ARP for anything that falls within the /26 because it considers the whole subnet to be directly connected. If you have proxy ARP enabled on your router's ISP-facing interface, it will reply with its own MAC address for these addresses. The ISP router will then forward the Ethernet frame to your router, which will route the packet normally.

It's not normally recommended except in isolated circumstances (subnet mask transition, VPN pools on an Ethernet interface, &c) because it creates unnecessary network traffic and opens up the potential for spoofing... but it might work in this case.

Further information can be found here: Proxy ARP - Cisco

Thanks Jody, that explains it well.

Just one more question, so in order to do proxy arp with the ISP should i change the subnet on my device which connect to the PEs ? or can i use the same subnet with the PEs and then change the subnet for internal networks only ?

For example: 

PE1: 192.168.50.2/26

PE2 192.168.50.3/26

HSRP IP: 192.168.50.1/26

Now from my side can i use also /26 on the point to point links ? and then on the internal networks use /28 (which will give me 4 internal subnets) ? 

X Device Interface 1: 192.168.50.4/26

X Device Interface 2 192.168.50.5/26

Then: 

Internal Networks: four /28 subnets.

OR:

Should i change the subnets on X device Interfaces to /27 and then internal networks to two /28 or four /29?

 

Thanks,

 

 

As for what we try to accomplish, we have /25 subnet Between us and the SP for that site.

now our device has an internal like an internal router and behind it there is like 2 different vlans or networks, those networks behind the internal router use different subnets than each others and also should use a different subnets than the interfaces IPs in order to bypass our device interfaces and go to the SP. 

The proposed solution is to change the subnet and use proxy arp, is there a better approach ?

There's always more than one way to get there, so it depends on what these devices are doing.

I just re-read the question again and something else occurred to me. If you're using a /26 between your ISP and your two edge routers and then running eBGP between them and your ISP, what are you advertising to your ISP with eBGP?

If you're advertising other public IPv4 prefixes, the best approach is to put your devices on another prefix.

In this case we are connected to the PEs using HSRP (not eBGP).

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: