Allocating Public IP Addresses

Discussion in 'Cisco' started by Bob Simon, Jun 26, 2004.

  1. Bob Simon

    Bob Simon Guest

    Several edge routers are on the same public subnet supporting private
    networks off their inside interfaces. I route small additional
    blocks of IP addresses to each router's outside interface to support
    inside servers that need public addresses. I want to allocate these
    blocks as efficiently as possible. If I have four servers that need
    public addresses on one inside subnet, can I use a /30 block of public
    addresses?

    Ordinarily, I know that the first and last addresses in a subnet are
    reserved for the network itself and broadcast. I wonder if there is a
    way to make the core router consider these two reserved addresses as
    additional host addresses so I can use all four.

    --
    Bob Simon
    remove x from domain for private replies
     
    Bob Simon, Jun 26, 2004
    #1

  2. In article <>,
    Bob Simon <> wrote:

    > Several edge routers are on the same public subnet supporting private
    > networks off their inside interfaces. I route small additional
    > blocks of IP addresses to each router's outside interface to support
    > inside servers that need public addresses. I want to allocate these
    > blocks as efficiently as possible. If I have four servers that need
    > public addresses on one inside subnet, can I use a /30 block of public
    > addresses?
    >
    > Ordinarily, I know that the first and last addresses in a subnet are
    > reserved for the network itself and broadcast. I wonder if there is a
    > way to make the core router consider these two reserved addresses as
    > additional host addresses so I can use all four.


    I don't think so. There's a special case that's been done for /31
    blocks, to allow both addresses to be used on a point-to-point link
    (these subnets don't normally need broadcasts). But all other subnet
    sizes are handled using the normal subnetting rules.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
     
    Barry Margolin, Jun 27, 2004
    #2

  3. In article <>,
    Bob Simon <> wrote:

    > Several edge routers are on the same public subnet supporting private
    > networks off their inside interfaces. I route small additional blocks
    > of IP addresses to each router's outside interface to support inside
    > servers that need public addresses. I want to allocate these blocks as
    > efficiently as possible. If I have four servers that need public
    > addresses on one inside subnet, can I use a /30 block of public
    > addresses?


    *If* the edge routers are natting those addresses into the private
    address space of the servers, it's not clear to me if they are or not,
    then you only need one address per server.

    You put a host route on the core router pointing at the appropriate edge
    router for each server address.

    Since NAT is just modifying addresses in headers and there is no
    interface in the network those addresses come from, then network and
    broadcast addresses aren't an issue.

    --
    Rgds,
    Martin
     
    Martin Gallagher, Jun 27, 2004
    #3
  4. Bob Simon

    Bob Simon Guest

    On Sun, 27 Jun 2004 22:25:10 +1000, "Martin Gallagher"
    <> wrote:

    >In article <>,
    > Bob Simon <> wrote:
    >
    >> Several edge routers are on the same public subnet supporting private
    >> networks off their inside interfaces. I route small additional blocks
    >> of IP addresses to each router's outside interface to support inside
    >> servers that need public addresses. I want to allocate these blocks as
    >> efficiently as possible. If I have four servers that need public
    >> addresses on one inside subnet, can I use a /30 block of public
    >> addresses?

    >
    > *If* the edge routers are natting those addresses into the private
    >address space of the servers, it's not clear to me if they are or not,
    >then you only need one address per server.


    Yes. Sorry, I meant to say that.

    > You put a host route on the core router pointing at the appropriate edge
    >router for each server address.


    Instead of a host route for each address, I'd prefer to use a subnet
    route. So four servers on the private network that each need one
    static public address could be satisfied by routing a /30 subnet to
    the outside interface of the edge router. Would the core router
    refuse to route packets to the specified edge router with dest IP of
    the first and last address in the subnet?

    > Since NAT is just modifying addresses in headers and there is no
    >interface in the network those addresses come from, then network and
    >broadcast addresses aren't an issue.


    Exactly. And it makes a much bigger difference when you want to
    allocate public addresses for 7 servers. The normal rules require a
    /28 subnet for this which would waste 9 addresses.

    --
    Bob Simon
    remove x from domain for private replies
     
    Bob Simon, Jun 27, 2004
    #4
  5. On Sun, 27 Jun 2004 16:37:27 -0500, Bob Simon wrote:

    > On Sun, 27 Jun 2004 22:25:10 +1000, "Martin Gallagher"
    > <> wrote:
    >
    >> You put a host route on the core router pointing at the appropriate
    >> edge
    >>router for each server address.

    >
    > Instead of a host route for each address, I'd prefer to use a subnet route.
    > So four servers on the private network that each need one static public
    > address could be satisfied by routing a /30 subnet to the outside
    > interface of the edge router. Would the core router refuse to route
    > packets to the specified edge router with dest IP of the first and last
    > address in the subnet?
    >


    Not sure offhand. There's no problem with forwarding packets with the
    subnet broadcast as destination, so I'd guess the subnet address should be
    forwarded as well.

    --
    Rgds,
    Martin
     
    Martin Gallagher, Jun 28, 2004
    #5
  6. In article <>,
    "Martin Gallagher" <> wrote:

    > On Sun, 27 Jun 2004 16:37:27 -0500, Bob Simon wrote:
    >
    > > On Sun, 27 Jun 2004 22:25:10 +1000, "Martin Gallagher"
    > > <> wrote:
    > >
    > >> You put a host route on the core router pointing at the appropriate
    > >> edge
    > >>router for each server address.

    > >
    > > Instead of a host route for each address, I'd prefer to use a subnet route.
    > > So four servers on the private network that each need one static public
    > > address could be satisfied by routing a /30 subnet to the outside
    > > interface of the edge router. Would the core router refuse to route
    > > packets to the specified edge router with dest IP of the first and last
    > > address in the subnet?
    > >

    >
    > Not sure offhand. There's no problem with forwarding packets with the
    > subnet broadcast as destination, so I'd guess the subnet address should be
    > forwarded as well.


    The router will forward both of them as broadcasts, not unicasts, and
    *only* if you don't have "no ip directed-broadcast" configured on the
    LAN interface. Other machines on the LAN will receive the broadcasts,
    and respond to them; at a minimum the router itself will also respond to
    pings to those addresses.

    If the hosts have correct subnet masks configured, they should not allow
    you to configure them with subnet or broadcast addresses as their
    interface addresses. And TCP is not supposed to respond to broadcasts.

    There might be a way to trick the devices into making this work, but I
    think it would be a very fragile configuration.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
     
    Barry Margolin, Jun 28, 2004
    #6
  7. Bob Simon

    Bob Simon Guest

    On Mon, 28 Jun 2004 09:20:54 -0400, Barry Margolin
    <> wrote:

    >In article <>,
    > "Martin Gallagher" <> wrote:
    >
    >> On Sun, 27 Jun 2004 16:37:27 -0500, Bob Simon wrote:
    >>
    >> > On Sun, 27 Jun 2004 22:25:10 +1000, "Martin Gallagher"
    >> > <> wrote:
    >> >
    >> >> You put a host route on the core router pointing at the appropriate
    >> >> edge
    >> >>router for each server address.
    >> >
    >> > Instead of a host route for each address, I'd prefer to use a subnet route.
    >> > So four servers on the private network that each need one static public
    >> > address could be satisfied by routing a /30 subnet to the outside
    >> > interface of the edge router. Would the core router refuse to route
    >> > packets to the specified edge router with dest IP of the first and last
    >> > address in the subnet?
    >> >

    >>
    >> Not sure offhand. There's no problem with forwarding packets with the
    >> subnet broadcast as destination, so I'd guess the subnet address should be
    >> forwarded as well.

    >
    >The router will forward both of them as broadcasts, not unicasts, and
    >*only* if you don't have "no ip directed-broadcast" configured on the
    >LAN interface. Other machines on the LAN will receive the broadcasts,
    >and respond to them; at a minimum the router itself will also respond to
    >pings to those addresses.
    >
    >If the hosts have correct subnet masks configured, they should not allow
    >you to configure them with subnet or broadcast addresses as their
    >interface addresses. And TCP is not supposed to respond to broadcasts.
    >
    >There might be a way to trick the devices into making this work, but I
    >think it would be a very fragile configuration.


    Barry,
    do you agree with Martin that the way to do this is to, "put a host
    route on the core router pointing at the appropriate edge
    router for each server address"?

    I'm going to end up with 40 - 50 host routes on the core router. Will
    this significantly impact the performance of a 3640?
    Bob

    --
    Bob Simon
    remove x from domain for private replies
     
    Bob Simon, Jun 28, 2004
    #7
  8. In article <>,
    Bob Simon <> wrote:

    > On Mon, 28 Jun 2004 09:20:54 -0400, Barry Margolin
    > <> wrote:
    >
    > >In article <>,
    > > "Martin Gallagher" <> wrote:
    > >
    > >> On Sun, 27 Jun 2004 16:37:27 -0500, Bob Simon wrote:
    > >>
    > >> > On Sun, 27 Jun 2004 22:25:10 +1000, "Martin Gallagher"
    > >> > <> wrote:
    > >> >
    > >> >> You put a host route on the core router pointing at the appropriate
    > >> >> edge
    > >> >>router for each server address.
    > >> >
    > >> > Instead of a host route for each address, I'd prefer to use a subnet
    > >> > route.
    > >> > So four servers on the private network that each need one static public
    > >> > address could be satisfied by routing a /30 subnet to the outside
    > >> > interface of the edge router. Would the core router refuse to route
    > >> > packets to the specified edge router with dest IP of the first and last
    > >> > address in the subnet?
    > >> >
    > >>
    > >> Not sure offhand. There's no problem with forwarding packets with the
    > >> subnet broadcast as destination, so I'd guess the subnet address should be
    > >> forwarded as well.

    > >
    > >The router will forward both of them as broadcasts, not unicasts, and
    > >*only* if you don't have "no ip directed-broadcast" configured on the
    > >LAN interface. Other machines on the LAN will receive the broadcasts,
    > >and respond to them; at a minimum the router itself will also respond to
    > >pings to those addresses.
    > >
    > >If the hosts have correct subnet masks configured, they should not allow
    > >you to configure them with subnet or broadcast addresses as their
    > >interface addresses. And TCP is not supposed to respond to broadcasts.
    > >
    > >There might be a way to trick the devices into making this work, but I
    > >think it would be a very fragile configuration.

    >
    > Barry,
    > do you agree with Martin that the way to do this is to, "put a host
    > route on the core router pointing at the appropriate edge
    > router for each server address"?


    You should be able to do it with subnet routes, you don't need
    individual host routes. Only the leaf router will know that there's
    something special about these attempts to use broadcast addresses as
    host addresses.

    > I'm going to end up with 40 - 50 host routes on the core router. Will
    > this significantly impact the performance of a 3640?


    No, that's nothing. Modern routers can deal with thousands of routes.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
     
    Barry Margolin, Jun 28, 2004
    #8
  9. On Mon, 28 Jun 2004 09:20:54 -0400, Barry Margolin wrote:

    > In article <>,
    > "Martin Gallagher" <> wrote:
    >
    >> Not sure offhand. There's no problem with forwarding packets with the
    >> subnet broadcast as destination, so I'd guess the subnet address should
    >> be forwarded as well.

    >
    > The router will forward both of them as broadcasts, not unicasts, and
    > *only* if you don't have "no ip directed-broadcast" configured on the LAN
    > interface. Other machines on the LAN will receive the broadcasts, and
    > respond to them; at a minimum the router itself will also respond to pings
    > to those addresses.


    Only when you reach the destination network. AIUI, the OP is routing
    these /30 subnets to his edge routers, which then NAT the addresses into
    the private networks on the other side of the edge router. Since the /30
    networks aren't actually configured on any router or host interface, the
    network/broadcast addresses never become significant.

    >
    > If the hosts have correct subnet masks configured, they should not allow
    > you to configure them with subnet or broadcast addresses as their
    > interface addresses. And TCP is not supposed to respond to broadcasts.


    I believe the end hosts have RFC1918 addresses. They never see the
    addresses in the /30s anyway.

    --
    Rgds,
    Martin
     
    Martin Gallagher, Jun 29, 2004
    #9
  10. In article <>,
    "Martin Gallagher" <> wrote:

    > I believe the end hosts have RFC1918 addresses. They never see the
    > addresses in the /30s anyway.


    Ahh, I didn't realize that. When I read "inside servers that need
    public addresses", I thought he was configuring public addresses on the
    servers themselves, not configuring static NAT mappings.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
     
    Barry Margolin, Jun 29, 2004
    #10
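    The design the thread converges on (static one-to-one NAT on each edge
    router, a single subnet route per edge router on the core, and the routed
    block never configured on any interface, so its first and last addresses
    are ordinary unicast destinations) written out as an IOS configuration.
    This is an added example, not configuration from any of the posters. All
    addresses are assumptions: the shared public LAN and the routed block use
    RFC 5737 documentation ranges, the server LAN uses RFC 1918 space, and the
    interface names are placeholders. The same pattern puts seven servers in a
    /29 (eight usable addresses) instead of the /28 the classic rules would
    require.

```cisco
! ===== Core router (the 3640 in the thread) =====
! Assumed addressing (not from the original posts):
!   shared public LAN : 192.0.2.0/24, core = 192.0.2.1, edge A = 192.0.2.10
!   block routed to A : 203.0.113.0/30, all four addresses used
!   servers behind A  : 10.1.1.0/24 (RFC 1918)
interface FastEthernet0/0
 description Shared public LAN towards the edge routers
 ip address 192.0.2.1 255.255.255.0
 ! Barry's caveat: never let this LAN turn subnet/broadcast addresses
 ! into directed broadcasts. Default on IOS 12.0 and later; made explicit.
 no ip directed-broadcast
!
! One subnet route per edge router; no per-server host routes needed.
! 203.0.113.0 and 203.0.113.3 are forwarded as unicast to 192.0.2.10
! because no interface on this router carries 203.0.113.0/30.
ip route 203.0.113.0 255.255.255.252 192.0.2.10
!
! ===== Edge router A =====
interface FastEthernet0/0
 description Outside, on the shared public LAN
 ip address 192.0.2.10 255.255.255.0
 ip nat outside
 no ip directed-broadcast
!
interface FastEthernet0/1
 description Inside, private server LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 no ip directed-broadcast
!
! Static 1:1 mappings. The /30 is never assigned to an interface, so the
! NAT table treats .0 and .3 like any other global address; the servers
! themselves only ever see their 10.1.1.x addresses.
ip nat inside source static 10.1.1.10 203.0.113.0
ip nat inside source static 10.1.1.11 203.0.113.1
ip nat inside source static 10.1.1.12 203.0.113.2
ip nat inside source static 10.1.1.13 203.0.113.3
!
! Return traffic goes back to the core.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

    To check it, `show ip route 203.0.113.3` on the core should resolve to the
    edge router's outside address via the /30 route, and `show ip nat
    translations` on the edge should list the four static entries. The
    upstream provider still has to route 203.0.113.0/30 (or the aggregate it
    belongs to) towards the core; nothing in this configuration advertises it.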
