iBGP next hop and multi-access media
Background: Router A and B are connected via a common ethernet segment 1. Router A uses 10.10.10.1/30, and Router B uses 10.10.10.2/30. Router B also has another subnet configured for ethernet segment 1; 172.16.16.0/24.

When I set up a situation like the above, with Router B advertising the 172.16.16.0/24 to router A, router A sees a next hop of 10.10.10.2. This is not good since packets from A going to the 172.16.16 subnet get sent to Router B, which then ARPs the destination, instead of just being ARPed by router A.

I don't want to turn on ICMP redirects on B since they're insecure and ugly. I've also made sure I'm not using next-hop self. Is there a way to make this work?

Ralph Doncaster
principal, IStop.com
Can you create another segment with 172.16.16? Maybe another dot1q interface?

Regards,
Ezequiel

On Sun, 2002-10-06 at 13:44, Ralph Doncaster wrote:
RD> Date: Sun, 6 Oct 2002 12:44:07 -0400 (EDT)
RD> From: Ralph Doncaster
RD> Router A and B are connected via a common ethernet segment 1.
RD> Router A uses 10.10.10.1/30, and Router B uses 10.10.10.2/30.
RD> Router B also has another subnet configured for ethernet
RD> segment 1; 172.16.16.0/24.
RD>
RD> When I set up a situation like the above, with Router B
RD> advertising the 172.16.16.0/24 to router A, router A sees a
RD> next hop of 10.10.10.2. This is not good since packets from
RD> A going to the 172.16.16 subnet get sent to Router B, which
RD> then ARPs the destination, instead of just being ARPed by
RD> router A.

Is this what you're trying to do:

    route-map <foo>
     match <whatever>
     set ip next-hop <something>

?

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
> Is this what you're trying to do:
>
>     route-map <foo>
>      match <whatever>
>      set ip next-hop <something>
Not really, what I want is router A to learn that there is no next hop IP; the subnet is on the local ethernet.

-Ralph
On Sun, 6 Oct 2002, Ralph Doncaster wrote:
> Not really, what I want is router A to learn that there is no next hop IP; the subnet is on the local ethernet.
(except that 172.x.x.x isn't 'local' to the 10.x.x.x network, even if they are connected to the same physical network)
With the right MASK they could be local :)

On Mon, Oct 07, 2002 at 01:15:59AM +0000, Christopher L. Morrow wrote:
> (except that 172.x.x.x isn't 'local' to the 10.x.x.x network, even if they are connected to the same physical network)
RD> Date: Sun, 6 Oct 2002 21:05:32 -0400 (EDT)
RD> From: Ralph Doncaster
RD> Not really, what I want is router A to learn that there is no
RD> next hop IP; the subnet is on the local ethernet.

As others are saying... it isn't "local". It's not "local" unless in the same subnet. Physical topology often correlates with higher layers, but it's not strictly 1:1.

Add a secondary IP address to the router you want to use ARP, utilize a static route to an interface, or just live with the way IP works. (Then what about the path in the other direction?)

Just remember that IGP complexity is not your friend. Make sure the answer is better than the problem.

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
On Mon, 7 Oct 2002, E.B. Dreger wrote:
> As others are saying... it isn't "local". It's not "local" unless in the same subnet. Physical topology often correlates with higher layers, but it's not strictly 1:1.
Manually configuring a static route in router A would achieve the result:

    ip route 172.16.16.0 255.255.255.0 fa0/0

However, I'm surprised that there's no dynamic routing protocol that allows you to do everything you can with static routes.

-Ralph
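The static route above changes router A's behaviour for two reasons that the thread only states in passing: a static (administrative distance 1) beats the iBGP route (distance 200) for the same prefix, and a next hop that is an interface rather than an address means "ARP for the destination host itself" instead of "hand the packet to 10.10.10.2". The following Python model of router A's lookup is an added example, not anything posted in the thread; the route sources, the distance table and the shape of the forward() result are this model's own simplification, while the addresses and interface name are the ones from the original question.

```python
"""Toy RIB lookup for router A: iBGP next hop vs. a static pointed at the interface (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Cisco-style administrative distances (assumed for the example): lower wins for an equal prefix.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ibgp": 200}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None: prefix is attached, ARP for the destination itself
    interface: str
    source: str  # key into ADMIN_DISTANCE


class Router:
    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: list[Route] = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match; ties on prefix length are broken by administrative distance."""
        candidates = [r for r in self.routes if dst in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -ADMIN_DISTANCE[r.source]))

    def forward(self, dst: str) -> dict:
        """Return the outgoing interface and the IP this router must ARP for to deliver to dst."""
        dst_ip = ipaddress.ip_address(dst)
        route = self.lookup(dst_ip)
        if route is None:
            return {"interface": None, "arp_for": None, "via": None}
        if route.next_hop is None:
            # Attached prefix (connected, secondary address, or a static pointed at the interface):
            # the destination host itself is resolved with ARP on this segment.
            return {"interface": route.interface, "arp_for": str(dst_ip), "via": None}
        # Recursive next-hop resolution, as a BGP route with a remote next hop needs: the next hop
        # must ultimately fall inside an attached prefix. Depth is bounded to stop next-hop loops.
        hop = route.next_hop
        for _ in range(8):
            hop_route = self.lookup(hop)
            if hop_route is None:
                break
            if hop_route.next_hop is None:
                return {"interface": hop_route.interface, "arp_for": str(hop), "via": str(route.next_hop)}
            hop = hop_route.next_hop
        return {"interface": None, "arp_for": None, "via": str(route.next_hop)}


def build_router_a() -> Router:
    """Router A as described in the thread: 10.10.10.1/30 on fa0/0, 172.16.16.0/24 learned over iBGP from B."""
    a = Router("A")
    a.add(Route(ipaddress.ip_network("10.10.10.0/30"), None, "fa0/0", "connected"))
    # B advertises its secondary subnet; B's own address is the next hop (no next-hop-self involved).
    a.add(Route(ipaddress.ip_network("172.16.16.0/24"), ipaddress.ip_address("10.10.10.2"), "fa0/0", "ibgp"))
    return a


def add_interface_static(router: Router) -> None:
    """Equivalent of 'ip route 172.16.16.0 255.255.255.0 fa0/0' from the thread."""
    router.add(Route(ipaddress.ip_network("172.16.16.0/24"), None, "fa0/0", "static"))


if __name__ == "__main__":
    a = build_router_a()
    print("iBGP only  :", a.forward("172.16.16.50"))  # ARPs for 10.10.10.2: the packet goes through B
    add_interface_static(a)
    print("with static:", a.forward("172.16.16.50"))  # ARPs for 172.16.16.50 itself
```

Before the static is added, forward() reports that A ARPs for 10.10.10.2 and hands the packet to B, which is exactly the extra hop the original question complains about; after it, the static wins on distance and A ARPs for the host directly.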
On Sun, 6 Oct 2002, Ralph Doncaster wrote:
> Manually configuring a static route in router A would achieve the result:
>
>     ip route 172.16.16.0 255.255.255.0 fa0/0
Why are we doing basic IP routing 101 on NANOG? Don't route IP blocks to the ethernet. That's using ARP as your routing protocol and it's horribly fragile. I've seen one ISP do that (they were very technically challenged) and it's a setup that broke way too easily.

Paging Dalph Roncaster. Clean-up in aisle one.

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
On Sun, 6 Oct 2002, jlewis@lewis.org wrote:
> Why are we doing basic IP routing 101 on NANOG?
OK, since it's so basic why don't you explain how to have router A dynamically learn from router B that there is a new subnet on the local ethernet?
> Don't route IP blocks to the ethernet. That's using ARP as your routing protocol and it's horribly fragile. I've seen one ISP do that (they were very technically challenged) and it's a setup that broke way too easily.
So then what do you call a connected route (for an ethernet interface on a router)? If you use ethernet, at the edges of your network you HAVE to route IP blocks to the ethernet.

-Ralph
OK, I'll bite.

I've been doing ip route statements going on 8 years now, and I can't imagine why ever -- and how it would even work -- you'd want to ip route a netblock with a next hop of a multi-access broadcast media. As in, the next hop is still truly undetermined.

I guess I don't know this because I've never tried it. But, how does the router determine where to send the packets for a route statement as specified above (ip route a.b.c.d e.f.g.h f0/0) ?
> So then what do you call a connected route (for an ethernet interface on a router)? If you use ethernet, at the edges of your network you HAVE to route IP blocks to the ethernet.
>
> -Ralph
-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben --
-- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
On Mon, 7 Oct 2002, Alex Rubenstein wrote:
> I've been doing ip route statements going on 8 years now, and I can't imagine why ever -- and how it would even work -- you'd want to ip route a netblock with a next hop of a multi-access broadcast media. As in, the next hop is still truly undetermined.
>
> I guess I don't know this because I've never tried it. But, how does the router determine where to send the packets for a route statement as specified above (ip route a.b.c.d e.f.g.h f0/0) ?
When you set up a secondary ip on an interface

    int fa0/0
     ip address a.b.c.d e.f.g.h secondary

How does it determine where to send the packets? ARP. Which is the same as adding the route described above.

-Ralph
Aha.

So, if you route to an ethernet interface, it will try to arp for that address on that subnet, even without having a local address on the same subnet?

This seems to me to be something you don't want to do.

Is the entire route valid as long as the router can ARP for one of the addresses in the routed subnet?

On Mon, 7 Oct 2002, Ralph Doncaster wrote:
> When you set up a secondary ip on an interface
>
>     int fa0/0
>      ip address a.b.c.d e.f.g.h secondary
>
> How does it determine where to send the packets? ARP. Which is the same as adding the route described above.
>
> -Ralph
My understanding is the route is valid as long as the interface is up; just like adding a secondary IP on the interface.

Ralph Doncaster
principal, IStop.com

On Mon, 7 Oct 2002, Alex Rubenstein wrote:
> Aha.
>
> So, if you route to an ethernet interface, it will try to arp for that address on that subnet, even without having a local address on the same subnet?
>
> This seems to me to be something you don't want to do.
>
> Is the entire route valid as long as the router can ARP for one of the addresses in the routed subnet?
Are you just asking a question to get a better understanding of how things work, Ralph or have you already put this into production and are wondering why it doesn't work a certain way?
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Ralph Doncaster
Sent: Monday, October 07, 2002 12:43 AM
To: Alex Rubenstein
Cc: nanog@merit.edu
Subject: Re: iBGP next hop and multi-access media
> My understanding is the route is valid as long as the interface is up; just like adding a secondary IP on the interface.
>
> Ralph Doncaster
> principal, IStop.com
It's a theoretical question. So far I've had one person email me saying OSPF can advertise a subnet as local on a shared multi-access media. If in fact BGP can't do this, then it's no big deal to me as nothing in my network relies on this functionality.

Ralph Doncaster
principal, IStop.com

On Mon, 7 Oct 2002, Jason Lixfeld wrote:
> Are you just asking a question to get a better understanding of how things work, Ralph, or have you already put this into production and are wondering why it doesn't work a certain way?
Ok, so correct me if I'm wrong here (I'm just trying to paint a picture of what this thread is trying to conceive):

RA-FA1: 10.10.10.1/30
RB-FA0: 10.10.10.2/30, 172.16.16.1/24 secondary?

iBGP setup between RA & RB. RB announces to RA with a next-hop of the primary address on FA0; RA announces to RB with a next-hop of the primary address on FA1. When iBGP announces 172.16.16 to RA, you want it to announce with a next-hop of 172.16.16.1 as opposed to the primary address 10.10.10.2. Is that right?
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Ralph Doncaster
Sent: Monday, October 07, 2002 12:56 AM
To: Jason Lixfeld
Cc: 'Alex Rubenstein'; nanog@merit.edu
Subject: RE: iBGP next hop and multi-access media
> It's a theoretical question. So far I've had one person email me saying OSPF can advertise a subnet as local on a shared multi-access media. If in fact BGP can't do this, then it's no big deal to me as nothing in my network relies on this functionality.
>
> Ralph Doncaster
> principal, IStop.com
Can someone please explain to me *why* you are trying to come up with *complicated* configurations as opposed to (a) defining your connected routes on all the routers that would be using it, or (b) letting IP do what it is supposed to do?

Oh, and finally, should you be using such super-interesting methods of finding where to go, I certainly hope that the network is secure from little arp games that someone can play.

Alex
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Ralph Doncaster
Sent: Monday, October 07, 2002 12:56 AM
To: Jason Lixfeld
Cc: 'Alex Rubenstein'; nanog@merit.edu
Subject: RE: iBGP next hop and multi-access media
> It's a theoretical question. So far I've had one person email me saying OSPF can advertise a subnet as local on a shared multi-access media. If in fact BGP can't do this, then it's no big deal to me as nothing in my network relies on this functionality.
>
> Ralph Doncaster
> principal, IStop.com
> Can someone please explain to me *why* you are trying to come up with *complicated* configurations as opposed to
>
> (a) defining your connected routes on all the routers that would be using it.
I've asked because I wanted to know if any routing protocol redistributes information about directly connected multi-access networks. It seems pretty obvious to me that if you have an ethernet segment with multiple routers on it that adding a secondary IP to each one is more complicated and error-prone than adding it to one and having a dynamic routing protocol notify the rest of the routers on the segment.

It also seems that the answer I was looking for, at least as far as iBGP is concerned, is no. However, rather than just saying, "no, BGP can't do this," many people have decided to brag about how smart they are because they don't ask questions about how BGP works.

So now I can sit back and watch the chest-thumping continue...

-Ralph
> > (a) defining your connected routes on all the routers that would be using it.
>
> I've asked because I wanted to know if any routing protocol redistributes information about directly connected multi-access networks.
>
> It seems pretty obvious to me that if you have an ethernet segment with multiple routers on it that adding a secondary IP to each one is more complicated and error-prone than adding it to one and having a dynamic routing protocol notify the rest of the routers on the segment.

Wrong. It makes you think about "Why am I doing it".

> It also seems that the answer I was looking for, at least as far as iBGP is concerned, is no. However rather than just saying, "no, BGP can't do this" many people have decided to brag about how smart they are because they don't ask questions about how BGP works.

Wrong again. They tend to RTFM first.

Alx
On Mon, 7 Oct 2002, Ralph Doncaster wrote:
> It seems pretty obvious to me that if you have an ethernet segment with multiple routers on it that adding a secondary IP to each one is more complicated and error-prone than adding it to one and having a dynamic routing protocol notify the rest of the routers on the segment.
They are dynamic routing protocols, not dynamic gateway-creation protocols. You're asking iBGP to create an interface. iBGP (and other dynamic routing protocols) don't do that.

Pete
--
Peter J. Templin, Jr., CCNP, CCDP
Networking Consultant
On-Line Internet Services - URDirect.net
A division of Global On-Line Computers
5606 Randolph Blvd, San Antonio, TX 78233
templin@urdirect.net
(210)692-9911
On Mon, 07 Oct 2002 14:16:43 CDT, Pete Templin said:
> They are dynamic routing protocols, not dynamic gateway-creation protocols. You're asking iBGP to create an interface. iBGP (and other dynamic routing protocols) don't do that.
I suppose they *could* - the fun then starts when you get a routing flap and the other router tells you that you're not on one subnet because the subnet is unreachable and would you please remove the interface? And I'm willing to bet that there's a lack of MD5 at the important places in the dataflow... ;)

What's puzzling me is how anybody has a big enough net that subnets are being added fast enough that automating the process is needed, but they don't already have a way to centrally manage the routers so they can just push the needed 'ip route 172.16.16.0 255.255.255.0 fa0/0' out somehow.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
On Mon, 07 Oct 2002 15:37:16 -0400, Valdis.Kletnieks@vt.edu wrote:
> I suppose they *could* - the fun then starts when you get a routing flap and the other router tells you that you're not on one subnet because the subnet is unreachable and would you please remove the interface? And I'm willing to bet that there's a lack of MD5 at the important places in the dataflow... ;)
>
> What's puzzling me is how anybody has a big enough net that subnets are being added fast enough that automating the process is needed, but they don't already have a way to centrally manage the routers so they can just push the needed 'ip route 172.16.16.0 255.255.255.0 fa0/0' out somehow.
And even so, many of us have learned in very painful ways that running more than one IP subnet on the same physical network can get you into trouble very quickly. For a small SOHO network, fine, but then you usually don't use dynamic routing protocols anyway. Here's just a small sampling of what can go wrong:

1) A broadcast storm cripples all your subnets and slows some of your machines to a crawl.

2) A compromise on a machine leads to ARP mischief (such as theft of another subnet's default gateway IP), leading to TCP hijacking, password theft, or worse.

3) A DoS attack causes one machine to be completely knocked out (locks up, or reboots but fails to come back on after shutting itself off, or locks in an fsck in single user mode or some such). The DoS attack continues until the switch's table entry for that hardware address expires. Now the DoS attack pops out every port on every machine.

And on, and on, and on. You want as few machines as possible on a single Ethernet LAN because Ethernet has no protection against various types of subterfuge.

DS
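Item 2 in DS's list, ARP mischief against a gateway address, is something you can watch for on the segment itself, which matters doubly when several subnets (and therefore several gateway addresses) share one broadcast domain. The following Python is an added example, not part of the thread: it reads tcpdump-style ARP reply lines (a constructed sample is embedded) and flags any IP that is answered by more than one MAC, with a separate alert when a known gateway address is claimed by a MAC other than the expected one. The line format, the expected-gateway table and the MACs are assumptions made for the example; the addresses are the thread's.

```python
"""Flag ARP replies that claim an IP already bound to a different MAC (added example)."""
import re
from collections import defaultdict

# tcpdump -n style ARP lines; timestamps, hosts and MACs are constructed for this example.
SAMPLE_CAPTURE = """\
12:00:01.000 ARP, Request who-has 10.10.10.2 tell 10.10.10.1, length 28
12:00:01.001 ARP, Reply 10.10.10.2 is-at 00:11:22:33:44:02, length 28
12:00:02.000 ARP, Reply 172.16.16.1 is-at 00:11:22:33:44:02, length 28
12:00:03.000 ARP, Request who-has 172.16.16.20 tell 172.16.16.1, length 28
12:00:03.001 ARP, Reply 172.16.16.20 is-at 00:AA:BB:CC:DD:20, length 28
12:00:09.000 ARP, Reply 172.16.16.1 is-at 00:aa:bb:cc:dd:99, length 28
"""

# Expected gateway bindings (assumed for the example). Router B legitimately answers for both
# its primary and its secondary address with the same MAC, so one MAC for two IPs is normal;
# two MACs for one IP is not.
KNOWN_GATEWAYS = {
    "10.10.10.2": "00:11:22:33:44:02",
    "172.16.16.1": "00:11:22:33:44:02",
}

ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9A-Fa-f:]{17})")


def parse_arp_replies(capture: str) -> list[tuple[str, str]]:
    """Return (ip, mac) pairs from ARP reply lines; requests are ignored, MACs are lower-cased."""
    pairs = []
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def detect_conflicts(capture: str, known_gateways: dict[str, str]) -> dict:
    """Report IPs claimed by more than one MAC, and gateway IPs answered by an unexpected MAC."""
    macs_by_ip: dict[str, list[str]] = defaultdict(list)
    gateway_alerts: list[tuple[str, str]] = []
    for ip, mac in parse_arp_replies(capture):
        if mac not in macs_by_ip[ip]:
            macs_by_ip[ip].append(mac)  # first-seen order is kept so the report shows who answered first
        expected = known_gateways.get(ip)
        if expected is not None and mac != expected.lower():
            gateway_alerts.append((ip, mac))
    conflicts = {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}
    return {"conflicts": conflicts, "gateway_alerts": gateway_alerts}


if __name__ == "__main__":
    report = detect_conflicts(SAMPLE_CAPTURE, KNOWN_GATEWAYS)
    for ip, macs in report["conflicts"].items():
        print(f"CONFLICT {ip} claimed by {', '.join(macs)}")
    for ip, mac in report["gateway_alerts"]:
        print(f"GATEWAY  {ip} answered by unexpected MAC {mac}")
```

On the sample, the last line is the one to worry about: 172.16.16.1 is the secondary-subnet gateway and is suddenly answered by a second MAC, so it shows up both as a conflict and as a gateway alert, while router B answering for two IPs with one MAC produces nothing.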
On Mon, 7 Oct 2002, Ralph Doncaster wrote: [from previous mail]
> > Ralph, how do you intend on getting traffic *OUT* of this subnet? Static arp entries on all the hosts? Proxy arp? It seems like that would be a lot more work and much more failure prone in the long run.
>
> What, you don't use a static default route on your end hosts? Are you one of those crazy types that run RIP on your IIS/NT servers?

Default route yes, to an IP address yes. You have to configure the IP address on the router tho!
> > Can someone please explain to me *why* you are trying to come up with *complicated* configurations as opposed to
> > (a) defining your connected routes on all the routers that would be using it.
>
> I've asked because I wanted to know if any routing protocol redistributes information about directly connected multi-access networks.

Yes, but only assuming you have a connected IP network or static route; other routers then have no way of knowing if they are connected to the same layer 2 media unless you explicitly tell them.

Regarding the question of statics to multiaccess networks, my personal opinion on that is that it's a bug more than a feature. It shouldn't be allowed as it's messy and by design each station on a multiaccess network should be able to identify itself and properly map between layers, ie IP to MAC via ARP. By static routing you have no valid source IP...

> It seems pretty obvious to me that if you have an ethernet segment with multiple routers on it that adding a secondary IP to each one is more complicated and error-prone than adding it to one and having a dynamic routing protocol notify the rest of the routers on the segment.

L2 isn't L3 tho.

> It also seems that the answer I was looking for, at least as far as iBGP is concerned, is no. However rather than just saying, "no, BGP can't do this" many people have decided to brag about how smart they are because they don't ask questions about how BGP works.

I think the real question is more of how L3 to L2 protocols function; the fact that they don't do what is assumed in the original question means the question about iBGP isn't really valid..

> So now I can sit back and watch the chest-thumping continue...

Oo oo aar aar

Steve

> -Ralph
On Mon, 7 Oct 2002, Ralph Doncaster wrote:
> My understanding is the route is valid as long as the interface is up; just like adding a secondary IP on the interface.

If you are going through all this trouble, why not just secondary the interface, and while you're at it run HSRP or VRRP and provide some HA-ness for your LAN?
On Mon, 7 Oct 2002, Ralph Doncaster wrote:
> When you set up a secondary ip on an interface
>
>     int fa0/0
>      ip address a.b.c.d e.f.g.h secondary
>
> How does it determine where to send the packets? ARP. Which is the same as adding the route described above.
From what I've read so far, it looks like you're asking for is more like automatic discovery of new subnets local to a given segment, followed by preferential route selection similar to HSRP.
Except above, you're claiming that adding a secondary interface is the same as adding a route. It's not, as adding the secondary interface provides a logical link between a layer 3 address and a layer 2 address, so that ARP is not needed to find the next-(layer 3)-hop, only to find the next layer 2 hop. Again, let's move routing 101 to different venue. Pete -- Peter J. Templin, Jr., CCNP, CCDP Networking Consultant On-Line Internet Services - URDirect.net A division of Global On-Line Computers 5606 Randolph Blvd templin@urdirect.net San Antonio, TX 78233 (210)692-9911
I guess I don't know this because I've never tried it. But, how does the router determine where to send the packets for a route statement as specified above (ip route a.b.c.d e.f.g.h f0/0) ?
When you set up a secondary IP on an interface:
int fa0/0
ip address a.b.c.d e.f.g.h secondary
How does it determine where to send the packets? ARP. Which is the same as adding the route described above.
No it is not. In this case you defined a direct connection. IP does not know about this direct connection without that. Should you drop that secondary line... Alex
On Mon, Oct 07, 2002 at 12:15:40AM -0400, Alex Rubenstein wrote:
OK, I'll bite.
I've been doing ip route statements going on 8 years now, and I can't imagine why ever -- and how it would even work -- you'd want to ip route a netblock with a next hop of a multi-access broadcast media. As in, the next hop is still truly undetermined.
I guess I don't know this because I've never tried it. But, how does the router determine where to send the packets for a route statement as specified above (ip route a.b.c.d e.f.g.h f0/0) ?
A cisco router with the default (ip proxy-arp) enabled on the interface will spend all its time doing arp/proxy-arp for the hosts and it will actually work, believe it or not. You'll notice massive cpu utilization. People who do this tend to not have a lot of clue or notice when their cpu is spending all its time doing this... One should always turn proxy-arp off on your interfaces, both internal and customer facing, so they don't make your router bear the load because they cannot configure their devices logically. - Jared
So then what do you call a connected route (for an ethernet interface on a router)? If you use ethernet, at the edges of your network you HAVE to route IP blocks to the ethernet.
-Ralph
-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben -- -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Proxy arp will still send the data through the other router though; the only difference is now router B believes router A to be the destination station. Seems like you're worse off than you were before. (Plus I hate proxy arp in non-SOHO environments!) Steve -- Stephen J. Wilcox BSc (Hons), CCNA, CCNP, CCIE wr. Technical Director, Telecomplete http://www.telecomplete.co.uk/ On Mon, 7 Oct 2002, Jared Mauch wrote:
On Mon, Oct 07, 2002 at 12:15:40AM -0400, Alex Rubenstein wrote:
OK, I'll bite.
I've been doing ip route statements going on 8 years now, and I can't imagine why ever -- and how it would even work -- you'd want to ip route a netblock with a next hop of a multi-access broadcast media. As in, the next hop is still truly undetermined.
I guess I don't know this because I've never tried it. But, how does the router determine where to send the packets for a route statement as specified above (ip route a.b.c.d e.f.g.h f0/0) ?
A cisco router with the default (ip proxy-arp) enabled on the interface will spend all its time doing arp/proxy-arp for the hosts and it will actually work, believe it or not.
You'll notice massive cpu utilization.
People who do this tend to not have a lot of clue or notice when their cpu is spending all its time doing this... One should always turn proxy-arp off on your interfaces, both internal and customer facing, so they don't make your router bear the load because they cannot configure their devices logically.
- Jared
So then what do you call a connected route (for an ethernet interface on a router)? If you use ethernet, at the edges of your network you HAVE to route IP blocks to the ethernet.
-Ralph
-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben -- -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
A cisco router with the default (ip proxy-arp) enabled on the interface will spend all its time doing arp/proxy-arp for the hosts and it will actually work, believe it or not.
I spent quite a few cycles trying to convince Cisco that changing this default in the next major release is a very good idea. Unfortunately I failed. Pete
Manually configuring a static route in router A would achieve the result: ip route 172.16.16.0 255.255.255.0 fa0/0
Why are we doing basic IP routing 101 on NANOG?
OK, since it's so basic why don't you explain how to have router A dynamically learn from router B that there is a new subnet on the local ethernet?
It cannot. IP works on layer 3. Ethernet is layer 2. Your local grouping happens on layer 2. Layer 3 does not know about it unless you TELL it about it.
So then what do you call a connected route (for an ethernet interface on a router)? If you use ethernet, at the edges of your network you HAVE to route IP blocks to the ethernet.
A connected route is installed only when you *CONFIGURE* it, something that you are refusing to do. Configure the connected route by assigning a secondary to the interface and your router will *know* that it can reach that subnet directly. If you do not want to do that, configure a dynamic routing protocol or insert a static route pointing to a router which knows how to reach that network directly. Alex
On Mon, 7 Oct 2002, Ralph Doncaster wrote:
As others are saying... it isn't "local". It's not "local" unless in the same subnet. Physical topology often correlates with higher layers, but it's not strictly 1:1.
Manually configuring a static route in router A would achieve the result: ip route 172.16.16.0 255.255.255.0 fa0/0
Why are we doing basic IP routing 101 on NANOG?
OK, since it's so basic why don't you explain how to have router A dynamically learn from router B that there is a new subnet on the local ethernet?
You don't. Even if you did somehow manage that on the routers, how will the hosts get packets back to a router for which they have no route? With no route to get packets back to the router, they're going to use their default route. Or you could write your own IP stack. I have a friend who did this for a networked environmental probe. Rather than utilizing IP routing, this device's primitive IP stack simply sends replies to the MAC address from which they came. I suspect the IP stack on Cisco switches may do something similar. I don't think you're going to find this functionality in many 'normal' IP stacks.
Don't route IP blocks to the ethernet. That's using ARP as your routing protocol and it's horribly fragile. I've seen one ISP do that (they were very technically challenged) and it's a setup that broke way too easily.
So then what do you call a connected route (for an ethernet interface on a router)? If you use ethernet, at the edges of your network you HAVE to route IP blocks to the ethernet.
I don't have to. Go ahead and do it your way. ---------------------------------------------------------------------- Jon Lewis *jlewis@lewis.org*| I route System Administrator | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Sun, Oct 06, 2002 at 11:40:11PM -0400, Ralph Doncaster wrote:
Manually configuring a static route in router A would achieve the result: ip route 172.16.16.0 255.255.255.0 fa0/0
However, I'm surprised that there's no dynamic routing protocol that allows you to do everything you can with static routes.
Ralph, how do you intend on getting traffic *OUT* of this subnet? Static arp entries on all the hosts? Proxy arp? It seems like that would be a lot more work and much more failure prone in the long run. Step up to the plate, configure a secondary address, and let normal routing protocols do their job. There is no compelling reason to implement an intentionally broken network, just to prove to us all how quirky you are. Thanks, --msa
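The three router behaviours argued over in this thread (a prefix reached via a next-hop router, `ip route 172.16.16.0 255.255.255.0 fa0/0` with no address in that subnet, and a genuine connected route from a secondary address), together with the host-side return path Majdi and Jon raise, as a small Python model. This is an added example, not code from the thread or from any vendor: the addresses 10.10.10.1/30, 10.10.10.2/30 and 172.16.16.0/24 are the thread's, while the host addresses, Router B's LAN address 172.16.16.1 and Router A's hypothetical secondary 172.16.16.2 are constructed for the demo.

```python
"""Toy model of the forwarding decisions argued over in this thread.

Added example, not code from the thread or from any vendor. The addresses
10.10.10.1/30, 10.10.10.2/30 and 172.16.16.0/24 come from the thread; the
host addresses, Router B's LAN address 172.16.16.1 and Router A's secondary
172.16.16.2 are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    next_hop: Optional[IPv4Address] = None  # None: "ip route <net> <mask> <interface>"
    connected: bool = False                 # True: the interface owns an address in prefix


@dataclass(frozen=True)
class Decision:
    interface: str
    arp_target: IPv4Address  # the layer-3 address the router resolves on the wire
    kind: str                # "next-hop", "connected" or "interface"


def lookup(rib: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match; None when no route covers dst."""
    matches = [r for r in rib if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def forward(rib: List[Route], dst: IPv4Address) -> Optional[Decision]:
    """Pick the outgoing interface and the address the router must ARP for."""
    route = lookup(rib, dst)
    if route is None:
        return None
    if route.next_hop is not None:
        # Ordinary route: resolve the next-hop router once, never the end hosts.
        return Decision(route.interface, route.next_hop, "next-hop")
    # No next hop: the router resolves the destination itself on the segment.
    return Decision(route.interface, dst, "connected" if route.connected else "interface")


def arp_targets(rib: List[Route], dsts: List[IPv4Address]) -> Set[IPv4Address]:
    """Distinct addresses the router ARPs for to reach every address in dsts."""
    decisions = (forward(rib, d) for d in dsts)
    return {d.arp_target for d in decisions if d is not None}


def host_next_hop(subnet: IPv4Network, gateway: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """A plain host stack: on-link destinations are ARPed directly; everything
    else goes to the single default gateway, whichever router delivered the packet."""
    return dst if dst in subnet else gateway


FA0 = "fa0/0"
LINK = ip_network("10.10.10.0/30")
LAN = ip_network("172.16.16.0/24")
ROUTER_A = ip_address("10.10.10.1")
ROUTER_B = ip_address("10.10.10.2")
ROUTER_B_LAN = ip_address("172.16.16.1")        # constructed: B's address in the LAN
ROUTER_A_SECONDARY = ip_address("172.16.16.2")  # constructed: A's secondary, if configured
HOSTS = [ip_address(f"172.16.16.{n}") for n in (10, 11, 12)]  # constructed hosts
OUTSIDE = ip_address("192.0.2.1")               # documentation prefix, no route to it

# Router A as the thread describes it: 172.16.16.0/24 learned via iBGP from B.
RIB_IBGP = [Route(LINK, FA0, connected=True), Route(LAN, FA0, next_hop=ROUTER_B)]
# Router A with "ip route 172.16.16.0 255.255.255.0 fa0/0" and no address in the LAN.
RIB_STATIC_IFACE = [Route(LINK, FA0, connected=True), Route(LAN, FA0)]
# Router A with the secondary address on fa0/0: a real connected route.
RIB_SECONDARY = [Route(LINK, FA0, connected=True), Route(LAN, FA0, connected=True)]


def demo() -> None:
    for name, rib in (("iBGP", RIB_IBGP), ("static to fa0/0", RIB_STATIC_IFACE),
                      ("secondary", RIB_SECONDARY)):
        d = forward(rib, HOSTS[0])
        print(f"{name:16s} {HOSTS[0]} -> ARP for {d.arp_target} ({d.kind}); "
              f"{len(arp_targets(rib, HOSTS))} ARP target(s) for {len(HOSTS)} hosts")
    # Return path: the host has one default gateway, so replies to anything
    # off-link go to Router B no matter which router delivered the packet.
    print("host reply to", ROUTER_A, "goes to", host_next_hop(LAN, ROUTER_B_LAN, ROUTER_A))
    print("host reply to", ROUTER_A_SECONDARY, "goes to",
          host_next_hop(LAN, ROUTER_B_LAN, ROUTER_A_SECONDARY))


if __name__ == "__main__":
    demo()
```

With the iBGP route the router resolves one address (10.10.10.2) for the whole /24; with the static route to the interface it resolves every host individually, which is the per-host ARP load Jared describes and why it needs proxy-arp on the far side to work at all; with the secondary the same per-host ARP happens, but now the router holds an address on that subnet, so the hosts have a way to reach it without a route for 10.10.10.0/30.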
On Mon, 7 Oct 2002, Majdi S. Abbas wrote:
On Sun, Oct 06, 2002 at 11:40:11PM -0400, Ralph Doncaster wrote:
Manually configuring a static route in router A would achieve the result: ip route 172.16.16.0 255.255.255.0 fa0/0
However, I'm surprised that there's no dynamic routing protocol that allows you to do everything you can with static routes.
Ralph, how do you intend on getting traffic *OUT* of this subnet? Static arp entries on all the hosts? Proxy arp? It seems like that would be a lot more work and much more failure prone in the long run.
What, you don't use a static default route on your end hosts? Are you one of those crazy types that run RIP on your IIS/NT servers? -Ralph
Ralph Doncaster wrote:
What, you don't use a static default route on your end hosts? Are you one of those crazy types that run RIP on your IIS/NT servers?
Last time I looked (a few years back), M$ Windows [whatever] ran RIP receive-only whether you wanted it to or not. Made working with old Pipelines (which ran RIP send whether you wanted them to or not) kind of a bear. Peter E. Fry
On Mon, 7 Oct 2002, Ralph Doncaster wrote:
On Mon, 7 Oct 2002, Majdi S. Abbas wrote:
Ralph, how do you intend on getting traffic *OUT* of this subnet? Static arp entries on all the hosts? Proxy arp? It seems like that would be a lot more work and much more failure prone in the long run.
What, you don't use a static default route on your end hosts? Are you one of those crazy types that run RIP on your IIS/NT servers?
Stop. You're the one who wants one router (probably an original default route for your hosts) to tell other connected routers about new subnets on an existing segment. If you already have one router on the subnet and you're adding a second router, what do you care about static defaults? You're almost asking a dynamic routing protocol to insert a magical HSRP configuration into any adjacent routers. Wake up and stop dreaming. Besides the fact that you're asking a layer 3 protocol to handle your layer 2 and layer 1 issues, you're asking a layer 3 protocol to do magic reconfiguration. Dangerous stuff, as soon as someone on that network finds out what sort of havoc they can create. Pete -- Peter J. Templin, Jr., CCNP, CCDP Networking Consultant On-Line Internet Services - URDirect.net A division of Global On-Line Computers 5606 Randolph Blvd templin@urdirect.net San Antonio, TX 78233 (210)692-9911
Let me see if I got this.
Router A: unknown networks behind it; uses 10.10.10.2 as a neighbor to router B.
Router B: has a network 172.16.16/24; uses 10.10.10.1 as a neighbor to router A.
Router A's table shows 172.16.16/24 -> 10.10.10.2
You want Router A to ARP and pretend it's on the local broadcast domain for the 172.16.16/24 prefix. But that prefix is NOT local to router A, thus it must ROUTE and thus uses the NextHop in its table. It seems your description is wrong.... But I don't know.. Please clarify
On Sun, Oct 06, 2002 at 12:44:07PM -0400, Ralph Doncaster wrote:
Background: Router A and B are connected via a common ethernet segment 1. Router A uses 10.10.10.1/30, and Router B uses 10.10.10.2/30. Router B also has another subnet configured for ethernet segment 1; 172.16.16.0/24.
When I set up a situation like the above, with Router B advertising the 172.16.16.0/24 to router A, router A sees a next hop of 10.10.10.2. This is not good since packets from A going to the 172.16.16 subnet get sent to Router B, which then ARPs the destination, instead of just being ARPed by router A.
I don't want to turn on ICMP redirects on B since they're insecure and ugly. I've also made sure I'm not using next-hop self. Is there a way to make this work?
Ralph Doncaster principal, IStop.com