Posted by Fletcher James on May 3, 2008, 12:24 pm
This is your opportunity to be a Cisco hero (and to earn a tin of incredible cookies, with the first correct answer.) I suspect that the right person can solve this problem in a snap, but the solution has been eluding us for over a month.

We have been assigned a block of 64 static IP addresses (actually, 61) by Verizon, for our Business FIOS network. Let's call our addresses 70.x.x.64/26.

We wish to place a Cisco 1841 directly on the FIOS connection, and then have a handful of devices inside (perimeter network), connected by a simple Ethernet switch. Most of the addresses will be handled by an ISA server (firewall/NAT, which protects our LAN and a separate Web Server zone), but a few other devices will be independent (e.g. a videoteleconference unit which doesn't play well inside the firewall, a wireless router for untrusted devices, etc.)

For many reasons, it would be best if we were simply routing our traffic to the inside of the Cisco, so that our 70.x.x.64/26 subnet is on the INSIDE of the 1841.

The problem we have is this: Verizon's gateway is 70.x.x.1. Unlike our other ISPs, they have NOT assigned us a separate 30-bit subnet with an address for our router (in this case, that would be 70.x.x.2). I think Verizon just expected us to NAT everything immediately after their interface, the way that residential customers do with their Actiontec router/firewall units.

So the problem is: What do we use as an address for the outside interface of our router, which will allow it to route traffic to the gateway, OR, how do we otherwise deal with this problem?

To demonstrate: If we assign our router's outside to .66 (they've told us not to use .65) then we need a netmask of 255.255.255.128 so that we can route outbound through the gateway. Unfortunately, that then defines ALL of our public addresses as being on the outside of the router. We've looked at a long list of solutions, and none of them are very good:

OPTION A: Currently, we have declared our outside interface as 70.x.x.126/24. We then force all of our inbound traffic to the inside with a long list of entries such as:

ip route 70.x.x.69 255.255.255.255 FastEthernet0/0

This works, but poorly -- I suspect there's a lot of unnecessary ARPing going on.

OPTION B: We could keep the public addresses on the outside, and then NAT them to private addresses between the Cisco and the perimeter network (e.g. 70.x.x.69 --> 10.0.0.69) and then NAT them a second time in the ISA server. Yuch.

OPTION C: We could "steal" the address 70.x.x.2/30 for our outside interface, and hope that it never causes a problem (We've tried this, but have had inconsistent results -- it works, and then when we re-boot our router it mysteriously fails.)

OPTION D: We could assign a PRIVATE address to the outside of our router -- say, 10.1.1.1. But then, how would we direct traffic to our gateway? If we provide a default route just by interface

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1

then it's got to ARP for every single outbound address. QUESTION: would the following solve that problem:

ip route 0.0.0.0 0.0.0.0 70.x.x.1
ip route 70.x.x.1 255.255.255.255 FastEthernet0/1

OPTION E: You're the genius. Tell us Option E.

I would very much appreciate it if you could cc me directly on any reply.

Thanks!

Fletcher James
President
Levit & James, Inc.
703-771-1549
http://www.levitjames.com
Posted by Trendkill on May 3, 2008, 3:23 pm
Can you get Verizon to sell you another separate /31 (yes, a /31 works, we use them all the time for point to point routing adjacencies) and then set up routing on both sides? Else I don't see why you can't carve out the /30 as you have said, and ensure that Verizon and you are advertising properly on both sides. Or install a switch between them and you for external hosts and NAT for anything going internal. Not sure you can do that with FIOS, never had to deal with it.
Posted by Thrill5 on May 4, 2008, 3:14 am
It is never "best" to simply route traffic to your inside network. The only reason you need a public IP is if you are accepting connections from an internet source, which should only be a few devices (your mail server, web server and VPN concentrator, etc.) All of your inside traffic for web browsing can be NATed to a single outside address. Your video conference station should be able to have two addresses, the inside address on your LAN, and the outside address that it is NATed to.

You can also request a separate address from Verizon so that the connection between your router and their connection is on a different subnet than the block they assigned you. If you can't do that, your only option is to bridge the traffic which, in my opinion, is the worst case option.
Posted by Darren Green on May 4, 2008, 7:16 am
Out of interest, could you not assign the IP address to the LAN side of the router and on the WAN port use ip unnumbered to the LAN interface?

int Fa0/X
 ip address 70.x.x.X 255.255.255.192
int Serial X/X
 ip unnumbered Fa0/X

I seem to recall I have done this in the past, mainly on ADSL boxes where the client wanted to present a public IP address internally.

Regards
Darren
Posted by Merv on May 4, 2008, 4:26 pm
1. It appears that the router in question is using a Fast Ethernet interface facing the FIOS ONT. If this is in fact the case then an ip unnumbered command will be rejected on a multi-access interface. ip unnumbered can only be used on point-to-point serial interfaces.

2. The following static routing construct is viable:

ip classless
ip route 0.0.0.0 0.0.0.0 70.x.x.1
ip route 70.x.x.1 255.255.255.255 FastEthernet0/1

Option D would probably work but it is definitely a kludge.

The suggestion by other responders to approach Verizon to see if they will provide a /30 or /31 for the FIOS link would definitely be worthwhile pursuing. However, be forewarned that if Verizon has not planned for this "feature", it will impact their service provisioning systems and they will be less inclined to provide what you are looking for - i.e. a /30 for the FIOS link.
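As an added illustration (not code from any poster in this thread), a small Python model of longest-prefix-match lookup with recursive next-hop resolution shows why the two-route construct in point 2 ARPs only for the gateway, while an interface-only default route ARPs for every destination, and why Option A needs one host route per inside address. The addresses are constructed stand-ins for the post's 70.x.x block (203.0.113.64/26, gateway 203.0.113.1); the route tables and helper names are my own, not IOS output.

```python
import ipaddress

# Constructed stand-ins for the post's 70.x.x addresses: 203.0.113.64/26 is
# the customer block, 203.0.113.1 the Verizon gateway. Routes are
# (prefix, next_hop, interface), mirroring "ip route <net> <mask> [nh] [if]".
OPTION_A = [                                   # outside declared as a /24
    ("203.0.113.0/24", None, "FastEthernet0/1"),   # connected, outside
    ("203.0.113.69/32", None, "FastEthernet0/0"),  # per-host route inward
]
OPTION_D_INTERFACE_ONLY = [                    # default route by interface
    ("0.0.0.0/0", None, "FastEthernet0/1"),
]
OPTION_D_TWO_ROUTES = [                        # the construct in point 2
    ("0.0.0.0/0", "203.0.113.1", None),
    ("203.0.113.1/32", None, "FastEthernet0/1"),
]

def lookup(routes, dest):
    """Longest-prefix match; returns (next_hop, interface) or None."""
    ip = ipaddress.ip_address(dest)
    best = None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return None if best is None else (best[1], best[2])

def resolve(routes, dest, max_depth=8):
    """Recursive next-hop resolution as a router does before forwarding.
    Returns (egress_interface, arp_target); arp_target is the address the
    router must ARP for on a multi-access (Ethernet) link, or None."""
    target = dest
    for _ in range(max_depth):
        hit = lookup(routes, target)
        if hit is None:
            return None
        nh, iface = hit
        if iface is not None:
            # Interface route: ARP for the named next hop if one was given,
            # otherwise for the address being resolved (the destination
            # itself when the default route names only an interface).
            return iface, nh if nh is not None else target
        target = nh   # next hop without interface: look it up again
    return None       # unresolved after max_depth recursions

def arp_targets(routes, dests):
    """Distinct neighbours ARPed for when forwarding to each of dests."""
    return {resolve(routes, d)[1] for d in dests if resolve(routes, d)}

if __name__ == "__main__":
    hosts = ["198.51.100.7", "192.0.2.10"]   # constructed Internet hosts
    print("interface-only default:", arp_targets(OPTION_D_INTERFACE_ONLY, hosts))
    print("two-route construct:   ", arp_targets(OPTION_D_TWO_ROUTES, hosts))
    print("Option A, inbound .69: ", resolve(OPTION_A, "203.0.113.69"))
    print("Option A, inbound .99: ", resolve(OPTION_A, "203.0.113.99"))
```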

Routing for Verizon FIOS -- Reward for answer