Virtual IP'ing

Ehren8879 (Supreme [H]ardness; joined Sep 24, 2004; 4,499 messages)
Let's say a person is assigned the following address block: 22.33.44.0/29.

Setup is: Cisco router -> Fiber Connection -> Firewall (Watchguard, Sonicwall, pfSense etc.) -> Servers (private net)

With it, 22.33.44.2 is assigned to the external interface of the gateway/firewall. Behind the router exists the arbitrary private network 10.1.0.0/24 with various servers, with 1:1 NAT statements set up in the firewall's config.

Under normal operating conditions the Cisco router shows the following in its ARP cache:

Internet 22.33.44.1 - aaaa.2222.cccc ARPA

Internet 22.33.44.2 4 4444.dddd.5555 ARPA
Internet 22.33.44.4 71 4444.dddd.5555 ARPA
Internet 22.33.44.5 7 4444.dddd.5555 ARPA
Internet 22.33.44.6 236 4444.dddd.5555 ARPA

22.33.44.1 is the gateway and aaaa.2222.cccc is the MAC of the router; no issue there.

However, 22.33.44.2-6 are all presented with the same MAC address (the MAC address of the firewall's external interface). Preserving the topology and function of the 1:1 NAT, is there a technique so that all public IPs are presented to the router with different MAC addresses? The goal is for the servers to remain behind the firewall but have a one-IP-per-MAC public presence.

I've read some about proxy ARP and IP aliasing, but am unsure if either is relevant. This sort of network configuration is beyond what I typically do, so I'm rather ignorant of the specifics.
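The ARP listing above is the kind of thing worth checking mechanically when a customer reports odd drops: which MAC is answering for which public IPs, and whether that matches the expected firewall. The script below is an added example, not part of the original post; it parses Cisco-style "show ip arp" lines (the sample is constructed from the thread's placeholder addresses, with the interface column IOS normally prints) and groups IPs by hardware address. A NAT firewall legitimately answers for several IPs, so the output is a baseline to compare against, not an alarm by itself.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's router output. The header and
# interface column are what IOS "show ip arp" normally prints; the MACs and
# addresses are the thread's placeholders, not real values.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  22.33.44.1              -   aaaa.2222.cccc  ARPA   GigabitEthernet0/0
Internet  22.33.44.2              4   4444.dddd.5555  ARPA   GigabitEthernet0/0
Internet  22.33.44.4             71   4444.dddd.5555  ARPA   GigabitEthernet0/0
Internet  22.33.44.5              7   4444.dddd.5555  ARPA   GigabitEthernet0/0
Internet  22.33.44.6            236   4444.dddd.5555  ARPA   GigabitEthernet0/0
"""

# One IOS ARP row: protocol, IPv4 address, age ("-" = router's own address),
# dotted-quad-style MAC (xxxx.xxxx.xxxx) and the ARPA type. Anything after
# ARPA (the interface) is ignored so rows without it still parse.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return a list of (ip, mac, age_minutes) tuples; age is None for the
    router's own interface addresses, which IOS shows with a '-' age."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # header line or something that is not an ARP row
        age = None if m["age"] == "-" else int(m["age"])
        entries.append((m["ip"], m["mac"].lower(), age))
    return entries


def macs_with_multiple_ips(entries, ignore_local=True):
    """Map each MAC that answers for more than one IP to the list of IPs.

    With ignore_local=True the router's own addresses (age None) are left out,
    so the result describes only neighbours on the segment. For the thread's
    topology the expected answer is exactly one MAC (the firewall's external
    interface) carrying every 1:1 NAT address; a second MAC appearing for one
    of those IPs would mean something else on the wire is claiming it.
    """
    by_mac = defaultdict(list)
    for ip, mac, age in entries:
        if ignore_local and age is None:
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    rows = parse_arp(SAMPLE_ARP)
    for mac, ips in macs_with_multiple_ips(rows).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

Run against a saved "show ip arp" capture, the script confirms the situation the post describes: every NAT address resolves to the firewall's single MAC. Keeping a copy of that baseline per customer makes it easy to spot when a drop coincides with an IP moving to an unexpected hardware address.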
 
Any particular reason you want each IP to look like a specific MAC address from the Cisco point of view?

Because looking at the topology you have:

Cisco < One L2 network > Firewall < Another L2 network > Server(s)

Even most transparent firewalls will remain the same as above (they are only transparent at layer 3).

Palo Alto Networks have firewalls that can work in what they call VWIRE (Virtual Wire) mode (among other modes), which is used to keep the L3 intact, but I don't know if the L2 is intact as well when using VWIRE or if it's transparent also at layer 2.
 
Is there a reason you are wanting this? As soon as it goes out the Cisco it will just strip off the MAC addresses anyways and add its own.
 
Is there a reason you are wanting this? As soon as it goes out the Cisco it will just strip off the MAC addresses anyways and add its own.

I've encountered random problems that have only been solved by either statically routing individual IPs to the IP of the outside interface or by routing the entire IP block to a separate, individual IP. Not all customers are familiar with the setup of the latter, and keeping track of a bunch of special-case static routes gets messy.

Our routing is fine otherwise and typically the "normal" setup works fine. Randomly it will quit for certain customers or weird connection drops are reported. I'm trying to find a simple way to overcome it and restore reliability. When there is one MAC per IP we never have any issues.
 
I doubt that the MAC addresses would have something to do with this.

Sure, proxy-ARPing could be an issue, so I often recommend disabling such bad behaviour, but other than that your Cisco shouldn't have any issues routing traffic to your firewall as next hop for a bunch of IP addresses.

What you could do if you want to lower the number of MAC addresses handled/seen by the Cisco is to set up a dedicated link-net between your Cisco and your firewall.

Like:

Cisco [10.0.0.1/30] - [10.0.0.2/30] Firewall

and in your Cisco setup:

ip route 22.33.44.0 255.255.255.248 10.0.0.2

This way the only MAC address your Cisco will see/handle is the MAC address of the firewall for IP 10.0.0.2.

The 22.33.44.0/29 stuff will just be thrown at the firewall to deal with.
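The link-net design in this reply has two moving parts that are easy to get wrong by hand: the two /30 addresses and the dotted netmask in the static route, where a mask that is too wide sends neighbouring customers' addresses at this firewall too. The helper below is an added example, not the poster's configuration; it derives both from the block and link-net given in the reply (22.33.44.0/29 and 10.0.0.0/30) and quantifies how many addresses outside the block a mis-sized mask would route. The `ip route <network> <mask> <next-hop>` form is standard IOS syntax.

```python
import ipaddress


def linknet_design(customer_block, linknet):
    """Lay out the routed link-net the reply describes.

    customer_block: the public block handed to the customer, e.g. "22.33.44.0/29"
    linknet:        the point-to-point /30 between router and firewall,
                    e.g. "10.0.0.0/30" (the reply's example addressing)

    Returns the router-side and firewall-side link addresses and the IOS
    static route that throws the whole block at the firewall. With this
    design the router only ever ARPs for the firewall's link-net address.
    """
    block = ipaddress.ip_network(customer_block, strict=True)
    link = ipaddress.ip_network(linknet, strict=True)
    hosts = list(link.hosts())
    if len(hosts) != 2:
        raise ValueError("link-net should be a /30 with exactly two usable hosts")
    router_ip, firewall_ip = hosts  # low address on the router, as in the reply
    return {
        "router": f"{router_ip}/{link.prefixlen}",
        "firewall": f"{firewall_ip}/{link.prefixlen}",
        # IOS wants a dotted mask, so /29 becomes 255.255.255.248
        "ios_route": f"ip route {block.network_address} {block.netmask} {firewall_ip}",
    }


def route_overreach(customer_block, mask):
    """Count addresses a static route with this dotted mask would send to the
    firewall that are NOT in the customer's block.

    0 means the mask exactly covers the block. Anything else means the router
    would also forward traffic for neighbouring addresses to this firewall,
    which is exactly the kind of silent misrouting that shows up as random
    connection problems for other customers on the same aggregate.
    """
    block = ipaddress.ip_network(customer_block, strict=True)
    routed = ipaddress.ip_network(
        f"{block.network_address}/{mask}", strict=False
    )
    if not routed.supernet_of(block):
        return 0  # mask is narrower than the block: under-routes, no spill-over
    return routed.num_addresses - block.num_addresses


if __name__ == "__main__":
    design = linknet_design("22.33.44.0/29", "10.0.0.0/30")
    print(f"Cisco [{design['router']}] - [{design['firewall']}] Firewall")
    print(design["ios_route"])
    # A /26 mask (255.255.255.192) on a /29 block drags 56 foreign addresses along.
    print("spill-over with 255.255.255.192:", route_overreach("22.33.44.0/29", "255.255.255.192"))
    print("spill-over with 255.255.255.248:", route_overreach("22.33.44.0/29", "255.255.255.248"))
```

The `strict=True` checks refuse a block or link-net whose host bits are set, which catches copy-paste slips before they reach a router; the firewall side still needs its own route or NAT entries for the /29, which this helper does not generate.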
 
I doubt that the MAC addresses would have something to do with this.

Sure, proxy-ARPing could be an issue, so I often recommend disabling such bad behaviour, but other than that your Cisco shouldn't have any issues routing traffic to your firewall as next hop for a bunch of IP addresses.

What you could do if you want to lower the number of MAC addresses handled/seen by the Cisco is to set up a dedicated link-net between your Cisco and your firewall.

Like:

Cisco [10.0.0.1/30] - [10.0.0.2/30] Firewall

and in your Cisco setup:

ip route 22.33.44.0 255.255.255.248 10.0.0.2

This way the only MAC address your Cisco will see/handle is the MAC address of the firewall for IP 10.0.0.2.

The 22.33.44.0/29 stuff will just be thrown at the firewall to deal with.

This makes the most sense to me on how to set it up. It's how I would do it anyways.
 
The aforementioned router is an edge router. With it we've been doing something similar, but with a separate public IP. Everything is statically routed; no routing protocols are in use.

Still I'm curious if there's a way to make a customer's firewall appliance behave the way I've described.

We're currently also talking to Cisco to see if this is an IOS bug.
 