Ascend Archive

Re: (ASCEND) P50 routing on LAN side



> At 02:26 PM 1/7/98 -0500, Todd A. Scalzott wrote:
> >
> >What's happening is that I can see the ARP request make it all the way 
> >through from a shell account on a different provider to the P50 and then 
> >on through to the firewall.  What the firewall manufacturer tells me is 
> >that I need to have the P50 configured with a static route pointing to the 
> >external interface of my firewall as a router for the class C.    But the 
> >P50 already establishes a /24 route to the ie0 interface:
> 
> What is the IP address of the P50? And the external i/f of the firewall?
> 
> >ascend% iproute show
> >
> >Destination        Gateway         IF       Flg   Pref Met     Use     Age
> >0.0.0.0/0          205.177.45.89   wan9     SGP    100   1    1539     642
> >127.0.0.1/32       -               lo0      CP       0   0       0 7203241
> >127.0.0.2/32       -               rj0      CP       0   0       0 7203241
> >127.0.0.3/32       -               bh0      CP       0   0       0 7203241
> >172.17.1.0/24      -               ie0      C        0   0      94    2669
> >172.17.1.2/32      -               lo0      C        0   0       0    2669
> >205.177.45.0/24    205.177.45.89   wan9     rGT    100   1       0     509
> >205.177.45.0/24    205.177.45.89   wan9     *SG    120   7       0     643
> >205.177.45.89/32   205.177.45.89   wan9     rT     100   1      17     509
> >205.177.45.89/32   205.177.45.89   wan9     *SP    120   7       2     984
> >207.176.66.0/24    -               ie0      C        0   0    8773    2670
> >207.176.66.2/32    -               lo0      CP       0   0     124    2670
> >255.255.255.255/32 -               ie0      CP       0   0       0     643
> >
> >
> >So something like "iproute add 207.176.66.0/24 207.176.66.40 1" won't 
> >work--the existing route will always take precedence.
> 
> Maybe experimenting with the second interface address may help?

Whenever I've done configs like this I always use a small real Ethernet
and a larger virtual Ethernet:

Pipeline: x.y.z.1/27
Firewall: x.y.z.2/27
Various servers that are outside the firewall: x.y.z.3/27 and up

With a static route on the Pipeline:

x.y.z.0/24 --> x.y.z.2

Then the firewall will receive (without using Proxy ARP) all packets
addressed to x.y.z.32 through x.y.z.255, so those are the addresses it is
free to use.

This works well and IMHO it is a clean setup.

-Phil
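
The route selection behind both setups in this thread, as an added example (not code from the post or from Ascend). It assumes 192.0.2.0/24 stands in for x.y.z.0/24, and that among routes of equal prefix length the lower Pref value wins, as the `iproute show` output above suggests.

```python
import ipaddress

# Constructed addressing: 192.0.2.0/24 stands in for the post's x.y.z.0/24.
BLOCK = "192.0.2.0/24"
FIREWALL = "192.0.2.2"

def route(prefix, gateway, pref):
    """One routing-table entry: (network, gateway or None if connected, pref)."""
    return (ipaddress.ip_network(prefix), gateway, pref)

# Original problem: the whole /24 is connected on the Ethernet, and a static
# route for the same /24 is added on top of it.
FLAT = [
    route(BLOCK, None, 0),        # connected on ie0
    route(BLOCK, FIREWALL, 100),  # static route via the firewall
]

# Setup from the reply: small real Ethernet (/27), larger "virtual" /24
# reached through the firewall's external interface.
SPLIT = [
    route("192.0.2.0/27", None, 0),  # connected: Pipeline, firewall, outside servers
    route(BLOCK, FIREWALL, 100),     # static route via the firewall
]

def lookup(table, dst):
    """Next hop for dst: a gateway IP, 'direct' (ARP on the Ethernet), or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    # Longest prefix wins; equal lengths fall back to the lower preference
    # (assumption stated in the lead-in).
    _net, gateway, _pref = min(matches, key=lambda r: (-r[0].prefixlen, r[2]))
    return gateway or "direct"

def routed_via(table, gateway, block=BLOCK):
    """(first, last, count) of addresses in block forwarded to gateway, or None."""
    hits = [str(a) for a in ipaddress.ip_network(block)
            if lookup(table, str(a)) == gateway]
    return (hits[0], hits[-1], len(hits)) if hits else None

if __name__ == "__main__":
    for name, table in (("flat /24", FLAT), ("split /27 + /24", SPLIT)):
        print(name, "-> .40 next hop:", lookup(table, "192.0.2.40"),
              "| range behind firewall:", routed_via(table, FIREWALL))
```

In the flat table the static route never wins, so the router ARPs for every address itself; in the split table everything from .32 up is handed to the firewall without Proxy ARP.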