Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[XGS_Is_On]

On the use of mapping:

No need to burn IPs routing them - no gateway or broadcast.

Can either forward everything, unwise, or specific ports.

The LAN is a simplification in the diagrams. There are other VLANs not featured. The DMZ using the public IPs is a /28: no public IP mapping to hosts in the subnet where the regular devices live, those are masquerade / SNAT only.

[Weaver]

Carl, are you also an IPv6 fan? I’m seeing a lot of IPv4 (we all of us still love it sometimes, if truth be told).

[dee.jay]

I'm starting to become a fan of CGNAT seeing as I now operate an ISP network...

[Weaver]

It’s just that I didn’t see any IPv6 addresses on XGS’s network diagram, but maybe doing everything internally twice is just madness?

[Alex Atkin UK]

I'm starting to become a fan of CGNAT seeing as I now operate an ISP network...

BAN THE HERETIC!

[Weaver]

Quite right Alex. Speaking as someone with a real IPv4 address here.

[XGS_Is_On]

Carl, are you also an IPv6 fan? I’m seeing a lot of IPv4 (we all of us still love it sometimes, if truth be told).

Indifferent, Sir. The backup link is dual stack however this is problematic given the difference in capacity between the two links.

Awaiting full dual stack support from SD-WAN software and ISP then I'll implement it.

[XGS_Is_On]

It’s just that I didn’t see any IPv6 addresses on XGS’s network diagram, but maybe doing everything internally twice is just madness?

IPv6 that's publicly routable as delivered by regular providers would break things as it has to be tied to a single ISP. A major point of the network I describe in the diagrams is that it isn't dependent on a single ISP.

Before I implement I need a way of ensuring that a similar level of resilience is in place as with v4 NAT.

As above not opposed and will implement when available but has to deliver the same redundancy as v4 else not happening.

[Alex Atkin UK]

Quite right Alex. Speaking as someone with a real IPv4 address here.

I do wonder why you have more than one though?

I had a block years ago on Plusnet but never found I needed them.

[dee.jay]

BAN THE HERETIC!

Yes but when IPv4 costs $50 per address and you are servicing thousands of customers, you suddenly understand the need for CGNAT...

Me personally, I could not abide CGNAT as a user. I have a routed /29.

[Weaver]

[Apologies for wandering off-topic. Might want to split this conversation off, my friends?]

Agreed. I have had all my machines inside a routed /26 for over ten years.

What about simply getting rid of IPv4 completely and using DNS64 + NAT64, is that viable ? (AA can do this but I think they don’t advertise it much.)  And customers who want real IPv4 addresses could pay extra for them?

[XGS_Is_On]

[Apologies for wandering off-topic. Might want to split this conversation off, my friends?]

For me it's fine. Nerd on.

[Chrysalis]

Weaver due to google's daft happy eyes balls policy on their browser I only browse single stacked now.  IPv6 is back on my PC but all IPv6 set to deny on windows firewall for the executable.

Had to also do same on steam (seems they inherited it with chrome framework), as without it, downloads went over 200mbit AAISP tunnel instead of gigabit.

[XGS_Is_On]

Wrote this elsewhere but thought it'd be good here, too.

You see Mikrotik, QNAP, their 25G switch was a steal despite awful software, and you see a server running Aruba EdgeConnect. That fella in turn connects via hubs in Amsterdam, London and Warsaw to about a hundred other devices via an SD-WAN fabric, along with taking some of my Internet traffic to Amsterdam and some being allowed to break out locally.

As you can see there are two Internet connections there and the EdgeConnect uses both - the second one is sent to the secondary Internet connection via a dedicated VLAN and access port on the switch at the other end.



The main home network lives in 192.168.0.0/22. I'm lazy.
There are 2 DHCP servers, one handing out 192.168.0.2-192.168.0.254 the other 192.168.2.1-192.168.2.254. Both in the same broadcast domain so both answer DHCP requests. I don't care which offer a device takes: it doesn't matter. It does mean if one dies the other can continue to provide addresses.

The 2116 and the RB5009 have a VRRP VIP of the default gateway, 192.168.0.1, and actual IPs in 192.168.1.0-255 - a range reserved for static addressing.

The 2116 receives its default gateway from the SD-WAN appliance. It has a higher metric default route to the RB5009. These are in a logically separate network, 192.168.222.0/29 in its own VLAN on the switches: the slipstream network.

The SD-WAN appliance also advertises a bunch of routes from the SD-WAN fabric to both 2116 and RB5009.

The RB5009 has two routing tables, a main one for most traffic and one for traffic arriving from the SD-WAN. There are also two BGP sessions, one for each routing table to ensure that traffic heading to the SD-WAN gets there whatever address it arrives on knowing that it'll be encapsulated and then can be sent out the RB5009 Internet connection via the tunnel.

The alternative table besides those routes on the SD-WAN sends everything out of its connection. If traffic has reached it there is a problem with the 2116.

If after it's sent to the SD-WAN via the Slipstream it still has nowhere to go when it comes back via the WAN and VLAN 4 it goes into the alternate table that sends everything out of its Internet connection to ensure that there's no loop. Traffic hitting there should be destined for the Internet always. The SD-WAN learns the internal networks via the BGP session across the slipstream.

Lastly as noted in the diagram both 2116 and RB5009 advertise to the SD-WAN, however the 5009 uses AS-Path prepending so it advertises a longer path than the 2116: it'll only be used if the session to the 2116 goes down.

That happens if VRRP is still as normal traffic will traverse both routers on its way to the SD-WAN and will come back to the client via the 5009 directly.

It's more of a lab than a home network, it's obviously ridiculously complicated for one.

[XGS_Is_On]

See the attachment for some of the detail I can see now. Great product for network visibility.