Assistance with public IP routing!

Nathan Farrar
Level 1

I am working on a system that has the following setup:

 

ISP connection to router delivering a static /28 block of IP addresses

Connection from this router goes to a switch on an internal 172.16.0.0/24 network. 

Routers connected as access ports to this switch need to have a public IP address.

 

My thought is that we would need to setup layer 3 routing in that we would use VLANs to deliver a subnet to one of the routers and give it a smaller /29 block. The client at this end does not want NAT to be used for this. I don't think there is any other way. One of their engineers mentioned use of a GRE or a VTI to get this done but I don't see that as being relevant or making any sense in my mind.

 

If I had a router with a block of IP addresses, is it possible to get a subnet of that block appear at the internal router through some kind of tunnel?

 

Thanks,

 

Nathan 

9 Replies

Jon Marshall
Hall of Fame

Nathan

If I had a router with a block of IP addresses, is it possible to get a subnet of that block appear at the internal router through some kind of tunnel?

Can you just clarify.

You have a router connected to an ISP and you have a /28 subnet for that connection.

This router then connects to an internal switch and you want to connect some routers to that switch and these routers need to use public IPs.

So couple of questions -

a) is the switch L3 capable

and

b) can the routers connected to the switch all use the same IP subnet ie. can they share a common vlan/IP subnet (where the IP subnet is part of your public range) or do they each need to have a separate IP subnet ?

Jon

Hi Jon,

 

First to answer your questions:

a. Currently no, there are managed switches but not L3. My intention would be to purpose a L3 switch behind the edge router that has the /28 to handle routing and VLANs.

b. Yes. All routers can be part of the same subnet.

 

But this is where I don't understand how an "internal" tunnel could possibly work. The way I see it, we would have to get two blocks from the ISP. One could be a /30 which would serve as the connection from the provider to the edge router. Then we would get a larger block, say a /26 and have the ISP set a static route to the edge router's outside IP address which is in that /30 network. From there I would use a L3 switch to create VLANs and assign each smaller blocks of /30s or /29s for end users. Using static routes pretty much. This is actually a very small ISP that is needing a solution but I've not done work in the ISP realm so I am not 100% sure what normal practices are.

 

The client is saying that he wants to get a /28 on the outside and then give routers on the inside addresses from that space... and that could possibly be done with some kind of VTI or GRE tunnel. I can't see how this is possible. From how I understand VTIs and GRE, they are used to connect one private network to another private network, most often in conjunction with routing protocols due to multicast support... and generally with IPsec for security.

 

With a single block we would HAVE to NAT from one IP address on the outside to one private address on the inside. The reason why this isn't being done is that the end client feels that having an address that is NATted to them could cause issues with VPN connections. I think most of that is rubbish but I do agree having a true static IP address is best in general. Also, since this is a small ISP he is worried that the upstream ISP would not give him two blocks as I would assume would be necessary.

 

Thanks for your input.

 

Nathan

Nathan

You don't necessarily need a L3 switch as long as you can create a vlan on the L2 switch and then trunk to the router LAN interface ie. you could do routing on a stick and I believe that would work although a L3 switch may make it easier.

A /30 and a /26 would certainly make life easier but let's assume you can't do that for the moment.

I don't believe you need a tunnel and am also unsure of how it would work although others may want to comment on that.  

Here's an example of what I believe would work. I have assumed a L3 switch but like I say I suspect it could be done on the same router -

subnet = 192.168.10.0 255.255.255.240 (obviously your IPs would be public IPs)

router IP 192.168.10.1

ISP IP 192.168.10.2

what you would need to do is -

a) split into two smaller subnets ie.

192.168.10.0 255.255.255.248

192.168.10.8 255.255.255.248

b) change the subnet mask on your router IP from 255.255.255.240 to 255.255.255.248

c) add a route to the router -

192.168.10.8 255.255.255.248 172.16.0.x (where the 172.x.x.x IP is the switch end of the connection)

d) create a vlan on the switch for that subnet together with an SVI and allocate ports into it.

As long as your existing router IP and the ISP IP fall into the same new /29 range it should work ie. using the example above -

192.168.10.1 and 192.168.10.2 both fall within 192.168.10.0/29 so both ends still think they are in the same subnet.

If however your end was 192.168.10.1 and the ISP was 192.168.10.15 then that would be an issue because with the new /29 subnet mask at your end the router thinks the ISP end is in a different IP subnet (although the ISP still thinks you are in the same subnet).

It would need testing but I can't see why it wouldn't work.

Hope that makes sense.

Edit - if you used routing on a stick rather than a L3 switch you would not need step c) in the above and you wouldn't need an SVI on the switch in step d).

Jon

That makes a lot of sense. It is a waste of IP addresses though but it would get the job done. I used GNS3 to map it out and it does work; I am using a L3 (etherswitch) on this topology though. I'll give it a try with subinterfaces next.

 

With the caveat you mentioned at the end where the ISP has its IP address at the top of the range, couldn't you just swap the ranges you use? Have the edge router at 192.168.10.9 /29 and route the 192.168.10.0/29 network inside?

 

Nathan

Nathan

With the caveat you mentioned at the end where the ISP has its IP address at the top of the range, couldn't you just swap the ranges you use? Have the edge router at 192.168.10.9 /29 and route the 192.168.10.0/29 network inside?

Yes you could but the ISP will have a route for the whole subnet probably pointing to your existing IP so you would need to liaise with them to get it updated.

Jon
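To check the arithmetic behind Jon's steps a) to d), and the swapped-range variant discussed just above, before touching a router, here is an added Python example (not from the original thread; it uses only the standard ipaddress module). The addresses are the ones from Jon's example; the inside next hop 172.16.0.2 and the interface name <WAN> are placeholders I chose, and the `ip route` lines are standard IOS static-route syntax filled in from the computed pieces. The `new_prefix` parameter generalises the /28-into-/29 split to any block and piece size.

```python
import ipaddress


def plan_split(public_block, router_ip, isp_ip, inside_next_hop, new_prefix=29):
    """Split `public_block` into /new_prefix pieces.

    The piece containing the router's own address stays on the ISP-facing
    interface (with the narrower mask); every other piece is routed inside via
    `inside_next_hop`, the 172.16.x.x address of the switch SVI. The result
    also says whether the ISP's address is still on-link after the mask change,
    which is the caveat that decides whether the trick works at all.
    """
    block = ipaddress.ip_network(public_block)
    router = ipaddress.ip_address(router_ip)
    isp = ipaddress.ip_address(isp_ip)
    if router not in block or isp not in block:
        raise ValueError("router and ISP addresses must both lie in the block")

    pieces = list(block.subnets(new_prefix=new_prefix))
    outside = next(p for p in pieces if router in p)
    inside = [p for p in pieces if p != outside]

    # After narrowing the mask the router only treats `outside` as directly
    # connected; if the ISP hop is not in there, a default route pointing at
    # it can no longer be resolved to an on-link next hop.
    isp_on_link = isp in outside

    # IOS-style statements; "<WAN>" is a placeholder interface name.
    commands = ["interface <WAN>", f" ip address {router} {outside.netmask}"]
    commands += [f"ip route {p.network_address} {p.netmask} {inside_next_hop}"
                 for p in inside]

    return {"outside": str(outside), "inside": [str(p) for p in inside],
            "isp_on_link": isp_on_link, "commands": commands}


if __name__ == "__main__":
    # Jon's two cases: ISP at .2 (works) and ISP at .15 (breaks after the mask change).
    for isp in ("192.168.10.2", "192.168.10.15"):
        plan = plan_split("192.168.10.0/28", "192.168.10.1", isp, "172.16.0.2")
        state = "on-link" if plan["isp_on_link"] else "NOT on-link"
        print(f"ISP {isp}: {state}; routed inside: {plan['inside']}")
        print("\n".join(plan["commands"]))
    # Nathan's swap: router at .9, so .0/29 goes inside and .15 stays on-link
    # (the ISP still has to repoint its route for the /28 at .9).
    print(plan_split("192.168.10.0/28", "192.168.10.9", "192.168.10.15", "172.16.0.2"))
```

Running it prints the narrowed interface mask and the static route for each case; `isp_on_link` is the one value to look at before committing the change, because a False there means the default route stops resolving the moment the mask is changed.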

Sorry for the delayed response!

 

I convinced the client to get a routed solution from the ISP. He will keep his /28 block as his own and use an additional /27 block for clients and route them directly to where they need to go. We are going to set up VLANs in order to deliver these subnets to clients. I now need to research the best way to split up this block of IP addresses. Some users just need a /30 while others need a /29 or /28.

 

To answer the questions... yes, NAT/PAT is possible and is what the client was doing. The issue was that one of his client's corporate IT people said that they didn't want a NAT'd solution and wanted a routed solution. They said that it would cause issues with the client's VPN connections... which I don't see how that would be the case. The issue I see is that they would have a private address as their public and that may cause confusion or maybe they just don't like the idea.

 

The only issue with swapping the ranges is that you can come into issues with subnetting. If you wanted to deliver a client a larger range like a /28 then the range used for the edge router and the internal client route would overlap or end up with a lot of wasted IP addresses. 

 

I'm really curious as to the pros and cons of using a routed solution over a NAT'd solution. Which protocols would have issues with this? They are not doing any type of inspection or firewalling, just translation. I can see how VPN tunnels would have to take this into effect with NAT-T but what else?

 

Thanks for the comments! 
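For the follow-up problem of carving a /27 into a mix of /30, /29 and /28 client subnets without overlap or stranded space (the fragmentation worry raised above), here is an added Python example of a largest-first VLSM allocator, again not from the thread and using only the standard ipaddress module. The block 203.0.113.0/27 and the client labels are constructed sample input; the VLAN numbers and "first usable host as gateway" convention in `svi_plan` are assumptions for illustration.

```python
import ipaddress


def allocate_subnets(block, requests):
    """Carve variable-length subnets out of `block` (VLSM style).

    `requests` is a list of (label, prefix_length). Largest requests (smallest
    prefix length) are placed first, so a late /28 cannot collide with a /30
    that was dropped into the middle of the range earlier. Returns
    (allocated, free): the allocations as (label, network) pairs in the order
    they were placed, and whatever unassigned space remains.
    """
    free = [ipaddress.ip_network(block)]
    allocated = []
    for label, prefixlen in sorted(requests, key=lambda r: r[1]):
        # Always take the lowest-addressed free block that is big enough.
        free.sort(key=lambda n: int(n.network_address))
        candidate = next((n for n in free if n.prefixlen <= prefixlen), None)
        if candidate is None:
            raise ValueError(f"no room left for a /{prefixlen} ({label})")
        free.remove(candidate)
        if candidate.prefixlen == prefixlen:
            chosen = candidate
        else:
            # Take the first /prefixlen piece and return the remainder to the pool.
            chosen = next(candidate.subnets(new_prefix=prefixlen))
            free.extend(candidate.address_exclude(chosen))
        allocated.append((label, chosen))
    free.sort(key=lambda n: int(n.network_address))
    return allocated, free


def svi_plan(allocated, first_vlan=100):
    """One VLAN per allocation; the gateway is the first usable host (assumed convention)."""
    rows = []
    for i, (label, net) in enumerate(allocated):
        gateway = next(net.hosts())
        rows.append({"vlan": first_vlan + i, "label": label, "network": str(net),
                     "gateway": str(gateway), "mask": str(net.netmask),
                     "usable_hosts": net.num_addresses - 2})
    return rows


if __name__ == "__main__":
    # Constructed request list: two /30 clients, one /29, one /28 out of a /27.
    wanted = [("client-a", 30), ("client-b", 29), ("client-c", 28), ("client-d", 30)]
    allocated, free = allocate_subnets("203.0.113.0/27", wanted)
    for row in svi_plan(allocated):
        print(f"vlan {row['vlan']:<4} {row['label']:<9} {row['network']:<18} "
              f"gw {row['gateway']} mask {row['mask']} ({row['usable_hosts']} hosts)")
    print("unassigned:", [str(n) for n in free])
```

Sorting requests largest-first is what keeps the /28 aligned on a 16-address boundary; if the same list is handed out in arrival order, a /30 taken at the bottom of the block can leave no aligned /28 for a later request, which is exactly the overlap-or-waste problem described above.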

Quick side question: there is no firewall in this config? And routing public IPs internally without NAT?

Chris

As I understand it there is no firewall.

And yes the idea is to try and route part of the subnet allocated between the router and the ISP internally.

Do you have an alternative solution in mind ?

I ask because as Nathan says, the solution I suggested does waste some public IPs which is never a good thing to do if you can help it :-)

Jon

The way I have always worked it was to use NAT or PAT. 

 

Why can you not use NAT?
