Best practice for ptp/loopback numbering for "small" enterprise multihome setup

vom513 vom513 at gmail.com
Fri Mar 26 17:01:22 UTC 2021


Hello,

tl;dr - If I only have a /24 PI - is there any way to use this and not “chop it up / deagg” to use for ptp/loopbacks ?

Hopefully I can explain this in a manner that makes sense.

Say I have a vanilla dual router/dual upstream setup (think enterprise internet edge).

It’s basically an “H” shape:

- Two ISPs
- Two routers (“crosslink” is the middle of the H - iBGP)
- Each router has at least a link downstream into my public “outside” segment.  I run an FHRP here.  This is where my DMZ firewalls, VPN endpoints etc. have their outside interfaces.

Let’s also say I only have a /24 of PI.

I need to number the crosslink and the loopbacks.  The upstreams will use their own /30 / /31 let’s say for the top of the H.  My downstream interfaces will have my /24 (or parts of it) on the bottom of the H.

My understanding and instinct is that at least the crosslink should be numbered with public addresses.  One scenario where this might matter is if router2 loses his inside interface (ex: switch failure): he still needs to be able to deliver traffic via the crosslink through router1 and onward downstream.  When this traffic traverses here, if there is any kind of error (i.e. the router is sourcing an ICMP packet of some kind), this will be sourced from router1’s crosslink, yes (assuming router1 is generating the error, of course)?

Loopbacks may be negotiable, as only router1/2 are using these to pin up iBGP.  Nevertheless, my instinct would be to also use public addresses here.

As I said in the tl;dr, my main point of contention here is breaking up my /24, i.e. using the very top /30s / /31s for ptp/loop.  I would then have at most the bottom /25 to use contiguously on my “lan”, and I would need to use the next /26, /27 and so on in some manner for the space to be usable...

Here are some other options, and my understanding of the pros/cons:

- Use RFC1918
	Makes my eye twitch out of the gate.  Not to mention packets sourced from here *should* get blocked by my upstreams by way of uRPF.  Likely to be filtered at other points and directions as well…

- Get a /29 from one of the ISPs for ptp/loops
	Better than RFC1918.  Kind of weird.  If this is from isp1 - should have no issues sourcing toward them.  Might have issues (uRPF) toward isp2.  Announce this via BGP / no-export to both ISPs ?  Now it’s getting even weirder…

- Use my own PI space
	Should have no filtering issues at all.  Now I have to deagg my /24 and use the pieces (largest /25).

Am I making too big of a deal of this?  If you’ve read this far, I do appreciate it.  Anxious to hear feedback on this.

PS: I would likely ACL on my upstream interfaces to block direct packets to my routers themselves as well.
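The numbering question above (carving the crosslink and loopbacks out of the top of the /24 and seeing what contiguous space is left) and the uRPF concern about the three source-address options, worked through as an added example that is not part of the original post or any reply. It goes a little beyond the message: it computes the /25, /26, /27... remainder mechanically and models both strict and loose uRPF at the second upstream. The prefixes are RFC 5737 documentation space standing in for the real PI /24 and for isp1's aggregate; the interface names and isp2's routing-table contents are constructed for the illustration.

```python
"""Carve router infrastructure addresses (crosslink and loopbacks) out of a
single /24 of PI space and show what the LAN side has left, plus a small
model of strict/loose uRPF on an upstream's edge interface.

Added example, not from the original message.  203.0.113.0/24 stands in for
the poster's PI block and 198.51.100.0/24 for isp1's aggregate (both RFC 5737
documentation space); the RIB and interface names below are constructed.
"""
import ipaddress

PI_PREFIX = "203.0.113.0/24"        # stands in for the poster's /24 of PI


def carve_infra(pi_prefix=PI_PREFIX, infra_len=29, crosslink_len=31, routers=2):
    """Reserve the highest /infra_len block of the PI prefix for router
    infrastructure: the crosslink at its bottom and one /32 loopback per
    router right after it (this keeps .255 out of use as a loopback).
    Returns string prefixes, including the aggregated blocks left over for
    the LAN side under 'lan_blocks'."""
    pi = ipaddress.ip_network(pi_prefix)
    infra = list(pi.subnets(new_prefix=infra_len))[-1]
    crosslink = next(infra.subnets(new_prefix=crosslink_len))
    singles = list(infra.subnets(new_prefix=32))
    first_free = crosslink.num_addresses
    loopbacks = singles[first_free:first_free + routers]
    if len(loopbacks) < routers:
        raise ValueError("infra block too small for crosslink plus loopbacks")
    # address_exclude() hands back the remainder as the fewest CIDR blocks,
    # which is exactly the /25, /26, /27 ... staircase the post describes.
    lan_blocks = sorted(pi.address_exclude(infra))
    return {
        "infra": str(infra),
        "crosslink": str(crosslink),
        "loopbacks": [str(lb) for lb in loopbacks],
        "lan_blocks": [str(b) for b in lan_blocks],
    }


# Constructed view of isp2's routing table: prefix -> interface the route
# points out of.  No default route is included, so an unrouted source fails
# even in loose mode (the usual behaviour unless allow-default is enabled).
ISP2_RIB = {
    "203.0.113.0/24": "cust-vom513",   # the PI /24, announced by the customer
    "198.51.100.0/24": "peer-isp1",     # isp1's aggregate, learned over peering
}


def urpf_check(src_ip, rib, ingress_if, mode="strict"):
    """Model uRPF on an ISP edge interface for one source address.
    Loose mode: some route must cover the source.  Strict mode: the
    longest-matching route must point back out the ingress interface."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, egress in rib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    if best is None:
        return False
    if mode == "loose":
        return True
    return best[1] == ingress_if


def compare_crosslink_sources(rib=ISP2_RIB, ingress_if="cust-vom513"):
    """Run the three numbering options from the post through isp2's uRPF as
    an ICMP error sourced from router1's crosslink.  Returns
    {option: (strict_passes, loose_passes)}."""
    candidates = {
        "own PI (203.0.113.248)": "203.0.113.248",
        "isp1-assigned /29 (198.51.100.1)": "198.51.100.1",
        "RFC1918 (10.0.0.1)": "10.0.0.1",
    }
    return {name: (urpf_check(ip, rib, ingress_if, "strict"),
                   urpf_check(ip, rib, ingress_if, "loose"))
            for name, ip in candidates.items()}


if __name__ == "__main__":
    for key, val in carve_infra().items():
        print(f"{key:10} {val}")
    for name, (strict, loose) in compare_crosslink_sources().items():
        print(f"{name:34} strict={'pass' if strict else 'DROP'} "
              f"loose={'pass' if loose else 'DROP'}")
```

Two things the output makes concrete: taking the top /29 leaves 203.0.113.0/25, .128/26, .192/27, .224/28 and .240/29 for the LAN side, which is the staircase the post worries about, while the /24 itself can still be announced whole because the crosslink and loopbacks sit inside it; and the isp1-assigned block only survives a loose-mode check at isp2, since isp2's best route for it points at the peering, not at the customer port.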
More information about the NANOG mailing list