the basic concept of 3069 is to allow you to assign ip addresses one at a time to systems in a data center, but still keep them in separate broadcast domains and avoid ip "stealing". i have been doing this for quite some time (before i had ever seen the rfc) by using 1 vlan per customer and a subinterface per vlan. this allows me to use ip unnumbered on the subinterface and rely on proxy arp if for some reason customers need to talk to each other. install /32 routes pointing to the appropriate subint and turn on unicast source reachable and presto! this lets us keep ip waste to almost 0. also allows for shaping per customer.
anyway, i am now looking at pushing some of this down into the 6509 i'm playing with and there are 3 ways to get to the same place.

1. put port g#/# in switchport mode, then using vlan# interface with ip unnumbered. route to vlan#
2. create subint on port g#/# with dot1q native vlan and ip unnumber it. route to g#/#.#
3. assign fake ip (like 10.#.#.1/30) to base port. route to g#/#

pro/cons:

1. probably gives me the most flexibility, i can provide multiple ports to a single customer by putting them all in same vlan. but i wonder if processing will be heavier that way having to go through the vlan pseudo interface.
2. pretty close to what i do now, but can't have multiple ports per customer, since from what i can tell those vlans are just for in/outbound tagging and don't interact with switching fabric.
3. feels like might have the least overhead, but traceroute exposes fake ip.

and i haven't determined if any of these would have problems with shaping. they all seem like full interfaces, so i would expect to be able to shape on any of them.

no one may be as crazy as i am and doing anything like this, so feedback may be sparse. but, i'm curious if anyone has feelings about which of 1-3 would have the least overhead. i don't have enough time available to set up a good test between them. they all seem to work, but that's as far as i've gotten. as a small isp, we don't have huge amounts of traffic, so it may all be moot. i just want to keep the customer isolation without burning up ips. we have lots of single ip customers.

and yes, i have v6 available, but only have 2 customers that have even started using it. all of these options work great for v6 since i can just give a /64 to each customer interface.

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
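The three 6509 variants described in the post, written out as IOS-style configuration so the pieces (per-customer VLAN or subinterface, ip unnumbered, the /32 static route, strict uRPF, an output shaper) can be compared side by side. This is an added illustration and not configuration from the original post or from Cisco; the interface numbers, VLAN ids, the Loopback0 anchor address, the 192.0.2.x customer /32s, the 10.0.3.0/30 "fake" subnet and the policy-map name and rate are all assumed placeholders, and whether the 6500 actually applies the shaper in hardware on each of the three interface types is the open question the post raises, not something this example settles.

```cisco
! Added example: one customer per variant, IOS-style. Placeholder values
! throughout (ports, VLAN ids, addresses, shaper rate) - adjust to taste.
!
! Loopback0 holds the address every unnumbered customer interface borrows.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Per-customer shaper (placeholder 10 Mbit/s); referenced from each variant.
policy-map CUST-10M
 class class-default
  shape average 10000000
!
! --- option 1: access port(s) in a customer VLAN, routed through the SVI ---
! A second physical port for the same customer just joins VLAN 101.
vlan 101
 name customer-a
!
interface GigabitEthernet1/1
 description customer-a, port 1
 switchport
 switchport mode access
 switchport access vlan 101
!
interface Vlan101
 description customer-a (routed via SVI)
 ip unnumbered Loopback0
 ip proxy-arp
 ip verify unicast source reachable-via rx
 service-policy output CUST-10M
!
ip route 192.0.2.11 255.255.255.255 Vlan101
!
! --- option 2: dot1q subinterface with the native (untagged) VLAN ---------
! Tagging is per-port only, so a customer gets exactly one port this way.
interface GigabitEthernet1/2
 no ip address
!
interface GigabitEthernet1/2.102
 description customer-b
 encapsulation dot1Q 102 native
 ip unnumbered Loopback0
 ip proxy-arp
 ip verify unicast source reachable-via rx
 service-policy output CUST-10M
!
ip route 192.0.2.12 255.255.255.255 GigabitEthernet1/2.102
!
! --- option 3: private /30 on the physical port -----------------------------
! No loopback dependency, but 10.0.3.1 is what a traceroute will show.
interface GigabitEthernet1/3
 description customer-c
 ip address 10.0.3.1 255.255.255.252
 ip verify unicast source reachable-via rx
 service-policy output CUST-10M
!
ip route 192.0.2.13 255.255.255.255 GigabitEthernet1/3
```

In all three cases the /32 static route pointing at the customer's own interface is what makes the router resolve that single address directly on that interface, and `ip verify unicast source reachable-via rx` (strict uRPF) is the isolation check: a packet arriving on Vlan101 with a source of 192.0.2.12 is dropped because the best route back to 192.0.2.12 is a different interface, which is the IP "stealing" the post refers to. `ip proxy-arp` is the IOS default and is spelled out only because customer-to-customer traffic depends on it; `show ip interface <if>` is the quick way to confirm both proxy ARP and the uRPF mode actually took effect on a given interface type.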
