As far as address conservation goes, they're better off addressing the wan
links between the 7206 and the 827's as /30, and letting the 827's provide
DHCP addresses to the home users.  The home networks can all be the same
network (and 1000 duplicate addresses, who cares).  As far as the rest of
the network is concerned, there's only one address for each home network,
the unique nat outside address of the 827.  Using IP unnumbered on the wan
links is only going to eat up more addresses because they will have to
advertise the networks on the home side of the 827's.  They can burn up 1000
/30s or 1000 /28s.

The 827s can be built with a cookie cutter config.  The only thing that
needs to be different on each one is the wan ip address.  Nobody needs to
keep track of what addresses are in use at what house, no static address
database is needed (for these 1000 links anyway - I don't know what the rest
of their network looks like), and the home pc's could be built cookie cutter,
too.  They could save a ton of money on man hours if layer 8 wasn't in the
way.

-Rob Fielding  CCIE #7996
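A cookie-cutter 827 template along the lines described in this thread, written here as an added example; it is not from the thread or any of its participants. All addresses, hostnames and interface numbers are constructed: 10.1.0.0/20 is assumed to hold the 1000 /30 WAN links, 192.168.1.0/24 is reused at every house, and only the ATM0 address changes per unit.

```cisco
! Hypothetical 827 template (added example). Per-unit value: the ATM0 address.
hostname home-827
no cdp run
no ip source-route
!
! Same inside network at every house; only the 827's outside address is unique.
ip dhcp excluded-address 192.168.1.1
ip dhcp pool HOME
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 10.0.0.53
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface ATM0
 ip address 10.1.0.2 255.255.255.252
 ip access-group WAN-IN in
 ip nat outside
 dsl operating-mode auto
 pvc 0/35
  encapsulation aal5snap
!
! Overload (PAT) every inside host onto the WAN interface address.
ip nat inside source list NAT-HOSTS interface ATM0 overload
ip access-list standard NAT-HOSTS
 permit 192.168.1.0 0.0.0.255
!
! Inbound from the WAN: only replies to sessions the house opened.
! "established" matches TCP segments with ACK or RST set and nothing else, so
! UDP replies (DNS) need a reflexive ACL or CBAC; the final deny logs the rest.
ip access-list extended WAN-IN
 permit tcp any any established
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
!
! The only route the 827 needs; the far end is the 7206 subinterface.
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
! 7206 side (one subinterface per house; 10.1.0.0/20 holds 1024 /30s):
interface ATM1/0.1 point-to-point
 ip address 10.1.0.1 255.255.255.252
 pvc 1/35
  encapsulation aal5snap
! Core side: a single static for 10.1.0.0/20 toward the 7206 replaces 1000
! per-house routes, since every /30 is directly connected on the 7206.
```

With no routing protocol anywhere, the 7206 never learns the 192.168.1.0/24 networks behind the 827s, which is exactly why they can all be identical.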




----- Original Message -----
From: "Chuck Larrieu" 
To: 
Sent: Saturday, September 01, 2001 6:43 AM
Subject: RE: I have a customer who... food for thought - static routes
[7:18180]


> you know something? That's an interesting idea! May I think out loud here?
>
>
> core_network------------7200------------------------------827----------home_user
>   routed NAT<>inside_network
>                     subinterfaces      global outside<> who cares what's inside?
>
> need an ip on the 7200 side and the 827 side - takes up two hosts of the /28
> the customer is specifying...
>
> well, let's see... there is still the matter of the home user inside
> addressing. Care needs be taken because even though there is private
> addressing in place, there is still the possibility of overlap with other
> parts of the network. hhhmmm.......
>
> on the 7200 side, all subnets are on directly connected interfaces. run the
> routing protocol of choice, and summarize the subnets into the core.
> eventually there will be several hundred /28's. at 16x28 per /24, that means
> a lot of /24's eventually. if the customer played their cards right, they
> could advertise what? a single /20 or so? maybe even a /19?
>
> for address conservation, the customer is insisting on ip unnumbered on the
> links. I'm pondering the relative merits - does NAT'ing create more or less
> work? Does it require more or fewer things to keep track of? on the other
> hand, it does answer a number of the customer expressed concerns and
> policies.
>
> You know, Rob, it would be a hell of a lot easier dealing with you than with
> the particular group I am dealing with. At least you have some creativity
> and some understanding of the alternatives. I'll bet the two of us could
> come up with a solution that would knock their socks off. So far I've had
> to listen to the bogus route flapping argument ( "every time a DSL user
> turns off his equipment, we'll see route flaps in our core" ) the bogus
> default route advertisement argument ( "these guys will connect a router at
> home and start advertising a default that will screw up the entire
> company" ) ok, so we put them in their own domain and redistribute with
> strict filtering. or we use On Demand Routing. "well we don't want CDP
> running on these routers because it's insecure" OK. I give up. "well we
> don't understand why you have to do it this way anyway. when we were with X
> company all we did was use a static default" yes but X company was an ISP
> and you were using a VPN with the associated overhead. our solution is
> equivalent to a frame relay network, and can be treated accordingly. and
> the final definitive argument, against which there is no counter - "our
> policy does not allow routing to remote access users"
>
> As I said someplace else, the real issue here lies somewhere above layer 7.
> Hey, Howard, at what layer are ignorance and lack of clue? ;->
>
> Chuck
>
> -----Original Message-----
> From: Rob Fielding [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 31, 2001 6:06 PM
> To: Chuck Larrieu; [EMAIL PROTECTED]
> Subject: Re: I have a customer who... food for thought - static routes
> [7:18108]
>
>
> Actually, when I mentioned bridging, I was only talking about the 827s.
> They should still have to route through the 7206 to reach each other.  But,
> bridging is just a bad idea anyway.  Instead, you could NAT the home side of
> the 827 to the address of the 827s wan interface.  Each link between the
> 7206 and the 827s is a separate routed link, but the 7206 doesn't need to
> know about the networks behind the 827s.  It only needs to know about the
> links that are directly connected.  No bridging and no statics needed, and
> if the wan links are addressed properly, then they can all be summarized to
> the rest of the corporate network.  Since security is a concern, then I
> would suggest an access list on the 827s to only allow established
> connections inbound.
>
> -Rob Fielding  CCIE #7996
>
>
>
> ----- Original Message -----
> From: "Chuck Larrieu"
> To: "Rob Fielding" ;
> Sent: Friday, August 31, 2001 5:07 PM
> Subject: RE: I have a customer who... food for thought - static routes
> [7:18108]
>
>
> > yes - sheer numbers of devices in the shared bridging domain. we are
> > talking 500 to a thousand home users, many of whom are technically savvy
> > folks who may have reasons good or bad to connect multiple devices to the
> > home part of the remote access network. not to mention the fact that
> > bridging would mean direct and unrestricted access from each of these home
> > guys to each other. I can just see the little rascals Code Redding each
> > other! ;->
> >
> > Chuck
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Rob Fielding
> > Sent: Friday, August 31, 2001 9:58 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: I have a customer who... food for thought - static routes
> > [7:18108]
> >
> >
> > I just quickly glanced at the 827 docs on cisco.com, so please correct me
> > if I'm wrong about them.  According to the docs, you can configure the
> > 827's for bridging or NAT.  You could avoid static routes on this edge of
> > the customer's network entirely (except for defaults on the 827's).  The
> > 7206 would see all of the home networks as being directly connected.  NAT
> > overload would probably be my first choice because the 827 could assign
> > addresses to the home pc's with DHCP, so the users wouldn't have to
> > configure anything, and any number of home pc's would just share the
> > 827's wan interface address.  No need for statics at all.
> > Does the customer have any issues about this type of config?
> >
> > -Rob Fielding  CCIE #7996
> >
> >
> >
> > ----- Original Message -----
> > From: "Chuck Larrieu"
> > To:
> > Sent: Thursday, August 30, 2001 10:38 PM
> > Subject: RE: I have a customer who... food for thought - static routes
> > [7:18038]
> >
> >
> > > There have been several good replies to my post. In addition to Tony's
> > > insight below, Leigh Anne and Jim both had excellent observations that
> > > covered issues my customer raised.
> > >
> > > The customer expressed concerns were with engineers who for any number
> > > of reasons, whether careless, inconsiderate, malicious, or as part of
> > > their jobs, might bring down various segments. this is something that
> > > apparently happens with some regularity in the customer production
> > > network.
> > >
> > > there were concerns with route flapping at the core. we are in
> > > California, after all, and we still live under the threat of rolling
> > > blackouts. plus many folks out here are doing their part by shutting
> > > things down at night, or when not in use. The flapping issue is bogus,
> > > as one could always advertise only the summaries into the core, but
> > > again, the customer engineer would not hear of it.
> > >
> > > the customer deliberately turns off CDP. I did not discuss this with
> > > him, but I suspect there is a bit of concern with revealing information
> > > that CDP transmits.
> > >
> > > my point in bringing up this situation was in part to stimulate thought
> > > about using various forms of routing as one means of enforcing policy.
> > > Static routing is not necessarily a bad thing. On the other hand, there
> > > are other ways to deal with the stated concerns other than massive
> > > static routing.
> > >
> > > enjoyed the comments. thanks, everyone.
> > >
> > > Chuck
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > Tony Medeiros
> > > Sent: Thursday, August 30, 2001 12:23 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: I have a customer who... food for thought - static routes
> > > [7:17826]
> > >
> > >
> > > I'll bite:
> > > PROS:
> > >
> > > 1) If DSL user decides to change his network for some reason and it
> > > overlaps another one somewhere, dynamic routing will hose the core.
> > > (could prevent with route filtering but that would be an even bigger
> > > hassle).
> > >
> > > 2)  7206 might fold with that many routing protocol neighbors (depends
> > > on routing protocol)
> > >
> > > 3)  Job security for the guy managing the network :)
> > >
> > > 4) ODR needs CDP and that many neighbors could fold the core too maybe
> > > ?? Don't know about that.
> > >
> > > 5) Less overhead in general.
> > >
> > > 6) Security,  Don't want some guy to announce a boatload of bogus
> > > networks.
> > >
> > > 7) Unless the routing protocol of choice can only send a default route,
> > > those little DSL routers would get killed with a big table.  OSPF would
> > > do it but each little router would need to be in its own area or the
> > > LS database would kill the little guys.  RIP seems like a good choice,
> > > but again, there would be need for a lot of filtering to keep the table
> > > small.  You could have a default static on all the little guys and
> > > filter ALL updates coming out of the core.  But there is the security
> > > thing again.
> > >
> > > 8) Stability,  The static way will be the most stable for sure,
> > >
> > > CONS:
> > > 1)  Management nightmare.
> > >
> > > I think I see their point already Chuck. I don't quite see why CDP
> > > wouldn't be allowed though.
> > > Am I close ?
> > > Tony M.
> > >
> > > ----- Original Message -----
> > > From: "Chuck Larrieu"
> > > To:
> > > Sent: Wednesday, August 29, 2001 11:28 PM
> > > Subject: I have a customer who... food for thought - static routes
> > > [7:17819]
> > >
> > >
> > > > I have a customer who... don't you love it when a post begins with
> > > > those words?
> > > >
> > > > In my case, I am hoping this can serve as food for thought, a
> > > > springboard for discussion. So here goes....
> > > >
> > > > My customer is a high tech firm whose name you would all recognize,
> > > > if I were to exhibit ill manners by revealing it.
> > > >
> > > > My project ( well, I'm just the junior assistant engineer ) is to
> > > > develop and proof configurations for a private remote access network.
> > > > DSL at the home, ATM at the central site. Not a VPN. This circuit does
> > > > not touch the internet.
> > > >
> > > > In any case, the client is expecting 500-1000 home users on this
> > > > network.
> > > >
> > > > Here's the kicker. the client refuses to allow routing protocols on
> > > > either the home user routers ( Cisco 827's ) or the central site
> > > > router ( Cisco 7206 ) That means how many static routes at the host
> > > > site? :-0
> > > >
> > > > Food for thought - what are some of the reasons the customer might
> > > > not want a routing protocol of any kind on this network? When
> > > > discussing with the customer engineer in charge of this project, I was
> > > > given a couple of reasons, and upon hearing them I saw the point and
> > > > agreed the concerns were valid.
> > > >
> > > > BTW, the point was not that the customer hates me and wants me to
> > > > spend the next three weeks typing in static routes. Nor is it that the
> > > > customer does not "get it". It is not a matter of good or bad design.
> > > >
> > > > So, in light of the old saw that static routes are not scalable, and
> > > > should be avoided, what might be some reasons that a designer would
> > > > demand a network of this size and relative complexity, with users
> > > > being added, subtracted, and relocated, thus creating long term
> > > > employment for the router administrator, be composed entirely of
> > > > static routes? What are the plusses? What is the downside?
> > > >
> > > > Your analyses, please.
> > > >
> > > > Chuck
> > > >
> > > > P.S. I think I'm going to try again. Maybe On Demand Routing would
> > > > solve my problem and the customer's. Oops, that's right. The major
> > > > component of ODR is not allowed on this network either. ( hint )




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=18189&t=18189
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
