My employer subscribes to a fiber-based leased Internet line from a publicly owned incumbent ISP. The ISP admin says that he cannot give a subnet bigger than /30 because he fears that the ISP edge router would become unstable and start rebooting because of ARP broadcasts from larger subnets. But I badly require a /29 subnet. I told him that ARP flooding only affects switches and not routers. But he says that the ISP edge router usually gets flooded by ARP broadcasts from the customers who are already assigned larger subnets. According to him it has rebooted many times only because of it. The largest subnet assigned directly from the edge router is /28. None of the customers have more than 20 Mbps bandwidth. The router is Cisco 7500 series. I believe that ARP broadcast flooding would never result in reboots. I need to convince him that ARP broadcasts do not affect routers, and somehow I should get a /29 subnet. So, what is the best step to take in this strange situation?


EDIT1: For one year I had a /29 subnet from the same ISP. Because of budgetary constraints I could get only one server (with 6 Ethernet interfaces) from my employer to be used as server and router (with Ubuntu Server). As my users (who browse the Internet from the LAN) visit dodgy websites, I set up one public IP from the /29 subnet on one interface for NATing traffic to the local LAN for my users. I used another public IP on another interface through which I hosted some websites (I used policy routing from iproute2 to send my website traffic from the interface/IP which is different from the public IP used by the LAN users). This is done just to avoid the domain-associated IP being blacklisted/probed if LAN users browse dodgy sites with the same IP. And I also use another public IP on another interface to NAT traffic for another separate group of users.

Now I'm buying a 3 times faster link from the same ISP, for which I have to use a separate public IP subnet. And they told me in advance that I'll get connected to the ISP only with a /30 subnet, but I might get a /29 subnet which is routed through the /30 subnet. This setup requires a new router, which I don't want to have. And more importantly, I'm going to miss the awesome setup where I used one server for everything. Or is there a way to use IPs from both the /30 and /29 subnets on the same router (as the router has multiple interfaces)?

In the city where I live all the ISPs (even a tier 1 ISP) provide a direct connection with only a /30 subnet. If we ask for more IPs, they provide a /29 subnet routed through the previously provided /30 subnet. And everyone fears ARP flooding on their edge routers. ARP flooding causing routers to reboot seems like a baseless urban myth.


EDIT2: On my current /29 subnet I used tcpdump to listen to ARP requests/replies. The gateway for the /29 (the ISP's edge router) replies with its MAC for many 10.x.x.x, 172.x.x.x, and 192.x.x.x addresses. For an hour more than 100 different IP addresses were advertised (even though there were no requests for those addresses). Every time it is the same MAC address, the same one as my /29 gateway IP. Seems like they use proxy ARP excessively. Would this affect the performance of their edge router?

nixnotwin
    Wow, you've got an amazingly dodgy ISP there. I'd be working real hard to replace them with a provider that knows what the hell they're doing. – womble May 19 '12 at 11:01
  • If you explain why you want the subnet to be larger, there's probably a way to get the same effect. For example, if it's for link endpoint redundancy, there are other ways to get that -- for example, the single endpoint IP can float between two routers. – David Schwartz May 19 '12 at 11:55
  • My question is updated with some more information. – nixnotwin May 19 '12 at 14:58
  • Maybe you could promise to code static ARP bindings in all of your devices, thus reducing the ARP load on his router in exchange for a /29? =) – Jason Seemann May 20 '12 at 14:12
  • @JasonSeemann I can set up static ARP from my side on all my devices, but he cannot do the same thing on his edge router as it's connected to a huge number of devices. Would it matter much if he does not do it? – nixnotwin May 20 '12 at 14:52
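The observation in EDIT2 (one gateway MAC answering for many private addresses nobody asked for) can be quantified rather than eyeballed. The script below is an added example, not part of the question or any answer: it summarises a capture in the line format of `tcpdump -n arp`, counting replies per sender MAC, listing the addresses each MAC has claimed, and flagging replies for addresses that were never requested in the capture (the proxy-ARP or gratuitous-ARP signature). The sample capture is constructed; the MACs and addresses in it are made up. Run the real capture as root on your own segment only.

```shell
#!/bin/sh
# Added example (not from the original post): summarise ARP traffic on a
# customer /29 segment so an "excessive proxy ARP" claim rests on numbers.
#
# Real capture (root, your own segment only), then feed the file to the
# functions below:
#   tcpdump -n -i eth0 arp > arp.log
#   replies_per_mac < arp.log
#
# Constructed sample in "tcpdump -n arp" line format. 00:1b:0d:aa:bb:cc plays
# the ISP gateway, 52:54:00:12:34:56 a neighbour on the same /29.
SAMPLE='13:00:01.000100 ARP, Request who-has 192.0.2.9 tell 192.0.2.10, length 28
13:00:01.000300 ARP, Reply 192.0.2.9 is-at 00:1b:0d:aa:bb:cc, length 46
13:00:02.100000 ARP, Reply 10.20.30.40 is-at 00:1b:0d:aa:bb:cc, length 46
13:00:02.200000 ARP, Reply 172.16.5.7 is-at 00:1b:0d:aa:bb:cc, length 46
13:00:03.000000 ARP, Request who-has 192.0.2.12 tell 192.0.2.10, length 28
13:00:03.000200 ARP, Reply 192.0.2.12 is-at 52:54:00:12:34:56, length 46
13:00:04.000000 ARP, Reply 192.168.99.1 is-at 00:1b:0d:aa:bb:cc, length 46
13:00:05.000000 ARP, Reply 10.20.30.40 is-at 00:1b:0d:aa:bb:cc, length 46'

sample() { printf '%s\n' "$SAMPLE"; }

# Field layout of a reply line:
#   $1 time  $2 "ARP,"  $3 "Reply"  $4 claimed IP  $5 "is-at"  $6 "MAC,"
# and of a request line:
#   $3 "Request"  $4 "who-has"  $5 target IP  $6 "tell"  $7 "sender IP,"

# Number of ARP replies sent by each MAC: "mac count", sorted by MAC.
replies_per_mac() {
    awk '$3 == "Reply" { sub(/,$/, "", $6); n[$6]++ }
         END { for (m in n) print m, n[m] }' | sort
}

# Distinct "mac ip" pairs: how many different addresses each MAC claims.
ips_claimed() {
    awk '$3 == "Reply" { sub(/,$/, "", $6); print $6, $4 }' | sort -u
}

# Replies for addresses nobody asked for earlier in the capture: proxy ARP
# or gratuitous ARP rather than answers to our own queries. Output "ip mac".
unsolicited_replies() {
    awk '$3 == "Request" { asked[$5] = 1 }
         $3 == "Reply" && !($4 in asked) { sub(/,$/, "", $6); print $4, $6 }' | sort -u
}

echo "== replies per MAC =="
sample | replies_per_mac
echo "== addresses claimed per MAC =="
sample | ips_claimed
echo "== unsolicited replies (ip mac) =="
sample | unsolicited_replies
```

On the sample the gateway MAC sends five replies for four different addresses, three of which were never requested; the neighbour answers once, only when asked. Running the same three functions over an hour of real capture gives the ISP admin a concrete count of how much of the ARP traffic on that segment his own router is generating.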

3 Answers

2

Actually, you don't really care about the WAN subnet being a /30, if the provider can route more IPs/subnets to you.

The WAN subnet is just an interconnection between your router and your provider's.

Consider the following scenario:

  • provider's 7500 IP (also your default gateway): 192.0.2.1/30
  • your router wan IP address: 192.0.2.2/30

And then you ask for more IP addresses, and the provider gets you 192.0.2.16/28. He will then route it to you:

7500(config)# ip route 192.0.2.16 255.255.255.240 192.0.2.2

You can then use it the way you want. No ARP issues.

petrus
  • I think you're missing the point of his question. He wants to have more nodes that can route packets to his ISP. With a /30, he can only have one, making a single point of failure. – David Schwartz May 19 '12 at 11:54
  • @DavidSchwartz: I know that. I just proposed a workaround to his limitations. – petrus May 19 '12 at 13:35
  • How does that work around the limitation? He'd still only be able to have a single node that can reach his ISP's router directly, leaving the single point of failure. (Assuming that's what his issue is. He wasn't clear about it. But it's the most likely reason he wants a larger subnet assigned directly from the edge router.) – David Schwartz May 19 '12 at 13:40
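The customer side of the design in this answer, written for the single Ubuntu/iproute2 box described in EDIT1, as an added example that is not part of the answer or the question. The /30 address lives on the WAN interface and the router ARPs for exactly one thing on the ISP segment, the gateway; the routed /29 is held on a dummy interface, so its addresses are never ARPed on the provider's segment at all, and source NAT picks which public address each LAN group leaves with, keeping the web address off any reputation lists the browsing users earn. Interface names, the 192.0.2.x addresses and the LAN ranges are assumptions for illustration; the script defaults to a dry run that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the answer above): one Linux router holding the
# /30 interconnect plus an ISP-routed /29, with per-group SNAT.
# Interface names and all addresses below are assumptions for illustration.
# DRY_RUN=1 (default) prints the commands; run with DRY_RUN=0 as root to apply.

DRY_RUN="${DRY_RUN:-1}"

WAN_IF=eth0
WAN_IP=192.0.2.2/30            # our end of the /30 interconnect
WAN_GW=192.0.2.1               # ISP edge: the only address we ever ARP for
ROUTED_PREFIX=29               # 192.0.2.16/29, routed by the ISP to 192.0.2.2
NAT_IP_USERS=192.0.2.17        # egress address for the general LAN
NAT_IP_GROUP2=192.0.2.18       # egress address for the second user group
WEB_IP=192.0.2.19              # address the hosted websites bind to
LAN_IF=eth1;  LAN_NET=10.10.0.0/24
LAN2_IF=eth2; LAN2_NET=10.20.0.0/24

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# /30 on the WAN interface and a default route via the ISP edge. The kernel
# ARPs for 192.0.2.1 and nothing else on that segment.
configure_wan() {
    run ip addr add "$WAN_IP" dev "$WAN_IF"
    run ip link set "$WAN_IF" up
    run ip route add default via "$WAN_GW" dev "$WAN_IF"
}

# The routed /29 sits on a dummy interface: the box answers for these
# addresses locally (services can bind them), and because the ISP routes the
# block to 192.0.2.2, none of them ever appears in ARP on the ISP segment.
configure_routed_block() {
    run ip link add routed0 type dummy
    for a in "$NAT_IP_USERS" "$NAT_IP_GROUP2" "$WEB_IP"; do
        run ip addr add "$a/$ROUTED_PREFIX" dev routed0
    done
    run ip link set routed0 up
}

# Each LAN leaves with its own public address; the web address is never
# used as a NAT source, so browsing users cannot get it blacklisted.
configure_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$LAN_NET"  -o "$WAN_IF" \
        -j SNAT --to-source "$NAT_IP_USERS"
    run iptables -t nat -A POSTROUTING -s "$LAN2_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$NAT_IP_GROUP2"
}

setup_router() {
    configure_wan
    configure_routed_block
    configure_nat
}

setup_router
```

Because all egress leaves via the same /30 next hop, the iproute2 policy-routing tables from the old setup are no longer needed to separate the addresses: the choice of public address is made entirely by the SNAT rules and by which address a hosted service binds to.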
1

If the provider's router is being adversely affected by ARP traffic then it is misconfigured. Have them look into control plane policing (CoPP), which will protect the device's CPU not only from ARP traffic but from a number of other potential threats. Check out http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps1838/prod_white_paper0900aecd804ac831.pdf for some examples and suggestions.

Also, as mentioned, ARP would be a moot point if they just routed the subnet to you.

rnxrx
  • I will certainly show the white paper on CoPP to the ISP admins. They do accept and sometimes implement suggestions from the customers. – nixnotwin May 20 '12 at 01:12
0

Problems with broadcasts may affect a router if the network is badly designed and there is a humongous amount of broadcasts. A Cisco router tends to reboot if its CPU load is very high.

But it doesn't relate to the subnet mask. ARP broadcasts will be sent on a /30 as well, when using broadcast media.

To provide you with valid arguments for your ISP, more details on the network structure are needed.

DukeLion