Efficient subnetting

Posted in networking by aangelis on 06 May 2016

With the following setup I will try to illustrate a more efficient use of IP subnets. Assuming that you are using Linux kernel based devices (servers and routers), this method avoids wasting IPs on network and broadcast addresses.

Moreover, it is one way of securing our network against abuse from within, for example a server attacking other devices on the same subnet or spoofing IPs that belong to other devices on the same subnet.

                   |-switch2---|                               |-switch1---|
                   |      trunk|-- (ether2) router1 (ether1) --|           |
server1  (eth0) ---|vlan2      |              |                |           |
                   |           |           (ether3)            |           |
server2 (enp0s3) --|vlan3      |              |                |           |
                   |      trunk|-- (ether2) router2 (ether1) --|           |
                   |-----------|                               |-----------|

We assume that we can use IPs for our servers from the subnet 54.54.54.0/24.

We will use only two IPs for our servers' connectivity: .11 for the first one (CentOS) and .250 for the second (Arch).

server1# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=xx:xx:xx:xx:xx:xx
TYPE=Ethernet
UUID={ some UUID }
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=54.54.54.11
NETMASK=255.255.255.255
DNS1=xxx.xxx.xxx.xxx
DNS2=xxx.xxx.xxx.xxx

server1# cat /etc/sysconfig/network-scripts/route-eth0
54.54.54.0 dev eth0
default via 54.54.54.0 dev eth0

server2# cat /etc/systemd/network/wired.network
[Match]
Name=enp0s3

[Address]
Address=54.54.54.250
Peer=54.54.54.0/32

[Network]
DNS=xxx.xxx.xxx.xxx
Gateway=54.54.54.0

Our two routers will have almost identical configuration.

router{1,2} > / interface vlan
              add arp=proxy-arp interface=ether2 name=vlan2 vlan-id=2
              add arp=proxy-arp interface=ether2 name=vlan3 vlan-id=3

              / ip address
              add address=10.20.30.{25,26}/24 interface=ether1
              add address=10.20.31.{1,2}/30 interface=ether3
              add address=54.54.54.0/24 interface=vrrp1 network=54.54.54.0

              / interface vrrp
              add interface=ether3 name=vrrp1 on-backup=\
              "/ interface ethernet set [find name=ether2] disabled=yes;" on-master=\
              "/ interface ethernet set [find name=ether2] disabled=no;" preemption-mode=\
              no priority=100

              / ip route
              add distance=1 dst-address=54.54.54.11/32 gateway=vlan2
              add distance=1 dst-address=54.54.54.250/32 gateway=vlan3

              / routing ospf instance
              set [ find default=yes ] redistribute-static=as-type-1
              / routing ospf network
              add area=backbone network=10.20.30.0/24

As we can see, each one of our servers is isolated in its own VLAN. They all use one IP subnet with the common gateway IP 54.54.54.0.

Both routers are configured with the IP 54.54.54.0 on an interface other than the VLAN interfaces, and they answer ARP requests for it on the VLAN interfaces because proxy ARP is enabled there.

With the use of VRRP we have high availability, and combining that with OSPF running on the "outside" ethernet interface (ether1), our routers learn the default and other routes dynamically from the rest of the infrastructure. OSPF also redistributes static routes; we need that feature to advertise our servers' IPs to the rest of the network.
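To make the forwarding behaviour above concrete, here is an added example (not from the original post) that models the longest-prefix match on server1's table and on the routers' table as configured in this post. It shows that a packet from server1 to its neighbour .250 can only travel via the gateway, that the routers' /32 routes pin each address to one VLAN, and, as an extra check not in the post's configuration, how a strict reverse-path test on the router catches a neighbour's address spoofed from the wrong VLAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix
    dev: str                        # egress interface
    via: Optional[str] = None       # next hop; None means on-link

def lookup(table, addr):
    """Longest-prefix match, as the Linux FIB does for a unicast address."""
    addr = ipaddress.ip_address(addr)
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

# server1's routes from the post: host route to the gateway, default via it
SERVER1 = [
    Route(ipaddress.ip_network("54.54.54.0/32"), "eth0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", via="54.54.54.0"),
]

# router{1,2}: one /32 per server pointing at its VLAN, plus the /24 on vrrp1
ROUTER = [
    Route(ipaddress.ip_network("54.54.54.11/32"), "vlan2"),
    Route(ipaddress.ip_network("54.54.54.250/32"), "vlan3"),
    Route(ipaddress.ip_network("54.54.54.0/24"), "vrrp1"),
]

def next_hop(table, dst):
    """Return (device, via) for dst, or None if no route matches."""
    r = lookup(table, dst)
    return (r.dev, r.via) if r else None

def source_matches_ingress(table, src, ingress):
    """Strict reverse-path check (added here, not part of the post's config):
    the route back to the claimed source must leave through the interface the
    packet arrived on. A neighbour's IP spoofed from another VLAN fails this."""
    r = lookup(table, src)
    return r is not None and r.dev == ingress

if __name__ == "__main__":
    print(next_hop(SERVER1, "54.54.54.250"))             # ('eth0', '54.54.54.0')
    print(next_hop(ROUTER, "54.54.54.250"))              # ('vlan3', None)
    print(source_matches_ingress(ROUTER, "54.54.54.250", "vlan2"))  # False
```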

Finally, we test our setup.

server1# ip addr show dev eth0 | grep 'inet '
inet 54.54.54.11/32 brd 54.54.54.11 scope global eth0

server1# ip route
54.54.54.0 dev eth0  scope link
169.254.0.0/16 dev eth0  scope link  metric 1002
default via 54.54.54.0 dev eth0

server1# ping -c 2 54.54.54.0
PING 54.54.54.0 (54.54.54.0) 56(84) bytes of data.
64 bytes from 54.54.54.0: icmp_seq=1 ttl=64 time=1.35 ms
64 bytes from 54.54.54.0: icmp_seq=2 ttl=64 time=1.12 ms
--- 54.54.54.0 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss

server1# ip neighbor
54.54.54.0 dev eth0 lladdr xx:xx:xx:xx:xx:xx REACHABLE
10.20.30.25 dev eth0 lladdr xx:xx:xx:xx:xx:xx STALE

server1# ping -c 2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=39.6 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=37.2 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss