Efficient subnetting

Posted in networking by aangelis on 06 May 2016

With the following setup I will try to illustrate a more efficient use of IP subnets. With this method, assuming that you are using Linux kernel based devices (servers and routers), we can avoid wasting IPs on network and broadcast addresses.

Moreover, it is one way of securing our network against abuse, for example attacks on other devices on the same subnet or spoofing of IPs that belong to other devices on the same subnet.

                   |-switch2---|                               |-switch1---|
                   |      trunk|-- (ether2) router1 (ether1) --|           |
server1  (eth0) ---|vlan2      |              |                |           |
                   |           |           (ether3)            |           |
server2 (enps3) ---|vlan3      |              |                |           |
                   |      trunk|-- (ether2) router2 (ether1) --|           |
                   |-----------|                               |-----------|

We assume that we can use IPs for our servers from subnet

We will use only two IPs for our servers' connectivity: .11 for the first one (CentOS) and .250 for the second (Arch).

server1# cat /etc/sysconfig/network-scripts/ifcfg-eth0
UUID={ some UUID }

server1# cat /etc/sysconfig/network-scripts/route-eth0
dev eth0
default via dev eth0

server2# cat /etc/systemd/network/wired.network

Our two routers will have almost identical configuration.

router{1,2} > / interface vlan
              add arp=proxy-arp interface=ether2 name=vlan2 vlan-id=2
              add arp=proxy-arp interface=ether2 name=vlan3 vlan-id=3

              / ip address
              add address=10.20.30.{25,26}/24 interface=ether1
              add address=10.20.31.{1,2}/30 interface=ether3
              add address= interface=vrrp1 network=

              / interface vrrp
              add interface=ether3 name=vrrp1 on-backup=\
              "/ interface ethernet set [find name=ether2] disabled=yes;" on-master=\
              "/ interface ethernet set [find name=ether2] disabled=no;" preemption-mode=\
              no priority=100

              / ip route
              add distance=1 dst-address= gateway=vlan2
              add distance=1 dst-address= gateway=vlan3

              / routing ospf instance
              set [ find default=yes ] redistribute-static=as-type-1
              /routing ospf network
              add area=backbone network=

As we can see, each one of our servers is isolated in its own VLAN. They all use one IP subnet with a common gateway IP

Both routers are configured with that IP on an interface other than the VLAN interfaces, and they answer ARP requests on the VLANs due to proxy ARP.

With the use of VRRP we have high availability, and combining that with OSPF running on the "outside" Ethernet interface (ether1), our routers learn (default and other) routes dynamically from the rest of the infrastructure. OSPF also redistributes static routes; we need that feature to advertise our servers' IPs to the rest of the network.
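To make the isolation point concrete, here is a small model of the Linux next-hop decision for a conventional /24 layout beside the per-host /32 layout described above. It is an added example written for this post, not the author's code; the addresses come from 192.0.2.0/24 (TEST-NET-1) because the post's real prefix is not shown, and the gateway .1 and the upstream hop on ether1 are assumptions.

```python
from ipaddress import ip_address, ip_network

# Routing table entry: (destination prefix, via, device).  via=None means on-link,
# i.e. the host ARPs for the destination itself instead of for a gateway.
def lookup(routes, dst):
    """Longest-prefix match; returns (network, via, dev) or None if unroutable."""
    addr = ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best

def arp_target(routes, dst):
    """Address the host resolves at layer 2 when sending to dst, with the device."""
    match = lookup(routes, dst)
    if match is None:
        return None
    _, via, dev = match
    return (dst if via is None else via, dev)

def direct_l2_peers(routes, addresses):
    """Subset of addresses the host talks to directly, with no router in the path."""
    return {a for a in addresses if (t := arp_target(routes, a)) and t[0] == a}

# Constructed addresses from TEST-NET-1; the post's real prefix is not shown.
# .11 and .250 follow the post; the gateway .1 and the upstream hop are assumptions.
GW, S1, S2 = "192.0.2.1", "192.0.2.11", "192.0.2.250"

# Conventional layout: a /24 on eth0, so every host in it is an on-link neighbour.
CONVENTIONAL = [("192.0.2.0/24", None, "eth0"), ("0.0.0.0/0", GW, "eth0")]

# Layout from the post: /32 on eth0, a host route to the gateway, default via it
# (this is what ifcfg-eth0 and route-eth0 on server1 express).
PER_HOST = [(S1 + "/32", None, "eth0"), (GW + "/32", None, "eth0"),
            ("0.0.0.0/0", GW, "eth0")]

# Router side: one static /32 per server pointing at that server's VLAN, as in
# '/ ip route add dst-address=<server>/32 gateway=vlanN'; OSPF advertises them.
ROUTER = [(S1 + "/32", None, "vlan2"), (S2 + "/32", None, "vlan3"),
          ("0.0.0.0/0", "10.20.30.1", "ether1")]  # upstream hop is constructed

if __name__ == "__main__":
    for name, table in (("conventional", CONVENTIONAL), ("per-host /32", PER_HOST)):
        print(f"{name}: server1 reaches server2 via {arp_target(table, S2)[0]}, "
              f"direct L2 peers = {sorted(direct_l2_peers(table, [S2, GW]))}")
    print("router forwards to server2 out of", lookup(ROUTER, S2)[2])
```

With the per-host layout the only address server1 ever resolves at layer 2 is the gateway, so traffic towards server2 has to cross the router, where it can be filtered and logged.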

Finally we test our setup.

server1# ip addr show dev eth0 | grep 'inet '
inet brd scope global eth0

server1# ip route
dev eth0  scope link
dev eth0  scope link  metric 1002
default via dev eth0

server1# ping -c 2
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=1.35 ms
64 bytes from icmp_seq=2 ttl=64 time=1.12 ms
--- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss

server1# ip neighbor
dev eth0 lladdr xx:xx:xx:xx:xx:xx REACHABLE
dev eth0 lladdr xx:xx:xx:xx:xx:xx STALE

server1# ping -c 2
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=45 time=39.6 ms
64 bytes from icmp_seq=2 ttl=45 time=37.2 ms
--- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss