I thought I understood it but....

Consider the following scenario:

Router A connected to Router B. Router A’s IP address is 10.17.16.1/20. Router B’s address is 10.17.16.2/20.

Beyond Router B are two subnets: 10.17.17.0/24 and 10.17.18.0/24.

In my innocence I thought that the ‘DAC’ route automatically put into A’s routing table for its interface, ie

DAC Dst-address 10.17.16.0/20… Gateway-interface=‘to-router-B’… Preferred source=10.17.16.1

would automatically route anything addressed to the two subnets beyond B to B, which would route to the correct sub-net. But that isn’t what’s happening, and static routes are still required at A for each of the subnets via Router B, ie:

AS Dst-address 10.17.17.0/24…Gateway 10.17.16.2
AS Dst-address 10.17.18.0/24…Gateway 10.17.16.2

What don’t I still understand?

I presume this is a natted net. No masquerade or srcnats in router B.
Change router A’s address/netmask to 10.17.16.1/24. Change router B’s address/netmask to 10.17.16.2/24.
Router B has these two subnets on other interfaces: 10.17.17.0/24 and 10.17.18.0/24.
In router A:

/ip route
add dst-address=10.17.17.0/24 gateway=10.17.16.2 
add dst-address=10.17.18.0/24 gateway=10.17.16.2

You have duplicate (overlapping) subnets on three interfaces on router B in your original setup.

ADD: Ensure you have a default gateway in Router B

/ip route
add dst-address=0.0.0.0/0 gateway=10.17.16.1

Correct

You mean that a packet addressed to, say, 10.17.17.10 arriving at B from A has a ‘choice’ of routes out of A? - ie to the correct subnet via 10.17.17.0/24 or back to A as part of 10.17.16.0/20?

I thought that too, but read somewhere that in that situation the route with the longest netmask prevails.

My understanding was that a well-designed network with ‘nested’ sub-nets pretty much routed itself but you’re saying that static routing is always required?

The netmask length is kinda true, but more important is the unique subnets throughout the network. The routers only know about the addresses on the local router interfaces. Router A does not know about ip/netmask assignments on router B (except the interface on router B it connects to) unless you tell it with a route. I have a router C (connected to router B) and a router D (connected to router C). They all do just fine.

The problem you had was router B did not know which of the interfaces the local ips were on. They were not unique. For example the ip 10.17.17.10. On router B, it could have been on ether1 (connected to router A), or ether2, where it probably was. Does that make sense?

Yah. A /20 contains both subnets, so it won't route, it will broadcast.


do 10.0.0.1/30 and 10.0.0.2/30 on the ethernet interfaces connected to each other

On the LAN interface of each router, put the ip of the proper /24.

Put a route on each router pointing to the /24 on the other router with a gateway of the other router's /30 address.

Yes and no. Yes in that I understand it, but no in that it merely confirms that I thought I understood it but…

Under my scheme a packet arriving at A addressed to 10.17.17.10 only has one way to go - to B as part of the 10.17.16.0/20 subnet. Once in B it has three ‘doors’, one behind it marked 10.17.16.0/20, one marked 10.17.17.0/24 and one marked 10.17.18.0/24. Both the first two include it, the third doesn’t. If the ‘longest subnet first’ rule is applied it will go the right way.

I can see that roadracer96’s suggestion of a /30 subnet ‘locks the door’ behind the packet when it arrives at B, but the /30 subnetting requires a static route at A for 10.17.17.0/24 and the need for any static routing is what I thought we could avoid.

A packet generated on the 10.17.17.0/24 subnet addressed to A (10.17.16.1) arriving at B has only one route - out of the 10.17.16.2 door?

So why is the ‘subnet length’ rule only ‘kinda true’, as this seems to be what the whole thing hinges upon?

You are correct. The routes hinge on subnet length, providing there are no duplicate subnets in the network. Here is a thought. You have three routers connected to router A localnet.
Router B with 10.17.16.2/20
Router C with 10.17.16.3/20
Router D with 10.17.16.4/20.

According to your routing theory
Which has the 10.17.17.0/24 localnet?
Which has the 10.17.18.0/24 localnet?
Can’t tell? Neither can router A. You could just “broadcast” over all of them, but that is as bad as WDS.

If you really want to get confused, one of those routers (B, C, or D) has a wireless ap issuing 192.168.0.0/24 ips. Which has it? I don’t see a 192.168.x.x assignment.

ADD: Now the same with unique subnets and routes.

The ips are:
Router B has 10.17.16.2/24
Router C has 10.17.16.3/24
Router D has 10.17.16.4/24

The routes are
add dst-address=10.17.17.0/24 gateway=10.17.16.3
add dst-address=10.17.18.0/24 gateway=10.17.16.4
add dst-address=192.168.0.0/24 gateway=10.17.16.3

I can tell where every subnet is now. So can router A.

I take your point and agree, but that’s not my routing theory. I’m working with the situation as per the pic. which to my mind ought to work without static routes at all - but doesn’t.
Network Map.jpeg

It won’t work. You have duplicate/overlapping subnets on the network that are not isolated from each other with a masquerade or srcnat.
The problem is between router A and router B. The subnet 10.17.0.0/16 is a localnet assignment on router A. All packets destined for any addresses in that subnet will be broadcast (not forwarded to router B) on that localnet by router A. That is where router A sees all those ips. To it, there is no other subnet. No reason to forward to router B. This address is my localnet.

ADD: The way I see the routing table work is it checks the interface localnets first (distance=0). If the destination ip is in its localnets, that is the last check in the route table. It broadcasts on that interface.

If it does not find a localnet that contains that ip, then it starts in the routing table (by lowest distance), working from the bottom up, smallest network (largest netmask) first. Last evaluated would be the dst-address=0.0.0.0/0 route (default gateway). Then it forwards the packets to the gateway ip listed in the routing table for that ip/netmask.

Do you understand now what I meant by “kinda true”?
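The lookup order jgreen describes above (the connected networks first, then the most specific route, then the default) is easy to see in a small model. The following is an added Python example, not the poster's or MikroTik's code: it reproduces the route tables from the opening post (the DAC route on A, the two /24s on B, the suggested statics and default route) and reports what each router does with a packet for 10.17.17.10. Interface names and the tuple returned by `next_hop` are constructed for illustration. It uses the standard rule that the longest prefix wins and that distance only breaks ties between routes to the same prefix.

```python
# Added example (not MikroTik's code): a model of the route lookup discussed
# in the thread. Longest prefix wins; a directly connected route (distance 0,
# no gateway) means the router ARPs for the destination on that interface
# instead of forwarding to a next hop.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Route:
    dst: IPv4Network
    gateway: Optional[str]  # None = directly connected (DAC in RouterOS output)
    interface: str          # constructed names, e.g. "to-router-B", "ether2"
    distance: int = 1       # 0 for connected, 1 for static


def lookup(table: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefixes the lowest distance wins."""
    ip = ip_address(dest)
    matches = [r for r in table if ip in r.dst]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.dst.prefixlen, -r.distance))


def next_hop(table: List[Route], dest: str) -> Tuple[str, Optional[str], Optional[str]]:
    """What the router does with a packet for dest: (action, interface, target).
    'arp-on-link' = the router believes dest is on that segment and ARPs for it
                    (jgreen's "broadcast on the localnet");
    'forward'     = hand the packet to the listed gateway;
    'drop'        = no matching route at all."""
    r = lookup(table, dest)
    if r is None:
        return ("drop", None, None)
    if r.gateway is None:
        return ("arp-on-link", r.interface, dest)
    return ("forward", r.interface, r.gateway)


def connected(net: str, iface: str) -> Route:
    return Route(ip_network(net), None, iface, 0)


def static(net: str, gw: str, iface: str) -> Route:
    return Route(ip_network(net), gw, iface, 1)


# Router A as in the opening post: only the DAC route for 10.17.16.0/20.
def router_a_original() -> List[Route]:
    return [connected("10.17.16.0/20", "to-router-B")]


# Router A with the two static routes via 10.17.16.2 added.
def router_a_with_statics() -> List[Route]:
    return router_a_original() + [
        static("10.17.17.0/24", "10.17.16.2", "to-router-B"),
        static("10.17.18.0/24", "10.17.16.2", "to-router-B"),
    ]


# Router B from the opening post: the overlapping /20 plus the two /24s,
# with the default gateway jgreen suggested.
def router_b_original() -> List[Route]:
    return [
        connected("10.17.16.0/20", "ether1"),
        connected("10.17.17.0/24", "ether2"),
        connected("10.17.18.0/24", "ether3"),
        static("0.0.0.0/0", "10.17.16.1", "ether1"),
    ]


if __name__ == "__main__":
    for table, name in [(router_a_original(), "A, DAC only"),
                        (router_a_with_statics(), "A, with statics"),
                        (router_b_original(), "B")]:
        print(f"{name}: 10.17.17.10 -> {next_hop(table, '10.17.17.10')}")
```

Run as a script, this shows the two halves of the thread's argument side by side: router B, with the overlapping /20, does pick ether2 for 10.17.17.10 because the /24 is longer (the "kinda true" part), but router A with only its DAC route never forwards the packet at all, it ARPs for 10.17.17.10 on its own segment. Only the static /24 entries turn that into a forward to 10.17.16.2.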

I think I might just be beginning to.

With no static routes, router A will have a dynamic entry:

ADC…dst-address=10.17.0.0/16…preferred-source=10.17.0.1…distance=0…interface=B

so it won’t have a gateway as such - in this case 10.17.0.2.

But in this example there is only one place the packet could go, B, which would be able to deal with it in turn as there’s only one valid route out of it with a longer netmask.

So how does broadcasting differ from forwarding? What’s the purpose of dynamic entries in the routing table?

And all that’s needed is a static entry at A viz:

6 As 10.17.0.0/16 gateway=10.17.0.2

If the route is distance=0, that is a local interface. The route shows up as a dynamic. Note it is at the bottom of “/ip route”, so they are evaluated first. Then distance=1, and on…

You are assuming that if the ip doesn’t respond on the localnet, that the router will take it upon itself to “figure out” where all these subnets are. From my experience with distance=0, I would say “no”. Not how the route table works. The first match there is where it goes.

Any ip in that range will match the localnet for your 10.17.0.0/16 net, and that is where it broadcasts. Router B will not just assume that it should relay/forward those packets unless router A tells it to.

I was OK up to this point. (Maybe this ought to be in the beginner’s basics forum.)

I thought the whole justification for a router’s existence was to route. It lives to relay/forward packets if it can and to quietly bury them hoping no-one notices, if it can’t. If it ain’t gonna do that you might as well take it out back and shoot it!

But seriously - what do you mean “unless router A tells it to”? A packet arrives on Router B’s interface to Router A, addressed to (say) 10.17.17.40. Isn’t Router B honour-bound to scan its routing table for matches, see that both 10.17.0.0/16 (Router B) and 10.17.16.0/20 (Router C1) include it and send it on its way to C1 with a pat on the bottom, as that has the longer netmask?

Perhaps the same question in a different form - why should I need a static route which duplicates a dynamic one?

[quote]
But seriously - what do you mean “unless router A tells it to”? A packet arrives on Router B’s interface to Router A, addressed to (say) 10.17.17.40. Isn’t Router B honour-bound to scan its routing table for matches, see that both 10.17.0.0/16 (Router B) and 10.17.16.0/20 (Router C1) include it and send it on its way to C1 with a pat on the bottom, as that has the longer netmask?
[/quote]

The packet never arrives on the router B’s interface. If a host is on 172.17.0.0/16 and is told to send a packet to 172.17.17.40 it will ARP for that IP address because it assumes it is reachable on the local broadcast domain. The ARP times out, the packet doesn’t get sent. Router A assumes the IP address is locally reachable because it has a directly connected route, so it doesn’t think to send the packet to router B for processing. Router B shouldn’t be involved, because the whole /16 is reachable DIRECTLY on that network, without a need for a next hop. When you insert the more specific routes, the shorter prefix matches and the packets are forwarded instead.

Your choices are to either stop overlapping IP addressing space, which is incredibly bad practice, or to insert all the static routes you need, or to run a dynamic routing protocol so the routers automatically learn about the more specific subnets behind neighbor routers.

@fewi: Just my own ignorance showing here, but the route table is evaluated by distance primarily, then by netmask, isn’t it? I can’t enter a distance=0 route with the CLI, so I can’t figure out how you would “reroute” a local interface “sub-subnet” through another router. Can you do that?

Looking at that picture, isn’t this how proxy arp subnetting should work? If proxy arp was enabled on “outer” interfaces (10.17.0.2, 10.17.16.2, 10.17.17.2, …) it should work. Or am I wrong?

Thanks for the info, Sob! I think you may be correct. So by setting this on router B (plus Cx and Dx routers)

/interface ethernet
set ether1 arp=proxy-arp

then it will do what he wants it to do?

OK (to check my comprehension of this) Router A shouts: “Hey, is 172.17.17.40 out there?” 172.17.17.40 doesn’t answer because it’s still two routers away and B doesn’t answer because 172.17.17.40 is no concern of B’s, so the packet gets shoved into a corner by A to die of neglect? Yeah I can understand that, which would make it nice if it was right as well.

How is it bad practice? You still only need one static route (if it’s for 172.17.0.0/16 flick it on to B to worry about) - or maybe two with a default route the other way - and you’ve everything covered.

I did try OSPF but it filled the routing tables with invalid routes, and RIP, but that turned a perfectly good routing table with three entries into what looked like a form card for the Grand National.

Take a look at this:
http://www.mikrotik.com/testdocs/ros/2.9/ip/address.php
Select “Proxy-ARP feature” link.
When router A says “hey, is this address out there?”, this will make router B tell router A “yes, it is!”, and accept the packets for that address.
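Sob's proxy-ARP point, as an added Python sketch of the decision a router makes when an ARP request comes in (this is not MikroTik's implementation, only the rule of thumb). Plain ARP answers only for the router's own address on the receiving interface; with proxy-arp enabled on that interface it also answers for any address it would forward out a different interface. The addresses follow the picture described earlier in the thread (A's 10.17.0.0/16, C1's 10.17.16.0/20 behind B); B's interface names and its 10.17.16.1 address on the C1 side are assumptions.

```python
# Added example (not MikroTik's code): when does a router answer an ARP
# request for an address that is not its own?
#   plain ARP  -> only for its own address on the receiving interface
#   proxy ARP  -> also for any address it would route out a *different*
#                 interface, which is what lets router A reach hosts behind B
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    address: str        # the router's own IP on this interface
    network: str        # the connected subnet, e.g. "10.17.0.0/16"
    proxy_arp: bool = False   # RouterOS: set <iface> arp=proxy-arp


@dataclass
class Router:
    interfaces: List[Interface]
    # static routes as (prefix, interface the gateway is reached through)
    statics: List[Tuple[str, str]] = field(default_factory=list)

    def egress_interface(self, target: str) -> Optional[str]:
        """Longest-prefix match over connected networks and static routes."""
        ip = ip_address(target)
        best = None  # (prefixlen, interface)
        candidates = [(i.network, i.name) for i in self.interfaces] + self.statics
        for prefix, out in candidates:
            net = ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, out)
        return best[1] if best else None

    def answers_arp(self, in_iface: str, target: str) -> bool:
        """Would this router reply to an ARP request for target on in_iface?"""
        iface = next(i for i in self.interfaces if i.name == in_iface)
        if ip_address(target) == ip_address(iface.address):
            return True                  # it really is our own address
        if not iface.proxy_arp:
            return False                 # plain ARP: stay silent
        out = self.egress_interface(target)
        # Proxy ARP replies only when the packet would leave by another
        # interface; answering for hosts on the requesting segment itself
        # would pull their traffic through the router for no reason.
        return out is not None and out != in_iface


def router_b(proxy: bool) -> Router:
    # Constructed from the thread's picture: B sits between A's 10.17.0.0/16
    # (B is 10.17.0.2) and C1's 10.17.16.0/20 (B's address there, 10.17.16.1,
    # is an assumption); 10.17.17.0/24 lies a further hop behind C1.
    return Router(
        interfaces=[
            Interface("ether1", "10.17.0.2", "10.17.0.0/16", proxy_arp=proxy),
            Interface("ether2", "10.17.16.1", "10.17.16.0/20"),
        ],
        statics=[("0.0.0.0/0", "ether1")],   # default back towards A
    )


if __name__ == "__main__":
    for proxy in (False, True):
        b = router_b(proxy)
        for ip in ("10.17.0.2", "10.17.17.40", "10.17.0.50"):
            print(f"proxy-arp={proxy} who-has {ip} on ether1 ->",
                  b.answers_arp("ether1", ip))
```

With arp=proxy-arp on ether1, B answers A's "who has 10.17.17.40?" because its /20 towards C1 is the longest match and leaves by ether2; it still stays quiet for 10.17.0.50, which only matches the /16 on the interface the request arrived on. That single answering router is exactly the dependency fewi raises later in the thread: reachability of everything behind B now rests on B being the one to reply.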

Thanks, Sob. Nice call!

I didn’t know you couldn’t manually specify an administrative distance of 0. I’m curious if you can for routing protocols, via routing filters.

[quote]
[…]
I did try OSPF but it filled the routing tables with invalid routes, and RIP, but that turned a perfectly good routing table with three entries into what looked like a form card for the Grand National.
[/quote]

It’s bad because you’re needlessly eliminating future options, though you might not need them yet. With proxy-arp subnetting you’ll never be able to have redundant links, for example, since just one router can proxy the ARP request. You might not need redundant links yet, but if you ever do you’ve got a nightmare ahead of you. You’ll face similar problems if you ever need to run VPNs between deeply nested overlapping subnets. There are solutions to overlapping subnets because they happen in real life (company with 10/8 merges with a company with 10/16), but that’s no reason to build them if you’re coming up with a new solution.

I don’t know why you think having many entries in a routing table is bad. The routers handle it just fine. If you want to see fewer, turn on route summarization.

It seems bad to me because disentangling a routing table with a dozen entries to work out what’s going where and what isn’t, really is a nightmare. I was under the apparently mistaken belief that using nested subnets to drill down into a network with the minimum of routing was one of the points of the whole netmask design.

I can see I’ll have to re-visit and properly digest the whole proxy-arp thing. It seemed to be like one of those ‘quail’s eggs in aspic’ kind of things on the menu when I first came across it, and I’m a fish-and-chips sort of guy!