| 
 Traditional Setup: 
The customer has an AS and a public IP 1.1.1.1/32 and delegates the prefix announcement to the ISP. The ISP delivers the traffic to 1.1.1.1/32 through a private transit LAN.
  
 
  
CPE Config: 
  
    CPE#sh run | s interface
    interface GigabitEthernet0/0
     ip address 23.10.20.15 255.255.255.0
    interface GigabitEthernet0/1
     ip address 192.168.5.1 255.255.255.0
    !

    CPE#sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           a - application route
           + - replicated route, % - next hop override, p - overrides from PfR

    Gateway of last resort is 23.10.20.1 to network 0.0.0.0
    !
    S*    0.0.0.0/0 [1/0] via 23.10.20.1
          1.0.0.0/32 is subnetted, 1 subnets
    S        1.1.1.1 [1/0] via 192.168.5.6
          23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        23.10.20.0/24 is directly connected, GigabitEthernet0/0
    L        23.10.20.15/32 is directly connected, GigabitEthernet0/0
          192.168.5.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.5.0/24 is directly connected, GigabitEthernet0/1
    L        192.168.5.1/32 is directly connected, GigabitEthernet0/1
    CPE#
  
Proxy ARP Setup: 
The customer has an AS and a public IP 1.1.1.1/32 and delegates the prefix announcement to the ISP. The ISP delivers the traffic to 1.1.1.1/32 through a private transit LAN. The customer configures the public IP on the port1 interface with no secondary IP.
  
 
  
After configuring the public IP on FortiGate's port1, the CPE starts to send the following ARP-REQUESTs:  
  
 
  
The CPE cannot deliver traffic to the public IP, because it does not know the next hop's MAC address. To solve this problem it is possible to use the proxy-arp feature as follows: 
  
    config system proxy-arp
        edit 1
            set interface "port1"
            set ip 192.168.5.6
        next
    end
  
Now, the FortiGate is sending the ARP-REPLY packets back: 
  
 
  
And some ARP-REQUEST packets to find its next hop's MAC address: 
  
  
FortiGate config: 
    config system interface
        edit "port1"
            set vdom "root"
            set ip 1.1.1.1 255.255.255.255
            set allowaccess ping
            set type physical
            set device-identification enable
            set snmp-index 1
        next
        edit "port2"
            set vdom "root"
            set ip 10.3.3.21 255.255.255.0
            set allowaccess ping https ssh http
            set type physical
            set device-identification enable
            set lldp-transmission enable
            set role lan
            set snmp-index 2
        next
    end

    config router static
        edit 1
            set gateway 192.168.5.1
            set device "port1"
        next
    end

    config system proxy-arp
        edit 1
            set interface "port1"
            set ip 192.168.5.6
        next
    end

    config firewall policy
        edit 1
            set name "toINET"
            set uuid 804c0770-b846-51ed-a435-1a650f5789f6
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set logtraffic-start enable
            set nat enable
        next
    end
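The check below is an added example, not part of the original article or of any Fortinet or Cisco tooling: it cross-checks the CPE's static next hops against the addresses the FortiGate answers ARP for, which is the dependency the proxy-arp entry satisfies. The function names are hypothetical and the inputs are excerpts of the configuration shown above.

```python
import ipaddress
import re

# Excerpts copied from the page's CPE routing table and FortiGate configuration.
CPE_ROUTES = """\
S*    0.0.0.0/0 [1/0] via 23.10.20.1
S        1.1.1.1 [1/0] via 192.168.5.6
C        192.168.5.0/24 is directly connected, GigabitEthernet0/1
"""
FGT_CONFIG = """\
config system interface
    edit "port1"
        set ip 1.1.1.1 255.255.255.255
    next
end
config system proxy-arp
    edit 1
        set interface "port1"
        set ip 192.168.5.6
    next
end
"""

def static_next_hops(route_text):
    """Next-hop addresses of static (S) routes in 'show ip route' output."""
    hops = re.findall(r"^S\*?\s+\S+ \[\d+/\d+\] via (\S+)", route_text, re.M)
    return [ipaddress.ip_address(h) for h in hops]

def section(cfg, name):
    """Body of one top-level 'config <name> ... end' block, or ''."""
    m = re.search(rf"^config {re.escape(name)}\n(.*?)^end$", cfg, re.M | re.S)
    return m.group(1) if m else ""

def answered_ips(cfg):
    """Addresses the FortiGate replies to ARP for: interface IPs plus proxy-arp entries."""
    own = re.findall(r"set ip (\S+) \S+", section(cfg, "system interface"))
    proxied = re.findall(r"set ip (\S+)\s*$", section(cfg, "system proxy-arp"), re.M)
    return {ipaddress.ip_address(a) for a in own + proxied}

def unanswered_next_hops(route_text, cfg, transit_lan):
    """Static next hops on the transit LAN that nothing on the FortiGate answers ARP for."""
    lan = ipaddress.ip_network(transit_lan)
    answered = answered_ips(cfg)
    return [str(h) for h in static_next_hops(route_text) if h in lan and h not in answered]

if __name__ == "__main__":
    print(unanswered_next_hops(CPE_ROUTES, FGT_CONFIG, "192.168.5.0/24"))
```

An empty result means every transit-LAN next hop is covered. With the proxy-arp block removed, 192.168.5.6 is reported, which corresponds to the unanswered ARP requests described above.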
  
Use cases: 
- Use SNAT with the 'Outgoing Interface Address' option.
 
- SD-WAN does not support Loopback interfaces.
 
- ACME does not support Loopback interfaces.
 
 
 |