Traditional Setup:
The customer owns an AS and the public IP 1.1.1.1/32 and delegates the prefix announcement to the ISP. The ISP delivers traffic for 1.1.1.1/32 through a private transit LAN; in the traditional setup the CPE reaches the public IP via a next hop on that LAN (192.168.5.6 in the routing table below).
CPE Config:
CPE#sh run | s interface
interface GigabitEthernet0/0
ip address 23.10.20.15 255.255.255.0
interface GigabitEthernet0/1
ip address 192.168.5.1 255.255.255.0
!
CPE#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 23.10.20.1 to network 0.0.0.0
!
S* 0.0.0.0/0 [1/0] via 23.10.20.1
1.0.0.0/32 is subnetted, 1 subnets
S 1.1.1.1 [1/0] via 192.168.5.6
23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 23.10.20.0/24 is directly connected, GigabitEthernet0/0
L 23.10.20.15/32 is directly connected, GigabitEthernet0/0
192.168.5.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.5.0/24 is directly connected, GigabitEthernet0/1
L 192.168.5.1/32 is directly connected, GigabitEthernet0/1
CPE#
Proxy ARP Setup:
The customer owns an AS and the public IP 1.1.1.1/32 and delegates the prefix announcement to the ISP. The ISP delivers traffic for 1.1.1.1/32 through a private transit LAN. The customer configures the public IP directly on the FortiGate's port1 interface, with no secondary IP in the transit LAN.
After the public IP is configured on the FortiGate's port1, the CPE starts sending the following ARP requests:
The CPE cannot deliver traffic to the public IP because it never learns the MAC address of its next hop, 192.168.5.6: no device on the transit LAN owns that address, so nobody answers the ARP request. The proxy-arp feature solves this by making the FortiGate answer ARP requests for 192.168.5.6 on port1 with its own MAC address:
# config system proxy-arp
    edit 1
        set interface "port1"
        set ip 192.168.5.6
    next
end
Now the FortiGate sends ARP replies back to the CPE:
And it also sends its own ARP requests to find the MAC address of its next hop, 192.168.5.1:
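The ARP exchange described above, as an added example that is not part of the original article: a small Python model of the ARP responder rule (a host answers for its own addresses on the link and for any proxy-ARP entry on the receiving interface), run over this page's topology with and without the proxy-arp entry. Addresses and routes are the article's; the MAC addresses (IANA documentation range) and the 203.0.113.10 Internet destination are constructed.

```python
"""Model of ARP resolution on the transit LAN, with and without the proxy-ARP entry.

Added example, not code from the original article. Addresses and routes are the
article's; the MAC addresses (IANA documentation range) and the 203.0.113.10
Internet destination are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Host:
    name: str
    mac: str
    addrs: dict = field(default_factory=dict)      # interface -> [own IPv4 addresses]
    proxy_arp: dict = field(default_factory=dict)  # interface -> {IPs answered for on behalf of others}
    routes: dict = field(default_factory=dict)     # destination network -> next-hop IP

    def answers_arp(self, ifname: str, target: IPv4Address) -> bool:
        """ARP responder rule: reply for an own address on the link or a proxy-ARP entry."""
        return (target in self.addrs.get(ifname, [])
                or target in self.proxy_arp.get(ifname, set()))

    def next_hop(self, dst: IPv4Address) -> IPv4Address:
        """Longest-prefix match over the static routes."""
        best = max((n for n in self.routes if dst in n), key=lambda n: n.prefixlen)
        return self.routes[best]


def arp_lookup(segment: list, sender: Host, target: IPv4Address):
    """Broadcast an ARP request on one L2 segment ([(host, interface), ...]).

    Returns the MAC of the first host that answers, or None when nobody does,
    in which case the sender has no frame destination and drops the packet.
    """
    for host, ifname in segment:
        if host is not sender and host.answers_arp(ifname, target):
            return host.mac
    return None


def build_lab(with_proxy_arp: bool):
    """The article's CPE and FortiGate on the 192.168.5.0/24 transit LAN."""
    cpe = Host("CPE", "00:00:5e:00:53:01",                  # constructed MAC
               addrs={"Gi0/1": [IPv4Address("192.168.5.1")]},
               routes={IPv4Network("1.1.1.1/32"): IPv4Address("192.168.5.6"),   # S 1.1.1.1 via 192.168.5.6
                       IPv4Network("0.0.0.0/0"): IPv4Address("23.10.20.1")})   # S* 0.0.0.0/0 via 23.10.20.1
    fgt = Host("FortiGate", "00:00:5e:00:53:02",            # constructed MAC
               addrs={"port1": [IPv4Address("1.1.1.1")]},   # /32 on port1, no address in 192.168.5.0/24
               routes={IPv4Network("0.0.0.0/0"): IPv4Address("192.168.5.1")})  # config router static
    if with_proxy_arp:
        # config system proxy-arp / edit 1 / set interface "port1" / set ip 192.168.5.6
        fgt.proxy_arp["port1"] = {IPv4Address("192.168.5.6")}
    return cpe, fgt, [(cpe, "Gi0/1"), (fgt, "port1")]


def resolve_path(with_proxy_arp: bool):
    """Return (MAC the CPE resolves for its next hop to 1.1.1.1,
               MAC the FortiGate resolves for its default gateway)."""
    cpe, fgt, lan = build_lab(with_proxy_arp)
    downstream = arp_lookup(lan, cpe, cpe.next_hop(IPv4Address("1.1.1.1")))      # who has 192.168.5.6?
    upstream = arp_lookup(lan, fgt, fgt.next_hop(IPv4Address("203.0.113.10")))   # who has 192.168.5.1?
    return downstream, upstream


if __name__ == "__main__":
    for enabled in (False, True):
        down, up = resolve_path(enabled)
        print(f"proxy-arp {'on ' if enabled else 'off'}: CPE->1.1.1.1 next-hop MAC {down}, "
              f"FortiGate->gateway MAC {up}")
```

Without the entry the downstream lookup returns None, which is exactly the unanswered ARP request in the first capture; the FortiGate's own request for 192.168.5.1 is answered by the CPE in both cases because that address is genuinely configured on Gi0/1.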
FortiGate config:
# config system interface
    edit "port1"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set allowaccess ping
        set type physical
        set device-identification enable
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 10.3.3.21 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 2
    next
end
# config router static
    edit 1
        set gateway 192.168.5.1
        set device "port1"
    next
end
# config system proxy-arp
    edit 1
        set interface "port1"
        set ip 192.168.5.6
    next
end
# config firewall policy
    edit 1
        set name "toINET"
        set uuid 804c0770-b846-51ed-a435-1a650f5789f6
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
        set nat enable
    next
end
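An added example (not the article's or Fortinet's code): a Python parser for FortiOS `config / edit / set / next / end` blocks like the ones above, plus a consistency check over the proxy-ARP entry of the kind a reviewer would run before pushing the change (the answered-for address must sit on the transit LAN, must not be the FortiGate's own static-route gateway, and a static route out of the same interface must exist). The embedded configuration is abridged from the article (port2 and the uuid/logging settings are omitted); the transit LAN 192.168.5.0/24 is taken from the CPE's routing table. The parser does not validate which keys FortiOS accepts.

```python
"""Parse FortiOS CLI blocks and sanity-check the proxy-ARP entry.

Added example, not code from the article or from Fortinet. ARTICLE_CONFIG is
abridged from the article; 192.168.5.0/24 is the transit LAN seen on the CPE.
"""
import shlex
from ipaddress import ip_address, ip_network

ARTICLE_CONFIG = """
config system interface
    edit "port1"
        set ip 1.1.1.1 255.255.255.255
        set allowaccess ping
    next
end
config router static
    edit 1
        set gateway 192.168.5.1
        set device "port1"
    next
end
config system proxy-arp
    edit 1
        set interface "port1"
        set ip 192.168.5.6
    next
end
config firewall policy
    edit 1
        set name "toINET"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set nat enable
    next
end
"""


def parse_fortios(text: str) -> dict:
    """'config T / edit E / set K V... / next / end' -> {T: {E: {K: [V, ...]}}}.

    A 'config' inside an 'edit' nests under that entry; 'set' outside any
    'edit' lands directly in the table.
    """
    result: dict = {}
    stack: list = []  # one [table, current_entry_or_None] frame per open 'config'
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()  # the article prefixes blocks with the CLI '#'
        if not line:
            continue
        tok = shlex.split(line)  # honours the double quotes around names
        if tok[0] == "config":
            parent = result
            if stack and stack[-1][1] is not None:
                parent = stack[-1][0][stack[-1][1]]
            stack.append([parent.setdefault(" ".join(tok[1:]), {}), None])
        elif tok[0] == "edit":
            stack[-1][0].setdefault(tok[1], {})
            stack[-1][1] = tok[1]
        elif tok[0] == "set":
            table, entry = stack[-1]
            target = table if entry is None else table[entry]
            target[tok[1]] = tok[2:]
        elif tok[0] == "next":
            stack[-1][1] = None
        elif tok[0] == "end":
            stack.pop()
    return result


def check_proxy_arp(cfg: dict, transit: str = "192.168.5.0/24") -> list:
    """Findings a reviewer would raise on the proxy-ARP entries; [] means consistent."""
    net = ip_network(transit)
    routes = list(cfg.get("router static", {}).values())
    ifaces = cfg.get("system interface", {})
    findings = []
    for name, entry in cfg.get("system proxy-arp", {}).items():
        ifname, ip = entry["interface"][0], ip_address(entry["ip"][0])
        if ifname not in ifaces:
            findings.append(f"proxy-arp {name}: interface {ifname} is not defined")
            continue
        # the answered-for address must live on the transit LAN the CPE routes into
        if ip not in net:
            findings.append(f"proxy-arp {name}: {ip} is outside the transit LAN {net}")
        gateways = [ip_address(r["gateway"][0]) for r in routes
                    if "gateway" in r and r.get("device", [""])[0] == ifname]
        # answering for the CPE's own address would hijack the FortiGate's next hop
        if ip in gateways:
            findings.append(f"proxy-arp {name}: {ip} is also the static-route gateway on {ifname}")
        # return traffic has to leave through the same LAN, via a gateway on it
        if not any(gw in net for gw in gateways):
            findings.append(f"proxy-arp {name}: no static route out of {ifname} with a gateway in {net}")
    return findings


if __name__ == "__main__":
    cfg = parse_fortios(ARTICLE_CONFIG)
    print(check_proxy_arp(cfg) or "proxy-ARP entry is consistent with the static route")
```

Run against the article's configuration the check returns no findings; changing the proxy-ARP address to 192.168.5.1 (the CPE's own address and the FortiGate's gateway) produces a finding, since the FortiGate would then answer ARP for the very address it needs to resolve upstream.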
Use Cases (situations where this proxy-ARP setup is preferred over placing the public IP on a loopback interface):
- SNAT with the 'Outgoing Interface Address' option: with 1.1.1.1 configured on port1, outbound traffic is translated to the public IP itself.
- SD-WAN does not support loopback interfaces.
- ACME does not support loopback interfaces.