Comments on: IP Addressing for HA Links for ASA/FWSM/ACE Etc- Poll

By: Tony

Tony — Tue, 20 Dec 2011 08:34:00 +0000

Just wondering here, why did you choose to update your post to recommend using 192.0.2.0/24 instead of the 169.254.0.0/16 range? I would have thought that the 169.254.0.0/16 was more appropriate as it is only locally significant, but of course please do correct me if I am wrong?

By: Gregory Wiktor - ADCOM Corp.

Gregory Wiktor - ADCOM Corp. — Sat, 15 Oct 2011 07:36:00 +0000

In response to your post update on High Availability Network Addresses, it would be nice if there was some form of super-symmetry amongst the various vendors when it comes to following the latest RFC’s and following the proper methods amongst ICANN/ISC/ARIN-RIPE etc so that there will be a decent form of compatibility amongs not only internet addressing, but the next generation of VPN and IP Telephony Devices.
Private IP-Addressing has continued to be a pre-existing problem especially amongst older hardware where it was not possible to establish VPN connections due to NAT and IP Address Space conflicts.
It is unfortunate that vendors still cling to the 192.168.1.0/24 and 192.168.0.0/24 address spaces on the most abundant number of non-enterprise level routing devices on the current generation of the Internet (Circa 1986/rom ARPA-NET/DARPA). At least the Internet2 Project has forced requirements on network design for availability and minimum link speeds. Internet2 is basically what the current public internet was when it started up, a University/Research Based Network (ref: internet2.org).
I forsee that the Private IPv4 Address Spaces 192.168, 172.16, and 10.0 will continue to be used in the mainstream of most networks for many years to come. Even though IPv6 is now officially deployed, there is just too much hardware out there that relies on IPv4 technologies. If you include the most deployed device in the world of IP, the PC, even current plans to migrate from IPv4 to IPv6 could take many decades.
Society actually depends on the IPv4 networks. Some Examples of Legacy IPv4 Hardware still in use include: Public Works and Utilities, Nearly all legacy (pre-fiber GPON) analog/digital Telephone Exchange Switches, Public Works, and so much more as they were deployed without exhaustion foresight.
The IPv4 network basically makes it possible for a government or community to operate on any level. Consider even the 1980′s and 1990′s era DDS/56k/Analog/T1 Fixed-Wire interconnects that still exist today in order to maintain our base-level Communications Infrastructure, of which without the internet could not exist. The communications infrastructure is held together by dedicated terminals and fixed ipv4 based links of which without, we would be living in the early 20th Century.
If you don’t already have connectivity, you may see the next generation soon. Now it is easily possible to have Gigabit Ethernet directly to the Public Internet, even in the size of today’s conventional cablemodem like the Motorola ONT1400GTI or ONT1120GE(4x1GbE). Same size as a cable modem, but instead there is a Single-Mode fiber drop connected instead of RG-6 COAX.
In the networks of the future, the Fiber GPON/LPON’s like the Motorola AXS1800 and Motorola AXS2200 GPON OLT are the most significant advancements in that they have actually been deployed, put into service in many localities. With 10GbE Internet Uplinks, Not only are they capable of IPv6, they are the first Head-Ends that have been able to replace the AT&T 5ESS and Nortel DMS-100 switches that have been in use for decades amongst the NANPA.

By: tgronke

tgronke — Wed, 06 Oct 2010 17:45:03 +0000

HA links have used private address ranges in the managed hosting run by my employers. But since our employers do not have a standard implementation document for Cisco PIX/ASA (they did have one for Checkpoint firewalls), the HA addressing was usually chosen by the architect designing the individual customer environment or the engineer installing the hardware. The common usage is a Class C in the 192.168.x.x range (e.g., 192.168.0.0/24). IP addressing in 10.0.0.0/8 and 172.16.0.0/12 were avoided because these ranges were commonly used for internal networks or customer networks in the hosting environments. Even the use of 192.168.0.0/16 occasionaly is a problem — not because of customer usage, but because of of other poorly-documented private management networks in the hosting environment, such as a high-availability synchronization network between IBM p-Series AIX servers.

By: Greg Ferro

Greg Ferro — Fri, 20 Nov 2009 08:24:18 +0000

I take it that WLC is a Wireless LAN Controller ? And they use 1.1.1.1 as some type of special address ?

Also, note that the firewall HA links are only locally significant. The actual IP address used is not relevant to your network.

By: SteveP

SteveP — Thu, 19 Nov 2009 19:44:14 +0000

I tried to AVOID the use of 1.1.1.0/30 as 1.1.1.1/32 is used on the WLC’s and it generally serves to confuse those who are not so clued up

By: Greg Ferro

Greg Ferro — Sat, 10 Jan 2009 12:50:58 +0000

Thats a very good suggestion. Deserves another post I think.

By: Charles

Charles — Thu, 08 Jan 2009 18:50:08 +0000

reserved range 192.0.2.x/24

By: Greg Ferro

Greg Ferro — Thu, 06 Nov 2008 20:45:54 +0000

this is a great suggestion – the only downside might be that you could theoretically use this range on the inside interface – but then 1.1.1.1 might become legal one day as well. I like it.

By: Colin

Colin — Thu, 06 Nov 2008 20:26:55 +0000

And on occasion when I cut’n'paste from the template I already open I’m retarded and forget to change everything :-/

failover interface ip failover 169.254.255.249 255.255.255.252 standby 169.254.255.250
failover interface ip failover-state 169.254.255.253 255.255.255.252 standby 169.254.255.254

By: Colin

Colin — Thu, 06 Nov 2008 20:23:39 +0000

I’m a big fan of using /30′s out of the 169.254.0.0/16 link local allocation.

It’s the “zeroconf” range and should never be routed or permitted through firewalls, I normally route to null0 or have a generic denial/drop within input firewall rules. And it will never conflict with normal RFC1918 private addressing that might also be in use.

ie. on ASA/PIX with stateful failover,

failover interface ip failover 169.254.255.249 255.255.255.252 standby 172.31.255.250
failover interface ip failover-state 169.254.255.253 255.255.255.252 standby 172.31.255.254