IP management

Note

IPv6 addresses are not managed using allocations and delegations at this time.

IP management features in Bonded Internet allow IP networks to be managed in very powerful ways, defining exactly what networks are valid at a routing group and which spaces are allowed to use which subnets of those networks. For instructions on adding, updating, and removing IP management records, see Managing IP allocations and delegations.

[Figure: example IP allocations and delegations]

This example demonstrates how public IPs could be allocated in a Bonded Internet environment. In most circumstances, private IPs do not need to be allocated.

IP management allows two main capabilities:

  • Verification that IPs are only used at routing groups where the IP is valid. This prevents accidentally assigning IPs valid at one datacentre to bonds running on aggregators at a different datacentre.
  • Delegation of networks from a parent space to a child space. A delegation indicates that the child space is allowed to use the subnet and lets users in the child space assign IPs from the subnet to bonds in that space.

Routing group validation

The first main use for IP management is to ensure that IPs are only used at routing groups where they are actually available—to prevent, for example, an IP address only valid at a partner’s Vancouver datacentre from being assigned to a bond running on an aggregator at its New York datacentre.

In the example above, a bond in GN could be assigned an IP from 198.18.0.0/24 (except for 198.18.0.0/28, which is delegated to CDC as described under Network delegation) regardless of whether it was assigned to an aggregator in the Vancouver routing group or the New York routing group, because 198.18.0.0/24 is valid at both routing groups. The bond could have a primary aggregator in Vancouver and a secondary aggregator in New York, or vice versa.

However, if a bond in GN was assigned an IP from 198.51.100.0/24, then it could only be assigned to aggregators (primary or secondary) in the Vancouver routing group, because 198.51.100.0/24 is only valid at Vancouver. It could not have, for example, a primary aggregator in Vancouver and a secondary aggregator in New York, because its IPs would not work if it failed over to its secondary aggregator.

Routing group validation applies to bonds in child spaces too—a bond in CDC only assigned IPs in 198.18.0.0/28 could be assigned to a primary aggregator in Vancouver and a secondary aggregator in New York, but a bond in CDC assigned an IP in 198.51.100.0/28 could only be assigned to aggregators in Vancouver.

Network delegation

The second use for IP management is to specify IP networks that can be used in a particular space, and to allow child spaces to use certain specific subnets from a parent’s network allocations. This is for convenience and for security: it prevents unknown networks from being configured on a bond or private WAN space such that the network would be announced by aggregators or private WAN routers into a partner’s OSPF or BGP routing network. Unless the necessary public IPs have been allocated to the space, bonds cannot be assigned public connected IPs, CPE NAT IPs, or routes, and private WAN spaces cannot be configured with 1:1 NAT, port forward, or NAT gateway rules.

In the example above, Granville Networks (GN) has allocated the following networks:

  • 198.18.0.0/24, valid at both the Vancouver and New York routing groups
  • 198.51.100.0/24, valid at the Vancouver routing group only
  • 203.0.113.0/24, valid at the New York routing group only

GN has delegated a /28 from each of those subnets to its child space Chase Dental Clinics (CDC), but has not delegated any subnets to Stanley Internet (SI) because SI has its own routing group, aggregators, and IP address assignments.

Because GN has allocated 198.18.0.0/24 at both its routing groups, bonds in GN can be assigned connected IPs, CPE NAT IPs, and routes from 198.18.0.0/24, except for 198.18.0.0/28, which has been delegated to CDC. Networks delegated to a child space cannot be used in the parent space. Bonds in CDC could be assigned IPs from 198.18.0.0/28, or IPs in 198.18.0.0/28 could be used to configure private WAN rules if CDC used private WAN.

Similarly, SI has allocated 192.0.2.0/24 at its Fremont routing group and delegated 192.0.2.10 to Murphy Electrical (ME). A bond in ME could be configured with a private connected IP (for example, 192.168.1.1/24) and a CPE NAT IP of 192.0.2.10. The private connected IP would not require an IP allocation.
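The routing group validation and network delegation rules described above can be modelled in a few functions. This is an added example, not Bonded Internet's code or API: the data layout and the names `valid_groups` and `check_bond` are assumptions, delegation is modelled one level deep, and only the delegated subnets the page names are included.

```python
import ipaddress as ip

# Constructed from the page's example; the data layout is an assumption.
ALLOCATIONS = {  # space -> {network: routing groups where the network is valid}
    "GN": {"198.18.0.0/24": {"Vancouver", "New York"},
           "198.51.100.0/24": {"Vancouver"},
           "203.0.113.0/24": {"New York"}},
    "SI": {"192.0.2.0/24": {"Fremont"}},
}
DELEGATIONS = [  # (parent space, child space, subnet)
    ("GN", "CDC", "198.18.0.0/28"),
    ("GN", "CDC", "198.51.100.0/28"),
    ("SI", "ME", "192.0.2.10/32"),
]
# Explicit RFC 1918 list: ipaddress' is_private flag is also True for the
# benchmark and documentation ranges that stand in for public IPs here.
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def allocation_groups(space, addr):
    """Routing groups of the allocation in `space` containing addr, else empty."""
    for net, groups in ALLOCATIONS.get(space, {}).items():
        if addr in ip.ip_network(net):
            return groups
    return set()


def valid_groups(space, addr):
    """Routing groups where `space` may use addr; an empty set means not allowed."""
    for parent, child, subnet in DELEGATIONS:
        if addr in ip.ip_network(subnet):
            if child == space:   # delegated to us: inherit the parent's routing groups
                return allocation_groups(parent, addr)
            if parent == space:  # delegated away: the parent can no longer use it
                return set()
    return allocation_groups(space, addr)


def check_bond(space, addresses, aggregator_groups):
    """Return a list of problems; an empty list means the assignment passes."""
    errors, wanted = [], set(aggregator_groups)
    for text in addresses:
        addr = ip.ip_address(text)
        if any(addr in net for net in RFC1918):
            continue  # private IPs need no allocation
        groups = valid_groups(space, addr)
        if not groups:
            errors.append(f"{text}: not allocated or delegated to {space}")
        elif not wanted <= groups:
            errors.append(f"{text}: not valid at {sorted(wanted - groups)}")
    return errors
```

`aggregator_groups` holds the routing groups of both the primary and the secondary aggregator, so an IP that would stop working after failover is reported before the bond is saved.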