Loopback interfaces on RX1500

Recently we decided to convert a bunch of layer 3 radio links into layer 2 links in order to simplify our OSPF routing database, work around a couple of nasty OSPF bugs in the radios and achieve better balancing when there are equal cost paths.  However this took me down a bit of a rabbit hole that I wasn't expecting - consider the topology change below:

On the left, all of the central router's interfaces are in one VLAN/subnet.  On the right, the interfaces all have their own IP addresses.  This creates a problem - what IP address does one use when wanting to SSH into the device?  We can use any of the IP addresses of course, but what about monitoring via SNMP?  What about terminating VPN endpoints?  Which IP do we choose, when any of the radio links might be down for whatever reason, and therefore the associated IP address will be unavailable?

On Cisco devices (although not all of them, looking at you, ASAs) one can create a loopback interface which is always up - and so long as you can reach the router somehow and the route is advertised appropriately then you are good to go.  After searching the RX1500 documentation I couldn't find a way to assign an address to the loopback adapter - however there is a dummy0 interface available to assign an IP address to.  My initial attempt was to assign an IP (with a /32 mask) in the same subnet as an existing interface and hoping that proxy ARP would take care of things, but unfortunately it did not.  A route is required to get this to work even for the case where the IP is in the same subnet.  I think this is different for the case of Cisco and Juniper routers but there we go.

A special note for L2TP IPSec VPNs in this configuration:  An IPSec/L2TP VPN will still need to terminate on an actual interface IP address - it seems that the L2TP daemon looks for an IPSec tunnel with an IP address associated with the egress interface, and of course the egress interface is not going to be the VLAN interface, but whatever actual interface is being used.  The L2TP traffic in this case does not get put into the tunnel but goes straight out the encompassing interface.

| March 6th, 2018 | Posted in Networking |
