Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
809
Views
0
Helpful
8
Replies

dual isp NAT question

Go to solution
Amafsha1
Level 2
Level 2

‎06-14-2018 07:03 PM - edited ‎03-05-2019 10:35 AM

Hello folks.  Let's say I get a default route from ISP1.  I also have ISP2 as backup.  I advertise 1 subnet to ISP1 and ISP2...lets say 199.x.x.199/24, so people can reach my servers from outside. Lets also say that this ip address is provided to me by ARIN so I fully own it, listed to my company.

 

Now Let's say that I get a public ip address /24 space from ISP1(Not ARIN)- 67.x.x.67/24.  I use that public IP address of ISP1 to do some NAT for internal hosts like my branches to get outside and surf the web.

 

Question: If 67.x.x.67 is owned by ISP1 company, what happens when my ISP1 link fails and I make the cutover to ISP2.  I understand that my own 199.x.x.199 address will still be allowed to be accessed from the outside still because of BGP and since I own that IP address space from ARIN.... but what will happen to ISP1s address space 67.x.x.67/24 I still use for NAT of internal hosts?  I heard that an address owned by ISP1 cannot leave and come back into ISP2 interface, correct?  

 

 

 

 

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
rais
Level 7
Level 7

‎06-14-2018 08:19 PM - edited ‎06-14-2018 08:21 PM

Could leave but not come back.

HTH.

View solution in original post

0 Helpful

Go to solution
Kanan Huseynli
VIP
VIP
In response to Amafsha1

‎06-15-2018 03:00 AM

Hi,

 

it will leave if you configured NAT. If ISP1 still somehow advertises that subnet in BGP, return traffic will go to ISP1, but since link failed there is no way that ISP1 sends traffic to your device. Else if ISP1 does not advertise that subnet, traffic will be blackholed somewhere while returns (destination unreachable).

 

HTH,

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
rais
Level 7
Level 7

‎06-14-2018 08:19 PM - edited ‎06-14-2018 08:21 PM

Could leave but not come back.

HTH.

0 Helpful

Go to solution
Amafsha1
Level 2
Level 2
In response to rais

‎06-14-2018 08:54 PM

thanks.  why is that btw?  

0 Helpful

Go to solution
Kanan Huseynli
VIP
VIP
In response to Amafsha1

‎06-15-2018 03:00 AM

Hi,

 

it will leave if you configured NAT. If ISP1 still somehow advertises that subnet in BGP, return traffic will go to ISP1, but since link failed there is no way that ISP1 sends traffic to your device. Else if ISP1 does not advertise that subnet, traffic will be blackholed somewhere while returns (destination unreachable).

 

HTH,

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

0 Helpful

Go to solution
Amafsha1
Level 2
Level 2
In response to Kanan Huseynli

‎06-15-2018 10:40 AM

is their a work-around for this?  we have so many IPs we use from ISP1 to NAT our internal resources.  If ISP1 were to fail, none of these IPs would work through ISP2.  Do you have any suggestions?

0 Helpful

Go to solution
Kanan Huseynli
VIP
VIP
In response to Amafsha1

‎06-15-2018 12:45 PM

I'm not ISP guy ,but will answer from routing point of view.

In this design the key point is return traffic. I see only way is to advertise that subnet in BGP. So, return traffic enters ISP2 and is sent to you. But whether it is true/legal or not I am not sure. AFAIK, it is not true if you advertise subnet owned by other company. Hence, the only option is to buy that subnet.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

0 Helpful

Go to solution
Amafsha1
Level 2
Level 2
In response to Kanan Huseynli

‎06-18-2018 12:21 PM

Sorry, I'm still confused lol.  So is this more of a routing issue or a legal issue?  

0 Helpful

Go to solution
Kanan Huseynli
VIP
VIP
In response to Amafsha1

‎06-19-2018 09:42 AM

Currently, you have routing issue. You do NAT to ISP1-owned subnet and return traffic goes to ISP1 not to you (in case of link between you and ISP1 is down). You may solve this issue without touching NAT entries, if you advertise NAT subnets (which is actually owned by ISP1) via eBGP toward ISP2.

there are 2 results here:

1) ISP1 does not advertise that subnet and traffic destined to subnet goes to your router.

2) Both you and ISP1 advertise that subnet, based on BGP bestpath traffic either goes to your router or ISP1.

 

 

In general, it must not be true if you advertise others' subnet, as in this case.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

0 Helpful

Go to solution
Amafsha1
Level 2
Level 2
In response to Kanan Huseynli

‎06-19-2018 09:48 AM

oh ok lol.  I get it now.  Thank you, that was actually pretty straightforward.  Makes sense

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card