
not understand of secondary ip

CHUN FAI LAW
Level 1

An ISP gave me two IP addresses for broadband service, one public and one private: 172.21.71.54 /30 and 210.X.X.128 /28.

Our IT asked me to input them into the outside interface as follows:

int g0/0
 ip address 172.21.71.54 255.255.255.252
 ip address 210.x.x.128 255.255.255.240 secondary
ip route 0.0.0.0 0.0.0.0 172.21.71.53

I am not sure whether pointing the default route to a private IP is correct, but the internet is working fine anyway. I don't understand the theory behind this kind of setting.

7 Replies

milan.kulik
Level 10

Hi,

it seems the ISP gave you a private IP address to use if you need just to browse the Internet (the ISP then will run NAT for you).

He also gave you a public subnet for your possible DMZ?

But forgot to tell you which IP address to use as the default GW for that public subnet.

Are you able to ping any other device within the public subnet?

BTW, 210.x.x.128 is the subnet address when 255.255.255.240 subnet mask is used.

So your interface IP address should be one from the 210.x.x.129 - 210.x.x.143 range.

Best regards,

Milan

Oh yes, my mistake, the ip should be 210.X.X.130/28 =o=

Actually, what is the meaning of one interface holding two IP addresses? Does that mean that if someone sends an ARP request for these two IP addresses, the router is going to reply to both of them?

Simon Brooks
Level 1

Agreed. Who advised you to put a subnet IP as a secondary? It shouldn't need to be applied as an interface IP at all. Your ISP will be routing all traffic for that range to the private IP. It's up to your router then to decide where to send the traffic based on NAT rules.


Sent from Cisco Technical Support Android App

I have done a test, with a firewall as the ISP and a router as the customer side.

With this setting, 1.1.1.1 acts as the public IP.

Router: (Customer)

interface FastEthernet0/0
 description outside
 ip address 1.1.1.1 255.255.255.0 secondary
 ip address 172.16.0.2 255.255.255.0
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
ip route 0.0.0.0 0.0.0.0 172.16.0.1

Firewall: (ISP)

interface fastethernet0/4
 description test-interface
 ip address 172.16.0.1 255.255.255.0

I can successfully ping the public IP; I think the situation is similar to this case. Actually, the ISP was supposed to put a router in between their equipment and our router, but that customer asked the ISP to remove that router. That's why we should configure one interface with the IP addresses.

To answer the specific question that was asked, yes - if a router interface is configured with a secondary address then the router will respond to arp request for either or both of the interfaces.

In my experience this would be a pretty unusual configuration to use both addresses from the ISP on the router interface. My experience is mostly that if the ISP provides two addresses that one is for the interface connecting to the ISP and the other is to be used either for address translation or for DMZ or something like that. But if it is working satisfactorily with the secondary address configuration then perhaps that is what the ISP really intended this time.

HTH

Rick

Simon Brooks
Level 1

Agreed. Seems pointless having this IP unless the space between router and ISP is DMZ. Or it's just public IP space available for your NATing with. As I said, the ISP will be routing all traffic for this subnet to your router. Do you use any of the IPs in that subnet elsewhere?


Sent from Cisco Technical Support Android App

Actually, I just need one IP address for broadband service, because all traffic goes out through NAT overload. And there is no web server or mail server within the network. This is the first time I have faced this situation. Thanks for all the good advice.