I was just wondering if anyone has any pointers on how we can do the following. I have tried pretty much everything and I'm not too sure I have the best possible deployment. The router is a 1800 series ISR with IOS 15.0.1(M5). Although we will be using ZBF, the firewall is currently disabled while we resolve this issue.
The issue we are having is the second subnet, the /28, just doesn't work. In fact the ISP can't ping our router and we can't ping the gateway from the router or the host. The VLAN is up, line protocol is up. The funny thing is, we can ping the gateway for the /29 subnet.
Basically we have 2 subnets from a single ISP, a /29 and a /28 block delivered via a single ethernet cable into FastEthernet0 (our WAN port). The /29 is used to connect internal web users to the internet via NAT, and for VPN access inbound.
The second block, the /28, is used solely for routing the range of public IP addresses directly through to the servers (DMZ). The hosts themselves will be provided with their own public IP. We want to avoid using NAT as this is a nightmare to keep on top of, and also that many NAT statements are going to run slow on an 1800. We did try a transparent configuration but in that case the router could not become a VPN endpoint.
So for the two ranges let's use some examples with some /24 masks: 22.214.171.124/24 with gateway 126.96.36.199 and 188.8.131.52/24 and gateway 184.108.40.206.
220.127.116.11 is our FastEthernet interface, and 18.104.22.168 is set on VLAN 20 for example. I am using PBR to ensure source addresses are routed properly and even created static routes.
WAN interface configuration:
ip address 22.214.171.124 255.255.255.0
no ip redirects
no ip unreachables
ip proxy-arp (security risk, I know, but enabled for testing)
no ip directed-broadcast
no cdp enable
ip verify unicast reverse-path (have tried removing this)
The configuration for the interface VLAN 20 (DMZ):
interface Vlan 20
description DMZ NETWORK
ip address 126.96.36.199 255.255.255.0
ip policy route-map DMZ
access-list 121 permit ip 188.8.131.52 0.0.0.255 any
route-map DMZ permit
match ip address 121
set ip next-hop 184.108.40.206
IP Static Routes:
ip route 220.127.116.11 255.255.255.0 18.104.22.168
ip route 22.214.171.124 255.255.255.0 126.96.36.199
ip route 0.0.0.0 0.0.0.0 188.8.131.52
I have also tried defining the interface too, as per:
ip route 184.108.40.206 255.255.255.0 fastethernet0 220.127.116.11
Does anyone have any ideas why 18.104.22.168 is pingable, and internet will also work from the router or any host connected to the router (but not VLAN 20), while meanwhile 22.214.171.124 is just not reachable, yet a host which sits on 126.96.36.199 is reachable ONLY from the router (not from outside)? It appears to be a routing issue and I am not sure how you do this. I am sure it's possible somehow. Otherwise, is this an ISP issue? I have tested both gateways as working.
I must be missing something... I'm sure we've all been here at some point when we've just exhausted all the options and have to ask someone else.
Many thanks in advance, and also if anyone is interested in looking at this professionally with payment, please do let me know.
Usually when the ISP provisions a location, they give you LAN subnets and WAN subnets.
The WAN subnet will be placed on your WAN port (FastEthernet0) while the LAN subnet can be placed on any other internal facing interfaces.
It seems, you only have the LAN subnets, you must ask for the WAN subnet.
Once you have the WAN subnet, you set up a default route pointing to the ISP router and designate the .1 address for each block assigned to you.
Per your example:
interface vlan 10
ip address 188.8.131.52 255.255.255.0
interface vlan 20
ip address 184.108.40.206 255.255.255.0
The ISP should have a route back to you towards those subnets via the WAN subnet.
Thank you for your response.
I am not sure what you mean by WAN subnet? You mean the full address block? I think they VLAN on their side actually, into these two subnets.
They only provided me with two subnets, both of them are public addresses. The 72.x.x.x address is only an example I used for the forum too.
If I was doing this in a lab for testing, what would an example be of a WAN subnet for the example addresses?
Typical ISP provisioning:
[ISP Router] (10.1.1.1/30) <----(internet cloud)--> (10.1.1.2/30) [Your Router]
10.1.1.0/30 is your WAN subnet
Then ISP provides you with LAN subnets for you to allocate to devices in the public segment, for instance:
Then in your router, you can configure those addresses under 'interface vlans' so you can have more devices using that block.
In your case, you assigned the public address block to a routed interface that is directly connected to the ISP router.
How do you plan to assign public addresses to other devices in your network while they are sitting behind this router?
Can you provide me with a physical topology of your network?
The network runs as below:
[ISP Router] ( Note 1* ) <----(internet cloud)--> ( Note 2* ) [Our Router] -- [VLAN 10 / Private NAT]
-- [VLAN 20 / Public Subnet ]
Note 1* The only addresses I was provided with for the ISP router are the two gateways 220.127.116.11 /29 and 18.104.22.168 /28, nothing else whatsoever.
Note 2* The WAN interface on our router is then assigned an IP from the /29 block, 22.214.171.124 for example. This allows us to reach 126.96.36.199 fine, and the private VLAN 10 works. On the other hand, as you quite rightly say, VLAN 20 sits internally so probably doesn't advertise on the Faste0 interface.
The public IP addresses for other devices are sitting on VLAN 20 and use our router as the default gateway. I still realise why it's not working, but the ISP basically says it should work, but they did also recommend using the firewall in transparent mode, which does work but then means we can't use the device as a VPN endpoint.
The WAN subnet, I guess it's possible they are failing to provide this to me...
Hope the above helps. Thanks again for your assistance.
As far as I understand, the ISP seems to say the /29 is for the router to communicate, and the /28 is the subnet to use for servers. However, I still can't see how the /28 has its own gateway and can route traffic. Seems very odd.
Ok, I understand your setup a lot better now.
You are terminating your ISP connection into a L2 port, not a L3 port as originally stated.
The L2 port is part of a Vlan being shared with other public facing devices.
What you need to do is configure the new block given by the ISP as secondary IP address.
interface vlan 20
ip add 72.1.10.x 255.255.255.0
ip add 72.1.20.x 255.255.255.0 secondary
No need to modify the current default route as it points to the same physical device.
As for using the new IP block on devices, configure the same vlan on the attached interfaces and apply the new IP block on those devices with default gateway pointing to the secondary IP address on the router.
Not quite right.
The first block is assigned to the Faste0, the second assigned to an L2 interface, the VLAN. VLANs are inside interfaces, so they are not advertised on the Faste0, so the ISP can't see them, hence this issue.
I found a way to do it by bridging the VLAN and Faste0, is this okay?
Bridging would work but why bridging?
You can connect the ISP handoff to a Layer 2 port and associate that Layer 2 to a Vlan.
On the Vlan interface, enter the IP address from the ISP.
On later inspection, bridging breaks NAT.
We only have one WAN port, so I don't think we can get it to work, I'm afraid. I have asked if we can have one subnet instead. I think it's the fact both subnets are separate and both have separate default gateways.
Can you confirm that it is pretty much impossible to route two subnets (both separate with their own gateway at the ISP) over a single WAN interface? Or am I missing something here.
With a single physical handoff, you can route 2 subnets by using subinterfaces, but this is one form of trunking.
You need to confirm with the ISP how their router is configured and match your setting with theirs.
I think what they did was adding a secondary IP address under their interface.
As for using the default route pointing to 2 different gateways, the router will round-robin the flows.
Some flows will go via one gateway and other flows will use the different gateway, unless you use some kind of PBR.
Yes, I think that is what they have done. Created a VLAN for us on their side and assigned a pair of subnets to us. For some reason though, the second subnet gateway is never pingable unless the router has the second subnet on its interface. I don't think their ARP table is updating either, because it's only seeing our router.
The key here is they need a route to us for the second subnet pointing back to our router on the first subnet, I think. So I think they will have to create a static route right?
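To show why the ISP-side route matters, here is an added illustration (not a config from anyone in this thread) that simulates IOS route selection on both routers. Addresses are assumed from RFC 5737 ranges: 192.0.2.0/29 plays the /29 handoff (ISP .1, our Fa0 .2) and 198.51.100.0/28 plays the /28 behind our VLAN 20; it also goes one step beyond the post by showing that adding the static route is not enough if the ISP keeps the /28 as a connected (secondary) address, since connected beats static on administrative distance.

```python
import ipaddress

AD = {"connected": 0, "static": 1}  # IOS administrative distances

# Which device answers ARP for which address on each L2 segment (constructed).
SEGMENTS = {
    "handoff": {"192.0.2.1": "isp", "192.0.2.2": "ours"},
    "dmz": {"198.51.100.1": "ours", "198.51.100.10": "server"},
}
# Route entries: (prefix, source, connected segment, next hop)
OUR_TABLE = [
    ("192.0.2.0/29", "connected", "handoff", None),
    ("198.51.100.0/28", "connected", "dmz", None),
    ("0.0.0.0/0", "static", None, "192.0.2.1"),
]
ISP_AS_PROVISIONED = [  # ISP treats the /28 as on-link (secondary address)
    ("192.0.2.0/29", "connected", "handoff", None),
    ("198.51.100.0/28", "connected", "handoff", None),
]
ISP_ROUTE_ADDED = ISP_AS_PROVISIONED + [("198.51.100.0/28", "static", None, "192.0.2.2")]
ISP_FIXED = [  # secondary address removed, only the static route back to us remains
    ("192.0.2.0/29", "connected", "handoff", None),
    ("198.51.100.0/28", "static", None, "192.0.2.2"),
]

def lookup(table, dst):
    """IOS selection: longest prefix wins, ties go to the lowest AD."""
    hits = [r for r in table if dst in ipaddress.ip_network(r[0])]
    key = lambda r: (ipaddress.ip_network(r[0]).prefixlen, -AD[r[1]])
    return max(hits, key=key, default=None)

def router_at(ip):
    """Map a next-hop address to the device owning it on some segment."""
    return next((h[ip] for h in SEGMENTS.values() if ip in h), None)

def deliver(isp_table, dst, max_hops=4):
    """Trace a packet from the ISP router toward dst; return the hop list."""
    tables, dst = {"isp": isp_table, "ours": OUR_TABLE}, ipaddress.ip_address(dst)
    here, path = "isp", []
    for _ in range(max_hops):
        route = lookup(tables[here], dst)
        if route is None:
            return path + [f"{here}: no route"]
        prefix, kind, seg, nh = route
        if kind == "connected":  # on-link: the router ARPs for dst on that segment
            owner = SEGMENTS[seg].get(str(dst))
            return path + [f"{here}: arp on {seg}", f"delivered to {owner}" if owner else "no ARP reply"]
        path.append(f"{here}: {prefix} via {nh}")
        here = router_at(nh)
    return path + ["hop limit"]
```

Running `deliver(ISP_AS_PROVISIONED, "198.51.100.10")` ends in "no ARP reply" (the ISP ARPs on the handoff for a host that lives behind us), as does the table with the static route merely added; only `ISP_FIXED` reaches the server via our WAN address.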