1151 Views, 0 Helpful, 16 Replies

Routing Question

Bob Boklewski (Level 1)

Say we have the given scenario, see diagram. The building has given us two routable addresses (66.56.77.24 and 11.54.21.12), one for each of their ISPs, for redundancy to the firewall in our suite. So ISP1 routed 66.56.77.16/28 to the building's firewall, and the building puts a sub-interface on the inside interface of their firewall (top firewall) so our suite firewall can use that routable network. Is it possible for the building firewall to route this 66.56.77.16/28 over ISP2 if ISP1 goes down? Wouldn't return traffic be a problem if ISP1 were down, since ISP1 is routing that block to the building firewall? I don't ever see ISP2 being able to route incoming traffic to the building firewall for this public subnet. I know BGP is a whole different animal; assume no BGP is used.


16 Replies

Hi

If they are different ISPs you could not route that network segment through ISP2, because each ISP handles its own networks unless they have some Inter-AS method or something like that to share network segments.

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

See, I just saw return traffic as an issue since ISP1 is routing that subnet. You are saying you cannot route outbound from the top firewall out to ISP2 at all? Can you expand on that?

Hi

Please correct me if I'm understanding the question wrong. You want to route this network segment 66.56.77.24/X through ISP2 on the firewall.

If you have 2 network segments, and they are allowed on your firewall:

ISP1 = 66.56.77.24/X

ISP2 = 11.54.21.12/X

Each ISP handles its own network segments; in a few words, they don't share network segments between them unless they have some method like Inter-AS or some relationship between them to advertise the prefixes from both ISP networks.

The public ranges belong to each service provider.

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Right, so ISP2 doesn't have the static route entries for that subnet that ISP1 has, so it won't accept that outbound traffic from the top firewall, correct?

Hi,

Yes, that is correct.

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

I guess I am still confused though, since the ISP2 router should only be worried about the destination address, not the source address (66.56.77.24), when sending outbound traffic. I don't see why that ISP2 router would check the source address against its routing table. I can see how inbound traffic back to 66.56.77.24 would be checked, and it obviously wouldn't make it because ONLY ISP1 would have the route to the top firewall.

Assuming here too that there is a public subnet connecting the ISP2 router and the top firewall. Let's say 23.32.43.1 on the ISP2 router and 23.32.43.2 on the top firewall.

Appreciate the help Julio, let me know if my thinking here is off. 

Anybody else want to weigh in?

Hi Bob

Apologies for the late response. Please correct me: the following subnets are the public ranges provided by the specific ISPs.

ISP1 = 66.56.77.24/X

ISP2 = 11.54.21.12/X

Is that correct?

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hey Julio,

So I put the network diagram in the first post if you can take a look. First, ISP1 serves 66.56.77.24/xx and ISP2 serves 11.54.21.12/xx. So, I guess I am trying to figure out here why a subnet from ISP1 would be blocked by ISP2 in terms of outbound traffic. I see it like this:

ISP1 fails, so the suite firewall sends outbound traffic using the routable source address (66.56.77.24). The top firewall says okay, I have a sub-interface of (66.56.77.23), then the firewall would have a route to send any destination traffic to ISP2 (assume the ISP router to top firewall link has public addresses assigned, say in the 22.34.43.4/30 network, so the ISP2 router has 22.34.43.5, where outbound traffic would route to). I don't see how ISP2 wouldn't accept this outbound traffic. As I see it, inbound traffic would be a problem as there would be no route to the 66.x.x.x network from ISP2, but that shouldn't hinder outbound traffic, correct?

Hi Bob

Apologies, I think I understood the question wrong. I was thinking they provided you a public range, but I see that those ranges are your internal network, so you are splitting the traffic: one subnet is using ISP1 and the other traffic is manipulated to reach the Internet through ISP2. Is that correct?

Well, if that is correct, ISP2 should not block any traffic for the other network at all, because it is your internal traffic.

I'm not used to using public ranges as internal networks for users. I thought the providers gave you public ranges to get Internet or for NATs. Apologies again.

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

So those IP subnets are from the ISPs, so they are routable. So,

ISP1 has route to top firewall for 66.56.77.x/x

and

ISP2 has route to top firewall for 11.54.21.x/x

Then the top firewall uses those and creates sub-interfaces for my suite router to use those subnets: the first subnet goes to my WAN1 interface and the other subnet to my WAN2 interface. I guess I would need the breakdown as to why, if ISP1 goes down, the subnet ISP1 provides (66.56.77.x/x) can't be routed out ISP2. Can you list how that would break down and why that wouldn't work? As I see it:

ISP1 fails, the suite router is still sending traffic using 66.56.77.x to the top router (the top router has a sub-interface for this network, so traffic makes it there). What would prevent the ISP2 router from accepting that next frame from the top firewall? At that point ISP2 doesn't care about the source address (66.56.77.x/x). I figure the top firewall would be like okay, send the frame out interface xx to ISP2, as I have a static entry that says 66.56.77.x/x routes to the ISP2 router interface IP 22.34.43.5.

Accepted Solution

I don't think there would be any issue with the outbound traffic, but inbound traffic will have issues unless both your ISPs cloud interconnect and they route to networks you specified.

ISP1 = 66.56.77.24/X - You can route outbound traffic that belongs to ISP1 via ISP2, but the inbound traffic wouldn't be routed unless it meets the requirement specified above. If the destination address is 66.56.77.24/x, routers in the Internet routing system just care about the first 8 bits, since it is a class A address, and it will be routed to the border router of your ISP that owns this network. Once the packet is within your ISP cloud they can route it based on how the network is divided into subnets. So if your ISP1 circuit is down, this packet will reach you, unless it meets the requirements that I mentioned above, and I believe this is what Julio was saying.

The same principles apply to the other circuit. You should talk to your circuit provider and check with them. We had 2 active circuits provided by the same vendor, but they won't route packets to one another if a circuit is down. The reason they gave us was that at the time of circuit procurement we didn't ask for redundancy, therefore they would need more money to make that happen.
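The point the accepted answer (and the questioner) is making can be checked with a small forwarding simulation. This is an added example, not code from the thread or from any Cisco product: a hop-by-hop trace over constructed routing tables in which every router does a longest-prefix match on the destination address only, exactly as a real router does, so the source address of the outbound packet never enters the decision. The two address blocks are the ones named in the thread; the masks for the ISP2 block, the node and link names, the aggregates the ISPs announce and the remote host 203.0.113.10 are all assumptions. Skipping a route whose link is down models a tracked/floating default on the building firewall and a vanished connected route on the ISP1 edge.

```python
import copy
import ipaddress

REMOTE_HOST = "203.0.113.10"  # assumed server somewhere on the Internet

# Constructed routing tables: node -> ordered list of (prefix, next-hop node).
# Forwarding is longest-prefix match on the DESTINATION only; the source address
# is never consulted. Routes whose link to the next hop is down are skipped.
ROUTES = {
    "suite_fw":    [("0.0.0.0/0", "building_fw")],
    "building_fw": [("66.56.77.16/28", "suite_fw"),    # sub-interface for the ISP1 block
                    ("11.54.21.0/28",  "suite_fw"),    # assumed mask for the ISP2 block
                    ("0.0.0.0/0",      "isp1"),        # primary default
                    ("0.0.0.0/0",      "isp2")],       # floating default, used when isp1 link is down
    "isp1":        [("66.56.77.16/28", "building_fw"), ("0.0.0.0/0", "core")],
    "isp2":        [("11.54.21.0/28",  "building_fw"), ("0.0.0.0/0", "core")],
    "core":        [("66.56.77.0/24",  "isp1"),        # assumed aggregate announced by ISP1
                    ("11.54.21.0/24",  "isp2"),        # assumed aggregate announced by ISP2
                    ("203.0.113.0/24", "remote")],
    "remote":      [("0.0.0.0/0", "core")],
}

# Addresses that terminate at a node (the suite sits behind both sub-interfaces).
OWNED = {
    "suite_fw": ["66.56.77.16/28", "11.54.21.0/28"],
    "remote":   ["203.0.113.0/24"],
}

ISP1_DOWN = [("building_fw", "isp1")]  # the ISP1 circuit to the building fails


def next_hop(routes, node, dst, down_links):
    """Longest-prefix match for dst in node's table, ignoring routes over down links."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes[node]:
        net = ipaddress.ip_network(prefix)
        if dst not in net or frozenset((node, nh)) in down_links:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, nh)
    return best[1] if best else None


def trace(routes, src_node, dst, down_links=()):
    """Follow a packet for dst from src_node. Returns the path on delivery, None if dropped."""
    down = {frozenset(pair) for pair in down_links}
    dst_ip = ipaddress.ip_address(dst)
    path, node = [src_node], src_node
    while True:
        if any(dst_ip in ipaddress.ip_network(p) for p in OWNED.get(node, [])):
            return path
        nh = next_hop(routes, node, dst, down)
        if nh is None or nh in path:   # no route, or a forwarding loop: the packet dies
            return None
        path.append(nh)
        node = nh


def with_interconnect(routes):
    """Assumed inter-ISP arrangement: ISP1 hands the /28 to ISP2, which knows the building link."""
    r = copy.deepcopy(routes)
    r["isp1"].append(("66.56.77.16/28", "isp2"))          # preferred only when the direct link is down
    r["isp2"].append(("66.56.77.16/28", "building_fw"))
    return r


if __name__ == "__main__":
    print("outbound, ISP1 up:   ", trace(ROUTES, "suite_fw", REMOTE_HOST))
    print("outbound, ISP1 down: ", trace(ROUTES, "suite_fw", REMOTE_HOST, ISP1_DOWN))
    print("return,   ISP1 down: ", trace(ROUTES, "remote", "66.56.77.24", ISP1_DOWN))
    print("return w/ interconnect:", trace(with_interconnect(ROUTES), "remote", "66.56.77.24", ISP1_DOWN))
```

With ISP1 down the outbound packet sourced from 66.56.77.24 leaves via ISP2 without objection, but the reply for 66.56.77.24 is handed by the core to ISP1, which has lost its route to the building and can only bounce it back, so it is dropped. Only when ISP2 also carries the /28 (the interconnect case the answer describes) does the return path complete. The ISP2 block 11.54.21.x keeps working throughout, which is why a failover design without BGP usually NATs outbound traffic to the surviving ISP's address rather than sourcing it from the failed ISP's block.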

Exactly what I was trying to say. Except I think you meant to say "So if your ISP1 circuit is down, this packet will not reach you", because ISP2 doesn't have a return route unless, like you said, both ISPs route for that same subnet (66.56.77.24/x). Just wanted to make sure my thinking process was correct.
