
Two ISPs

Jaro
Level 1

Hello,

 

If I have 2 providers, and one device will communicate uplink via ISP1 and downlink via ISP2, will it be a problem? Please see the picture in the attachment.

 

Thank you.

7 Replies

Reza Sharifi
Hall of Fame

Hi,

Multihoming to 2 different providers should not be an issue. 

HTH

Joseph W. Doherty
Hall of Fame

As Reza notes, it shouldn't be a problem assuming you have your own public Internet IPs independent of both your ISPs. However, if you're using ISP-provided IPs, it likely will be a problem.

I believe that Joseph has identified an important issue about address space being used. Another potential issue is the type of device used for the Internet connection. The drawing shows something that looks like a switch. And that would be ok. But if the device were something that did stateful inspection (as many firewalls like ASA do) then the asymmetric path would be a problem.

 

HTH

 

Rick


Hello, Thanks for your replies.

 

@Joseph W. Doherty - There are two independent IPs from different ISPs, so it should be okay.

 

@Richard Burts - Yes, as you assumed, there is a Cisco ASA, which has stateful inspection.

 

So, is there any way to solve it and keep the routes as they are in the drawing?

 

Thank you 

If you have two different IPs, then traffic will only return to the IP the traffic was sourced from. I.e. in your drawing green out will want to return to green in, and red out will want to return to red in.

You could split your outbound traffic. If you lose either ISP, "in-flight" traffic on one ISP will be lost, but "new" traffic should use the remaining ISP.

The drawing in the original post was quite simple. It showed a host connected through a device that appears to be a switch to 2 ISP with traffic going through one and returning via the other. Now we are finding that the situation is more complex than that. There are different IPs and there is an ASA firewall. We really need a better understanding of the environment to be able to give good answers.

 

But based on the incomplete information that we have so far I would suggest these points:

- if we have an IP packet whose source address is a Green address and we send it out through the Red ISP then it should come back to us from the Green ISP. This assumes that the Red ISP accepted the packet with a source address that was not one of its networks. Some ISPs have restrictive policies about what source addresses they will accept (one of the motivations here would be to prevent address spoofing), some do not have restrictive policies, and some are willing to negotiate about what they will accept. We do not know which category the Red and Green ISP fall into.

- for devices like ASA when a packet goes out one interface it expects the response to come through that same interface (this is one of the essential aspects of stateful inspection). It is not clear in the drawing where the ASA is and whether both ISP might connect through the same ASA interface or connect through different interfaces.

 

HTH

 

Rick


Rick brings up a great point, which I didn't note, i.e. sending traffic out to an ISP using an IP from the other ISP. This, I would consider, a bit unusual, but as Rick notes, assuming the ISP allows it, it should flow as Rick describes.

Rick's other comment on an ASA expecting return traffic to come back on the same interface, I cannot comment on concerning an ASA. However, on other firewall products (i.e. brand X), traffic can return on a different interface, as on those firewalls state inspection doesn't require the same interface. In fact, on some other firewall products, two independent firewalls that have a link that allows them to share state information can accept a return packet even on a physically different firewall.
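
The stateful-inspection behaviour discussed in this thread, as an added example that is not part of any poster's reply: a simplified Python model (not ASA code) of a connection table that binds a flow to its egress interface, compared with one that does not and with two firewalls with and without shared state. The class names, the interface names `isp1`/`isp2` and the RFC 5737 addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    def reply(self):
        return Packet(self.dst, self.dport, self.src, self.sport)

class StatefulFirewall:
    def __init__(self, bind_to_interface, table=None):
        self.bind = bind_to_interface
        # Passing the same dict to two instances models state sharing.
        self.table = {} if table is None else table

    @staticmethod
    def _key(pkt):
        # Direction-independent flow key: both directions map to one entry.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def outbound(self, pkt, egress_if):
        self.table[self._key(pkt)] = egress_if  # create connection state
    def inbound(self, pkt, ingress_if):
        egress_if = self.table.get(self._key(pkt))
        if egress_if is None:
            return "drop: no connection state"
        if self.bind and ingress_if != egress_if:
            return f"drop: state bound to {egress_if}"
        return "forward"

def run_scenarios():
    # Constructed flow using RFC 5737 documentation addresses.
    out = Packet("198.51.100.10", 40000, "203.0.113.80", 443)
    def case(fw_out, fw_in, ingress_if):
        fw_out.outbound(out, "isp1")              # request always leaves via isp1
        return fw_in.inbound(out.reply(), ingress_if)
    strict, loose, shared = StatefulFirewall(True), StatefulFirewall(False), {}
    return {
        "strict, return via isp1": case(strict, strict, "isp1"),
        "strict, return via isp2": case(strict, strict, "isp2"),
        "loose, return via isp2": case(loose, loose, "isp2"),
        "two firewalls, no sync": case(StatefulFirewall(False), StatefulFirewall(False), "isp2"),
        "two firewalls, synced": case(StatefulFirewall(False, shared), StatefulFirewall(False, shared), "isp2"),
    }

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```
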