Answer the question
In order to leave comments, you need to log in
D
D
Dmitry2017-08-07 18:58:15
Dmitry, 2017-08-07 18:58:15
How does traffic flow from the backup ISP's interface?
Good day to all!
There is a Cisco C2911 G2 router, IOS 15.4M
External ("public") addresses are configured on two interfaces:
Gi0/1 1.1.1.2/30 (ISP1)
Gi0/2 2.2.2.2/30 (ISP2)
Internal address on gi0/0, for example, 192.168.0.1
The default route is configured, statically: ip route 0.0.0.0 0.0.0.0 1.1.1.1
Further, ip sla will be attached to this, etc., but so far so.
The problem is that both interfaces and both addresses are always available from the Internet. That is, from an external independent host, I can ping both 1.1.1.2 and 2.2.2.2.
Which, in general, should not be - the second provider (my external address) should be unavailable, because the router does not know (should not know) how to properly respond to requests to the second address.
Does anyone know what this could be related to? it looks like the responses somehow get through the first provider.
Moreover, backup flexVPN tunnels also go up and work through the second provider, which brings some kind of mess into the routing. Likewise, they shouldn't work.
I observe it only on one piece of iron. There is another with a similar setting, and everything is fine there.
Firmware tried c2900-universalk9-mz.SPA.156-3.M0a and c2900-universalk9-mz.SPA.154-3.M
2 answer(s)
@gikido
@Mystray
Why shouldn't he? It has 0.0.0.0/0 - that's enough to send a response to a request from ANY address on the Internet. Routing - you know, it does not take into account (without special magic like PBR or VRF) Source addresses. All she needs is a destination address.
Another question is that all smart providers do not allow their clients to write anything in Source instead of the address given to the client, but yours allows, and therefore a request comes to the white address of the second provider, and the answer flies away with the source of the second but - through the first. No magic.
D
Dmitry, 2017-08-08 @gikido
In general, Mystray was right, probably everything went through the second provider, although their technical support did not admit (and did nothing).
I won by setting myself up - in general, the standard option, I confess - I didn’t know - checking uRPF on the backup interface:
interface GigabitEthernet0/2
...
ip verify unicast source reachable-via rx
....
end
M
Mystray, 2017-08-07 @Mystray
should not be - the second provider (my external address) must be unreachable, because the router does not (should not know) how to correctly respond to requests to the second address.
Why shouldn't he? It has 0.0.0.0/0 - that's enough to send a response to a request from ANY address on the Internet. Routing - you know, it does not take into account (without special magic like PBR or VRF) Source addresses. All she needs is a destination address.
Another question is that all smart providers do not allow their clients to write anything in Source instead of the address given to the client, but yours allows, and therefore a request comes to the white address of the second provider, and the answer flies away with the source of the second but - through the first. No magic.
Similar questions
D
Dmitry Onatsky2016-11-16 21:33:50
The ISP's DHCP service is not working properly. What to do?
3Reply
F
A
C
G
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question