Dmitry, 2017-08-07 18:58:15
network hardware

How does traffic flow from the backup ISP's interface?

Good day to all!
There is a Cisco C2911 G2 router, IOS 15.4M.
External ("public") addresses are configured on two interfaces:
Gi0/1 1.1.1.2/30 (ISP1)
Gi0/2 2.2.2.2/30 (ISP2)
The internal address is on Gi0/0, for example 192.168.0.1.
The default route is configured statically: ip route 0.0.0.0 0.0.0.0 1.1.1.1
Later IP SLA tracking and so on will be attached to this, but for now that's all.
The problem is that both interfaces and both addresses are always reachable from the Internet. That is, from an independent external host I can ping both 1.1.1.2 and 2.2.2.2.
Which, in general, should not happen: the second provider's address (my external address) should be unreachable, because the router does not know (should not know) how to reply correctly to requests to the second address.
Does anyone know what this could be caused by? It looks like the responses somehow get out through the first provider.
Moreover, backup FlexVPN tunnels also come up and work through the second provider, which brings some kind of mess into the routing. Likewise, they shouldn't work.
I observe this only on one box. There is another with a similar configuration, and everything is fine there.
I tried firmware c2900-universalk9-mz.SPA.156-3.M0a and c2900-universalk9-mz.SPA.154-3.M.


2 answers
Dmitry, 2017-08-08
@gikido

In general, Mystray was right: most likely everything was going through the second provider, although their technical support did not admit it (and did nothing).
I solved it by configuring it myself. In general, it is the standard option (I confess I didn't know it): a uRPF check on the backup interface:
interface GigabitEthernet0/2
 ...
 ip verify unicast source reachable-via rx
 ...
end

Mystray, 2017-08-07
@Mystray

"should not happen: the second provider's address (my external address) should be unreachable, because the router does not know (should not know) how to reply correctly to requests to the second address."

Why shouldn't it? It has 0.0.0.0/0, and that is enough to send a response to a request from ANY address on the Internet. Routing, you know, does not take source addresses into account (without special magic like PBR or VRF). All it needs is a destination address.
Another matter is that all sensible providers do not allow their clients to put anything in the source other than the address assigned to the client, but yours allows it. So a request arrives at the second provider's public address, and the reply flies out with the second provider's address as its source, but through the first provider. No magic.
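As an added illustration of both answers (not code from either poster, and not a model of IOS internals), the following Python script simulates the router's decision with a constructed routing table built from the addresses in the question: a static default via 1.1.1.1 on Gi0/1, the two connected /30 provider links and the LAN. It shows Mystray's point that destination-only routing sends the reply to a packet that arrived on Gi0/2 out through Gi0/1, and Dmitry's fix, strict uRPF (`ip verify unicast source reachable-via rx`) on Gi0/2, which drops such packets because the best route back to the source does not point out the ingress interface. It also models the documented IOS behaviour that a source matching only the default route fails strict uRPF unless the `allow-default` keyword is given, and applies that to a hypothetical IP SLA failover table (an assumption about the asker's planned setup, not something the page shows). The external test host 203.0.113.7 is a constructed address from the documentation range.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]  # None means directly connected
    interface: str


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Constructed table mirroring the question: static default via ISP1 on Gi0/1,
# two connected /30 provider links and the LAN. Interface names are from the question.
NORMAL_TABLE = [
    Route(net("0.0.0.0/0"), "1.1.1.1", "Gi0/1"),   # ip route 0.0.0.0 0.0.0.0 1.1.1.1
    Route(net("1.1.1.0/30"), None, "Gi0/1"),       # connected, ISP1 link
    Route(net("2.2.2.0/30"), None, "Gi0/2"),       # connected, ISP2 link
    Route(net("192.168.0.0/24"), None, "Gi0/0"),   # LAN
]

# Hypothetical table after an IP SLA failover has swapped the default to ISP2 (assumption).
FAILOVER_TABLE = [Route(net("0.0.0.0/0"), "2.2.2.1", "Gi0/2")] + NORMAL_TABLE[1:]

# Addresses the router itself answers on (from the question).
ROUTER_ADDRS = {"1.1.1.2", "2.2.2.2", "192.168.0.1"}


def lookup(addr: str, table) -> Route:
    """Longest-prefix match. Destination routing consults only the address given;
    the interface a packet arrived on plays no part in the decision."""
    ip = ipaddress.ip_address(addr)
    return max((r for r in table if ip in r.prefix), key=lambda r: r.prefix.prefixlen)


def urpf_strict_ok(ingress_if: str, src: str, table, allow_default: bool = False) -> bool:
    """Strict uRPF ('ip verify unicast source reachable-via rx'): the packet passes only
    if the best route back to its source leaves via the ingress interface. Without the
    allow-default keyword a source that matches only the default route fails the check."""
    r = lookup(src, table)
    if r.prefix.prefixlen == 0 and not allow_default:
        return False
    return r.interface == ingress_if


def handle_packet(ingress_if: str, src: str, dst: str, table,
                  urpf_strict_ifaces=frozenset(), allow_default: bool = False) -> str:
    """Model of the router's decision for one inbound packet.
    Returns 'dropped', 'reply via <if>' (packet addressed to the router itself; the reply
    is routed on the original source address and carries dst as its own source, which is
    the asymmetric behaviour the answers describe) or 'forward via <if>'."""
    if ingress_if in urpf_strict_ifaces and not urpf_strict_ok(ingress_if, src, table, allow_default):
        return "dropped"
    if dst in ROUTER_ADDRS:
        return f"reply via {lookup(src, table).interface}"
    return f"forward via {lookup(dst, table).interface}"


if __name__ == "__main__":
    host = "203.0.113.7"  # constructed external test host
    # Ping to the ISP2 address with no uRPF: answered, but the reply leaves via ISP1.
    print("no uRPF:        ", handle_packet("Gi0/2", host, "2.2.2.2", NORMAL_TABLE))
    # Same ping with strict uRPF on Gi0/2: dropped, so 2.2.2.2 stops answering.
    print("strict uRPF:    ", handle_packet("Gi0/2", host, "2.2.2.2", NORMAL_TABLE, {"Gi0/2"}))
    # The ISP2 gateway itself still passes, because its connected route points out Gi0/2.
    print("from gateway:   ", handle_packet("Gi0/2", "2.2.2.1", "2.2.2.2", NORMAL_TABLE, {"Gi0/2"}))
    # Caveat for a failover design: once the default points at ISP2, strict uRPF on Gi0/2
    # without allow-default still drops every Internet-sourced packet on that interface.
    print("failover:       ", handle_packet("Gi0/2", host, "2.2.2.2", FAILOVER_TABLE, {"Gi0/2"}))
    print("failover+allow: ", handle_packet("Gi0/2", host, "2.2.2.2", FAILOVER_TABLE, {"Gi0/2"}, True))
```

The last two calls are the check worth running before adding IP SLA tracking on top of this fix: strict uRPF on the backup interface makes the backup address unreachable while ISP1 is primary, which is the behaviour the asker wanted, but the same check must be revisited (for example with `allow-default`, or by using an ACL-based exemption) before the default route is ever allowed to move to that interface.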
