05-27-2012 02:17 AM - edited 03-04-2019 04:29 PM
Hi,
We are receiving two separate last mile fibers from our ISP. We are receiving two separate /30 subnets from the ISP and a separate /28 pool. Now the first pool for instance is x.x.x.128/30, the second one is x.x.x.136/30 and the last pool is x.x.x.160/28. We have an eBGP relationship with the ISP. We were informed that the /28 pool is for live IPs for our servers which would be in a DMZ zone on the firewall. I am assuming that we will need to give a static route to these servers from our edge router (eBGP running router with ISP), through the firewall to the server and advertise the /28 live IP pool via BGP to the ISP. In this scenario if the connection fails over from the first connection to the ISP to the second one the live IPs will still be accessible via the second link. I won't be creating a NAT entry for these entries on the routers since these are being publicly advertised over the internet. Now firstly, am I right in understanding that this design is right? Also, on the DMZ interface on the firewall should I assign the x.x.x.161/28 IP as a secondary IP (secondary IP because that zone already has a private IP addressing scheme for INSIDE users on the firewall)? The server in that zone for instance would have the second usable IP in that range, x.x.x.162. This would give my servers a live IP on the internet. Am I right here?
Thanks.
05-27-2012 07:29 AM
You can use the /28 to NAT your servers on the firewall. I'm not sure how to assign secondary addresses on the servers.
Thanks.
06-02-2012 01:15 AM
Hi,
Well, after further investigations with the client and their ISP, I have learnt that the two /30 pools were for running eBGP with the ISP. The links were configured for failover using the Local Preference attribute. The other /28 pool was not assigned on any WAN facing interface; rather, it was for assigning Public IPs directly on the servers. I assigned the /28 pool on the server facing DMZ interface on the firewall, allowing ports that needed to be accessed from outside, routed that live pool in OSPF which made it reachable from the edge router, and then advertised that particular pool in BGP to send it across to the ISP. Worked perfectly. I didn't NAT those IPs on the servers because I didn't assign them any private IPs. Instead I assigned them live IPs, hence I had to route them in OSPF and advertise them in BGP so as to send them across to the ISP.
Thanks,
Vick.
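The design asked about in the first post and confirmed in the follow-up above (two eBGP sessions over the /30 links, Local Preference for failover, the public /28 living on the firewall's DMZ side and reaching the edge router via OSPF, then announced to the ISP with no NAT) can be written down as an edge router configuration. The following is an added example in Cisco IOS syntax, not configuration from the thread or from any vendor documentation; every address is constructed from RFC 5737 documentation space (203.0.113.0/24 standing in for the x.x.x. prefix), the AS numbers are RFC 5398 documentation ASNs, the interface names and the 10.0.0.0/30 router-to-firewall link are assumptions, and the firewall itself (DMZ interface .161/28, servers from .162) is outside this snippet.

```cisco
! Added example, not from the thread. Constructed addresses: 203.0.113.0/24 stands in
! for x.x.x., the customer is AS 64497, the ISP is AS 64496 (documentation ASNs).
!
! First /30 (x.x.x.128/30): ISP side .129, our side .130 - primary link
interface GigabitEthernet0/0
 description ISP link 1 (primary)
 ip address 203.0.113.130 255.255.255.252
!
! Second /30 (x.x.x.136/30): ISP side .137, our side .138 - backup link
interface GigabitEthernet0/1
 description ISP link 2 (backup)
 ip address 203.0.113.138 255.255.255.252
!
! Link to the firewall outside interface (assumed 10.0.0.0/30). OSPF runs here so the
! router learns the public /28 that the firewall holds on its DMZ interface.
interface GigabitEthernet0/2
 description to firewall outside interface
 ip address 10.0.0.1 255.255.255.252
!
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
!
! If the firewall does not speak OSPF, a static route towards it does the same job:
! ip route 203.0.113.160 255.255.255.240 10.0.0.2
!
! Announce only the public /28 to the ISP. Anything else learned via OSPF (the private
! inside space) is blocked from leaking by this prefix-list.
ip prefix-list OUR-PUBLIC seq 5 permit 203.0.113.160/28
!
route-map TO-ISP permit 10
 match ip address prefix-list OUR-PUBLIC
!
! Outbound failover via Local Preference: routes heard on link 1 win while it is up.
route-map FROM-ISP-PRIMARY permit 10
 set local-preference 200
!
route-map FROM-ISP-BACKUP permit 10
 set local-preference 100
!
router bgp 64497
 bgp log-neighbor-changes
 ! the network statement only takes effect while a matching /28 is in the routing table,
 ! i.e. while the OSPF (or static) route towards the firewall is present
 network 203.0.113.160 mask 255.255.255.240
 neighbor 203.0.113.129 remote-as 64496
 neighbor 203.0.113.129 description ISP link 1
 neighbor 203.0.113.129 route-map FROM-ISP-PRIMARY in
 neighbor 203.0.113.129 route-map TO-ISP out
 neighbor 203.0.113.137 remote-as 64496
 neighbor 203.0.113.137 description ISP link 2
 neighbor 203.0.113.137 route-map FROM-ISP-BACKUP in
 neighbor 203.0.113.137 route-map TO-ISP out
```

The /28 is announced over both sessions, so if link 1 fails the ISP simply keeps the path it already holds via link 2 and the servers stay reachable without any NAT or renumbering; Local Preference only decides which link the site uses for outbound traffic while both are up. Because the servers carry public addresses and nothing is translated, the firewall's DMZ policy is the only thing standing between the internet and those hosts, so the "allowing ports that needed to be accessed from outside" step in the post is a deliberate allow-list and worth reviewing whenever a server is added to the pool.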
06-02-2012 11:02 PM
altaddr /set can be used on win 2008 servers to set an alternate IP.
rais wrote:
You can use the /28 to NAT your servers on the firewall. I'm not sure how to assign secondary addresses on the servers.
Thanks.
06-03-2012 06:51 AM
Hi,
Yes, but that wouldn't be the best design scenario now, would it? It would create a double NAT scenario with NAT being configured on the firewall and the Internet Edge router. Also, it would defeat the main purpose of obtaining a /28 pool from the ISP. E.g. a web server hosted locally having a LIVE IP means we do not have to use the DNS Round-Robin approach anymore. Well, the firewall does not allow assigning a secondary IP on its physical interface, hence on the same NIC on the server it would be an unfruitful activity to assign a secondary IP.
Thanks,
Vick.