I think this will be a pretty easy question but wanted to get a second opinion since I've never configured it.
I have several types of servers that will never be contacted by the internet at all... middle-tier and back-end servers. The front end webs of course need to be publicly accessible, but I want to build in an easy migration path to a load-balancer in the future, so I'm giving them private IPs as well and plan on using static NATs to reach them in the meantime. In a few weeks we will also be getting a second public IP allocation, and possibly (probably) a third after that from a second ISP. I understand NATs pretty well and think I know exactly how I need to do this, I just haven't before and want to cover my bases.
My questions are:
o Can I use the 'ip nat inside' command on an SVI? I want to place that command on the internal L3 vlan interface that the machines will be using as their default gateway.
o In the future when I have multiple public subnets I will need connections from both of those getting to these servers. I want to make sure I can place 'ip nat outside' on the interface to that subnet as well and have NATs in place for these servers there. It would require the router to know which connections came in through which interfaces and send replies to that connection back out the same interface. Doable?
Finally, we will be using BGP to load-balance inbound and outbound connections to both ISPs. Will there be any conflicts with determining which connection the servers' packets are sent out, since it will have two static NATs defined, one on each interface to the ISPs?
2. TCP sessions will correspond to the ip addresses. If you are natting one server with two public addresses you will have issues. The LB algorithms don't care which line the packet came in on when selecting a path back to the source. If you source your server on a different IP address on each path, then the packets that ACK back on a session may or may not have the expected source IP address.
1. I used the term 'switch' loosely. In reality this is a 6509 w/dual Sup 720's. The sups are handling routing and should be fully capable of pretty much everything I want to do.
2. I understand that TCP sessions correspond to IP addresses. The question is: Is IOS smart enough to realize that a connection came in on interface 6/1 AND WAS NATTED, so it has to go back out through the same interface?
The 'Background' section of this article implies that it is possible, since a translation already exists and would match the traffic being replied to:
...and in case I am interpreting the info incorrectly:
o How do most organizations handle having one set of servers that need to respond to connections coming from multiple ISPs?
o Do they advertise one IP space out through both ISPs with BGP?
o What happens if they have multiple subnets and multiple ISPs?
I'm sure you see where I'm going with this. If there's a doc or something I'm more than happy to read it, I just haven't been introduced to the problem before. This is why experience trumps tests, including the CCNP.
In general you must have your own registered IP blocks and AS number to get multiple ISPs to advertise out the same range of IP addresses. Very rarely can you get ISP1 to advertise out a block owned by ISP2. In general you will advertise out all your blocks on all your ISPs. In some cases, if you want to force traffic over one link and modifying the AS path does not work, you may end up only advertising over 1 ISP. Normally you can get traffic to flow the way you want with ASPATH.
On the NAT question you have a couple of issues. The first being how will an outside user know that both the external NAT addresses go to the same server. There are tricky DNS things that can be done to use both. If you manage to do that, you get to the problem you mentioned. The router is not smart enough to know which NAT translation the packet came in on. One solution I have seen recommended is to put multiple IPs on the server. You can then NAT the 2 external NAT addresses to different inside addresses. You could then use policy routing to force the traffic to return correctly.
You know what may work in this situation is that you policy route the traffic coming from the server where if it uses IP address A as a source, it uses path A and so on. Because your load distribution for the server will come from DNS round robin or the like. Then your other outbound traffic could LB using per destination. This is nothing I have tried but just an idea.
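As an added illustration of the "second inside address plus policy routing" approach the replies above describe, here is a constructed IOS configuration sketch. It is not configuration from anyone in this thread; every address, interface name, ACL name and route-map name is an assumption. 203.0.113.0/24 and 198.51.100.0/24 stand in for the two ISP allocations, 10.10.10.0/24 for the server VLAN, and the server is assumed to carry two inside addresses (.50 and .51).

```cisco
! Constructed example, not from the thread. All addresses and names are placeholders.
! The server VLAN SVI is the NAT inside interface and the servers' default gateway;
! the policy route-map on it steers replies by the inside source address used.
interface Vlan10
 description Server VLAN - NAT inside (assumed)
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip policy route-map SERVER-RETURN-PATH
!
! One NAT outside interface per ISP.
interface GigabitEthernet6/1
 description ISP-A uplink (assumed)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet6/2
 description ISP-B uplink (assumed)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Each public address maps to its OWN inside address on the server, so a reply
! sourced from 10.10.10.50 can only belong to the ISP-A translation and a reply
! sourced from 10.10.10.51 only to the ISP-B translation.
ip nat inside source static 10.10.10.50 203.0.113.50
ip nat inside source static 10.10.10.51 198.51.100.50
!
! Classify server replies by inside source address.
ip access-list extended FROM-SERVER-ISP-A
 permit ip host 10.10.10.50 any
ip access-list extended FROM-SERVER-ISP-B
 permit ip host 10.10.10.51 any
!
! Force each class back out the uplink whose public address it was reached on.
! Traffic matching neither sequence falls through to the normal (BGP) routing table.
route-map SERVER-RETURN-PATH permit 10
 match ip address FROM-SERVER-ISP-A
 set ip next-hop 203.0.113.1
route-map SERVER-RETURN-PATH permit 20
 match ip address FROM-SERVER-ISP-B
 set ip next-hop 198.51.100.1
```

Two practical points when verifying this. Check the translation table with `show ip nat translations` and the policy hits with `show route-map SERVER-RETURN-PATH` so you can confirm a reply sourced from .51 is leaving via the ISP-B uplink rather than following the BGP best path. And because a plain `set ip next-hop` keeps sending to a dead upstream, pair it with `set ip next-hop verify-availability` and an IP SLA track if the uplink state matters to you. From a security standpoint, note that the server is now reachable on two public addresses, so whatever inbound ACL you apply on one outside interface has to be applied identically on the other, and the server's services must bind to both inside addresses or one public address will simply appear closed.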