Hi Folks.
I recently passed my ENCOR exam, yet a new work project I have is revealing 2 questions I've had for a while...
Question1: How does the ISP work with the enterprise when the enterprise wants to use a public IP address on its border router? What is expected of the ISP? Will the enterprise need to set up BGP routing on its border router?
Question 2a: Without a DMVPN setup, is it possible (however impractical) to set up a VPN in which a public IP addressed, pre-configured router plugs into an ethernet port at a residence, probably inside an ISP's private network, so that the router will achieve VPN connectivity to the enterprise office?
Question 2b: Is the above solution possible if the router does not locate behind a NAT gateway?
Thank you! :)
Jim
(ENCORE 12.21)
Normally, the ISP will have the equipment set up so that you can specify an IP address for the point-to-point connection between their box and your external router. The outbound route from your enterprise can be directed to the IP address on your external router and then your external router just shoves all the traffic into the ISP box, no worries. The routing principles remain the same whether or not you utilize public or private IPv4 address spaces.
For the VPN situation, you're looking at utilizing a home-grade Internet connection, which is not as flexible as a commercial connection. This will depend upon the ISP, but I'd generally say no to that. The gear that I see being shipped out to homes for WFA (Work From Anywhere) situations usually involves a Meraki, Aruba, Mist, or other cloud-managed solution. This means that, regardless of the home IP address, the employee will be able to access the corporate network via a cloud gateway available via that WFA solution. Zscaler and products like that remove the need for hardware, but do not allow non-PC devices to connect. So, if the WFA person needs a hard phone or printer, we're looking at a cloud-managed access point.
I may need a little more clarification around your use cases to help dial in the right solution, but that's what I'm thinking so far.
Quote from: mrome74 on December 26, 2021, 10:59:08 AM
Question1: How does the ISP work with the enterprise when the enterprise wants to use a public IP address on its border router? What is expected of the ISP? Will the enterprise need to set up BGP routing on its border router?
So if the company owns their own IP address block, they can work out an agreement with the ISP to advertise their networks to the internet.
through BGP. There will be a point to point link /30 or /31 (depending on redundancy needs), between said company and ISP where the BGP relationship is built across. the ISP updates their side of the BGP connection to allow the company owned IP block to be accepted.
The company also have option to lease some ISP provider IP space, if available. Then the ISP just forwards the routing for the IP space to the company next hop router.
Hope that helps.
..awww deanwebb beat me to it...
Thank you 2 so much for your responses. They are very valuable to me. <3
Please inform me-- Was I right in my response to the client that he would need to contact the ISP?
CLIENT- " i want to give out a remote cisco router to each end user, and have them plug it into their home internet connection. This remote cisco router will tunnel to my local cisco router, and assign a real IP address of mine to the remote cisco router that i gave them. Then they can plug into the LAN port of that cisco router whatever they want it will have as its public ip address.
ME- "For this strategy to work you will need to contact the ISP of each client and instruct them that client "A" is to be associated with public IP address "a".
--------
ALSO-- The more I think about the client's strategy, the more confused I become.
1. Is it possible to configure this architecture technology?
2. If so, is it still possible if the remote router is behind a NAT in which the OUTSIDE LAN is also a private, non-routable, network?
Quote from: mrome74 on December 27, 2021, 06:16:18 AM
Please inform me-- Was I right in my response to the client that he would need to contact the ISP?
CLIENT- " i want to give out a remote cisco router to each end user, and have them plug it into their home internet connection. This remote cisco router will tunnel to my local cisco router, and assign a real IP address of mine to the remote cisco router that i gave them. Then they can plug into the LAN port of that cisco router whatever they want it will have as its public ip address.
ME- "For this strategy to work you will need to contact the ISP of each client and instruct them that client "A" is to be associated with public IP address "a".
--------
ALSO-- The more I think about the client's strategy, the more confused I become.
1. Is it possible to configure this architecture technology?
2. If so, is it still possible if the remote router is behind a NAT in which the OUTSIDE LAN is also a private, non-routable, network?
no you cant tell isp to use your IP in that fashion for multiple sites, each site would need to obtain IP from ISP, and tunnels would be created from the company router to each site router at the ISP assigned IP address.
Thanks for your response. I appreciate it.
I have no experience communicating with ISP's. Could I tell the ISP I want to use my already controlled pubic IP addresses on the WAN interface of my router?
yes,
if it were a very large subnet, you could possibly subnet it, and assign blocks to your leaf sites, in turn they could contact ISP. and have those subnetwork advertised through ISP, IPS won't do less than a /24. Now all leaf sites had the same ISP. the ISP may be able to provide services for a DMVPN
^^^
This entire strategy is why solutions from Meraki, Mist, and Aruba exist. Those routers are going to be expensive and difficult to configure. I'd advise client to consider one of those cloud-based options.
Quote from: deanwebb on December 28, 2021, 08:57:04 AM
^^^
This entire strategy is why solutions from Meraki, Mist, and Aruba exist. Those routers are going to be expensive and difficult to configure. I'd advise client to consider one of those cloud-based options.
Software as a Service (SaaS)?
Platform as a Service (PaaS)?
Infrastructure as a Service (IaaS)?
Yes, they're something or other as a service. :smug:
Thank you all for your helpful replies. <3
Forums as a Service (FaaS)?
If they are dead set on using routers at remote sites there is the option to use a flex-vpn (possibly even a DMVPN) without the need for distributing public IP space. The external interface can be configured to use the private IP DHCP assignment from a home router which is being NAT'd by the ISP anyway.