Best way to make this traffic flow the way I want

RadiclDreamer

Diamond Member
Aug 8, 2004
I have a public IP block we'll call 1.1.1.x that is connected to our facility, which uses 172.25.x.x as its internal scheme.

We have a sister facility connected by fiber with 172.17.225.x as their internal.

I have a server currently using one of the public IP addresses out of the class C block, which we'll call 1.1.1.1, and I have a redundant server at the sister facility that will have 172.17.225.x.

I want to do a trial failover so that when my users type in 1.1.1.1 they get the server located at the other facility, 172.17.225.x.

Now I thought, easy! Change the IP on the remote machine, then add a static route and ta-da! But alas, it's a directly connected network for my router, so the admin distance is 0 and the static route's is 1, so that won't work. My next thought would be to NAT 1.1.1.1 > 172.17.225.x, but I wasn't entirely sure this would work.

Can I do this for just one address? Can it be done period?

I know DNS would have been a better alternative, but since the dawn of time at my facility they have used the IP to access this application and I don't really want to redirect 1500 clients.

If this sounds confusing, sorry. I can provide any information that might make this easier to understand.

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
Check out HSRP or VRRP

Multiple physical gateways with a single logical appearance. The primary fails and a logical backup takes the traffic.

RadiclDreamer

Diamond Member
Aug 8, 2004
Originally posted by: Pantlegz1
why not just add the route and manually set the AD to something higher?

I'm afraid of what other chaos that might introduce; also, I didn't think you could change the AD of a directly connected route.

drebo

Diamond Member
Feb 24, 2006
How do you have a server using the public IP without NAT? Is it set up before your firewall or something...i.e. does it have an interface in both the green and the red? If so, that's bad-bad-bad. NAT is the way you should be doing this. If the server is physically connected to the red network (outside the firewall) and you attempt to NAT that IP address to an internal server, you will need to clear the ARP cache on your router (not the firewall) in order for it to be seen.

I don't understand why this wasn't set up as a static NAT to begin with. Maybe I'm not understanding your exact setup.

Pantlegz

Diamond Member
Jun 6, 2007
Originally posted by: RadiclDreamer
Originally posted by: Pantlegz1
why not just add the route and manually set the AD to something higher?

I'm afraid of what other chaos that might introduce; also, I didn't think you could change the AD of a directly connected route.

Well, if the link is only going to this server, or the server network/subnet or whatever, just set the AD to like 100k if it's the fallback, so it will only be used to get to this one network, and only if there is no other route.

sactwnguy

Member
Apr 17, 2007
Unfortunately, to really solve your issue, more information on your network infrastructure would be needed to figure out packet flows and the placement of the NAT. If the packet is not NATed before it hits the router that is directly connected to 1.1.1.0, the directly connected interface always wins and the packet will not get NATed. Using static NAT for a single-server failover is very limited in that you have to do it manually when you want to fail over. Messing around with route AD will only work if you lose the complete route to the 1.1.1.0 network. Also, HSRP is limited to router redundancy, and VRRP is generally for servers located on the same subnet. The best solution in your case would be to use some form of load balancer, if of course you had access to one.
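For readers who want to see what the static NAT approach drebo describes, and the NAT placement sactwnguy is getting at, actually looks like, here is an added Cisco IOS configuration example. It is not from any poster in this thread or from the original poster's router. Interface names and addresses are assumed: the router that owns the 1.1.1.0/24 segment is given 1.1.1.254 on its public interface and 172.17.225.1 on the fiber link, and the standby server at the sister facility is assumed to be 172.17.225.10.

```cisco
! Added example, not from this thread. Interface names, 1.1.1.254,
! 172.17.225.1 and 172.17.225.10 are assumptions for illustration.
!
interface GigabitEthernet0/0
 description Public 1.1.1.0/24 segment (where the original 1.1.1.1 host sat)
 ip address 1.1.1.254 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description Fiber to sister facility, 172.17.225.0/24
 ip address 172.17.225.1 255.255.255.0
 ip nat inside
!
! One-to-one static NAT: packets arriving on an outside interface for
! 1.1.1.1 are rewritten to 172.17.225.10 and routed over the fiber, and
! replies are translated back. Because 1.1.1.1 is inside the router's own
! connected /24, IOS also answers ARP for 1.1.1.1 on Gi0/0, so the
! original server must be off that segment (or re-addressed) before this
! is applied, otherwise two hosts claim the same address.
ip nat inside source static 172.17.225.10 1.1.1.1
!
! Failback is the reverse: remove the translation, then bring the
! original host back up on 1.1.1.1.
! no ip nat inside source static 172.17.225.10 1.1.1.1
```

After applying the translation, `clear arp-cache` on this router so a stale entry for the old 1.1.1.1 host's MAC is not used, and confirm with `show ip nat translations` and `show arp | include 1.1.1.1`; when removing it, `clear ip nat translation *` drops any dynamic entries still in the table. Two caveats a practitioner should check before trusting this for a trial failover: the translation only happens on the router that owns the 1.1.1.0/24 segment, which is the point made above about where the NAT sits relative to the directly connected interface, and classic IOS NAT only translates packets that cross from an `ip nat outside` interface to an `ip nat inside` one, so clients on the 172.25.x.x side will only be translated if the interface they arrive on is marked `ip nat outside`, which may or may not fit how that router is already configured.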

mcmilljb

Platinum Member
May 17, 2005
Originally posted by: RadiclDreamer
I have a public IP block we'll call 1.1.1.x that is connected to our facility, which uses 172.25.x.x as its internal scheme.

We have a sister facility connected by fiber with 172.17.225.x as their internal.

I have a server currently using one of the public IP addresses out of the class C block, which we'll call 1.1.1.1, and I have a redundant server at the sister facility that will have 172.17.225.x.

I want to do a trial failover so that when my users type in 1.1.1.1 they get the server located at the other facility, 172.17.225.x.

Now I thought, easy! Change the IP on the remote machine, then add a static route and ta-da! But alas, it's a directly connected network for my router, so the admin distance is 0 and the static route's is 1, so that won't work. My next thought would be to NAT 1.1.1.1 > 172.17.225.x, but I wasn't entirely sure this would work.

Can I do this for just one address? Can it be done period?

I know DNS would have been a better alternative, but since the dawn of time at my facility they have used the IP to access this application and I don't really want to redirect 1500 clients.

If this sounds confusing, sorry. I can provide any information that might make this easier to understand.

Can the users manually change the IP address to a DNS entry? Just send out a notice that after such-and-such a day, that IP address will not work. Problem solved.