Firewall Wizards mailing list archives

Re: PIX Dual line Internet HDSL and ADSL


From: "Daniel Linder" <dan () linder org>
Date: Wed, 2 Nov 2005 22:45:53 -0600 (CST)




(This e-mail will be more router oriented than firewall oriented.  If
the list members want this taken off-line, just reply to me privately and
we can continue there... -- Dan)



On Wed, November 2, 2005 13:24, Brian Loe wrote:

> I have a question about that. We too have two ISPs. When introduced to
> our network here they explained that the one ISP provided a route to
> the other for redundancy. I had questions, but I didn't question him.
> The two internet routers are configured with HSRP addresses to talk to
> the PIX.
>
> However, now that I've set up CACTI on a box here and pointed it at
> our outside interfaces it's obvious that they're definitely NOT doing
> any kind of load balancing for our connection and ONLY serving as what
> we hope is a redundant link. Now my questions are: since our public IP
> addresses are going to be routed to the primary ISP first, is it even
> possible to span both connections? Does this setup only work for
> failover?
>
> I know very little to nothing at all about HSRP, just so you all know.



Some quick terminology:

HSRP is a redundancy protocol that lets multiple routers listen on a
common IP address on a subnet and take over when one of the routers fails
to respond to a heartbeat.  So, if Router-A-Eth0 is set up with a physical
address of X.X.X.2, and Router-B-Eth0 with X.X.X.3, and both listen on HSRP
address X.X.X.1, then any machine on the X.X.X network can use the X.X.X.1
address as its gateway, and if either router fails, it should still get
out.



BGP is a routing protocol that is used on the Internet to quickly "tell
the world" how to get to big blocks of the address space (normally /28 and
larger).  Thus, if you "own" (through ARIN.net) a /28 block of live IP
addresses, you can configure BGP with your multiple upstream providers.
When properly configured, BGP will keep track of the "shortest" route to
your block of addresses and automatically prune dead paths.



BGP is *not* a load balancing protocol (see note 1).  If BGP is properly
set up, the difference in load could be due to one ISP being better
connected than the other, with a lower hop count.  The other issue could be
that the IP addresses you are using might be registered to only that one
ISP, and the rest of the world doesn't know that ISP-2 can get there, too.
This is most commonly due to an ISP "loaning" a subnet to a customer
without officially transferring it to the customer via ARIN.net and
assigning them a new "Autonomous System" number.



> Finally, and maybe I'm just not thinking this through enough, since the
> secondary link does show some traffic out, how do those connections make
> it back? If they go out the secondary router they'll be headed back in
> the primary wouldn't they?



This could be due to asymmetric routing.  Since the router is sending the
packet through the link with the shortest "hop", it could be sending it to
one ISP, but if that ISP's router does not know where your addresses are,
it will send the response to its default gateway (i.e. the Internet), where
it will route back through your other connection.



You might want to perform a test to ensure that your redundant ISP
connections are truly working.  Set up an account with AOL or another
major ISP that is *NOT* local to your city or your ISPs' locations, then
use some simple traceroutes and pings to see where the traffic is going.
You'll also want to sniff your router ports and set up some debugging
within the router to ensure that packets are going where you expect them
to be headed.



Dan



Note 1: Cisco has added link bandwidth options to BGP so this is not 100%
true.  See
http://www.inetdaemon.com/columns/ask/internet-load-balancing.shtml for
some BGP related information.



- - - - -

"Wait for that wisest of all counselors, time." -- Pericles

"I do not fear computers, I fear the lack of them." -- Isaac Asimov

GPG fingerprint:6FFD DB94 7B96 0FD8 EADF  2EE0 B2B0 CC47 4FDE 9B68
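The "sniff your router ports" check from the message above, as an added example that is not part of the original post: given per-link packet records from captures on both ISP links (constructed sample data below, using a hypothetical 203.0.113.0/24 public block), it flags sessions whose replies arrive on a different ISP link than the request left on, which is the asymmetric routing pattern Dan describes.

```python
"""Flag asymmetric routing across two ISP links from per-link captures.
Added example with constructed data; not code from the original post."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Hypothetical public block behind the PIX (constructed for this example).
LOCAL_PREFIX = "203.0.113."

class Packet(NamedTuple):
    link: str    # capture point: "isp1" or "isp2"
    src: str
    sport: int
    dst: str
    dport: int

def is_local(ip: str) -> bool:
    return ip.startswith(LOCAL_PREFIX)

def flow_key(p: Packet) -> Tuple[str, int, str, int]:
    """Both directions of a session map to (local_ip, lport, remote_ip, rport)."""
    if is_local(p.src):
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)

def classify_flows(packets: List[Packet]) -> Dict[tuple, Tuple[Set[str], Set[str]]]:
    """Per flow: (links outbound packets left on, links inbound packets arrived on)."""
    flows: Dict[tuple, Tuple[Set[str], Set[str]]] = defaultdict(lambda: (set(), set()))
    for p in packets:
        out_links, in_links = flows[flow_key(p)]
        (out_links if is_local(p.src) else in_links).add(p.link)
    return flows

def asymmetric_flows(packets: List[Packet]) -> Dict[tuple, Tuple[List[str], List[str]]]:
    """Flows seen in both directions whose reply link differs from the request link."""
    found = {}
    for key, (out_links, in_links) in classify_flows(packets).items():
        if out_links and in_links and out_links != in_links:
            found[key] = (sorted(out_links), sorted(in_links))
    return found

# Constructed capture: session 1 symmetric via isp1; session 2 leaves via isp2
# but its reply comes back via isp1 (the case in the post); session 3 is
# reply-only and is ignored because no outbound packet was captured.
SAMPLE = [
    Packet("isp1", "203.0.113.10", 40001, "198.51.100.5", 80),
    Packet("isp1", "198.51.100.5", 80, "203.0.113.10", 40001),
    Packet("isp2", "203.0.113.11", 40002, "198.51.100.9", 443),
    Packet("isp1", "198.51.100.9", 443, "203.0.113.11", 40002),
    Packet("isp1", "198.51.100.20", 53, "203.0.113.12", 40003),
]

if __name__ == "__main__":
    for key, (out_l, in_l) in asymmetric_flows(SAMPLE).items():
        print(f"asymmetric: {key} out={out_l} in={in_l}")
```

Feed it the flows parsed from a capture on each router's outside port; any flow it reports is one whose return path does not match the ISP the request used.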

