Firewall Wizards mailing list archives
Re: PIX Dual line Internet HDSL and ADSL
From: "Daniel Linder" <dan () linder org>
Date: Wed, 2 Nov 2005 22:45:53 -0600 (CST)
(This e-mail will be more router oriented than firewall oriented. If the list members want this taken off-line, just reply to me privately and we can continue there... -- Dan)

On Wed, November 2, 2005 13:24, Brian Loe wrote:

I have a question about that. We too have two ISPs. When introduced to our network here they explained that the one ISP provided a route to the other for redundancy. I had questions, but I didn't question him. The two internet routers are configured with HSRP addresses to talk to the PIX.

However, now that I've set up CACTI on a box here and pointed it at our outside interfaces it's obvious that they're definitely NOT doing any kind of load balancing for our connection and ONLY serving as what we hope is a redundant link. Now my questions are: since our public IP addresses are going to be routed to the primary ISP first, is it even possible to span both connections? Does this setup only work for failover?

I know very little to nothing at all about HSRP, just so you all know.

Some quick terminology: HSRP is a redundancy protocol that lets multiple routers listen on a common IP address on a subnet and take over when one of the routers fails to respond to a heartbeat. So, if Router-A-Eth0 is set up with a physical address of X.X.X.2, and Router-B-Eth0 with X.X.X.3, and both listen on HSRP address X.X.X.1, then any machine on the X.X.X network can use the X.X.X.1 address as its gateway, and if either router fails, they should still get out.

BGP is a routing protocol that is used on the Internet to quickly "tell the world" how to get to big blocks of the address space (normally /28 and larger). Thus, if you "own" (through ARIN.net) a /28 block of live IP addresses, you can configure BGP with your multiple up-stream providers. When properly configured, BGP will keep track of the "shortest" route to your block of addresses, and automatically prune dead paths. BGP is *not* a load balancing protocol (see note 1).

If BGP is properly set up, the difference in load could be due to one ISP being better connected than the other with a lower hop count. The other issue could be that the IP addresses you are using might be registered to only that one ISP and the rest of the world doesn't know that ISP-2 can get there, too. This is most commonly due to an ISP "loaning" a subnet to a customer without officially transferring them to the customer via ARIN.net and assigning them a new "Autonomous System" number.

Finally, and maybe I'm just not thinking this through enough, since the secondary link does show some traffic out, how do those connections make it back? If they go out the secondary router they'll be headed back in the primary wouldn't they?

This could be due to asymmetric routing. Since the router is sending the packet through the link with the shortest "hop", it could be sending it to one ISP, but if that ISP's router does not know where your addresses are, it will send the response to their default gateway (i.e. the Internet) where it will route back through your connection.

You might want to perform a test to ensure that your redundant ISP connections are truly working. Set up an account with AOL or another major ISP who is *NOT* local to your city nor your ISPs' locations, then use some simple traceroute and pings to see where the traffic is going. You'll also want to sniff your router ports and set up some debugging within the router to ensure that packets are going where you expect them to be headed.

Dan

Note 1: Cisco has added link bandwidth options to BGP so this is not 100% true. See http://www.inetdaemon.com/columns/ask/internet-load-balancing.shtml for some BGP related information.

- - - - -
"Wait for that wisest of all counselors, time." -- Pericles
"I do not fear computers, I fear the lack of them." -- Isaac Asimov
GPG fingerprint: 6FFD DB94 7B96 0FD8 EADF 2EE0 B2B0 CC47 4FDE 9B68
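The asymmetric-routing situation Dan describes (outbound traffic leaves via the ISP with the shorter path, replies come back through whichever ISP has actually announced the customer prefix) is easy to see in a toy forwarding model. The following is an added example, not code from the thread or from any Cisco product: four tiny "routers" (customer edge, ISP-1, ISP-2, and a stand-in for the rest of the Internet) each hold a longest-prefix-match table with a path-length cost as tie-breaker, which is all that is needed to show that only one best path is ever used and that the return path ignores which link the outbound packet took. The prefixes are documentation ranges and the topology, next hops and costs are constructed for the example.

```python
"""Toy model of the dual-ISP return-path problem (constructed example).

Forwarding rule: longest-prefix match, lowest cost on ties. `cost` stands in
for BGP AS-path length. Prefixes 203.0.113.0/28 (customer) and
198.51.100.0/24 (remote host) are documentation ranges; the topology is
made up for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    next_hop: Optional[str]  # None = directly attached, packet is delivered
    cost: int = 0            # lower wins among equal-length prefixes


class Router:
    def __init__(self, name, routes):
        self.name = name
        self.routes = [Route(ipaddress.ip_network(n), nh, c) for n, nh, c in routes]

    def lookup(self, dst):
        """Pick exactly one route: longest prefix, then lowest cost.
        A single winner is chosen, which is why two healthy upstreams do
        not give load balancing by themselves."""
        candidates = [r for r in self.routes if dst in r.network]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.network.prefixlen, -r.cost))


def trace(routers, start, dst_ip, max_hops=16):
    """Follow forwarding decisions from `start` toward `dst_ip`; returns the
    router names traversed (a software stand-in for Dan's traceroute test)."""
    dst = ipaddress.ip_address(dst_ip)
    path, current = [start], start
    for _ in range(max_hops):
        route = routers[current].lookup(dst)
        if route is None:
            return path + ["unreachable"]
        if route.next_hop is None:
            return path  # delivered on a directly attached network
        current = route.next_hop
        path.append(current)
    return path + ["loop"]


def is_symmetric(forward, reverse):
    """True when the reply retraces the outbound path hop for hop."""
    return forward == list(reversed(reverse))


def build_topology(isp2_announces_customer):
    """Customer prefix behind ISP-1 and ISP-2. With
    isp2_announces_customer=False only ISP-1 has told the world about the
    customer block (the "loaned subnet" case from the thread)."""
    cust = Router("cust", [
        ("203.0.113.0/28", None, 0),
        ("198.51.100.0/24", "isp2", 1),  # ISP-2 offers the shorter path out
        ("0.0.0.0/0", "isp1", 2),
    ])
    isp1 = Router("isp1", [
        ("203.0.113.0/28", "cust", 0),
        ("0.0.0.0/0", "internet", 1),
    ])
    isp2_routes = [("0.0.0.0/0", "internet", 1)]
    internet_routes = [
        ("198.51.100.0/24", None, 0),
        ("203.0.113.0/28", "isp1", 2),
    ]
    if isp2_announces_customer:
        isp2_routes.append(("203.0.113.0/28", "cust", 0))
        internet_routes.append(("203.0.113.0/28", "isp2", 1))
    return {
        "cust": cust,
        "isp1": isp1,
        "isp2": Router("isp2", isp2_routes),
        "internet": Router("internet", internet_routes),
    }


def check_paths(isp2_announces_customer):
    """Outbound path from the customer to the remote host, the reply path
    back, and whether the two agree."""
    routers = build_topology(isp2_announces_customer)
    forward = trace(routers, "cust", "198.51.100.10")
    reverse = trace(routers, "internet", "203.0.113.5")
    return forward, reverse, is_symmetric(forward, reverse)


if __name__ == "__main__":
    for announced in (False, True):
        fwd, rev, sym = check_paths(announced)
        print(f"ISP-2 announces prefix={announced}: out {fwd}, back {rev}, symmetric={sym}")
```

With the prefix announced only by ISP-1, the outbound packet leaves through ISP-2 but the reply arrives through ISP-1; once ISP-2 also announces the block (and the wider Internet prefers its shorter path), the reply retraces the outbound hops. Note that even in the fixed case a single best route is used in each direction, which matches Dan's point that BGP alone is not a load-balancing mechanism.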