Re: [fw-wiz] PIX Dual line Internet HDSL and ADSL

From: Daniel Linder (dan_at_linder.org)
Date: 11/03/05

  • Next message: David Lang: "Re: [fw-wiz] PIX Dual line Internet HDSL and ADSL"
    To: "Brian Loe" <knobdy@gmail.com>
    Date: Wed, 2 Nov 2005 22:45:53 -0600 (CST)
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    (This e-mail will be more router oriented than firewall oriented.  If
    the list members want this taken off-line, just reply to me privately and
    we can continue there... -- Dan)

    On Wed, November 2, 2005 13:24, Brian Loe wrote:

    > I have a question about that. We too have two ISPs. When introduced to
    > our network here they explained that the one ISP provided a route to
    > the other for redundancy. I had questions, but I didn't question him.
    > The two internet routers are configured with HSRP addresses to talk to
    > the PIX.
    >
    > However, now that I've set up CACTI on a box here and pointed it at
    > our outside interfaces it's obvious that they're definitely NOT doing
    > any kind of load balancing for our connection and ONLY serving as what
    > we hope is a redundant link. Now my questions are: since our public IP
    > addresses are going to be routed to the primary ISP first, is it even
    > possible to span both connections? Does this setup only work for
    > failover?
    >
    > I know very little to nothing at all about HSRP, just so you all know.

    Some quick terminology:

    HSRP is a redundancy protocol that lets multiple routers listen on a
    common IP address on a subnet and take over when one of the routers fails
    to respond to a heartbeat.  So, if Router-A-Eth0 is set up with a physical
    address of X.X.X.2, and Router-B-Eth0 with X.X.X.3, and both listen on HSRP
    address X.X.X.1, then any machine on the X.X.X network can use the X.X.X.1
    address as its gateway, and if either router fails, it should still get
    out.

    BGP is a routing protocol
    that is used on the Internet to quickly "tell the world" how to
    get to big blocks of the address space (normally /28 and larger). 
    Thus, if you "own" (through ARIN.net) a /28 block of live IP
    addresses, you can configure BGP with your multiple up-stream
    providers.  When properly configured, BGP will keep track of the
    "shortest" route to your block of addresses, and automatically
    prune dead paths.

    BGP is *not* a load balancing protocol (see note 1).  If BGP is
    properly set up, the difference in load could be due to one ISP being
    better connected than the other with a lower hop count.  The other
    issue could be that the IP addresses you are using might be registered to
    only that one ISP and the rest of the world doesn't know that ISP-2 can
    get there, too.  This is most commonly due to an ISP
    "loaning" a subnet to a customer without officially transferring
    it to the customer via ARIN.net and assigning them a new
    "Autonomous System" number.

    > Finally, and maybe I'm just not thinking this through
    > enough, since the secondary link does show some traffic out, how do
    > those connections make it back? If they go out the secondary router
    > they'll be headed back in the primary wouldn't they?

    This could be due to asymmetric routing.  Since the router is sending
    the packet through the link with the shortest "hop", it could be
    sending it to one ISP, but if that ISP's router does not know where your
    addresses are, it will send the response to its default gateway (i.e.
    the Internet) where it will route back through your connection.

    You might want to perform a test to ensure that your redundant ISP
    connections are truly working.  Set up an account with AOL or another
    major ISP who is *NOT* local to your city nor your ISPs' locations, then
    use some simple traceroute and pings to see where the traffic is going.
    You'll also want to sniff your router ports and set up some debugging
    within the router to ensure that packets are going where you expect them
    to be headed.

    Dan

    Note 1: Cisco has added link bandwidth options to BGP so this is not 100%
    true.  See
    http://www.inetdaemon.com/columns/ask/internet-load-balancing.shtml for
    some BGP related information.

    - - - - -

    "Wait for that wisest of all counselors, time." -- Pericles

    "I do not fear computers, I fear the lack of them." -- Isaac
    Asimov

    GPG fingerprint:6FFD DB94 7B96 0FD8 EADF 2EE0 B2B0 CC47 4FDE 9B68

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (GNU/Linux)

    iD8DBQFDaZYBsrDMR0/em2gRAlTKAKCV0DiLRBzVyVZnM/5TnqNFnOdJ+wCfV6vI
    qcbIKwenz7W2/lAIyFqh+OM=
    =MU7F
    -----END PGP SIGNATURE-----

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
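The "sniff your router ports" check Dan suggests above can be automated. The following is an added example, not code from Dan or the firewall-wizards list: it takes a constructed, tcpdump-like capture summary with a link tag prepended to each line (isp1 / isp2, one capture per router port), pairs the outbound SYN of each TCP flow with the inbound SYN/ACK, and reports flows whose reply came back over the other ISP link, which is exactly the asymmetric-routing case described in the message. It also counts how many new outbound flows each link carried, which is what the CACTI graphs were hinting at. The capture line format, the link tags and the addresses (203.0.113.0/28 standing in for the customer's block, 198.51.100.0/24 and 192.0.2.0/24 for remote hosts, all documentation ranges) are assumptions for the example.

```python
"""Detect asymmetric return paths across two ISP links (added example).

Input is a constructed, tcpdump-like summary, one line per packet:
    <link> <ts> <src>.<sport> > <dst>.<dport>: Flags [<flags>]
The link tag (which router port the packet was sniffed on) is something the
operator adds when merging the two captures; it is not tcpdump output.
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<link>\S+)\s+(?P<ts>[\d.]+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (documentation address ranges, not real hosts).
# Flow 2 leaves on isp2 but its SYN/ACK arrives on isp1: asymmetric.
# Flow 3 never gets a reply, and the last line is transit traffic that does
# not involve the local block at all; neither should be flagged.
SAMPLE_LINES = """
isp1 1.000 203.0.113.5.40001 > 198.51.100.10.80: Flags [S]
isp1 1.050 198.51.100.10.80 > 203.0.113.5.40001: Flags [S.]
isp2 2.000 203.0.113.6.40002 > 198.51.100.20.443: Flags [S]
isp1 2.120 198.51.100.20.443 > 203.0.113.6.40002: Flags [S.]
isp2 3.000 203.0.113.7.40003 > 198.51.100.30.22: Flags [S]
isp1 3.500 192.0.2.9.51000 > 198.51.100.30.22: Flags [S]
""".strip().splitlines()

LOCAL_NET = "203.0.113.0/28"   # assumed customer block for the example


def parse_line(line):
    """Return a dict for one capture line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "link": d["link"], "ts": float(d["ts"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],
    }


def classify_flows(lines, local_net):
    """Map each local<->remote flow to the link its first packet was seen on,
    separately for the outbound and the inbound direction."""
    net = ipaddress.ip_network(local_net)
    seen = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        src_local = ipaddress.ip_address(p["src"]) in net
        dst_local = ipaddress.ip_address(p["dst"]) in net
        if src_local == dst_local:
            continue  # internal or pure transit traffic; not our concern here
        if src_local:
            key, direction = (p["src"], p["sport"], p["dst"], p["dport"]), "out"
        else:
            key, direction = (p["dst"], p["dport"], p["src"], p["sport"]), "in"
        # keep the first link seen per direction; retransmits are ignored
        seen.setdefault(key, {}).setdefault(direction, p["link"])
    return seen


def asymmetric_flows(lines, local_net):
    """Flows whose reply arrived on a different link than the request left."""
    out = []
    for key, dirs in classify_flows(lines, local_net).items():
        if "out" in dirs and "in" in dirs and dirs["out"] != dirs["in"]:
            out.append((key, dirs["out"], dirs["in"]))
    return sorted(out)


def outbound_share(lines, local_net):
    """Number of new outbound flows per link, i.e. is anything load-balanced?"""
    counts = defaultdict(int)
    for dirs in classify_flows(lines, local_net).values():
        if "out" in dirs:
            counts[dirs["out"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, out_link, in_link in asymmetric_flows(SAMPLE_LINES, LOCAL_NET):
        print("asymmetric: %s:%d -> %s:%d  out via %s, reply via %s"
              % (key + (out_link, in_link)))
    print("outbound flows per link:", outbound_share(SAMPLE_LINES, LOCAL_NET))
```

Run it against two real captures by prepending the link tag to each line (`sed 's/^/isp1 /'` on one file, `isp2` on the other) and concatenating them; any flow reported by `asymmetric_flows` is one the remote ISP routed home via the other provider, and a stateful device that only sits on one of the two paths (a firewall or IDS with one interface per link) will see only half of that conversation.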

