Re: [fw-wiz] PIX Dual line Internet HDSL and ADSL

From: Daniel Linder (
Date: 11/03/05

  • Next message: David Lang: "Re: [fw-wiz] PIX Dual line Internet HDSL and ADSL"
    To: "Brian Loe" <>
    Date: Wed, 2 Nov 2005 22:45:53 -0600 (CST)


    (This e-mail will be more router oriented than firewall oriented.  If
    the list members want this taken off-line, just reply to me privately and
    we can continue there... -- Dan)

    On Wed, November 2, 2005 13:24, Brian Loe wrote:

    > I have a question about that. We too have two ISPs. When introduced
    > our network here they explained that the one ISP provided a route
    > the other for redundancy. I had questions, but I didn't question
    > The two internet routers are configured with HSRP addresses to talk
    > the PIX.

    > However, now that I've set up CACTI on a box here and pointed it at
    > our outside interfaces it's obvious that they're definitely NOT
    > any kind of load balancing for our connection and ONLY serving as
    > we hope is a redundant link. Now my questions are: since our public
    > addresses are going to be routed to the primary ISP first, is it
    > possible to span both connections? Does this setup only work for
    > failover?

    > I know very little to nothing at all about HSRP, just so you all

    Some quick terminology:

    HSRP is a redundancy
    protocol to let multiple routers listen on a common IP address on a subnet
    and take over when one of the routers fails to respond to a heartbeat.
    So, if Router-A-Eth0 is set up with a physical address of X.X.X.2, and
    Router-B-Eth0 with X.X.X.3, and both listen on HSRP address X.X.X.1, then
    any machine on the X.X.X network can use the X.X.X.1 address as their
    gateway, and if either router fails, they should still get out.

    BGP is a routing protocol
    that is used on the Internet to quickly "tell the world" how to
    get to big blocks of the address space (normally /28 and larger). 
    Thus, if you "own" (through a /28 block of live IP
    addresses, you can configure BGP with your multiple up-stream
    providers.  When properly configured, BGP will keep track of the
    "shortest" route to your block of addresses, and automatically
    prune dead paths.

    BGP is *not* a load balancing protocol (see note 1).  If BGP is
    properly set up, the difference in load could be due to one ISP being
    better connected than the other with a lower hopcount.  The other
    issue could be that the IP addresses you are using might be registered to
    only that one ISP and the rest of the world doesn't know that ISP-2 can
    get there, too.  This is most commonly due to an ISP
    "loaning" a subnet to a customer without officially transferring
    them to the customer via and assigning them a new
    "Autonomous System" number.

    > Finally, and maybe I'm just not thinking this through
    > enough, since the secondary link does show some traffic out, how do
    > those connections make it back? If they go out the secondary router
    > they'll be headed back in the primary wouldn't they?

    This could be due to asymmetric routing.  Since the router is sending
    the packet through the link with the shortest "hop", it could be
    sending it to one ISP, but if that ISP's router does not know where your
    addresses are, it will send the response to their default gateway (i.e.
    the Internet) where it will route back through your connection.

    You might want to perform a test to ensure that your redundant ISP
    connections are truly working.  Set up an account with AOL or other
    major ISP who is *NOT* local to
    your city nor your ISPs' locations, then use some simple traceroute and
    pings to see where the traffic is going.  You'll also want to sniff
    your router ports and set up some debugging within the router to ensure
    that packets are going where you expect them to be headed.


    Note 1: Cisco has added link bandwidth options to BGP so this is not 100%
    true.  See for
    some BGP-related information.

    - - - - -

    "Wait for that wisest of all counselors, time." -- Pericles

    "I do not fear computers, I fear the lack of them." -- Isaac

    GPG fingerprint:6FFD DB94 7B96 0FD8 EADF 2EE0 B2B0 CC47 4FDE 9B68


    firewall-wizards mailing list
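As an added illustration of the BGP points in the reply above (shortest AS path wins, dead paths get pruned, and a subnet "loaned" by one ISP is only ever reachable through that ISP, so replies come back asymmetrically), here is a toy Python model of the routing table at some far-away network, the kind of remote test account the reply suggests using. It is not code from the post or from the firewall-wizards list. All AS numbers (65001 as the customer, 64501/64502 as the two ISPs, 64503 as a transit AS), the prefixes 198.51.100.0/24 and 198.51.100.16/28, and the test host 198.51.100.20 are made up for the example; only longest-prefix match and AS-path length are modelled, and HSRP is not modelled at all.

```python
"""Toy model of how the rest of the Internet chooses the return path to a
multi-homed customer block.

Added illustration, not code from the mailing-list post.  Every AS number
and prefix is constructed: 65001 is a private ASN, 64501-64503 are from the
documentation range, 198.51.100.0/24 is a documentation prefix.  Only two
pieces of BGP best-path selection are modelled: longest-prefix match and
shortest AS path.  Local preference, MED and HSRP are out of scope.
"""
from ipaddress import ip_address, ip_network

CUSTOMER_AS = 65001               # the customer's own ASN (assumed)
ISP1_AS, ISP2_AS = 64501, 64502   # the two upstream ISPs (assumed)
TRANSIT_AS = 64503                # an AS between the remote site and ISP-2 (assumed)

CUSTOMER_BLOCK = ip_network("198.51.100.16/28")   # the customer's /28 (constructed)
ISP1_AGGREGATE = ip_network("198.51.100.0/24")    # ISP-1's block it was carved from
TEST_HOST = "198.51.100.20"                       # a host inside the customer's /28


class RemoteRib:
    """Routing table of a far-away network: prefix -> AS paths learned for it.
    Paths are written from the remote network's point of view: the first
    element is the AS it hands the packet to, the last is the origin AS."""

    def __init__(self):
        self.routes = {}

    def announce(self, prefix, as_path):
        self.routes.setdefault(prefix, []).append(tuple(as_path))

    def withdraw(self, neighbor_as):
        """Remove every path entering through neighbor_as, as happens when
        that peering or the link behind it goes down."""
        for prefix in list(self.routes):
            kept = [p for p in self.routes[prefix] if p[0] != neighbor_as]
            if kept:
                self.routes[prefix] = kept
            else:
                del self.routes[prefix]

    def best_path(self, dst):
        """Longest-prefix match first, then the shortest AS path; ties are
        broken on the path tuple so the result is deterministic.  Returns
        None when nothing covers dst."""
        dst = ip_address(dst)
        covering = [p for p in self.routes if dst in p]
        if not covering:
            return None
        longest = max(covering, key=lambda p: p.prefixlen)
        return min(self.routes[longest], key=lambda p: (len(p), p))


def return_isp(rib, dst):
    """The upstream that delivers the reply to the customer: the AS just
    before the origin on the chosen path, or the origin itself when an ISP
    originates the covering aggregate.  None if dst is unreachable."""
    path = rib.best_path(dst)
    if path is None:
        return None
    return path[-2] if len(path) >= 2 else path[-1]


def is_asymmetric(rib, dst, egress_isp):
    """True when a request the customer sends out via egress_isp is
    answered over a different upstream."""
    return return_isp(rib, dst) != egress_isp


def multihomed_rib(isp1_up=True):
    """Customer has its own ASN and announces the /28 to both ISPs.  The
    remote network peers directly with ISP-1 but reaches ISP-2 through a
    transit AS, so ISP-1 wins on AS-path length while it is up."""
    rib = RemoteRib()
    rib.announce(CUSTOMER_BLOCK, [ISP1_AS, CUSTOMER_AS])
    rib.announce(CUSTOMER_BLOCK, [TRANSIT_AS, ISP2_AS, CUSTOMER_AS])
    if not isp1_up:
        rib.withdraw(ISP1_AS)      # dead path pruned, ISP-2 path remains
    return rib


def loaned_subnet_rib():
    """The /28 was 'loaned' out of ISP-1's /24 and only ISP-1 announces that
    /24.  ISP-2 may carry the customer's outbound packets, but the world
    has no route pointing at ISP-2, so every reply returns through ISP-1."""
    rib = RemoteRib()
    rib.announce(ISP1_AGGREGATE, [ISP1_AS])
    return rib


if __name__ == "__main__":
    for label, rib in [("both ISPs up", multihomed_rib()),
                       ("ISP-1 down", multihomed_rib(isp1_up=False)),
                       ("loaned /28", loaned_subnet_rib())]:
        print(f"{label:13} reply returns via AS{return_isp(rib, TEST_HOST)}; "
              f"asymmetric if sent out via ISP-2: {is_asymmetric(rib, TEST_HOST, ISP2_AS)}")
```

Running it shows the three cases the reply describes: with the customer's own ASN the world prefers the shorter path through ISP-1, falls over to ISP-2 when the ISP-1 path is withdrawn, and a packet sent out via ISP-2 while ISP-1 is up still comes back through ISP-1. With a loaned /28 the reply always returns via ISP-1, and if ISP-1 goes away the block becomes unreachable, because ISP-2 never told anyone it could get there.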
