From firewalls-gc Fri Jan 31 23:10:05 1997
From: Chris Lonvick
Date: Fri, 31 Jan 1997 23:10:05 +0000
To: firewalls-gc
Subject: Re: Highly available Internet connection
X-MARC-Message: https://marc.info/?l=firewalls-gc&m=87619433410996

Hi folks,

The details of HSRP (Hot Standby Router Protocol) can be found at:
http://www.cisco.com/warp/public/417/27.html

I wouldn't say that there is any "load sharing" between the two (or more) routers participating in HSRP. In essence, a Virtual MAC (VMAC) address is passed back in response to an ARP from the Primary HSRP router. The Primary HSRP router will accept packets destined to that VMAC. If it dies, then the Secondary will accept packets destined to the VMAC after the funeral (... uhh, I mean to say, after the Secondary doesn't see any HSRP Hellos within a timeout period - usually 10 seconds, but it's configurable.)

While these devices maintain a VMAC between them, each does have its own unique MAC and IP addresses, and each maintains its own routing tables. So, if the primary fails, it should either have a real route to all known destinations, or should have a default route. If both are on the same internal LAN segment as well as external LAN segment (DMZ) then they will both have the same routing table.

As far as load sharing or balancing goes, if the routers have different routing paths (one router has a connection to ISP-A and another has a connection to ISP-B rather than being on the same DMZ LAN), they will maintain different routing tables. So, if you configure a workstation with a default gateway (the Primary HSRP router), and it sends packets towards it, then the Primary HSRP router may respond with an ICMP redirect which points to one of the backup HSRP routers. In this way, some sessions may go across the HSRP backup router.

Getting back to the original question, I'd opt for diversity throughout your enterprise if it's _that_ important to you.

Most of the systems I've seen have dealt with:
o what if my firewall dies?
o what if my link to my ISP dies?
o what if my ISP dies?
All of which have the same single point of failure: your central site.

Living in Houston, as elsewhere along the Gulf Coast, we worry about: what if all communications to the city become unavailable? (Not to press our luck, but I think that we're statistically overdue for a really big hurricane.)

So, to line this out with an example, if your Transaction Processing machines (redundant, of course) are in Wichita and Des Moines, then you should have ISP links in each of those cities which both of your TP machines could access if
o the primary link were to fail
o the other TP machine were to fail
o that really big hurricane were to get to one city or the other.

+++ Some commercialism follows +++ stop reading here if this offends you. (hey, I gotta' make a living!)

The Cisco PIX does have a failover feature.
http://www.cisco.com/warp/public/146/Intrafirewall.html
which does address the issue of "what if my firewall dies?" It is usually deployed on the same internal LAN and same DMZ-LAN. However, just thinking about it, it should be possible to deploy them both on an internal LAN, but on different external LANs with routers going to different ISPs. Since the PIX is session stateful (the routers are, by default, not stateful), sessions would be broken if the primary fails, but general connectivity would be maintained.

Hope this helps,

Chris Lonvick
Cisco Systems Consulting Engineering
Houston, TX, USA
+1-713-778-5663

At 10:38 AM 1/31/97 -0500, CCCRE.CCULL@capital.ge.com wrote:
>
>>Are they one on the same box or is it two different routers that
>>automatically drop to a redundancy ? Thanks.
>
>>-- Joel
>
> i didn't get your e-mail address joel, so i'm having to respond
> here...
>
> they are 2 physically separate boxes (referring to cisco's hot standby
> protocol). i'm not sure if they do anything like load balancing, or
> if the split between the 2 is more static. however, i do know that
> when one fails, the other one picks up its load. i'm working from 4
> month old memory here, so this stuff is a little foggy.... but it
> seems like the 2 routers are seen (ip-wise) as 1 virtual router. i
> guess each router knows the other's routing table, but just ignores
> that portion as long as the other router is functional. if they DIDN'T
> know each other's table, and 1 of the routers failed, there'd be a
> lag while it updated, and i remember no perceptible lag when we
> tested these....
>
> chris cull
> cccre.ccull@capital.ge.com
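A small simulation of the hello/hold-timer failover described in the post above (an added example, not code from the post or from Cisco): two routers with their own MAC and IP share one virtual IP and VMAC, only the active router answers ARP for the VIP and accepts frames to the VMAC, and the standby promotes itself after HOLD_TIME seconds without a hello. The 3-second hello interval, addresses, router names and the HsrpRouter/HsrpGroup classes are constructed for the model; the 10-second hold time is the default the post mentions.

```python
HELLO_INTERVAL = 3.0  # seconds between hellos (constructed value for the model)
HOLD_TIME = 10.0      # seconds without a hello before the standby takes over (post: ~10 s, configurable)

class HsrpRouter:  # one physical router: own MAC/IP plus the group's shared virtual IP/MAC
    def __init__(self, name, mac, ip, priority, vip, vmac):
        self.name, self.mac, self.ip, self.priority = name, mac, ip, priority
        self.vip, self.vmac, self.state, self.alive = vip, vmac, "standby", True
        self.last_hello_seen, self.last_hello_sent = 0.0, -HELLO_INTERVAL
    def arp_reply(self, target_ip):  # only the active router answers ARP for the VIP, with the VMAC
        if not self.alive:
            return None
        if target_ip == self.vip:
            return self.vmac if self.state == "active" else None
        return self.mac if target_ip == self.ip else None
    def accepts(self, dst_mac):  # frames to the VMAC are accepted only while this router is active
        return self.alive and (dst_mac == self.mac or (self.state == "active" and dst_mac == self.vmac))

class HsrpGroup:
    def __init__(self, routers):
        self.routers = routers
        max(routers, key=lambda r: r.priority).state = "active"  # highest priority starts active
    def tick(self, now):
        # A live active router sends a hello to its peers every HELLO_INTERVAL ...
        for r in self.routers:
            if r.alive and r.state == "active" and now - r.last_hello_sent >= HELLO_INTERVAL:
                r.last_hello_sent = now
                for peer in self.routers:
                    if peer is not r:
                        peer.last_hello_seen = now
        # ... and a standby that has heard nothing for HOLD_TIME promotes itself.
        for r in self.routers:
            if r.alive and r.state == "standby" and now - r.last_hello_seen >= HOLD_TIME:
                r.state = "active"
    def resolve(self, ip):  # ARP on the shared segment: whichever router answers
        return next((x for x in (r.arp_reply(ip) for r in self.routers) if x), None)
    def owner_of(self, dst_mac):  # which router actually picks up frames sent to dst_mac
        return next((r.name for r in self.routers if r.accepts(dst_mac)), None)

def simulate(fail_at=12.0, until=25.0):
    """Per second: (t, ARP answer for the VIP, router accepting the VMAC); primary dies at fail_at."""
    vip, vmac = "10.0.0.1", "00:00:0c:07:ac:01"  # constructed; VMAC follows the HSRP v1 group-1 pattern
    a = HsrpRouter("rtr-a", "00:00:0c:11:11:11", "10.0.0.2", 110, vip, vmac)
    b = HsrpRouter("rtr-b", "00:00:0c:22:22:22", "10.0.0.3", 100, vip, vmac)
    group, timeline = HsrpGroup([a, b]), []
    for t in range(int(until) + 1):
        a.alive = a.alive and t < fail_at  # primary fails: no more hellos, no more forwarding
        group.tick(float(t))
        timeline.append((t, group.resolve(vip), group.owner_of(vmac)))
    return timeline
```

The gap between the primary's death and the standby's promotion is the window in which frames to the VMAC are accepted by nobody; shortening the hold time shrinks it at the cost of more false failovers.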