From: Don Rogers (drogers@xxxxxxxxxxx)
Date: Fri Dec 14 2001 - 23:15:31 GMT-3
On a PIX, you have two options for configuring a default gateway.
1. Configure a specific IP address. If you are using HSRP, this would
probably be the virtual IP address. If it is the PIX will obtain the MAC
address from the active HSRP router. If it is not the HSRP virtual IP
address, the PIX will arp for the MAC address. If proxy arp is turned on, the
router with a route will respond. If both routers have a route, both will
respond. The first response received by the PIX goes in the arp table. When
both routers respond, over time, each is first about half of the time.
Theoretically, the router with the lightest load should respond first. This
appears to result in load balancing. It is not perfect. But, it is pretty
good.
2. Configure the PIX's IP address as the IP address of the default gateway.
This will cause the PIX to arp for the for the next hop IP address. If proxy
arp is turned on, the router with a route will respond. If both routers have
a route, both will respond. The first response received by the PIX goes in
the arp table. Over time, this appears to result in load balancing.
If you do not use a default gateway and configure a static route, the PIX will
arp for the MAC address for the next hop destination IP address. If you use
the HSRP virtual IP address as the next hop address in the static route, the
active router will respond. If you use another IP address, the router or
routers that have a route will respond. If both respond, the first goes in
the arp table.
If allowed, a router sends an ICMP redirect when a packet comes in and must
go out on the same physical interface. In your example, R1 would send a
redirect when R1 receives a packet from the PIX and R1 must send the packet to
R2 across the Ethernet LAN.
I do not know what the PIX will do with the ICMP redirect. My best guess is
that it will ignore the redirect. PIX's generally are not very trusting.
"Lupi, Guy" wrote:
> Ok, want to get something straight in my head. You have 2 routers, each
> is
> connected to an ISP, you are running bgp. Each router has an ethernet
> port
> that is on the same network, they are bgp neighbors. They are running
> hsrp,
> connected to the same ethernet network is a PIX that has a default route
> to
> the virtual ip of the hsrp group. Now, since they are bgp neighbors,
> they
> exchange route information and have routes from each other to networks
> for
> which they are best path. Now for the questions:
>
> If you weren't running HSRP, the router would send an ICMP redirect to
> the
> PIX if the other router was best path for that network, correct?
>
> If you are running HSRP, what happens? I have this set up and the
> router
> that is the active router for the HSRP group is getting all the traffic
> from
> the PIX and forwarding it, nothing is getting sent to the standby
> router.
> Is this the correct behavior, even if the standby router has a better
> path
> to the destination network? Thanks.
>
> r1 r2
> | |
> | |
> |------------|-----------|
> |
> |
> Pix
>
> Guy H. Lupi
> ------------------------------------------------------------------------
>
> Part 1.2 Type: application/ms-tnef
> Encoding: base64
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:43 GMT-3