Networking Forums

Any Way to Lock TCP Traffic to One Router

Will
      09-27-2006, 05:13 AM
Say I have the following machines and network:

- Computer A is on Class C 10.10.10.0

- Computer B is on Class C 10.10.20.0

- The two networks are joined by two routers, for fault tolerance.
Router 1 might use 10.10.10.1 and 10.10.20.1 for its interfaces, and Router
2 might use 10.10.10.2 and 10.10.20.2 for its interfaces.

- Computer A and Computer B are Windows 2000 or 2003 computers that each are
configured to use the two routers with equal metrics. Computer A would be
configured with equal metric routes to 10.10.10.1 and 10.10.10.2. Computer
B would be configured with equal metric routes to 10.10.20.1 and 10.10.20.2.

Given the above configuration, is there any way to lock a TCP connection
between Computer A and Computer B to a single router? In other words, is
there any way to have the receiving end of a TCP connection use the same
router for the return traffic that was used to send to that computer? I
don't want fragments of connections going through different network paths.
I'm hoping that either by default Microsoft is routing the return path to
the return traffic to the same router used to send, or that alternately this
behavior can be configured.

--
Will


NetEng
      09-27-2006, 02:03 PM
I'm pretty sure the Windows box will always use its configured default
gateway. The routers should be set up in a redundant fashion such as HSRP or
GLBP. It does not make sense to have two separate routers doing the same
function (providing gateway services); they should be configured as a
redundant pair. That keeps all the administration off the servers (i.e.
multiple routes). The return path should be through the same gateway device,
but I'm making an assumption on your network. If you need a 'hard' answer
you need to post more info.


"Will" <westes-(E-Mail Removed)> wrote in message
news:muednTfP1p3glYfYnZ2dnUVZ_t-(E-Mail Removed)...
> Say I have the following machines and network:
>
> - Computer A is on Class C 10.10.10.0
>
> - Computer B is on Class C 10.10.20.0
>
> - The two networks are joined by two routers, for fault tolerance.
> Router 1 might use 10.10.10.1 and 10.10.20.1 for its interfaces, and
> Router
> 2 might use 10.10.10.2 and 10.10.20.2 for its interfaces.
>
> - Computer A and Computer B are Windows 2000 or 2003 computers that each
> are
> configured to use the two routers with equal metrics. Computer A would
> be
> configured with equal metric routes to 10.10.10.1 and 10.10.10.2.
> Computer
> B would be configured with equal metric routes to 10.10.20.1 and
> 10.10.20.2.
>
> Given the above configuration, is there any way to lock a TCP connection
> between Computer A and Computer B to a single router? In other words,
> is
> there any way to have the receiving end of a TCP connection use the same
> router for the return traffic that was used to send to that computer? I
> don't want fragments of connections going through different network paths.
> I'm hoping that either by default Microsoft is routing the return path to
> the return traffic to the same router used to send, or that alternately
> this
> behavior can be configured.
>
> --
> Will
>
>

Will
      09-27-2006, 09:29 PM
"NetEng" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'm pretty sure the Windows box will always use its configured default
> gateway. The routers should be set up in a redundant fashion such as HSRP
> or GLBP. It does not make sense to have two separate routers doing the same
> function (providing gateway services); they should be configured as a
> redundant pair. That keeps all the administration off the servers (i.e.
> multiple routes). The return path should be through the same gateway
> device, but I'm making an assumption on your network. If you need a 'hard'
> answer you need to post more info.


I understand the advantages of having the routers share one IP. But just
for the sake of knowledge, what is the Windows server algorithm for which of
two *equal-metric* routers it will use to return data?

One possible algorithm would be for Windows to completely ignore which
router sent the data, and just arbitrarily bind to one outgoing router and
use it (it might be the one that sent the data and it might not). The
other algorithm would be to use the lowest metric router but to then give
preference among equal-metric routers to issues like which router did the
packets arrive through.

--
Will

Bill Grant
      09-28-2006, 05:05 AM
If there are two gateways with equal metrics, the system will just
select one at random and use it. It will not even try the second one unless
the first selected one fails.

"Will" <westes-(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ...
> "NetEng" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> I'm pretty sure the Windows box will always use its configured default
>> gateway. The routers should be set up in a redundant fashion such as HSRP
>> or GLBP. It does not make sense to have two separate routers doing the same
>> function (providing gateway services); they should be configured as a
>> redundant pair. That keeps all the administration off the servers (i.e.
>> multiple routes). The return path should be through the same gateway
>> device, but I'm making an assumption on your network. If you need a 'hard'
>> answer you need to post more info.

>
> I understand the advantages of having the routers share one IP. But just
> for the sake of knowledge, what is the Windows server algorithm for which
> of
> two *equal-metric* routers it will use to return data?
>
> One possible algorithm would be for Windows to completely ignore which
> router sent the data, and just arbitrarily bind to one outgoing router and
> use it (it might be the one that sent the data and it might not). The
> other algorithm would be to use the lowest metric router but to then give
> preference among equal-metric routers to issues like which router did the
> packets arrive through.
>
> --
> Will
>
>

NetEng
      09-28-2006, 01:14 PM
If you're looking for redundancy and load balancing, it's best to use teamed
NICs and not multiple routes with equal costs.

"Bill Grant" <not.available@online> wrote in message
news:(E-Mail Removed)...
> If there are two gateways with equal metrics, the system will just
> select one at random and use it. It will not even try the second one
> unless the first selected one fails.
>
> "Will" <westes-(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ...
>> "NetEng" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> I'm pretty sure the Windows box will always use its configured default
>>> gateway. The routers should be set up in a redundant fashion such as HSRP
>>> or GLBP. It does not make sense to have two separate routers doing the same
>>> function (providing gateway services); they should be configured as a
>>> redundant pair. That keeps all the administration off the servers (i.e.
>>> multiple routes). The return path should be through the same gateway
>>> device, but I'm making an assumption on your network. If you need a 'hard'
>>> answer you need to post more info.

>>
>> I understand the advantages of having the routers share one IP. But
>> just
>> for the sake of knowledge, what is the Windows server algorithm for which
>> of
>> two *equal-metric* routers it will use to return data?
>>
>> One possible algorithm would be for Windows to completely ignore which
>> router sent the data, and just arbitrarily bind to one outgoing router
>> and
>> use it (it might be the one that sent the data and it might not). The
>> other algorithm would be to use the lowest metric router but to then give
>> preference among equal-metric routers to issues like which router did the
>> packets arrive through.
>>
>> --
>> Will
>>
>>

>
>

Will
      09-28-2006, 05:23 PM
"NetEng" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> If you're looking for redundancy and load balancing, it's best to use teamed
> NICs and not multiple routes with equal costs.


I don't have a load problem. I just want fault tolerance, so that when a
router goes down people can still connect to the Internet.

It looks like the easiest solution would be to have two routers on different
IPs, but specify different metrics for each router, and make sure both sides
of the router agree on the relative metrics of those two routers, so that
each side locks onto the same router. The benefit of that solution is that it
requires a less expensive version of Windows on the router, and is easier to
set up. The negative of that is that if the system goes down, users might get
disconnected connections for some kinds of operations, and ongoing
maintenance of two routers is more of a hassle. Then when the primary
router comes back up users might disconnect again. Disconnection failures
would be for these cases:

1) UDP traffic, since apparently Windows will only switch over routers for
TCP traffic

2) Almost any kind of traffic for an *existing* TCP connection if the
routers are actually firewalls as well. The re-routed TCP traffic would
be seen by the other firewall as TCP fragments and would not only get
rejected but might even raise some alarms.

Probably not very nice for the user.

If we go with two boxes sharing one IP by NLP, that means spending more on
Windows, spending more on the firewall (Enterprise version), hassling with
configuration of hot standby or load balancing configurations, etc. But I
guess it would give a better user experience when the failures do happen.

Not a very pretty set of choices for a small company, frankly.

95% of all failures in our environment would be simply system maintenance
activities during the workday.

--
Will

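Will's "different metrics, agreed on both sides" idea written out as an added example (not something anyone posted in the thread): a batch script using the built-in `route` command with the router addresses from his first post. The script name `pinroutes.cmd` and the metric values 1 and 10 are assumptions; the equal-metric lines are left in as comments to show the configuration he started from.

```batch
@echo off
setlocal
rem Added example, not from the thread. Pins the preferred path to Router 1 on
rem BOTH sides by giving Router 1 the lower metric; Router 2 is the higher-metric
rem fallback entry. Router 1 = 10.10.10.1 / 10.10.20.1, Router 2 = 10.10.10.2 /
rem 10.10.20.2 (addresses from Will's description). Run as Administrator:
rem   pinroutes.cmd A    (on Computer A, 10.10.10.0/24)
rem   pinroutes.cmd B    (on Computer B, 10.10.20.0/24)

if /i "%~1"=="A" goto :sideA
if /i "%~1"=="B" goto :sideB
echo usage: %~nx0 A^|B
exit /b 1

:sideA
rem Equal-metric version (what Will has today). Per Bill Grant's reply, Windows
rem picks one of the two entries at random and never considers which router
rem delivered the inbound packet, so A->B and B->A can take different routers.
rem   route -p add 10.10.20.0 mask 255.255.255.0 10.10.10.1 metric 1
rem   route -p add 10.10.20.0 mask 255.255.255.0 10.10.10.2 metric 1
rem Preferred-router version: Router 1 primary, Router 2 fallback.
route -p add 10.10.20.0 mask 255.255.255.0 10.10.10.1 metric 1
route -p add 10.10.20.0 mask 255.255.255.0 10.10.10.2 metric 10
goto :show

:sideB
rem Mirror image with the same relative preference, so B's replies to A also
rem leave through Router 1 while it is up: forward and return paths agree.
route -p add 10.10.10.0 mask 255.255.255.0 10.10.20.1 metric 1
route -p add 10.10.10.0 mask 255.255.255.0 10.10.20.2 metric 10
goto :show

:show
rem -p makes the entries persistent (listed under "Persistent Routes"); the
rem metric-1 entry is the one the stack uses while its router answers.
route print
endlocal
```

The dead gateway detection articles Phillip cites later in the thread describe switching between entries in the default gateway list; for subnet-specific routes like these, confirm the failover on your own OS version by taking Router 1 offline and checking `route print` and a live TCP session.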

NetEng
      09-28-2006, 09:37 PM
I would suggest the exact opposite of what you are thinking. Multiple
gateways is the worst way to design a network. Have your routers run
HSRP/GLBP and let them do the work they were designed for. Your UDP
connections would not get disconnected because it's a connectionless
protocol. TCP will be disconnected unless you run HSRP/GLBP or a firewall
with stateful failover. Have a consultant help you or hit the books for a
few months and revisit your design.

"Will" <westes-(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ...
> "NetEng" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> If you're looking for redundancy and load balancing, it's best to use
>> teamed NICs and not multiple routes with equal costs.

>
> I don't have a load problem. I just want fault tolerance, so that when a
> router goes down people can still connect to the Internet.
>
> It looks like the easiest solution would be to have two routers on
> different
> IPs, but specify different metrics for each router, and make sure both
> sides
> of the router agree on the relative metrics of those two routers, so that
> each side locks onto the same routers. The benefit of that solution is
> it
> requires a less expensive version of Windows on the router, and is easier to
> set up. The negative of that is that if the system goes down, users might get
> disconnected connections for some kinds of operations, and ongoing
> maintenance to two routers is more of a hassle. Then when the primary
> router comes back up users might disconnect again. Disconnection
> failures
> would be for these cases:
>
> 1) UDP traffic, since apparently Windows will only switch over routers for
> TCP traffic
>
> 2) Almost any kind of traffic for an *existing* TCP connection if the
> routers are actually firewalls as well. The re-routed TCP traffic
> would
> be seen by the other firewall as TCP fragments and would not only get
> rejected but might even raise some alarms.
>
> Probably not very nice for the user.
>
> If we go with two boxes sharing one IP by NLP, that means spending more on
> Windows, spending more on the firewall (Enterprise version), hassling with
> configuration of hot standby or load balancing configurations, etc. But
> I
> guess it would give a better user experience when the failures do happen.
>
> Not a very pretty set of choices for a small company, frankly.
>
> 95% of all failures in our environment would be simply system maintenance
> activities during the workday.
>
> --
> Will
>
>
>

Phillip Windell
      09-29-2006, 12:03 AM
"Will" <westes-(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ...
> I don't have a load problem. I just want fault tolerance, so that when a
> router goes down people can still connect to the Internet.


This is the best you will ever get with this:

Q128978 - Dead Gateway Detection in TCP/IP for Windows NT
http://support.microsoft.com/support.../Q128/9/78.ASP

Q171564 - TCP/IP Dead Gateway Detection Algorithm Updated for Windows NT
http://support.microsoft.com/support.../Q171/5/64.ASP

You should listen to what they are saying.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Will
      09-29-2006, 05:33 PM

"NetEng" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I would suggest the exact opposite of what you are thinking. Multiple
> gateways is the worst way to design a network. Have your routers run
> HSRP/GLBP and let them do the work they were designed for. Your UDP
> connections would not get disconnected because it's a connectionless
> protocol. TCP will be disconnected unless you run HSRP/GLBP or a firewall
> with stateful failover. Have a consultant help you or hit the books for a
> few months and revisit your design.


I think you misread the message you were responding to. I did not say that
the use of two routers on one subnet was the best design. I was simply
trying to spell out what I saw as advantages and disadvantages of using
multiple routers versus hot standby or load balancing on a shared IP.

While I understand and agree that a hot standby design using the appropriate
protocols and software/hardware is the most feature rich design, I also
understand that it costs a lot. Sometimes you choose to buy something
that is old, ugly, and slightly dysfunctional because it is what you can
afford, and because the alternative if you do nothing is even uglier and
more dysfunctional. Engineering is about making intelligent cost-benefit
decisions that include a budget, not about the pursuit of perfection at any
cost.

--
Will

Phillip Windell
      09-29-2006, 09:39 PM
Ok. Well, those articles do describe the way it works, and it will work. As
long as you understand that it "is what it is", then that is fine.

I think you can run RIP and maybe one or two other routing protocols on a
PC. I'm not sure if there is a possible solution in that or not but it
could be something to consider. Maybe someone more familiar with that can
comment on it.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



"Will" <westes-(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ...
>
> "NetEng" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> I would suggest the exact opposite of what you are thinking. Multiple
>> gateways is the worst way to design a network. Have your routers run
>> HSRP/GLBP and let them do the work they were designed for. Your UDP
>> connections would not get disconnected because it's a connectionless
>> protocol. TCP will be disconnected unless you run HSRP/GLBP or a firewall
>> with stateful failover. Have a consultant help you or hit the books for a
>> few months and revisit your design.

>
> I think you misread the message you were responding to. I did not say
> that
> the use of two routers on one subnet was the best design. I was simply
> trying to spell out what I saw as advantages and disadvantages of using
> multiple routers versus hot standby or load balancing on a shared IP.
>
> While I understand and agree that a hot standby design using the
> appropriate
> protocols and software/hardware is the most feature rich design, I also
> understand that it costs a lot. Sometimes you choose to buy something
> that is old, ugly, and slightly dysfunctional because it is what you can
> afford, and because the alternative if you do nothing is even uglier and
> more dysfunctional. Engineering is about making intelligent
> cost-benefit
> decisions that include a budget, not about the pursuit of perfection at
> any
> cost.
>
> --
> Will
>
>
