Multiple Gateway Problem


Think back to the last time you configured a Windows workstation network card for TCP/IP. You went to the Control Panel, clicked on the Network icon, added TCP/IP to your NIC, selected TCP/IP --> Name of your NIC, and clicked on Properties. You then did one of two things. Either you selected "Obtain an IP address automatically" (if you use DHCP), or you selected "Specify an IP address". In the latter case, you manually configured, at a minimum, an IP address and a subnet mask. You may also have configured a gateway IP address.

What exactly is the significance of the gateway? When you configure a gateway address, your Windows machine adds a default route statement to your machine's route table. The route table statement instructs your Windows computer to send any data packet that is destined for a different IP subnet to the default gateway address. The default gateway is actually an IP router that will route the data packet to the correct destination subnet.

The above configuration works nicely as long as there is only one gateway on your LAN. But suppose your LAN has multiple routers connecting to different remote locations. Consider a scenario where your user workstations must access some network resources via one gateway and other network resources via the other gateway. The figure below shows PC's on a LAN that has two different gateway routers. One router (Router #1) connects to the Internet and the other (Router #2) connects to other corporate locations via a Wide-Area Network (WAN).

In a situation like the one shown above, how do user workstations know which gateway to send data packets that are destined to other subnets? What happens if the packets are sent to the wrong gateway, and is this really a problem? The answer is that it depends...

There are at least four possible alternatives for dealing with this situation. The first is to do nothing. If you do nothing, the router that is configured as the gateway will forward your users' data packets to the appropriate router (provided that all of your routers are configured to exchange route table information). The gateway router will then send ICMP "Redirect" packets to the Windows workstations informing them that the packets they sent have been redirected. The Windows workstations will then add host-specific entries to their route tables that will cause future packets to those specific hosts to be sent to the right gateway. This option may be acceptable if the LAN is small and the number of ICMP "Redirects" is not excessive. If there is a high volume of packets being redirected, there can be a severe impact on performance.

The second option is to add route table entries to each workstation and server on your LAN pointing to the different gateway routers. The new route table entries should specify the destination IP subnet(s) that are reachable via each router. This allows a workstation or server to send data packets directly to the appropriate gateway router, based on the destination IP subnet. This option solves the performance problem and may be an acceptable solution if there is a very small number of workstations and servers on the LAN.

The third option is to configure the gateway address of each workstation the same as the IP address of the workstation itself. The result of this is that a workstation will issue an "ARP" any time it wants to send a packet to another host on the same subnet OR to a host on a different subnet. If a gateway router has a route to that destination (and it is configured for Proxy ARP), it will respond with the MAC address for its' own interface. The workstation will then forward the packet to that gateway router. Note that this option is not very efficient and tends to increase the amount of ARP broadcast traffic and can place an increased load on your gateway routers.

A fourth option is to segment your LAN using a layer-three LAN switch. This allows you to divide your large LAN into several smaller LAN segments, each with its own IP subnet. Your multiple gateway routers can be placed on a separate subnet from your servers and end users so that there is once again, only one gateway (the layer-three switch VLAN interface) for all end users. The cost of high-speed layer-three LAN switches has come down significantly in the last few years, so this solution is now arguably the best solution to the multiple-gateway problem.

Give FLG Networking Services a call if you would like to explore a layer-three switching solution or other design options for your LAN.