Physical Layer

The Backhoe Checkmate: Why Dual Homing is a Scheduled Outage

Hervé Hildenbrand

4 min read
The Backhoe Checkmate: Why Dual Homing is a Scheduled Outage

We need to talk about the most dangerous comfort blanket in enterprise IT: Dual Homing.

If you spend enough time in this industry, you will eventually file a Root Cause Analysis for a total blackout on a "fully redundant" backbone. We do not talk about these incidents publicly. We blame a vendor, fire the scapegoat engineer, file the paperwork, and move on.

But the architecture lie remains.

You buy a primary circuit from Provider A and a secondary from Provider B. Your routing table shows two distinct BGP adjacencies. You assume 99.999% uptime.

In modern, mission-critical Datacenter Interconnects, relying on exactly two physical paths is negligent.

Here is why the 1+1 protection model is a delusion, and why Tri-Homing is the new minimum viable standard for your links.

🧮 The Mathematics of the Double Cut

Traditional network engineering relies on a fatally flawed assumption: that two geographically separated fiber paths possess independent failure probabilities.

They do not.

Fiber infrastructure is almost always buried in the same physical conduits - a pattern the telecoms industry calls Shared Risk Link Groups (SRLGs).

When a backhoe cuts the main trunk, every single strand dies instantly. Data from the FCC Network Outage Reporting System shows 12 to 15% of outages in Tier 1 Corridors involve concurrent fiber issues. In urban areas, construction density acts as a multiplier - the probability of a second cut skyrockets during the repair window of the first.

👻 The Silent Reroute

Let's assume you did the work. You mapped the exact physical coordinates of your carrier infrastructure. You verified perfect divergence on Day 1.

The problem? Physical fiber networks are dynamic.

Carriers constantly perform span consolidation and "network grooming" during maintenance windows. During an emergency relocation, field technicians prioritize rapid restoration over strict diversity mappings. They will frequently shuffle your diverse links onto a new, high-capacity backbone to save OpEx.

Your two diverse circuits are now secretly sharing the same conduit.

Software-Defined Networking controllers often have no visibility into this physical rewiring until the next contractor starts digging.

⚖️ The Quorum Mandate (Surviving the Split-Brain)

Hyperscalers and High-Frequency Trading (HFT) firms already know dual-homing is structurally insufficient. There is a silent majority of anonymous enterprise engineers who have suffered catastrophic multi-path outages and learned this the hard way. (I have been there. I have the scars. It is exactly why I am sharing this).

We universally mandate Tri-Homing. Why? Because of the database layer.

Modern cloud databases rely on a simple concept to survive: majority rule (Quorum).

In a traditional two-datacenter design, both sites must communicate to agree on the state of the data. If your dual-homed fiber gets severed by a single backhoe, the sites are isolated. This creates a catastrophic "Split-Brain" scenario.

To protect data consistency and prevent irreversible corruption, neither site can claim the majority. The databases freeze. The entire system halts. You are completely offline, even though your servers are running perfectly.

To survive, the network must provide a third, un-killable path to act as a tiebreaker lifeline.

💡 The Hardware Fallacy

To be absolutely clear: I am not advocating for Tri-Homing your physical routers.

N+1 hardware redundancy (two devices) is still perfectly sufficient. Your network gear sits inside a sanitized, climate-controlled, UPS-backed datacenter fortress, isolated from the physical hazards of the outside world.

When redundant hardware does crash simultaneously, it is almost always caused by a protocol contagion (like a malformed BGP update, a routing loop, or a fatal OS bug). Adding a third box running the exact same OS won't save you - it will just instantly die the same death.

Do not over-engineer the silicon inside the fortress while under-engineering the glass buried in the dirt.

🔺 The Tri-Homing Audit: Escaping the Dirt

Stop buying fiber blind. Use this framework to verify your survival:

1️⃣ Demand KMZ Files: Never accept logical diagrams. Force carriers to provide geospatial mapping of their physical fiber routes and re-audit them annually to catch Silent Reroutes.

2️⃣ Audit Intersect Points: Identify every physical manhole and bridge attachment where Provider A and Provider B cross paths.

3️⃣ The Lifeline Mandate (When the Dirt Runs Out): Finding a third, completely non-overlapping fiber path is often a geographical and commercial impossibility. But you still must provide a third path to prevent a split-brain catastrophe.

When you can't buy more glass, engineer a lifeline using an entirely different physical medium or logical transport:

  • Route a tunnel over the public Internet via your Transit provider, leveraging IPsec or WireGuard.
  • Leverage your dedicated Out-of-Band (OOB) network - not a "false OOB" that secretly rides over your primary in-band fiber circuits.
  • Look to the sky with a LEO Satellite terminal like Starlink or LTE.

This third path doesn't need to carry 100G storage replication payloads. It is a low-bandwidth lifeline designed strictly for control-plane survival and preserving database quorum state.

A backhoe can destroy a trench in seconds, but it cannot cut the sky.

Trust is a liability. Geospatial verification and multi-medium redundancy are the only guarantees. Stop betting your AS on two strands of glass.

Read more