[nsp] OSPF x firewall

David Sinn dsinn at dsinn.com
Fri Dec 19 21:29:45 EST 2003


Have you looked at using BGP?

Your firewall policy will be fairly simple as you just need to allow TCP
between the two routers.  You get very easy to implement route-policy
acceptance, so that if someone mucks about with the routes on either side,
you can prevent it from affecting the other side.  If you are already
considering EIGRP, you still have to deal with route-redistribution, so net
you have little change relative to BGP.

Also, BGP is really designed to go between two different administrative
domains, so you are using the protocol for what it is intended for, instead
of trying to make an IGP work between (arguably) two domains...

And, please don't be put off by BGP since it is normally associated with
Internet routing tables (and the associated 120,000 routes therein).  Using
BGP can be quite simple since you will not need to muck about with all of
the possible administrative tuning options...

David


On 12/19/03 4:15 PM, "Thales" <thalesrx at terra.com.br> wrote:

> First,
> 
> Thanks a lot for your advice. Our problem is to put a firewall between the
> core switch ( 6509 ) and a router that attends our clients ( 7513 ) . We
> need to protect ourselves against this traffic. So the topology is:
> 
> our building---6509---- firewall---7513--- internal wan
> 
> There are many other routers in our LAN. Because of this I need dynamic
> routing between 6509 and 7513 ( there are over 300 routes ). Now, after what you
> have said, I am thinking of using EIGRP between them. What about this idea?
> Would it be a problem to announce these routes through the firewall?
> 
> Thanks in advance
> 
> Thales Azevedo
> Rio de Janeiro
> Brazil
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
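As an added illustration (not part of David's or Thales' messages) of the setup David describes: the firewall passes only the BGP session between the two peers, each router accepts and announces only the prefixes it expects, and a prefix limit drops the session if the other side leaks a whole table. Every address, AS number, prefix, OSPF process number and secret below is an invented placeholder.

```text
! Added illustration, not from the thread. Addresses, AS numbers and prefixes
! are invented: 10.0.0.1 is the 6509, 10.0.0.2 is the 7513, firewall in between.
!
! --- Firewall: the only thing that must cross is the BGP session, TCP/179 ---
ip access-list extended FW-BGP-PEERS
 permit tcp host 10.0.0.1 host 10.0.0.2 eq bgp
 permit tcp host 10.0.0.2 host 10.0.0.1 eq bgp
 deny   ip any any log
! (a stateful firewall allows the return packets; on a plain ACL add the
!  mirror entries with "eq bgp" on the source side)
!
! --- 6509, AS 65001: accept only the WAN block, announce only the LAN block ---
ip prefix-list FROM-WAN seq 5 permit 10.100.0.0/16 le 24
ip prefix-list FROM-WAN seq 10 deny 0.0.0.0/0 le 32
ip prefix-list TO-WAN seq 5 permit 10.200.0.0/16 le 24
ip prefix-list TO-WAN seq 10 deny 0.0.0.0/0 le 32
!
router bgp 65001
 bgp log-neighbor-changes
 redistribute ospf 1 match internal
 neighbor 10.0.0.2 remote-as 65002
 neighbor 10.0.0.2 password <SHARED-SECRET>
 neighbor 10.0.0.2 prefix-list FROM-WAN in
 neighbor 10.0.0.2 prefix-list TO-WAN out
 neighbor 10.0.0.2 maximum-prefix 500
!
! Hand the accepted WAN routes to the other LAN routers via the IGP
router ospf 1
 redistribute bgp 65001 subnets
!
! --- 7513, AS 65002: the mirror image ---
ip prefix-list FROM-LAN seq 5 permit 10.200.0.0/16 le 24
ip prefix-list FROM-LAN seq 10 deny 0.0.0.0/0 le 32
ip prefix-list TO-LAN seq 5 permit 10.100.0.0/16 le 24
ip prefix-list TO-LAN seq 10 deny 0.0.0.0/0 le 32
!
router bgp 65002
 bgp log-neighbor-changes
 redistribute ospf 2 match internal
 neighbor 10.0.0.1 remote-as 65001
 neighbor 10.0.0.1 password <SHARED-SECRET>
 neighbor 10.0.0.1 prefix-list FROM-LAN in
 neighbor 10.0.0.1 prefix-list TO-LAN out
 neighbor 10.0.0.1 maximum-prefix 500
!
router ospf 2
 redistribute bgp 65002 subnets
```

With the prefix-lists in place, a route injected on one side that falls outside the agreed block is simply not accepted by the other router, and "maximum-prefix" guards against a full-table leak even when the prefixes look legitimate.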


