[nsp] OSPF x firewall
Gert Doering
gert at greenie.muc.de
Sat Dec 20 16:47:09 EST 2003
Hi,
On Fri, Dec 19, 2003 at 06:29:45PM -0800, David Sinn wrote:
> Have you looked at using BGP?
>
> Your firewall policy will be fairly simple as you just need to allow TCP
> between the two routers. You get very easy to implement route-policy
> acceptance, so that if someone mucks about with the routes on either side,
> you can prevent it from affecting the other side. If you are already
> considering EIGRP, you still have to deal with route-redistribution, so net
> you have little change relative to BGP.
While this works for the exchange of routing data, it won't help
the actual data packets very much. The *firewall* needs to know as well
which networks are "inside" and which ones are "outside" (unless it's
some sort of transparent bridging firewall), so the firewall needs to
participate in the dynamic routing - or the setup needs to be simplified
enough so that there is no need for dynamic routing anymore anyway.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de