[c-nsp] eigrp question
Gert Doering
gert at greenie.muc.de
Thu Jan 6 04:14:22 EST 2005
Hi,
On Wed, Jan 05, 2005 at 11:31:54PM -0500, Jim McBurnett wrote:
> WOW...
> I will have time to lab test this tomorrow or Friday...
> Well, maybe this could be done using loopbacks, and then sourcing the
> traffic for E0
Something one needs to be very careful about when doing EIGRP routing
via a GRE (or IPSEC or whatever) tunnel through the firewall - this will
mean that the actual packets will also flow through the tunnel, and that
the firewall *will not be able to inspect these packets!!*. So you
effectively circumvent the firewall - and if you do it, it's easier
to just throw it away.
BGP is a better approach to routing here, because with BGP you can open
a TCP session through the firewall (for BGP) and the packets will still
flow the normal way, and can be inspected.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
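
Added example, not part of the original post: a small Python model of the point above, showing what a filter that parses only the outermost headers sees for the same packet routed natively versus carried inside GRE. The addresses, ports and the `permitted` policy are constructed assumptions for illustration.

```python
import socket
import struct

GRE, TCP = 47, 6  # IP protocol numbers

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp_syn(sport, dport):
    """Minimal 20-byte TCP header with only SYN set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def gre(inner):
    """Basic GRE header (RFC 2784): no flags, protocol type 0x0800 (IPv4)."""
    return struct.pack("!HH", 0, 0x0800) + inner

def firewall_view(pkt):
    """Fields visible to a filter that parses only the outermost headers."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] if proto == TCP else None
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": proto, "dport": dport}

def permitted(pkt, tunnel_peers, allowed_tcp_ports):
    """Hypothetical policy: GRE only between the two routers, TCP only to listed ports."""
    v = firewall_view(pkt)
    if v["proto"] == GRE:
        return {v["src"], v["dst"]} == set(tunnel_peers)
    return v["proto"] == TCP and v["dport"] in allowed_tcp_ports

# Constructed sample traffic (documentation and RFC 1918 addresses).
ROUTERS = ("192.0.2.1", "198.51.100.1")
ALLOWED = {179}  # BGP only
telnet = ipv4("10.1.1.10", "10.2.2.20", TCP, tcp_syn(40000, 23))
tunneled = ipv4(*ROUTERS, GRE, gre(telnet))
bgp = ipv4(*ROUTERS, TCP, tcp_syn(40001, 179))

if __name__ == "__main__":
    for name, pkt in (("telnet, routed natively", telnet),
                      ("same telnet inside GRE", tunneled),
                      ("BGP session", bgp)):
        print(f"{name:24} {firewall_view(pkt)} permitted={permitted(pkt, ROUTERS, ALLOWED)}")
```

With the tunnel, the policy only ever evaluates protocol 47 between the two routers; with BGP, only the TCP/179 session needs a rule and the data packet is still checked on its own headers.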