[c-nsp] eigrp question
Pekka Savola
pekkas at netcore.fi
Thu Jan 6 05:10:33 EST 2005
On Thu, 6 Jan 2005, Gert Doering wrote:
> On Wed, Jan 05, 2005 at 11:31:54PM -0500, Jim McBurnett wrote:
>> WOW...
>> I will have time to lab test this tomorrow or Friday...
>> Well, maybe this could be done using loopbacks, and then sourcing the
>> traffic for E0
>
> Something one needs to be very careful about when doing EIGRP routing
> via a GRE (or IPSEC or whatever) tunnel through the firewall - this will
> mean that the actual packets will also flow through the tunnel, and that
> the firewall *will not be able to inspect these packets!!*. So you
> effectively circumvent the firewall - and if you do it, it's easier
> to just throw it away.
>
> BGP is a better approach to routing here, because with BGP you can open
> a TCP session through the firewall (for BGP) and the packets will still
> flow the normal way, and can be inspected.
I'd be pretty careful about BGP as well. You'll likely eliminate the
benefits of BGP because the firewall will have to have static
routes corresponding to the BGP-advertised prefixes, or you'll end up
having a routing loop sooner or later because the firewall doesn't
have sufficient topology information...
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
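Pekka's warning that the firewall must carry a static route for every BGP-advertised prefix, or it will forward that traffic along its default route and loop it, can be checked mechanically. The script below is an added example, not code from this thread, from Cisco or from any other vendor: it assumes the firewall's static routes and the prefixes each inside BGP speaker advertises are available as plain text, and every address, prefix and next hop in it is constructed sample data. It reports each advertised prefix the firewall would misroute, either because only the default route covers it or because the covering static route points somewhere other than the advertising router.

```python
"""Check that a firewall's static routes cover the prefixes advertised through it by BGP.

Added example for the "BGP session through the firewall" design discussed in the
thread; not code from the thread or from any vendor. All route data is constructed.
"""
import ipaddress

# Constructed sample: firewall static routes as "prefix next-hop" lines.
# 203.0.113.1 is the assumed outside router, 192.0.2.2 the assumed inside router.
FIREWALL_STATIC_ROUTES = """
0.0.0.0/0        203.0.113.1
10.10.0.0/16     192.0.2.2
10.20.0.0/16     192.0.2.2
10.40.0.0/16     203.0.113.1
"""

# Constructed sample: "speaker advertised-prefix" lines, i.e. what the inside
# router announces over its BGP session to the outside router.
#   10.10.0.0/16  covered by an exact static route       -> fine
#   10.20.5.0/24  covered by the less specific /16        -> fine
#   10.30.0.0/16  only the default route matches          -> loop risk
#   10.40.0.0/16  static route points at the wrong router -> loop risk
BGP_ADVERTISED = """
192.0.2.2 10.10.0.0/16
192.0.2.2 10.20.5.0/24
192.0.2.2 10.30.0.0/16
192.0.2.2 10.40.0.0/16
"""


def parse_static_routes(text):
    """Parse 'prefix next-hop' lines into (network, next_hop) tuples."""
    routes = []
    for line in text.strip().splitlines():
        prefix, nexthop = line.split()
        routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(nexthop)))
    return routes


def parse_advertised(text):
    """Parse 'speaker prefix' lines into (speaker_address, network) tuples."""
    adverts = []
    for line in text.strip().splitlines():
        speaker, prefix = line.split()
        adverts.append((ipaddress.ip_address(speaker), ipaddress.ip_network(prefix)))
    return adverts


def longest_match(routes, prefix):
    """Return the most specific static route that contains the whole prefix, or None."""
    best = None
    for net, nexthop in routes:
        if prefix.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best


def covering_route(routes_text, prefix_str):
    """Convenience wrapper returning ('network', 'next-hop') strings, or None."""
    match = longest_match(parse_static_routes(routes_text), ipaddress.ip_network(prefix_str))
    return None if match is None else (str(match[0]), str(match[1]))


def check_coverage(routes, adverts):
    """Return (prefix, problem) pairs for advertised prefixes the firewall would misroute."""
    problems = []
    for speaker, prefix in adverts:
        match = longest_match(routes, prefix)
        if match is None or match[0].prefixlen == 0:
            # Only the default route (or nothing) matches: traffic for a prefix
            # learned on the far side is handed back to the default next hop.
            problems.append((str(prefix), "no static route; firewall follows its default route"))
        elif match[1] != speaker:
            problems.append((str(prefix), f"static route points to {match[1]}, not {speaker}"))
    return problems


def run_check():
    """Run the check over the constructed sample data."""
    return check_coverage(parse_static_routes(FIREWALL_STATIC_ROUTES),
                          parse_advertised(BGP_ADVERTISED))


if __name__ == "__main__":
    for prefix, problem in run_check():
        print(f"{prefix}: {problem}")
```

The check deliberately treats the default route as "not covered": that is exactly the case where the firewall, lacking the topology information BGP gives the routers, sends traffic for an advertised prefix straight back toward the outside and a loop forms. Rerunning it whenever the set of advertised prefixes changes keeps the static routes on the firewall honest.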