[c-nsp] eigrp question
Gert Doering
gert at greenie.muc.de
Thu Jan 6 05:25:03 EST 2005
Hi,
On Thu, Jan 06, 2005 at 12:10:33PM +0200, Pekka Savola wrote:
> > BGP is a better approach to routing here, because with BGP you can open
> > a TCP session through the firewall (for BGP) and the packets will still
> > flow the normal way, and can be inspected.
>
> I'd be pretty careful about BGP as well. You'll likely eliminate the
> benefits of BGP because the firewall will have to have static
> routes corresponding to the BGP-advertised prefixes, or you'll end up
> having a routing loop sooner or later because the firewall doesn't
> have sufficient topology information....
Yes, sure. This is only going to work in specific scenarios, like
Router <inside> -- firewall -- Router <outside> -- Internet
and Router "<inside>" needs to know if "Internet" is broken, to use
some backup path via other <inside> routers and firewalls.
In that case, the firewall would have a default route to "outside", and
static routes for all internal networks, and BGP is only there to signal
"line outage".
Of course if you do anything more fancy, chances for a routing loop
are fairly high (like in any case of doing something dynamic routing
wasn't directly intended for, without really understanding all details).
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
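The Router <inside> -- firewall -- Router <outside> design described in the reply above, as an added configuration example that is not part of the original post or thread: AS numbers, addresses (10.0.0.0/8 inside, 192.0.2.0/24 on the outside router's side), interface names and the PIX-style firewall syntax are all assumed placeholders.

```cisco
! ===== Router <outside> (AS 65002, assumed) =====
! Default route tied to the upstream interface: it leaves the routing
! table when the line goes down, so the "network 0.0.0.0" below stops
! being advertised. That withdrawal is the only thing BGP signals here.
ip route 0.0.0.0 0.0.0.0 Serial0/0
! Internal networks are reached statically via the firewall's outside address.
ip route 10.0.0.0 255.0.0.0 192.0.2.254
router bgp 65002
 network 0.0.0.0 mask 0.0.0.0
 neighbor 10.0.0.1 remote-as 65001
 neighbor 10.0.0.1 ebgp-multihop 2
 neighbor 10.0.0.1 timers 10 30

! ===== Firewall (PIX-style syntax, assumed; NAT configuration omitted) =====
! Purely static forwarding: the firewall takes no part in routing,
! so it can never be the source of a routing loop.
route outside 0.0.0.0 0.0.0.0 192.0.2.2 1
route inside 10.0.0.0 255.0.0.0 10.0.0.1 1
! Only the BGP session itself is let in from the outside router;
! all other traffic still flows and is inspected the normal way.
access-list outside_in permit tcp host 192.0.2.2 host 10.0.0.1 eq bgp
access-group outside_in in interface outside

! ===== Router <inside> (AS 65001, assumed) =====
! Static route so the multihop session (and the BGP next hop) resolves.
ip route 192.0.2.0 255.255.255.0 10.0.0.254
! Floating static towards a backup <inside> router (10.0.0.2, assumed):
! AD 250 loses to the eBGP-learned default (AD 20) and takes over only
! once that default is withdrawn or the 30 s hold timer expires.
ip route 0.0.0.0 0.0.0.0 10.0.0.2 250
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 ebgp-multihop 2
 neighbor 192.0.2.2 timers 10 30
 ! No network statements: nothing is announced to the outside,
 ! BGP exists here only to learn (or lose) the default.
```

Anything beyond this, such as letting the firewall learn routes or advertising internal prefixes over the session, reintroduces exactly the loop risk the reply warns about.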