[c-nsp] 6500 VSS for campus L3 core?
Andrew Miehs
andrew at 2sheds.de
Thu Feb 14 09:41:20 EST 2013
I guess the word "trust" was probably a poor choice in the case of BGP.
Its more a case of which do you believe has a buggier implementation - the
firewall vendor with BGP/ routing protocol or Cisco with VSS. Which is more
likely to break?
I had an issue last week with one vendor where OSPF between a firewall, and
a switch broke, causing the firewall to loose some specific routes for a
short amount of time. As it still had its default that it was learning from
another neighbour, it now forwarded the "lost" network traffic out the
default route. Unfortunately, this UDP traffic was now in the firewalls
forwarding table, and didn't time out because the traffic never stopped
being sent (DHCP replies back towards an SVI). When the specific route
re-appeared, the firewall continued to send the traffic via the default
route as the "flow" had not expired.
I have seen another setup where you use a router for your "fusion"/intervrf
router and the run layer 2 firewalls on that link.
This however has the disadvantage that all your traffic needs to flow
through 2 firewalls (or twice through the one firewall)...
On Fri, Feb 15, 2013 at 1:26 AM, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Thu, Feb 14, 2013 at 09:49:50PM +1100, Andrew Miehs wrote:
> > And that leads to the next question - Which do you trust more, your
> > firewall vendors BGP implementation or VSS?
>
> The whole point of BGP-to-the-next-device is that you do not have to
> *trust* it. You filter what you accept...
>
> (And getting the "announce the right bits plus keepalive" stuff in BGP
> right is not that hard, even some firewall vendors can get it done)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>
More information about the cisco-nsp
mailing list