[c-nsp] IPv6 routing vs IPv4 Nating

Scott Voll svoll.voip at gmail.com
Tue Aug 23 10:53:19 EDT 2016


Gert and Lee, you're picking up what I'm putting down.

Two geographically dispersed exit points with multiple internal dispersed
sites, each with a /48. My overall is a /44. So from a BGP standpoint
I'm announcing half my sites out one exit site and the other half out the
other, with iBGP announcing out the other. Since the firewalls are not
sync'd in any way, and since I'm only leaking BGP default routes to the
firewalls that are leaking them internally, I end up with two default
routes internally to my routing protocol. This way if I lose an ISP /
Router / Firewall all my internal traffic goes out the one that is still up.

The problem, like Lee and Gert point out, is you must have the traffic
return to the same Firewall (stateful) to get the traffic back into the
network.

Lee, I like the idea for putting a proxy at each exit point, but I'm using
a Cloud proxy solution (bound by contract).

I was thinking if I leaked all the IPv6 networks internally that would get
the traffic going the correct direction, but there is still a possibility
of asymmetric routing on the internet.

For this reason, NAT sure does help, but I don't want to NAT IPv6 but do
need a solution, to provide redundancy.

Any other ideas?

TIA

Scott


On Tue, Aug 23, 2016 at 5:21 AM, Gert Doering <gert at greenie.muc.de> wrote:

> Hi,
>
> On Mon, Aug 22, 2016 at 10:54:04PM +0100, Tom Hill wrote:
> > On 22/08/16 22:34, Gert Doering wrote:
> > > Not if you NAT the IPv4 - the NAT part enforces symmetry.
> > >
> > > Not that I'm a big fan of NAT, but it has its uses :-)
> >
> > FHRPs aren't just for 'inside' interfaces. You do have to be sure to
> > adjust the priorities of 'inside' and 'outside' interfaces together to
> > maintain your symmetry, but that's not difficult. FHRP also takes care
> > of ARP delays during failover.
>
> So how do you FHRP one firewall(cluster) in the US with one
> firewall(cluster)
> in Europe, ensuring symmetric traffic?
>
> > Assuming there's state synchronisation in all cases, of course.
>
> Think larger networks :-)
>
> In the "I have two firewalls that are connected to the same inside and
> outside LANs" case, everything is mostly trivial.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                          //www.muc.de/~gert/
> Gert Doering - Munich, Germany                           gert at greenie.muc.de
> fax: +49-89-35655025                       gert at net.informatik.tu-muenchen.de
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
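As an added illustration, not part of this thread, here is a small Python model of the two-exit design Scott describes: egress is picked per destination by the internal routing (default routes from both exits, or a leaked full table), while the Internet picks the ingress exit per source, i.e. by which exit announced the site's /48. The exit names A and B, the documentation-range prefixes and the remote destination are all constructed for the example.

```python
# Constructed model of two Internet exits, each fronted by an unsynchronised
# stateful firewall, with half of the /48s announced from each exit.
import ipaddress

# Site /48s inside an overall 2001:db8:10::/44 (documentation range, constructed)
SITES = {name: ipaddress.ip_network(p) for name, p in {
    "site1": "2001:db8:10::/48", "site2": "2001:db8:11::/48",
    "site3": "2001:db8:18::/48", "site4": "2001:db8:19::/48"}.items()}
DEFAULT = ipaddress.ip_network("::/0")
# What each exit announces to its ISP: sites 1-2 via exit A, sites 3-4 via exit B
INTERNET = {"A": [SITES["site1"], SITES["site2"]],
            "B": [SITES["site3"], SITES["site4"]]}
# Internal routing, design as posted: only a default route leaked from each exit
INTERNAL_DEFAULTS = {"A": [DEFAULT], "B": [DEFAULT]}
# Internal routing if the full table were leaked: a remote /40 (constructed) is
# best reached via exit A's ISP, another via exit B's ISP
INTERNAL_FULL = {"A": [DEFAULT, ipaddress.ip_network("2001:db8:ff00::/40")],
                 "B": [DEFAULT, ipaddress.ip_network("2001:db8:fe00::/40")]}
DST = ipaddress.ip_address("2001:db8:ffff::1")  # remote host, best via exit A

def lpm(rib, addr):
    """Longest-prefix match over {exit: [prefixes]}. Returns every exit that
    ties on the best match; more than one means the choice is left to ECMP
    (inside) or to somebody else's BGP policy (outside)."""
    best_len, winners = -1, set()
    for exit_name, prefixes in rib.items():
        for p in prefixes:
            if addr not in p or p.prefixlen < best_len:
                continue
            if p.prefixlen > best_len:
                best_len, winners = p.prefixlen, set()
            winners.add(exit_name)
    return winners

def classify(site, dst, internal_rib, internet_rib):
    """Compare where a site's outbound packet leaves (chosen on destination)
    with where the reply arrives (chosen on source). The stateful firewall
    only sees both halves of the flow when the two agree."""
    egress = lpm(internal_rib, dst)
    ingress = lpm(internet_rib, SITES[site][1])  # a host inside the site /48
    if len(egress) == 1 and egress == ingress:
        return "symmetric"
    if egress.isdisjoint(ingress):
        return "asymmetric"
    return "undetermined"  # a tie on one side; depends on hashing/metrics

if __name__ == "__main__":
    for rib_name, rib in ("defaults only", INTERNAL_DEFAULTS), ("full table", INTERNAL_FULL):
        for site in SITES:
            print(f"{rib_name:13} {site}: {classify(site, DST, rib, INTERNET)}")
```

With defaults only every site comes out "undetermined" (egress is an ECMP tie, ingress is fixed); with the full table leaked, sites announced via A become symmetric for this destination while sites announced via B become asymmetric, which is the destination-versus-source mismatch the message worries about.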
