>Ok - only solution we could come up with pending better customer information
>or a better design idea:
>
>Internet-----edgerouter-------firewall--------inside
>
>Recall that there are two internet connections terminating on the edge
>router.
>
>Policy routing on the edge router interface connecting to the firewall
>(inbound to the edge router).
>
>Extended access-lists to identify and categorize the customer internet-bound
>traffic
>
>Policy routing implemented using a route-map which refers to the
>access-lists
>
>Howard's point was interesting - issue of redundancy being, perhaps,
>misunderstood. The RFI specifically mentioned failover if one or the other
>interfaces was down.

I'm not clear about what you think I meant. Pause to resynchronize. 
I find it hard to imagine any useful and safe scenario where routing 
updates pass transparently THROUGH a firewall.  That doesn't 
preclude, however, having dynamic routing on both sides of a firewall 
or set of firewalls.

For example, if the servers on the inside of the firewalls were UNIX 
boxen that can understand RIP, the inside of the firewall could 
announce the default route in RIP, which would let the servers find 
the correct outgoing firewall.  This doesn't mean that RIP would be 
your primary IGP, just that RIP is present on the perimeter network 
between the inside interface of the firewalls and the inside router. 
Another alternative would be VRRP on the firewalls.  IRDP is probably 
too slow.

You certainly could have BGP on the outside of the firewall, speaking 
to the Internet.

Before there is too much hand-waving about asymmetrical routing, tell 
me again why that creates a major problem and how much effort it 
would take to reduce it (you can't get rid of it).

Outgoing, from the inside to the outside, a client/server sends to a 
default gateway which is on one or the other firewall.  The firewalls 
only need to know how to get to the DMZ, to which the external 
router(s) are connected.

Incoming, a packet passes the firewall, and has the destination 
address of the client/server. Your IGP should take care of that.

>
>Here's where I am not sure even policy routing will assure failover. Packet
>matches a policy, is forwarded to the designated interface. That path is
>down - packet dropped? I'm pretty sure that's how it works. So no automatic
>failover in the design above.

Well, there are things you could do that start involving layer 4 load 
balancers.  But the question always has to be asked -- how important 
is "optimal utilization of lines" in contrast with the amount of 
complexity you need for it?  Again and again, I see people spending 
more money on policy control, accounting, etc., than it would cost 
them (in resources and actual money) just to throw in more bandwidth 
and keep things simple.

>
>So - now what?
>
>Chuck
>
>-----Original Message-----
>From:  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>Chuck Larrieu
>Sent:  Tuesday, April 10, 2001 11:07 PM
>To:    [EMAIL PROTECTED]
>Subject:       Design Challenge - a bit off topic [7:195]
>
>Howard's comment brings to mind a problem my Design Engineer raised when
>responding to a customer RFI.
>
>Howard's comment: (Pause for usual mystification on why someone wants
>routing protocols to pass through a firewall, a fairly frequent question).
>
>The customer RFI stated requirement (wording as best as I can remember):
>Solution will entail two internet connections, a T1 and a DSL. Routing will
>be configured such that priority traffic will use the T1 connection, and
>ordinary internet browsing will use the DSL connection.
>
>Lindy and I were having a real good laugh about the vagueness of the
>requirement, when we decided to try to come up with a solution. We came up
>with a number of questions for the customer to elaborate upon, and a
>possible solution. Would anyone else care to use this as a test of design
>issues?
>
>If memory serves, the customer defined "priority" traffic as e-mail and
>connectivity to a certain external web site.
>
>So:
>
>1) what are some of the questions the customer still needs to answer?
>
>2) What are some possible solutions to this requirement?
>(assume the T1 and the DSL terminate on the same router)
>
>Chuck

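For readers working through the design as an exercise, here is what the edge-router half of the route-map/access-list approach described in the quoted post could look like in Cisco IOS. This is an added example, not configuration from Chuck's or Howard's posts: the next-hop addresses (T1 at 203.0.113.1, DSL at 198.51.100.1), the address used for the customer's "certain external web site" (192.0.2.10), the interface names, and the ACL and route-map names are all constructed placeholders.

```cisco
! Edge router: one link to the firewall, a T1 to ISP A, a DSL link to ISP B.
! All addresses, names and interface numbers below are constructed placeholders.
!
! Classify the "priority" traffic named in the RFI: e-mail plus one external site.
! Only destination ports/addresses are matched, so it still works if the
! firewall NATs the inside source addresses.
ip access-list extended PRIORITY-INTERNET
 remark e-mail to any Internet mail server
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 remark the customer's named external web site (placeholder address)
 permit tcp any host 192.0.2.10 eq www
!
! Entry 10: priority traffic goes to the T1 next hop. If the interface toward
! the first next hop is down, IOS tries the second address, i.e. the DSL link.
route-map SPLIT-INTERNET permit 10
 match ip address PRIORITY-INTERNET
 set ip next-hop 203.0.113.1 198.51.100.1
!
! Entry 20: everything else prefers DSL and falls back to the T1 the same way.
route-map SPLIT-INTERNET permit 20
 set ip next-hop 198.51.100.1 203.0.113.1
!
! Policy routing acts on packets ARRIVING on an interface, so it is applied
! on the firewall-facing interface, as the quoted design says.
interface Ethernet0
 description inside link to the firewall
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map SPLIT-INTERNET
!
interface Serial0
 description T1 to ISP A (next hop 203.0.113.1)
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet1
 description DSL to ISP B (next hop 198.51.100.1)
 ip address 198.51.100.2 255.255.255.0
!
! Normal routing still needs a default; PBR only overrides it for traffic that
! matches. A floating static (distance 10) covers loss of the DSL default.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10
```

Two points for the failover question raised in the thread. Listing two next hops per route-map entry covers the case where a link's interface actually goes down, which is typical for a point-to-point T1. It does not cover a DSL circuit whose Ethernet side stays up while the far end is dead; IOS can be told to check next-hop reachability with `set ip next-hop verify-availability`, but that relies on CDP from the next-hop device, which an ISP router will usually not provide, so treat that as an assumption to verify rather than a given.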
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=359&t=195
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
