My question was the design itself - why are there firewalls at all these branches if this is an internal network? Firewalls generally would be placed at network edges? Is this a VPN solution?
Otherwise, if this is an issue of placing security zones throughout a corporate network, I would make each zone self-contained, with static routes into the other zones. I'm not so sure I would want to be running routing protocols through a firewall, if for no other reason than that the routing updates could be sniffed, and would reveal more than should be revealed about network structure.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Priscilla Oppenheimer
Sent: Wednesday, September 26, 2001 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: EIGRP network design [7:21019]

RIPv1 sends to 255.255.255.255. RIPv2 sends to 224.0.0.9. They both use UDP port 520. Both the source and dest ports are 520.

Are you sure static routes wouldn't be the best bet, though? I haven't followed the entire discussion, so if that's off the wall, just ignore it.

Priscilla

At 09:09 AM 9/26/01, Carroll Kong wrote:
>Hm. If you are that worried about internal security, you should probably
>make an ACL that allows only the redistributing router's IP, deny all other
>UDP port 520 reqs (for RIPv1, or multicast 224.0.0.5? re-check what it
>uses). Also, you might need to write some no nat rules to avoid NAT. That
>might be more work than statics.
>
>Yes, IPs are spoofable, and so are MAC addresses. If your internal
>security helps avoid this (easy to do), then an ACL for RIP updates should
>be fairly secure.
>
>At 04:41 AM 9/26/01 -0400, Patrick Donlon wrote:
> >Yes the firewalls are all PIX. For the PIX can I set up the PIX to receive
> >RIP routes redistributed from the EIGRP routers? If so this will save a lot
> >of admin work, but will this be a security risk, i.e. someone being able to
> >inject routes into the PIX?
> >
> >regards
> >
> >"Carroll Kong" wrote in message news:[EMAIL PROTECTED]...
> > > What kind of firewalls? Pix? If so, try RIP v2 with redistribution into
> > > your routers. As for discontiguous networks, there are many ways around
> > > that, with a different cost associated of course.
> > >
> > > At 12:52 PM 9/25/01 -0400, Patrick Donlon wrote:
> > > >Hi everyone
> > > >
> > > >I've got a project where I have to design and implement EIGRP in a small
> > > >to medium sized network of about 50 to 70 routers. One of my main problems
> > > >is what to do with routing updates at the firewalls at each site: should
> > > >they be allowed to pass through the firewall, or should statics be used
> > > >either side of the firewalls? Another problem I can see is the routes on
> > > >the firewalls; is there a way to avoid having to type all those route
> > > >entries in them? The network has many discontiguous networks. And one last
> > > >point is the redistribution to the BGP routers at the edge of the network.
> > > >I'm after some tips, experiences and URLs so I can read around the subject
> > > >myself.
> > > >
> > > >Regards Pat
> > > -Carroll Kong
>-Carroll Kong

________________________
Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=21261&t=21019
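The ACL Carroll describes, written out for the router side as an added Cisco IOS example that is not from the thread or any of its posters. It assumes the router's PIX-facing interface is Serial0, the router is 10.0.0.1 and the PIX is 10.0.0.2 (all placeholders), that the PIX advertises its routes back via RIPv2, and it adds RIPv2 MD5 authentication, which the thread does not mention, to address the IP-spoofing concern Carroll raises; the matching PIX-side configuration is not shown.

```cisco
! Router facing the PIX. Addresses and key are placeholders, not values from the thread.
key chain RIP-KEYS
 key 1
  key-string CHANGE-ME-PLACEHOLDER
!
interface Serial0
 ip address 10.0.0.1 255.255.255.252
 ! Only the PIX (10.0.0.2) may source RIP toward this router; every other
 ! RIP packet is dropped and logged so injection attempts become visible.
 ip access-group RIP-IN in
 ! MD5 authentication: a spoofed source address alone no longer gets an
 ! update accepted; the sender must also hold the shared key.
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-KEYS
!
ip access-list extended RIP-IN
 permit udp host 10.0.0.2 eq 520 host 224.0.0.9 eq 520
 permit udp host 10.0.0.2 eq 520 host 10.0.0.1 eq 520
 deny   udp any any eq 520 log
 permit ip any any
!
router rip
 version 2
 ! Speak RIP only on the PIX-facing link; all other interfaces stay EIGRP-only.
 passive-interface default
 no passive-interface Serial0
 network 10.0.0.0
 ! Hand the EIGRP-learned routes to the PIX as RIPv2 with a fixed hop count.
 redistribute eigrp 100 metric 3
!
router eigrp 100
 network 10.0.0.0
 ! Bring the PIX's RIP-advertised networks back into EIGRP (seed metric required).
 redistribute rip metric 1544 20000 255 1 1500
```

The `deny ... log` line is what turns the ACL into a detection point: unexpected UDP 520 hits on the firewall segment show up in the router's log rather than silently disappearing.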