The firewalls are for the internet and the intranet. At the moment I'm
thinking of using statics on the outside of the internet firewall and possibly
using RIPv2 for the inside. For the intranet I'm considering using RIP on
both sides, but statics haven't been ruled out for either firewall.

regards

"Chuck Larrieu" wrote in message
news:[EMAIL PROTECTED]...
> my question was the design itself - why are there firewalls at all these
> branches if this is an internal network? firewalls generally would be placed
> at network edges? Is this a VPN solution?
>
> otherwise, if this is an issue of placing security zones throughout a
> corporate network, I would make each zone self contained, with static routes
> into the other zones. I'm not so sure I would want to be running routing
> protocols through a firewall, if for no other reason than that the routing
> updates could be sniffed, and would reveal more than should be revealed
> about network structure.
>
> Chuck
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Priscilla Oppenheimer
> Sent: Wednesday, September 26, 2001 10:08 AM
> To: [EMAIL PROTECTED]
> Subject: Re: EIGRP network design [7:21019]
>
>
> RIPv1 sends to 255.255.255.255. RIPv2 sends to 224.0.0.9. They both use UDP
> port 520. Both the source and dest ports are 520.
>
> Are you sure static routes wouldn't be the best bet, though? I haven't
> followed the entire discussion, so if that's off the wall, just ignore it.
>
> Priscilla
>
>
> At 09:09 AM 9/26/01, Carroll Kong wrote:
> >Hm.  If you are that worried about internal security, you should probably
> >make an ACL that allows only the redistributing router's ip, deny all other
> >udp port 520 reqs (for ripv1, or multicast 224.0.0.5?  re-check what it
> >uses).  Also, you might need to write some no nat rules to avoid nat.  That
> >might be more work than statics.
> >
> >Yes, IPs are spoofable, and so are MAC addresses.  If your internal
> >security helps avoid this (easy to do), then an ACL for Rip updates should
> >be fairly secure.
> >
> >At 04:41 AM 9/26/01 -0400, Patrick Donlon wrote:
> > >Yes the firewalls are all PIX. For the PIX can I set up the PIX to receive
> > >RIP routes redistributed from the EIGRP routers? If so this will save a lot
> > >of admin work, but will this be a security risk, i.e. someone being able to
> > >inject routes into the PIX?
> > >
> > >regards
> > >
> > >"Carroll Kong" wrote in message
> > >news:[EMAIL PROTECTED]...
> > > > What kind of firewalls?  Pix?  If so, try RIP v2 with redistribution into
> > > > your routers.  As for discontiguous networks, there are many ways around
> > > > that, with a different cost associated of course.
> > > >
> > > > At 12:52 PM 9/25/01 -0400, Patrick Donlon wrote:
> > > > >Hi everyone
> > > > >
> > > > > >I've got a project where I have to design and implement EIGRP in a small to
> > > > > >medium sized network of about 50 to 70 routers. One of my main problems is
> > > > > >what to do with routing updates at the firewalls at each site, should they
> > > > > >be allowed to pass through the firewall or should statics be used either
> > > > > >side of the firewalls. Another problem I can see is the routes on the
> > > > > >firewalls, is there a way to avoid having to type all those route entries in
> > > > > >them, the network has many discontiguous networks. And one last point is the
> > > > > >redistribution to the BGP routers at the edge of the network. I'm after some
> > > > > >tips, experiences and URLs so I can read around the subject myself.
> > > > >Regards Pat
> > > > -Carroll Kong
> >-Carroll Kong
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=21269&t=21019
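
An added example, not part of the original thread: a Python sketch of the check discussed above, accepting a RIP update only when both UDP ports are 520, the source is the redistributing router, and the destination matches the version (255.255.255.255 for RIPv1, 224.0.0.9 for RIPv2, as stated in the thread). The neighbor address 192.0.2.1, the sample packet and all function names are constructed for illustration.

```python
import ipaddress
import struct

RIP_PORT = 520  # source and destination port, per the thread
EXPECTED_DST = {1: "255.255.255.255", 2: "224.0.0.9"}  # RIPv1 / RIPv2
ALLOWED_NEIGHBORS = {"192.0.2.1"}  # assumption: the redistributing router


def parse_rip(payload):
    """Return (version, routes); raise ValueError on a malformed packet."""
    if len(payload) < 4 or (len(payload) - 4) % 20 != 0:
        raise ValueError("bad RIP length")
    _command, version, _zero = struct.unpack("!BBH", payload[:4])
    routes = []
    for off in range(4, len(payload), 20):
        afi, _tag, addr, mask, _nh, metric = struct.unpack("!HHIIII", payload[off:off + 20])
        if afi == 2:  # AF_INET entry; RIPv1 leaves the mask field zero
            net = f"{ipaddress.IPv4Address(addr)}/{bin(mask).count('1')}"
            routes.append((net, metric))
    return version, routes


def check_update(src, dst, sport, dport, payload):
    """Mirror the ACL idea from the thread: RIP only from the known neighbor."""
    if sport != RIP_PORT or dport != RIP_PORT:
        return "drop: not UDP 520 on both ports"
    if src not in ALLOWED_NEIGHBORS:
        return "drop: source is not the redistributing router"
    try:
        version, routes = parse_rip(payload)
    except ValueError as exc:
        return f"drop: {exc}"
    if EXPECTED_DST.get(version) != dst:
        return "drop: destination does not match RIP version"
    return "accept: " + ", ".join(f"{net} metric {m}" for net, m in routes)


def rip_response(version, entries):
    """Build a constructed RIP response (command 2) for the demonstration."""
    body = struct.pack("!BBH", 2, version, 0)
    for net, metric in entries:
        n = ipaddress.IPv4Network(net)
        body += struct.pack("!HHIIII", 2, 0, int(n.network_address), int(n.netmask), 0, metric)
    return body


SAMPLE = rip_response(2, [("10.20.0.0/16", 3)])  # constructed packet
print(check_update("192.0.2.1", "224.0.0.9", 520, 520, SAMPLE))
print(check_update("192.0.2.66", "224.0.0.9", 520, 520, SAMPLE))
```

As the thread notes, source addresses are spoofable, so this check is only as strong as the controls that prevent spoofing on that segment.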
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
