RE: EIGRP network design [7:21019]
My question was the design itself - why are there firewalls at all these branches if this is an internal network? Firewalls generally would be placed at network edges? Is this a VPN solution? Otherwise, if this is an issue of placing security zones throughout a corporate network, I would make each zone self-contained, with static routes into the other zones. I'm not so sure I would want to be running routing protocols through a firewall, if for no other reason than that the routing updates could be sniffed, and would reveal more than should be revealed about network structure.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Priscilla Oppenheimer
Sent: Wednesday, September 26, 2001 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: EIGRP network design [7:21019]

RIPv1 sends to 255.255.255.255. RIPv2 sends to 224.0.0.9. They both use UDP port 520. Both the source and dest ports are 520.

Are you sure static routes wouldn't be the best bet, though? I haven't followed the entire discussion, so if that's off the wall, just ignore it.

Priscilla

At 09:09 AM 9/26/01, Carroll Kong wrote:

Hm. If you are that worried about internal security, you should probably make an ACL that allows only the redistributing router's IP, and deny all other UDP port 520 reqs (for RIPv1, or multicast 224.0.0.5? re-check what it uses). Also, you might need to write some no nat rules to avoid NAT. That might be more work than statics. Yes, IPs are spoofable, and so are MAC addresses. If your internal security helps avoid this (easy to do), then an ACL for RIP updates should be fairly secure.

At 04:41 AM 9/26/01 -0400, Patrick Donlon wrote:

Yes, the firewalls are all PIX. For the PIX, can I set up the PIX to receive RIP routes redistributed from the EIGRP routers? If so this will save a lot of admin work, but will this be a security risk, i.e. someone being able to inject routes into the PIX?

regards

Carroll Kong wrote in message news:[EMAIL PROTECTED]...

What kind of firewalls? PIX? If so, try RIP v2 with redistribution into your routers. As for discontiguous networks, there are many ways around that, with a different cost associated of course.

At 12:52 PM 9/25/01 -0400, Patrick Donlon wrote:

Hi everyone

I've got a project where I have to design and implement EIGRP in a small to medium sized network of about 50 to 70 routers. One of my main problems is what to do with routing updates at the firewalls at each site: should they be allowed to pass through the firewall, or should statics be used either side of the firewalls? Another problem I can see is the routes on the firewalls; is there a way to avoid having to type all those route entries in them? The network has many discontiguous networks. And one last point is the redistribution to the BGP routers at the edge of the network.

I'm after some tips, experiences and URLs so I can read around the subject myself.

Regards
Pat

-Carroll Kong

-Carroll Kong

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=21261&t=21019
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: EIGRP network design [7:21019]
The firewalls are for the internet and the intranet. At the moment I'm thinking of using statics on the outside of the internet firewall and possibly using RIPv2 for the inside. For the intranet I'm considering using RIP on both sides, but statics haven't been ruled out for either firewall.

regards

Chuck Larrieu wrote in message news:[EMAIL PROTECTED]...

My question was the design itself - why are there firewalls at all these branches if this is an internal network? Firewalls generally would be placed at network edges? Is this a VPN solution? Otherwise, if this is an issue of placing security zones throughout a corporate network, I would make each zone self-contained, with static routes into the other zones. I'm not so sure I would want to be running routing protocols through a firewall, if for no other reason than that the routing updates could be sniffed, and would reveal more than should be revealed about network structure.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Priscilla Oppenheimer
Sent: Wednesday, September 26, 2001 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: EIGRP network design [7:21019]

RIPv1 sends to 255.255.255.255. RIPv2 sends to 224.0.0.9. They both use UDP port 520. Both the source and dest ports are 520.

Are you sure static routes wouldn't be the best bet, though? I haven't followed the entire discussion, so if that's off the wall, just ignore it.

Priscilla

At 09:09 AM 9/26/01, Carroll Kong wrote:

Hm. If you are that worried about internal security, you should probably make an ACL that allows only the redistributing router's IP, and deny all other UDP port 520 reqs (for RIPv1, or multicast 224.0.0.5? re-check what it uses). Also, you might need to write some no nat rules to avoid NAT. That might be more work than statics. Yes, IPs are spoofable, and so are MAC addresses. If your internal security helps avoid this (easy to do), then an ACL for RIP updates should be fairly secure.

At 04:41 AM 9/26/01 -0400, Patrick Donlon wrote:

Yes, the firewalls are all PIX. For the PIX, can I set up the PIX to receive RIP routes redistributed from the EIGRP routers? If so this will save a lot of admin work, but will this be a security risk, i.e. someone being able to inject routes into the PIX?

regards

Carroll Kong wrote in message news:[EMAIL PROTECTED]...

What kind of firewalls? PIX? If so, try RIP v2 with redistribution into your routers. As for discontiguous networks, there are many ways around that, with a different cost associated of course.

At 12:52 PM 9/25/01 -0400, Patrick Donlon wrote:

Hi everyone

I've got a project where I have to design and implement EIGRP in a small to medium sized network of about 50 to 70 routers. One of my main problems is what to do with routing updates at the firewalls at each site: should they be allowed to pass through the firewall, or should statics be used either side of the firewalls? Another problem I can see is the routes on the firewalls; is there a way to avoid having to type all those route entries in them? The network has many discontiguous networks. And one last point is the redistribution to the BGP routers at the edge of the network.

I'm after some tips, experiences and URLs so I can read around the subject myself.

Regards
Pat

-Carroll Kong

-Carroll Kong

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=21269&t=21019
Re: EIGRP network design [7:21019]
Yes, the firewalls are all PIX. For the PIX, can I set up the PIX to receive RIP routes redistributed from the EIGRP routers? If so this will save a lot of admin work, but will this be a security risk, i.e. someone being able to inject routes into the PIX?

regards

Carroll Kong wrote in message news:[EMAIL PROTECTED]...

What kind of firewalls? PIX? If so, try RIP v2 with redistribution into your routers. As for discontiguous networks, there are many ways around that, with a different cost associated of course.

At 12:52 PM 9/25/01 -0400, Patrick Donlon wrote:

Hi everyone

I've got a project where I have to design and implement EIGRP in a small to medium sized network of about 50 to 70 routers. One of my main problems is what to do with routing updates at the firewalls at each site: should they be allowed to pass through the firewall, or should statics be used either side of the firewalls? Another problem I can see is the routes on the firewalls; is there a way to avoid having to type all those route entries in them? The network has many discontiguous networks. And one last point is the redistribution to the BGP routers at the edge of the network.

I'm after some tips, experiences and URLs so I can read around the subject myself.

Regards
Pat

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=21114&t=21019
Re: EIGRP network design [7:21019]
RIPv1 sends to 255.255.255.255. RIPv2 sends to 224.0.0.9. They both use UDP port 520. Both the source and dest ports are 520.

Are you sure static routes wouldn't be the best bet, though? I haven't followed the entire discussion, so if that's off the wall, just ignore it.

Priscilla

At 09:09 AM 9/26/01, Carroll Kong wrote:

Hm. If you are that worried about internal security, you should probably make an ACL that allows only the redistributing router's IP, and deny all other UDP port 520 reqs (for RIPv1, or multicast 224.0.0.5? re-check what it uses). Also, you might need to write some no nat rules to avoid NAT. That might be more work than statics. Yes, IPs are spoofable, and so are MAC addresses. If your internal security helps avoid this (easy to do), then an ACL for RIP updates should be fairly secure.

At 04:41 AM 9/26/01 -0400, Patrick Donlon wrote:

Yes, the firewalls are all PIX. For the PIX, can I set up the PIX to receive RIP routes redistributed from the EIGRP routers? If so this will save a lot of admin work, but will this be a security risk, i.e. someone being able to inject routes into the PIX?

regards

Carroll Kong wrote in message news:[EMAIL PROTECTED]...

What kind of firewalls? PIX? If so, try RIP v2 with redistribution into your routers. As for discontiguous networks, there are many ways around that, with a different cost associated of course.

At 12:52 PM 9/25/01 -0400, Patrick Donlon wrote:

Hi everyone

I've got a project where I have to design and implement EIGRP in a small to medium sized network of about 50 to 70 routers. One of my main problems is what to do with routing updates at the firewalls at each site: should they be allowed to pass through the firewall, or should statics be used either side of the firewalls? Another problem I can see is the routes on the firewalls; is there a way to avoid having to type all those route entries in them? The network has many discontiguous networks. And one last point is the redistribution to the BGP routers at the edge of the network.

I'm after some tips, experiences and URLs so I can read around the subject myself.

Regards
Pat

-Carroll Kong

-Carroll Kong

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=21180&t=21019
EIGRP network design [7:21019]
Hi everyone

I've got a project where I have to design and implement EIGRP in a small to medium sized network of about 50 to 70 routers. One of my main problems is what to do with routing updates at the firewalls at each site: should they be allowed to pass through the firewall, or should statics be used either side of the firewalls? Another problem I can see is the routes on the firewalls; is there a way to avoid having to type all those route entries in them? The network has many discontiguous networks. And one last point is the redistribution to the BGP routers at the edge of the network.

I'm after some tips, experiences and URLs so I can read around the subject myself.

Regards
Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=21019&t=21019
Re: EIGRP network design [7:21019]
Patrick,

I don't think you will have a choice of passing EIGRP through a firewall, because I don't think you can do it. An EIGRP packet uses multicast addressing and has no layer 3 address. I would think that a firewall would not pass this traffic.

From: Patrick Donlon
Reply-To: Patrick Donlon
To: [EMAIL PROTECTED]
Subject: EIGRP network design [7:21019]
Date: Tue, 25 Sep 2001 12:52:28 -0400

Hi everyone

I've got a project where I have to design and implement EIGRP in a small to medium sized network of about 50 to 70 routers. One of my main problems is what to do with routing updates at the firewalls at each site: should they be allowed to pass through the firewall, or should statics be used either side of the firewalls? Another problem I can see is the routes on the firewalls; is there a way to avoid having to type all those route entries in them? The network has many discontiguous networks. And one last point is the redistribution to the BGP routers at the edge of the network.

I'm after some tips, experiences and URLs so I can read around the subject myself.

Regards
Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=21052&t=21019
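The thread supplies the facts a packet filter at the PIX would match on: RIPv1 broadcasts to 255.255.255.255, RIPv2 multicasts to 224.0.0.9, both with UDP source and destination port 520, and Carroll's suggestion is to permit UDP 520 only from the one router that redistributes EIGRP into RIP. EIGRP itself is carried as IP protocol 88 to 224.0.0.10 and has no UDP/TCP port at all, so a port-based rule never matches it. The Python below is an added example, not code from any poster or from Cisco: it builds constructed sample packets (the redistributing router at 10.1.1.1, the 10.20.0.0/16 and 10.30.4.0/24 prefixes, an unknown host at 10.1.1.77 and the EIGRP header values are all assumptions for the example) and applies that policy, decoding the RIPv2 route entries so you can see what a spoofed update would have installed.

```python
"""Routing-protocol packet filter for a firewall choke point (constructed example).

Policy from the thread: permit RIPv2 updates only from the router that redistributes
EIGRP into RIP; deny every other RIP or EIGRP packet. All addresses are made up."""
import ipaddress
import struct

RIP_PORT = 520                 # RIPv1 and RIPv2 both use UDP src and dst port 520
RIPV2_GROUP = "224.0.0.9"      # RIPv2 multicast group; RIPv1 broadcasts to 255.255.255.255
EIGRP_GROUP = "224.0.0.10"     # EIGRP hellos: IP protocol 88, no UDP/TCP header
IPPROTO_UDP = 17
IPPROTO_EIGRP = 88


def ipv4_packet(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 1, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def udp_datagram(sport, dport, data):
    """UDP header with the (optional over IPv4) checksum left zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def rip_response(version, routes):
    """RIP Response (command 2). Each route is (prefix, next_hop, metric), 20 bytes on the
    wire; RIPv1 has no mask or next-hop field, so those bytes are zero for version 1."""
    body = struct.pack("!BBH", 2, version, 0)
    for prefix, next_hop, metric in routes:
        net = ipaddress.IPv4Network(prefix)
        mask = net.netmask.packed if version == 2 else b"\0" * 4
        nh = ipaddress.IPv4Address(next_hop).packed if version == 2 else b"\0" * 4
        body += struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed, mask, nh, metric)
    return body


def rip_routes(rip):
    """Decode RIP route entries into (prefix, next_hop, metric) tuples."""
    routes = []
    for off in range(4, len(rip) - 19, 20):
        afi, _tag, addr, mask, nh, metric = struct.unpack("!HH4s4s4sI", rip[off:off + 20])
        if afi != 2:            # AFI 2 = IP; 0xFFFF would be an authentication entry
            continue
        plen = bin(int.from_bytes(mask, "big")).count("1")
        routes.append((f"{ipaddress.IPv4Address(addr)}/{plen}",
                       str(ipaddress.IPv4Address(nh)), metric))
    return routes


def classify(pkt):
    """Extract what an ACL can match on: addresses, IP protocol, UDP ports, RIP version."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])), "proto": pkt[9], "kind": "other"}
    if info["proto"] == IPPROTO_EIGRP:
        info["kind"] = "eigrp"          # identified by protocol number alone
    elif info["proto"] == IPPROTO_UDP:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
        rip = pkt[ihl + 8:]
        if info["dport"] == RIP_PORT and len(rip) >= 4:
            info["kind"] = f"ripv{rip[1]}"   # version byte distinguishes v1 from v2
            info["routes"] = rip_routes(rip)
        else:
            info["kind"] = "udp"
    return info


def firewall_decision(pkt, trusted_routers):
    """permit: RIPv2, UDP 520 -> 520, sent to 224.0.0.9 from a trusted router.
    deny: any other RIP or EIGRP packet (untrusted source, RIPv1 broadcast, EIGRP hello).
    no-match: not routing traffic; left to the rest of the rule base."""
    info = classify(pkt)
    if (info["kind"] == "ripv2" and info["sport"] == RIP_PORT
            and info["dst"] == RIPV2_GROUP and info["src"] in trusted_routers):
        return "permit", info
    if info["kind"].startswith("ripv") or info["kind"] == "eigrp":
        return "deny", info
    return "no-match", info


# Constructed sample traffic; 10.1.1.1 plays the router redistributing EIGRP into RIP.
TRUSTED = {"10.1.1.1"}
ROUTES = [("10.20.0.0/16", "0.0.0.0", 1), ("10.30.4.0/24", "0.0.0.0", 3)]
GOOD_UPDATE = ipv4_packet("10.1.1.1", RIPV2_GROUP, IPPROTO_UDP,
                          udp_datagram(RIP_PORT, RIP_PORT, rip_response(2, ROUTES)))
SPOOFED_UPDATE = ipv4_packet("10.1.1.77", RIPV2_GROUP, IPPROTO_UDP,   # unknown host, default route
                             udp_datagram(RIP_PORT, RIP_PORT,
                                          rip_response(2, [("0.0.0.0/0", "10.1.1.77", 1)])))
RIPV1_BCAST = ipv4_packet("10.1.1.1", "255.255.255.255", IPPROTO_UDP,
                          udp_datagram(RIP_PORT, RIP_PORT, rip_response(1, ROUTES)))
# EIGRP hello header: version 2, opcode 5, checksum, flags, seq, ack, AS 100 (assumed values)
EIGRP_HELLO = ipv4_packet("10.1.1.1", EIGRP_GROUP, IPPROTO_EIGRP,
                          struct.pack("!BBHIIII", 2, 5, 0, 0, 0, 0, 100))

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_UPDATE), ("spoofed", SPOOFED_UPDATE),
                      ("ripv1", RIPV1_BCAST), ("eigrp", EIGRP_HELLO)]:
        verdict, info = firewall_decision(pkt, TRUSTED)
        print(f"{name:8} {verdict:9} {info['kind']:6} {info['src']} -> {info['dst']} "
              f"{info.get('routes', '')}")
```

The spoofed sample illustrates the limit Carroll points out: the filter trusts a source address, and source addresses are forgeable, so this control only holds if the segment between the redistributing router and the firewall is itself controlled (the attacker's default route would otherwise be accepted just like the real update). RIPv2's keyed-MD5 authentication (RFC 2082) binds an update to a shared secret rather than an address and is the stronger control; whether a given PIX release accepts it is something to confirm in its documentation before relying on it. The EIGRP sample is recognised purely by IP protocol number 88, which is why a rule base that only matches TCP/UDP ports treats it as undifferentiated IP traffic.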
Re: EIGRP network design [7:21019]
Patrick,

Jeff is right, I do not think that you can pass EIGRP packets through a firewall. My suggestion is to create a VPN tunnel and put in some static routes.

Alex

Jeff Smith wrote:

Patrick,

I don't think you will have a choice of passing EIGRP through a firewall, because I don't think you can do it. An EIGRP packet uses multicast addressing and has no layer 3 address. I would think that a firewall would not pass this traffic.

From: Patrick Donlon
Reply-To: Patrick Donlon
To: [EMAIL PROTECTED]
Subject: EIGRP network design [7:21019]
Date: Tue, 25 Sep 2001 12:52:28 -0400

Hi everyone

I've got a project where I have to design and implement EIGRP in a small to medium sized network of about 50 to 70 routers. One of my main problems is what to do with routing updates at the firewalls at each site: should they be allowed to pass through the firewall, or should statics be used either side of the firewalls? Another problem I can see is the routes on the firewalls; is there a way to avoid having to type all those route entries in them? The network has many discontiguous networks. And one last point is the redistribution to the BGP routers at the edge of the network.

I'm after some tips, experiences and URLs so I can read around the subject myself.

Regards
Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=21071&t=21019
Re: EIGRP network design [7:21019]
What kind of firewalls? PIX? If so, try RIP v2 with redistribution into your routers. As for discontiguous networks, there are many ways around that, with a different cost associated of course.

At 12:52 PM 9/25/01 -0400, Patrick Donlon wrote:

Hi everyone

I've got a project where I have to design and implement EIGRP in a small to medium sized network of about 50 to 70 routers. One of my main problems is what to do with routing updates at the firewalls at each site: should they be allowed to pass through the firewall, or should statics be used either side of the firewalls? Another problem I can see is the routes on the firewalls; is there a way to avoid having to type all those route entries in them? The network has many discontiguous networks. And one last point is the redistribution to the BGP routers at the edge of the network.

I'm after some tips, experiences and URLs so I can read around the subject myself.

Regards
Pat

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=21096&t=21019