RE: Design Challenge - a bit off topic [7:195]
Ok - only solution we could come up with pending better customer information or a better design idea:

Internet --- edge router --- firewall --- inside

Recall that there are two internet connections terminating on the edge router.

Policy routing on the edge router interface connecting to the firewall (inbound to the edge router). Extended access-lists to identify and categorize the customer internet-bound traffic. Policy routing implemented using a route-map which refers to the access-lists.

Howard's point was interesting - the issue of redundancy being, perhaps, misunderstood. The RFI specifically mentioned failover if one or the other interface was down. Here's where I am not sure even policy routing will assure failover. Packet matches a policy, is forwarded to the designated interface. That path is down - packet dropped? I'm pretty sure that's how it works. So no automatic failover in the design above.

So - now what?

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck Larrieu
Sent: Tuesday, April 10, 2001 11:07 PM
To: [EMAIL PROTECTED]
Subject: Design Challenge - a bit off topic [7:195]

Howard's comment brings to mind a problem my Design Engineer raised when responding to a customer RFI.

Howard's comment: (Pause for usual mystification on why someone wants routing protocols to pass through a firewall, a fairly frequent question).

The customer RFI stated requirement (wording as best as I can remember): Solution will entail two internet connections, a T1 and a DSL. Routing will be configured such that priority traffic will use the T1 connection, and ordinary internet browsing will use the DSL connection.

Lindy and I were having a real good laugh about the vagueness of the requirement, when we decided to try to come up with a solution. We came up with a number of questions for the customer to elaborate upon, and a possible solution. Would anyone else care to use this as a test of design issues?
If memory serves, the customer defined "priority" traffic as e-mail and connectivity to a certain external web site.

So:

1) What are some of the questions the customer still needs to answer?

2) What are some possible solutions to this requirement? (assume the T1 and the DSL terminate on the same router)

Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=348t=195
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Design Challenge - a bit off topic [7:195]
How about this... Since the exit point is based on destination address, could you use floating static routes? For example [the host and next-hop addresses did not survive in the archived copy; angle brackets mark where they were]:

   ip route <priority-host-1> 255.255.255.255 <T1-next-hop> 50
   ip route <priority-host-1> 255.255.255.255 <DSL-next-hop> 100
   ip route <priority-host-2> 255.255.255.255 <T1-next-hop> 50
   ip route <priority-host-2> 255.255.255.255 <DSL-next-hop> 100
   ip route 0.0.0.0 0.0.0.0 <DSL-next-hop> 50
   ip route 0.0.0.0 0.0.0.0 <T1-next-hop> 100

This would provide failover while also accomplishing the stated goal. The downside is that as the number of priority sites increased you'd have to add a new static route.

If I misunderstood the original goal and we are basing the exit point on internal source IP address, then policy routing would definitely be the way to go.

If you wanted to go completely overboard, you could run BGP on both links and set the WEIGHT attribute higher on the T-1 for the prefixes leading to the priority servers. That would also provide dynamic failover but I wouldn't consider it to be the best solution. Besides, it's probably difficult to get a provider to run BGP over DSL.

John

>>> "Chuck Larrieu" 4/12/01 10:28:52 AM >>>
> Ok - only solution we could come up with pending better customer information or a better design idea:
>
> Internet --- edge router --- firewall --- inside
>
> Recall that there are two internet connections terminating on the edge router.
>
> Policy routing on the edge router interface connecting to the firewall (inbound to the edge router). Extended access-lists to identify and categorize the customer internet-bound traffic. Policy routing implemented using a route-map which refers to the access-lists.
>
> Howard's point was interesting - the issue of redundancy being, perhaps, misunderstood. The RFI specifically mentioned failover if one or the other interface was down. Here's where I am not sure even policy routing will assure failover. Packet matches a policy, is forwarded to the designated interface. That path is down - packet dropped? I'm pretty sure that's how it works. So no automatic failover in the design above.
>
> So - now what?
> Chuck

[quoted 4/10 original message snipped; it appears in full above]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=352t=195
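The two ideas in this thread so far, the route-map plus access-list policy routing from Chuck's 4/12 message and the floating static routes from John's reply, fit together on one edge router. The following is an added example written for this page, not configuration from either post or from the customer. Interface names, the 192.0.2.x/198.51.100.x next hops, the inside subnet and the host 203.0.113.10 (standing in for the customer's unnamed priority web site) are all assumptions.

```cisco
! Added example, not from the original posts. Assumed topology:
!   Serial0/0    T1 to provider A, provider next hop 192.0.2.1
!   Ethernet0/1  DSL to provider B, provider next hop 198.51.100.1
!   Ethernet0/0  inside, facing the firewall's outside interface
!   203.0.113.10 the customer's "priority" external web site (assumed)
!
! 1. Classify the priority traffic: e-mail and the one named web site.
!    Everything not matched here is left to the routing table.
ip access-list extended PRIORITY-TRAFFIC
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq 143
 permit tcp any host 203.0.113.10 eq www
!
! 2. Route-map: only one clause, with a "set" for matching packets.
!    Unmatched packets fall through to normal destination routing.
route-map PREFER-T1 permit 10
 match ip address PRIORITY-TRAFFIC
 set ip next-hop 192.0.2.1
!
! 3. Apply the policy inbound on the interface facing the firewall,
!    i.e. on the customer's internet-bound traffic.
interface Ethernet0/0
 description inside, facing firewall
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map PREFER-T1
!
interface Serial0/0
 description T1 to provider A
 ip address 192.0.2.2 255.255.255.252
!
interface Ethernet0/1
 description DSL to provider B
 ip address 198.51.100.2 255.255.255.252
!
! 4. Floating static defaults (John's idea): ordinary traffic prefers
!    the DSL (AD 50); the T1 default (AD 100) is only installed when
!    the DSL path disappears from the routing table.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 50
ip route 0.0.0.0 0.0.0.0 192.0.2.1 100
```

On the failover question: the policy does not forward to a dead interface and drop. IOS resolves the `set ip next-hop` address through the routing table, so when Serial0/0 goes down its connected route vanishes and the priority traffic is forwarded along whatever route remains, here the DSL default; when the DSL side goes down, the AD 50 default is withdrawn and the AD 100 default via the T1 takes over for everything. The caveat a practitioner should check is what "down" means on each link: a T1 serial interface drops line protocol when the circuit fails, but a DSL modem hanging off an Ethernet port usually keeps the router's interface up when the provider side dies, so the floating static never triggers. For that case IOS offers `set ip next-hop verify-availability` (CDP-based in the original form, later with a tracked IP SLA object), which withdraws the policy next hop when it stops answering; the same gap should be checked for the DSL default route.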
RE: Design Challenge - a bit off topic [7:195]
> Ok - only solution we could come up with pending better customer information or a better design idea:
>
> Internet --- edge router --- firewall --- inside
>
> Recall that there are two internet connections terminating on the edge router.
>
> Policy routing on the edge router interface connecting to the firewall (inbound to the edge router). Extended access-lists to identify and categorize the customer internet-bound traffic. Policy routing implemented using a route-map which refers to the access-lists.
>
> Howard's point was interesting - the issue of redundancy being, perhaps, misunderstood. The RFI specifically mentioned failover if one or the other interface was down.

I'm not clear about what you think I meant. Pause to resynchronize.

I find it hard to imagine any useful and safe scenario where routing updates pass transparently THROUGH a firewall. That doesn't preclude, however, having dynamic routing on both sides of a firewall or set of firewalls.

For example, if the servers on the inside of the firewalls were UNIX boxen that can understand RIP, the inside of the firewall could announce the default route in RIP, which would let the servers find the correct outgoing firewall. This doesn't mean that RIP would be your primary IGP, just that RIP is present on the perimeter network between the inside interface of the firewalls and the inside router. Another alternative would be VRRP on the firewalls. IRDP is probably too slow.

You certainly could have BGP on the outside of the firewall, speaking to the Internet.

Before there is too much hand-waving about asymmetrical routing, tell me again why that creates a major problem and how much effort it would take to reduce it (you can't get rid of it). Outgoing, from the inside to the outside, a client/server sends to a default gateway which is on one or the other firewall. The firewalls only need to know how to get to the DMZ, to which the external router(s) are connected.

Incoming, a packet passes the firewall, and has the destination address of the client/server. Your IGP should take care of that.

> Here's where I am not sure even policy routing will assure failover. Packet matches a policy, is forwarded to the designated interface. That path is down - packet dropped? I'm pretty sure that's how it works. So no automatic failover in the design above.

Well, there are things you could do that start involving layer 4 load balancers. But the question always has to be asked -- how important is "optimal utilization of lines" in contrast with the amount of complexity you need for it? Again and again, I see people spending more money on policy control, accounting, etc., than it would cost them (in resources and actual money) just to throw in more bandwidth and keep things simple.

> So - now what?
>
> Chuck

[quoted 4/10 original message snipped; it appears in full above]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=359t=195
Re: Design Challenge - a bit off topic [7:195]
Thoughts inline below

| Howard's comment brings to mind a problem my Design Engineer raised when
| responding to a customer RFI.
|
| Howard's comment: (Pause for usual mystification on why someone wants
| routing protocols to pass through a firewall, a fairly frequent question).
|
| The customer RFI stated requirement (wording as best as I can remember):
| Solution will entail two internet connections, a T1 and a DSL. Routing will
| be configured such that priority traffic will use the T1 connection, and
| ordinary internet browsing will use the DSL connection.
|
| Lindy and I were having a real good laugh about the vagueness of the
| requirement, when we decided to try to come up with a solution. We came up
| with a number of questions for the customer to elaborate upon, and a
| possible solution. Would anyone else care to use this as a test of design
| issues?
|
| If memory serves, the customer defined "priority" traffic as e-mail and
| connectivity to a certain external web site.
|
| So:
|
| 1) what are some of the questions the customer still needs to answer?

My first question to them would be "Do you really think that email and that one website alone justify a full T-1, while the rest of the internet traffic for your company goes upstream on a measly DSL circuit?"

Question #2: Do you desire some sort of fault-tolerance? Should one circuit be able to take over in case of a failure on the other? If the T-1 fails and we move everything to the DSL circuit, do you care if we completely squash the rest of your traffic if necessary to prioritize the email and web traffic formerly on the T-1?

Question #3: Do you really need a T-1? Could you get by with another DSL circuit or a fractional T-1?

| 2) What are some possible solutions to this requirement?
| ( assume the T1 and the DSL terminate on the same router )

Question #4: Are these circuits coming from the same or different providers? Do you have your own address space available? (silly question, let's assume not)

If the answer is "different providers" then IP address allocation and return-traffic paths become an issue. Let's say that Provider A (T-1) issues a /27 and Provider B issues a /28. If we NAT internal addresses to only provider A's addresses--even for traffic leaving toward Provider B--then all that return web traffic will come in on the T-1, which kinda violates the spirit of the requirements. [Actually, upon further reflection, this is an issue even if the circuits are from the same provider. With two connections to the internet, successfully manipulating traffic going both directions on both circuits can be tricky.]

So then, how do you decide who to NAT to which addresses? One solution to that problem is to check out a Fatpipe Xtreme or a similar product by Radware that handles a lot of this for you. Pretty cool stuff, we'll be getting the Radware box in the near future for just this purpose.

On another routing issue, it appears that there will be a very limited number of destinations for traffic on the T-1 so one very simple solution would be static routes pointing out the T-1 and a default route pointing to the DSL circuit. Policy routing might also come in handy, I think, but it might be a bigger hammer than is necessary. No need to complicate this if it doesn't need to be complicated.

Is any of that the sort of thing you're looking for? You keep catching me late at night when I should be sleeping. I may not be thinking clearly enough to answer this.

Regards,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=197t=195
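The return-path problem John raises (translating everything to provider A's addresses pulls all the replies back over the T-1) can be solved on the router itself by choosing the NAT address from the interface the packet is actually leaving on. The configuration below is an added example for this page, not from John's post or from the products he mentions; it assumes NAT is done on the edge router rather than on the firewall, and the interface names, provider addresses and inside subnet are made up.

```cisco
! Added example, not from the original posts. Assumed topology:
!   Serial0/0    T1 to provider A (addresses from provider A's block)
!   Ethernet0/1  DSL to provider B (addresses from provider B's block)
!   Ethernet0/0  inside, facing the firewall; inside hosts on 10.0.0.0/24
!
interface Ethernet0/0
 description inside, facing firewall
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description T1 to provider A
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
interface Ethernet0/1
 description DSL to provider B
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Which inside sources may be translated at all.
ip access-list standard INSIDE-NETS
 permit 10.0.0.0 0.0.0.255
!
! One route-map per exit interface. For inside-to-outside packets IOS
! makes the routing (including any policy routing) decision before NAT,
! so "match interface" sees the link the packet is about to leave on.
route-map NAT-VIA-T1 permit 10
 match ip address INSIDE-NETS
 match interface Serial0/0
!
route-map NAT-VIA-DSL permit 10
 match ip address INSIDE-NETS
 match interface Ethernet0/1
!
! Translate to the address of whichever outside interface carries the
! packet, so the reply is addressed to, and returns over, the same link.
ip nat inside source route-map NAT-VIA-T1 interface Serial0/0 overload
ip nat inside source route-map NAT-VIA-DSL interface Ethernet0/1 overload
```

Two things to check before relying on this. First, the translation entry is created by the first packet of a flow, so a flow that starts on the T-1 and whose route later fails over to the DSL keeps provider A's source address until its entry ages out; existing sessions break on failover and new ones come up correctly. Second, this handles outbound connections only. If the mail server must accept inbound SMTP over both circuits it needs a static translation on an address from each provider and a DNS record for each, which is a separate design question from the one in the RFI.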