a bit off topic
Hey, just passed the CCDA exam today (CCNA prior). Looking to get some hands-on experience on a contract, part-time basis. Any thoughts on how/where to start (DC area)? Thanks.

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Design Challenge - a bit off topic [7:195]
Howard's comment brings to mind a problem my Design Engineer raised when responding to a customer RFI.

Howard's comment: (Pause for usual mystification on why someone wants routing protocols to pass through a firewall, a fairly frequent question).

The customer RFI stated requirement (wording as best as I can remember): Solution will entail two internet connections, a T1 and a DSL. Routing will be configured such that priority traffic will use the T1 connection, and ordinary internet browsing will use the DSL connection.

Lindy and I were having a real good laugh about the vagueness of the requirement, when we decided to try to come up with a solution. We came up with a number of questions for the customer to elaborate upon, and a possible solution. Would anyone else care to use this as a test of design issues?

If memory serves, the customer defined "priority" traffic as e-mail and connectivity to a certain external web site.

So:

1) What are some of the questions the customer still needs to answer?

2) What are some possible solutions to this requirement? (Assume the T1 and the DSL terminate on the same router.)

Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=195&t=195
Re: Design Challenge - a bit off topic [7:195]
Thoughts inline below

| 1) what are some of the questions the customer still needs to answer?

My first question to them would be "Do you really think that email and that one website alone justify a full T-1, while the rest of the internet traffic for your company goes upstream on a measly DSL circuit?"

Question #2: Do you desire some sort of fault-tolerance? Should one circuit be able to take over in case of a failure on the other? If the T-1 fails and we move everything to the DSL circuit, do you care if we completely squash the rest of your traffic if necessary to prioritize the email and web traffic formerly on the T-1?

Question #3: Do you really need a T-1? Could you get by with another DSL circuit or a fractional T-1?

| 2) What are some possible solutions to this requirement?
| ( assume the T1 and the DSL terminate on the same router )

Question #4: Are these circuits coming from the same or different providers? Do you have your own address space available? (Silly question, let's assume not.) If the answer is "different providers" then IP address allocation and return-traffic paths become an issue. Let's say that Provider A (T-1) issues a /27 and Provider B issues a /28. If we NAT internal addresses to only Provider A's addresses, even for traffic leaving toward Provider B, then all that return web traffic will come in on the T-1, which kinda violates the spirit of the requirements.

[Actually, upon further reflection, this is an issue even if the circuits are from the same provider. With two connections to the internet, successfully manipulating traffic going both directions on both circuits can be tricky.]

So then, how do you decide who to NAT to which addresses?

One solution to that problem is to check out a Fatpipe Xtreme or a similar product by Radware that handles a lot of this for you. Pretty cool stuff; we'll be getting the Radware box in the near future for just this purpose.

On another routing issue, it appears that there will be a very limited number of destinations for traffic on the T-1, so one very simple solution would be static routes pointing out the T-1 and a default route pointing to the DSL circuit. Policy routing might also come in handy, I think, but it might be a bigger hammer than is necessary. No need to complicate this if it doesn't need to be complicated.

Is any of that the sort of thing you're looking for? You keep catching me late at night when I should be sleeping. I may not be thinking clearly enough to answer this.

Regards,
John
Re: Design Challenge - a bit off topic [7:195]
Some interesting questions.

Me personally: no one has talked about restrictions of any sort (a la firewall), so let's say there aren't any. Just use 1 of 16 different custom queues... not really an effective tool for this job, but hey, design solutions it is...

I also don't like the idea about this T1/DSL link stuff. I always advise customers to have the same: "If you want to have a SEAMLESS service, don't skimp... all things should be equal." Obviously it won't be totally seamless, as you will have a lot of info going across 1 instead of 2 links, but it's closer than DSL.

Questions for the customer?

Would you like ME to design your network, or would you like to do it yourself, being as I have years of experience and you have none...

JUST SLIGHTLY MORE POLITELY...

Then I would convince the customer that my way was best and had loads of advantages, and his way would lead to lots of scratching chins and "ohhh, I wouldn't have done it that way... Boss" by support engineers from whichever company he gets to support him, as I won't be going anywhere near his network if he can't be bothered to listen.

AGAIN, just more politely.

HTH

steve

P.S. That is no joke; I have had to TELL customers that before... they just won't listen. And I do still have my job.
Re: Design Challenge - a bit off topic [7:195]
>Some interesting questions
>
>me personally
>
>no one has talked about restrictions of any sort (a la firewall), so let's say there aren't any. Just use 1 of 16 different custom queues... not really an effective tool for this job but hey. Design solutions it is...
>
>I also don't like the idea about this T1/DSL link stuff. I always advise customers to have the same: "If you want to have a SEAMLESS service, don't skimp... all things should be equal."
>Obviously it won't be totally seamless as you will have a lot of info going across 1 instead of 2 links, but it's closer than DSL.

Seamless can be good or bad. Seamless may make things simpler to understand, which is good. Seamless also reduces the number of implementations, which means you may be creating a somewhat abstract single point of failure: a bug in the implementation of one common hardware or software component. At the exchange points, for example, there is a conscious effort to run the route server software on different servers and operating systems, say a Sparc and an Alpha.

A T1 and DSL, unfortunately, are likely to use the same local loop, although they will be more diverse once they hit the CO. Much more attractive, from a fault tolerance standpoint, would be T1 and cable, or T1 and fixed wireless.
RE: Design Challenge - a bit off topic [7:195]
My DE and I were practically rolling on the floor with this one.

Rule number one: the customer is always right.

Rule number two: when the customer's head is where the sun don't shine, refer to rule number one. ;->

I agree with much of your assessment. Problem I have is that I work for a telco, and sometimes what we in the data side are given is the result of a telco account manager trying to meet T1 and DSL quota by making these kinds of suggestions. Gullible customers then latch on to what has been presented as a good idea. This RFI had all the markings of a telco-based solution.

I do have a question for you, based on something you stated below:

Recognizing that you have two outbound interfaces, T1 and DSL, how will custom queuing deliver the required packets to the appropriate interface?

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stephen Skinner
Sent: Wednesday, April 11, 2001 2:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Design Challenge - a bit off topic [7:195]

no one has talked about restrictions of any sort (a la firewall), so let's say there aren't any. Just use 1 of 16 different custom queues... not really an effective tool for this job but hey. Design solutions it is...
RE: Design Challenge - a bit off topic [7:195]
OK. I'm still studying, so I may well be WAY OFF the mark here... but John says:

>| Solution will entail two internet connections, a T1 and a DSL. Routing will
>| be configured such that priority traffic will use the T1 connection, and
>| ordinary internet browsing will use the DSL connection.

? You would need to define "priority traffic" and then assign a high priority queue, then assign that to an interface. Assign the rest of the traffic to another queue on the other (DSL) interface.

You know, I think that's the solution, but I am beginning to doubt myself... I swear I am missing something very basic and will be laughed at, but hey... I can always change my e-mail address...

best regards
steve

>From: "Chuck Larrieu"
>Subject: RE: Design Challenge - a bit off topic [7:195]
>Date: Wed, 11 Apr 2001 19:06:13 -0400
>
>Recognizing that you have two outbound interfaces, T1 and DSL, how will custom queuing deliver the required packets to the appropriate interface?
RE: Design Challenge - a bit off topic [7:195]
What's missing is that queueing in this context is only relevant on a per-interface basis. For instance, if you turn on custom queueing on an interface, all 16 queues belong to that interface. It would not be possible, nor would it make sense, to split up those queues between interfaces. Queueing only comes into play when a single interface becomes congested, and it allows the prioritization of certain traffic at the expense of other traffic. That wouldn't be the case here.

In the original post, "priority traffic" simply referred to the importance of that traffic relative to other traffic; it was not a reference to queueing. They want the higher priority traffic to take the T-1 and have the rest of the slobs checking stocks or looking up scores on www.espn.com go out the DSL line.

I hope that was fairly clear. I'm a little foggy this morning.

John

>>> "Stephen Skinner" 4/12/01 4:33:06 AM >>>
You would need to define "priority traffic" and then assign a high priority queue, then assign that to an interface. Assign the rest of the traffic to another queue on the other (DSL) interface.
RE: Design Challenge - a bit off topic [7:195]
Ok - only solution we could come up with pending better customer information or a better design idea:

Internet --- edge router --- firewall --- inside

Recall that there are two internet connections terminating on the edge router.

Policy routing on the edge router interface connecting to the firewall (inbound to the edge router).

Extended access-lists to identify and categorize the customer internet-bound traffic.

Policy routing implemented using a route-map which refers to the access-lists.

Howard's point was interesting - issue of redundancy being, perhaps, misunderstood. The RFI specifically mentioned failover if one or the other interfaces was down.

Here's where I am not sure even policy routing will assure failover. Packet matches a policy, it is forwarded to the designated interface. That path is down - packet dropped? I'm pretty sure that's how it works. So no automatic failover in the design above.

So - now what?

Chuck
RE: Design Challenge - a bit off topic [7:195]
How about this... Since the exit point is based on destination address, could you use floating static routes? For example...

    ! <host-A>, <host-B> are the priority destinations; <T1-nh>, <DSL-nh> the two next hops
    ip route <host-A> 255.255.255.255 <T1-nh> 50
    ip route <host-A> 255.255.255.255 <DSL-nh> 100
    ip route <host-B> 255.255.255.255 <T1-nh> 50
    ip route <host-B> 255.255.255.255 <DSL-nh> 100
    ip route 0.0.0.0 0.0.0.0 <DSL-nh> 50
    ip route 0.0.0.0 0.0.0.0 <T1-nh> 100

This would provide failover while also accomplishing the stated goal. The downside is that as the number of priority sites increases you'd have to add a new static route.

If I misunderstood the original goal and we are basing the exit point on internal source IP address, then policy routing would definitely be the way to go.

If you wanted to go completely overboard, you could run BGP on both links and set the WEIGHT attribute higher on the T-1 for the prefixes leading to the priority servers. That would also provide dynamic failover, but I wouldn't consider it to be the best solution. Besides, it's probably difficult to get a provider to run BGP over DSL.

John

>>> "Chuck Larrieu" 4/12/01 10:28:52 AM >>>
Here's where I am not sure even policy routing will assure failover. Packet matches a policy, it is forwarded to the designated interface. That path is down - packet dropped? I'm pretty sure that's how it works. So no automatic failover in the design above.

So - now what?
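Added example, not from any of the posts: one edge-router configuration that combines Chuck's policy-routing design, John's floating statics, and John's earlier point that NAT has to hand out the address of whichever provider the packet actually leaves on. Everything concrete here is assumed for illustration: Serial0/0 is the T1 to Provider A with next hop 198.51.100.1, Ethernet0/1 is a routed Ethernet handoff to the DSL modem (Provider B, next hop 203.0.113.1, not PPPoE), Ethernet0/0 faces the firewall at 10.1.1.2 with the customer's networks in 10.0.0.0/8 behind it, and 192.0.2.10 stands in for the "certain external web site". The addresses are documentation ranges and the names are made up.

```cisco
! Added example (not from the thread). Interfaces, next hops, the inside
! addressing and the 192.0.2.10 "priority" web server are all assumed.
!
! --- Classify the customer's "priority" traffic: e-mail plus one web site ---
ip access-list extended PRIORITY-OUT
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any host 192.0.2.10 eq www
!
! --- Policy routing: priority traffic is pushed to the T1 next hop.
! If Serial0/0 goes down, 198.51.100.1 is no longer on an up, directly
! connected interface; IOS then skips the set clause and forwards the packet
! by the routing table (the DSL default below). That is the failover Chuck
! asked about. A T1 that stays up but is black-holed upstream is NOT caught.
route-map PRIORITY-TO-T1 permit 10
 match ip address PRIORITY-OUT
 set ip next-hop 198.51.100.1
!
! --- NAT: translate to the address of the interface the packet really
! exits on, so the return traffic comes back over the same circuit
! (John's /27 versus /28 point). The route-maps match the output interface.
route-map NAT-VIA-T1 permit 10
 match interface Serial0/0
route-map NAT-VIA-DSL permit 10
 match interface Ethernet0/1
ip nat inside source route-map NAT-VIA-T1 interface Serial0/0 overload
ip nat inside source route-map NAT-VIA-DSL interface Ethernet0/1 overload
!
interface Ethernet0/0
 description inside, toward the firewall
 ip address 10.1.1.1 255.255.255.252
 ip nat inside
 ip policy route-map PRIORITY-TO-T1
!
interface Serial0/0
 description T1 to Provider A (assumed)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface Ethernet0/1
 description Ethernet handoff to the DSL modem, Provider B (assumed)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! --- Routing. Inside networks live behind the firewall.
ip route 10.0.0.0 255.0.0.0 10.1.1.2
!
! Everything that is not policy-routed takes the DSL. The floating default
! (AD 250) is only installed once the DSL default disappears with its
! interface, so ordinary browsing fails over to the T1.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! --- John's alternative for a handful of priority destinations: floating
! host routes instead of PBR. Same failover property and no route-map, but
! one pair of lines per destination and no way to match on port. Use one
! approach or the other; both are shown here for comparison only.
ip route 192.0.2.10 255.255.255.255 198.51.100.1 50
ip route 192.0.2.10 255.255.255.255 203.0.113.1 100
```

Three things to check before calling this done. `show route-map PRIORITY-TO-T1` counts policy matches and `debug ip policy` shows each decision, so you can confirm SMTP really leaves on Serial0/0 while a test browse to anything else leaves on Ethernet0/1; `show ip route` should show the AD 250 default only after Ethernet0/1 is shut. The PBR fallback and the floating statics both key off the interface going down, so a circuit that is up with a dead provider behind it needs either a BGP session with that provider or `set ip next-hop verify-availability` with an object-tracked probe on the T1 next hop. Finally, the NAT table keeps translations built for the old exit address until they age out, so established sessions break on failover anyway; `clear ip nat translation *` flushes them. If the firewall itself NATs, the edge router only ever sees the firewall's outside address, which is fine for this ACL (it matches destination and port) but rules out policy-routing by internal source host at the edge.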
RE: Design Challenge - a bit off topic [7:195]
>Ok - only solution we could come up with pending better customer information
>or a better design idea:
>
>Internet---edge router---firewall---inside
>
>Recall that there are two internet connections terminating on the edge
>router.
>
>Policy routing on the edge router interface connecting to the firewall.
>( inbound to the edge router )
>
>Extended access-lists to identify and categorize the customer internet-bound
>traffic
>
>Policy routing implemented using a route-map which refers to the
>access-lists
>
>Howard's point was interesting - issue of redundancy being, perhaps,
>misunderstood. The RFI specifically mentioned failover if one or the other
>interfaces was down..

I'm not clear about what you think I meant. Pause to resynchronize.

I find it hard to imagine any useful and safe scenario where routing updates pass transparently THROUGH a firewall. That doesn't preclude, however, having dynamic routing on both sides of a firewall or set of firewalls.

For example, if the servers on the inside of the firewalls were UNIX boxen that can understand RIP, the inside of the firewall could announce the default route in RIP, which would let the servers find the correct outgoing firewall. This doesn't mean that RIP would be your primary IGP, just that RIP is present on the perimeter network between the inside interface of the firewalls and the inside router. Another alternative would be VRRP on the firewalls. IRDP is probably too slow.

You certainly could have BGP on the outside of the firewall, speaking to the Internet.

Before there is too much hand-waving about asymmetrical routing, tell me again why that creates a major problem and how much effort it would take to reduce it (you can't get rid of it). Outgoing, from the inside to the outside, a client/server sends to a default gateway which is on one or the other firewall. The firewalls only need to know how to get to the DMZ, to which the external router(s) are connected.

Incoming, a packet passes the firewall, and has the destination address of the client/server. Your IGP should take care of that.

>Here's where I am not sure even policy routing will assure failover. Packet
>matches a policy, is forwarded to the designated interface. That path is
>down - packet dropped? I'm pretty sure that's how it works. So no automatic
>failover in the design above.

Well, there are things you could do that start involving layer 4 load balancers. But the question always has to be asked -- how important is "optimal utilization of lines" in contrast with the amount of complexity you need for it? Again and again, I see people spending more money on policy control, accounting, etc., than it would cost them (in resources and actual money) just to throw in more bandwidth and keep things simple.

>So - now what?
>
>Chuck
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>Chuck Larrieu
>Sent: Tuesday, April 10, 2001 11:07 PM
>To: [EMAIL PROTECTED]
>Subject: Design Challoenge - a bit off topic [7:195]
>
>Howard's comment brings to mind a problem my Design Engineer raised when
>responding to a customer RFI.
>
>Howard's comment: . (Pause for usual mystification on why someone wants
>routing protocols to pass through
>a firewall, a fairly frequent question).
>
>The customer RFI stated requirement ( wording as best as I can remember ):
>Solution will entail two internet connections, a T1 and a DSL. Routing will
>be configured such that priority traffic will use the T1 connection, and
>ordinary internet browsing will use the DSL connection.
>
>Lindy and I were having a real good laugh about the vagueness of the
>requirement, when we decided to try to come up with a solution. We came up
>with a number of questions for the customer to elaborate upon, and a
>possible solution. Would anyone else care to use this as a test of design
>issues?
>
>If memory serves, the customer defined "priority" traffic as e-mail and
>connectivity to a certain external web site.
>
>So:
>
>1) what are some of the questions the customer still needs to answer?
>
>2) What are some possible solutions to this requirement?
>( assume the T1 and the DSL terminate on the same router )
>
>Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=359&t=195
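The policy-routing design Chuck sketches in the quoted text (extended access-lists that classify the priority traffic, a route-map that refers to them, applied on the edge router's inside interface), written out as an added IOS configuration example that is not from anyone in this thread. All addresses and interface names are constructed placeholders, and the IP SLA tracking goes beyond the post to address the failover question raised above: a next hop whose reachability probe fails is skipped by the route-map, so the packet falls back to the normal routing table instead of being dropped.

```cisco
! Added example, not from the thread. Constructed addressing:
!   inside LAN                      10.1.0.0/16
!   T1 provider next hop            192.0.2.1    (Serial0/0)
!   DSL provider next hop           198.51.100.1 (Ethernet0/1)
!   the "certain external web site" 203.0.113.10
!
! 1. Classify the "priority" traffic: outbound mail and the one web site.
ip access-list extended PRIORITY-TRAFFIC
 permit tcp 10.1.0.0 0.0.255.255 any eq smtp
 permit tcp 10.1.0.0 0.0.255.255 any eq pop3
 permit tcp 10.1.0.0 0.0.255.255 host 203.0.113.10 eq www
!
! 2. Probe each upstream next hop; a failed probe withdraws that hop
!    from policy routing and from the tracked default route below.
!    (Assumption: the providers answer ICMP echo on these addresses.)
ip sla 1
 icmp-echo 192.0.2.1 source-interface Serial0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface Ethernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! 3. Route-map: priority traffic prefers the T1 and falls back to the DSL
!    hop if the T1 hop is unreachable. Clause 20 sets nothing, so ordinary
!    browsing is left to the routing table.
route-map DUAL-ISP permit 10
 match ip address PRIORITY-TRAFFIC
 set ip next-hop verify-availability 192.0.2.1 10 track 1
 set ip next-hop verify-availability 198.51.100.1 20 track 2
route-map DUAL-ISP permit 20
!
! 4. Default routes: DSL is primary for browsing; the T1 default has a
!    higher administrative distance (200) and is used only when the
!    tracked DSL next hop disappears.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 2
ip route 0.0.0.0 0.0.0.0 192.0.2.1 200 track 1
!
! 5. Apply the policy on the interface facing the firewall; PBR acts on
!    packets arriving inbound on this interface, i.e. outbound traffic only.
interface Ethernet0/0
 description inside, towards the firewall
 ip address 172.16.0.1 255.255.255.0
 ip policy route-map DUAL-ISP
```

Note that this only steers outbound traffic; replies arrive on whichever circuit the remote side routes them to, which is the asymmetry Howard describes, and the firewall must be able to accept that.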
