From: Victor Kasacavage (victor.kasacavage@ins.com)
Date: Tue Jun 08 2004 - 15:08:22 GMT-3
Right... it's about knowing how the protocols work. EIGRP cannot form a
neighbor relationship with another device that is not on the same
subnet, and most likely the firewall will block multicast traffic also,
but that is a secondary issue, as it was mentioned that the firewall could
probably be configured to allow multicast through.
As I said, you could build a tunnel through the firewall, but for the most
part in the real world this would violate a number of security practices,
and why have the firewall then anyway?
RIP can be made to work in this environment with the neighbor command. RIP
doesn't really care who the update is coming from, but using the neighbor
command will modify the packet from a broadcast to a unicast, thus allowing
it to pass through the firewall and be directed specifically to the other
router.
BGP is pretty straightforward as it relies on TCP to communicate. As long
as the devices are reachable, BGP should work.
When you know what the problem is, why it is, and what your options
are... things are a little easier to deal with.
BTW, one day I was brought into a meeting at a company that had their
primary contractor designing their network with EIGRP and firewalls in a
setup similar to what I just laid out. After he was done giving his 30-minute
presentation, I was provided the opportunity to stand up and say that
this will never work because... So, 6 months later the contractor
admits that it won't work after trying endlessly in a lab to get it running
and decides to use BGP to cross the firewall.
Theory does translate into reality sometimes :-)
HTH,
Victor
At 07:17 PM 6/8/2004 +0200, Daniel Sheedy wrote:
>Hi Joseph,
>
>I think the problem here is not exactly about the firewall. If you think
>about it, the firewall is introducing another subnet. How do you peer two
>EIGRP neighbors if they aren't on the same subnet? Bit tricky... :)
>
>Dan
>
>----- Original Message -----
>From: "Joseph D. Phillips" <jphillips@ufcwdrugtrust.org>
>To: "Group Study (E-mail)" <ccielab@groupstudy.com>
>Sent: Tuesday, June 08, 2004 7:05 PM
>Subject: EIGRP and firewalls
>
>
> > I would guess that you can't form a neighborship between an EIGRP speaker
> > with a public address and an EIGRP speaker behind a firewall whose address
> > is in the private range, thanks to network address translation.
> >
> > I should think, however, that there are ways of configuring firewalls to
> > allow the multicast hello traffic transit to the necessary interfaces. The
> > firewall I use at work does routing as well.
> >
> > -----Original Message-----
> > From: Joe Chang [mailto:changjoe@earthlink.net]
> > Sent: Tuesday, June 08, 2004 09:54
> > To: Victor Kasacavage; Moreau, Franck; ccielab@groupstudy.com; 'Dan'
> > Subject: Re: My first but not last :( - Need your help.
> >
> >
> > I guess the question would be whether the firewall can alter the IP
> > information in EIGRP's RTP packets. Would a Cisco manufactured firewall be
> > able to do that?
> >
> > By the way, that's some great advice, thank you Victor.
> >
> > > RTR A ---- FIREWALL --- RTR B
> > >
> > > RTR A and RTR B use EIGRP. Make the routes in RTR A appear on RTR B
> > > routing table.
> > >
> > > Now, what is the problem being presented
> > > what are the possible options
> > > which is the best possible solution
> > >
> > > The problem is that EIGRP doesn't work through firewalls.....why? It is
> > > very important to understand the why part as this will let you know if you
> > > really understand how EIGRP works (I'll leave this one up to the group)
> >
> > _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
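The three cases Victor lays out (EIGRP hellos needing an on-subnet neighbor, RIP made unicast with the `neighbor` command, BGP riding on TCP) can be checked side by side in a small model. The script below is an added example, not code from the thread or from any of its participants. It encodes only the protocol facts discussed above plus two IOS details a practitioner hits in practice (RIP's default `validate-update-source` check and eBGP's default TTL of 1, which `ebgp-multihop` relaxes); the topology, the addresses, the `FirewallPolicy` fields and all function names are constructed for illustration.

```python
"""Which routing-protocol adjacencies can survive a routed firewall (added example)."""
import ipaddress
from dataclasses import dataclass, field

EIGRP_HELLO_GROUP = ipaddress.ip_address("224.0.0.10")  # EIGRP multicast hello group
EIGRP_IP_PROTOCOL = 88   # EIGRP rides directly on IP as protocol number 88
RIP_UDP_PORT = 520       # RIP updates, broadcast/224.0.0.9 or unicast with `neighbor`
BGP_TCP_PORT = 179       # BGP session


@dataclass
class Router:
    name: str
    iface: ipaddress.IPv4Interface   # address/prefix of the firewall-facing interface


@dataclass
class FirewallPolicy:
    """Constructed model of the firewall sitting between the two routers."""
    allow_multicast: bool = False              # only meaningful for a bridged/transparent firewall
    allowed_udp_ports: set = field(default_factory=set)
    allowed_tcp_ports: set = field(default_factory=set)


def make_router(name: str, cidr: str) -> Router:
    return Router(name, ipaddress.ip_interface(cidr))


def same_subnet(a: Router, b: Router) -> bool:
    return a.iface.network == b.iface.network


def eigrp_adjacency(a: Router, b: Router, fw: FirewallPolicy):
    """EIGRP hellos are link-local multicast and a neighbor is accepted only
    when its source address lies inside the receiving interface's subnet.
    A routed firewall therefore fails on the first check; a transparent one
    still needs the multicast group let through."""
    if not same_subnet(a, b):
        return False, f"{a.name} and {b.name} are on different subnets"
    if not fw.allow_multicast:
        return False, f"firewall drops hellos to {EIGRP_HELLO_GROUP} (IP protocol {EIGRP_IP_PROTOCOL})"
    return True, "ok"


def rip_adjacency(a, b, fw, neighbor_cmd=False, validate_update_source=True):
    """RIP forms no adjacency; updates only have to arrive.  The IOS `neighbor`
    command sends them as unicast UDP 520, which a firewall can be told to pass.
    IOS also rejects updates from off-subnet sources unless
    `no validate-update-source` is configured on the receiver."""
    if not neighbor_cmd:
        return False, "broadcast/224.0.0.9 updates do not cross a routed firewall; configure `neighbor`"
    if RIP_UDP_PORT not in fw.allowed_udp_ports:
        return False, f"firewall does not permit UDP {RIP_UDP_PORT}"
    if validate_update_source and not same_subnet(a, b):
        return False, "receiver rejects off-subnet source; needs `no validate-update-source`"
    return True, "ok"


def bgp_session(a, b, fw, ebgp=True, ebgp_multihop=False):
    """BGP runs over TCP, so reachability and TCP 179 are what matter.  eBGP
    sends with TTL 1 by default, so peers that are not directly connected also
    need `ebgp-multihop`; iBGP does not have that restriction."""
    if BGP_TCP_PORT not in fw.allowed_tcp_ports:
        return False, f"firewall does not permit TCP {BGP_TCP_PORT}"
    if ebgp and not same_subnet(a, b) and not ebgp_multihop:
        return False, "eBGP peers are not directly connected; needs `ebgp-multihop`"
    return True, "ok"


def evaluate(a, b, fw):
    """Run the three options with the configuration each one needs to work."""
    return {
        "eigrp": eigrp_adjacency(a, b, fw),
        "rip+neighbor": rip_adjacency(a, b, fw, neighbor_cmd=True, validate_update_source=False),
        "bgp": bgp_session(a, b, fw, ebgp=True, ebgp_multihop=True),
    }


if __name__ == "__main__":
    # Constructed topology from the thread: RTR A ---- FIREWALL ---- RTR B,
    # one subnet on each side of the firewall.
    rtr_a = make_router("RTR A", "192.0.2.1/24")
    rtr_b = make_router("RTR B", "198.51.100.1/24")
    fw = FirewallPolicy(allow_multicast=False, allowed_udp_ports={520}, allowed_tcp_ports={179})
    for proto, (ok, why) in evaluate(rtr_a, rtr_b, fw).items():
        print(f"{proto:13s} {'works' if ok else 'fails':5s} {why}")
```

Running it for the two-subnet topology reports EIGRP failing on the subnet check before the firewall policy is even consulted, RIP working only once both `neighbor` and `no validate-update-source` are in place, and BGP working with TCP 179 permitted and `ebgp-multihop` set. The firewall rules this produces are narrow (one UDP or TCP port between two known addresses), which is the point Victor makes against tunnelling through the firewall instead.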
This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:35 GMT-3