Re: BGP OSPF question

From: nem chua (nemthuduc@gmail.com)
Date: Tue Mar 27 2007 - 16:08:39 ART


We have to, since we need to provide dynamic failover across our internal
networks at different locations for these different DMZs outside the
firewalls.

client A--------dmz------firewallA--------internal network-----------firewall B---------dmz -------client A

On 3/27/07, maureen schaar <maureen.schaar@gmail.com> wrote:
>
> Assuming running a dynamic protocol through the firewall fits into
> your security policies....
>
> On 3/27/07, nem chua <nemthuduc@gmail.com> wrote:
> > So it looks like ibgp or EBGP is the only way to get these routes from
> > behind the firewall to pass routes into the internal network. I just like
> > to keep the internal network simple with one protocol, but looks like I
> > don't have a choice.
> >
> > Thank you all for your response.
> >
> >
> >
> > On 3/27/07, maureen schaar <maureen.schaar@gmail.com> wrote:
> > > Sorry, will not work with ospf. Check the other post. You would have
> > > to make both routes believe they are on the same subnet. Not a very
> > > nice configuration with ospf.
> > >
> > >
> > > On 3/27/07, nem chua <nemthuduc@gmail.com> wrote:
> > > > Hi, thank you all for your reply. You're absolutely right about IBGP
> > > > neighbor does not have to be directly connected. Assuming OSPF is the
> > > > protocol using a neighbor statement and ospf nonbroadcast network will
> > > > allow OSPF to send unicast messages to the neighbor one hop away and
> > > > establish adjacency across the layer 3 firewall? That would be perfect.
> > > >
> > > >
> > > > On 3/27/07, maureen schaar <maureen.schaar@gmail.com> wrote:
> > > > > With ibgp there is no need for multihop. You can already peer with
> > > > > ibgp on for example the loopbacks without any special config (besides
> > > > > setting the update-source). Just needs an underlying igp route!
> > > > >
> > > > > For the other protocols, if not using a tunnel, you would have to find
> > > > > a way to establish an adjacency without broadcasting/multicasting. So
> > > > > that would mean:
> > > > >
> > > > > RIP: passive-interface default + neighbor x.x.x.x
> > > > > OSPF: ip ospf network-type nonbroadcast + neighbor x.x.x.x
> > > > > EIGRP: neighbor x.x.x.x <outgoing intf>
> > > > >
> > > > > Maureen
> > > > >
> > > > > On 3/27/07, nem chua <nemthuduc@gmail.com> wrote:
> > > > > > Hi all, I have a unique scenario where we need to establish a dynamic
> > > > > > routing protocol over layer 3 firewalls. With EBGP we can do multihop
> > > > > > to skip the firewall, but with other protocols such as ospf, eigrp,
> > > > > > rip, is there any option to establish a neighbor without using GRE to
> > > > > > tunnel over the firewall? Assume in all cases the firewall cannot
> > > > > > participate in any routing protocol.
> > > > > >
> > > > > > Is there a way to do multihop with ibgp? Is there a hop count limit to
> > > > > > multihop?
> > > > > >
> > > > > > Thanks much.
> > > > > >
> > > > > >
> > > >
> > _______________________________________________________________________
> > > > > > Subscription information may be found at:
> > > > > > http://www.groupstudy.com/list/CCIELab.html
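
The iBGP loopback peering across a firewall that the thread settles on, as an added example that is not part of the original posts: Cisco IOS configuration for the router in one DMZ and its peer on the internal network. All addresses, the AS number, the prefix-list name and the password placeholder are assumptions, and a static route stands in for the underlying route to the peer's loopback because the firewall is assumed not to run any routing protocol.

```cisco
! Constructed example. R-DMZ sits outside firewall A, R-INT on the internal
! network. Addresses, AS 65000 and the name DMZ-A-IN are assumptions.
!
! Firewall A policy needed for this session (vendor syntax not shown):
!   permit tcp between 10.255.0.1 and 10.255.0.2, port 179, both directions
!   nothing else between the two routers is required for the peering itself

! ---------- R-DMZ ----------
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Underlying route to the peer loopback, next hop = firewall A DMZ-side address
ip route 10.255.0.2 255.255.255.255 192.168.10.1
!
router bgp 65000
 ! Same AS on both sides, so this is iBGP and needs no multihop setting
 neighbor 10.255.0.2 remote-as 65000
 ! Source the TCP session from the loopback the peer is configured to expect
 neighbor 10.255.0.2 update-source Loopback0
 ! TCP MD5 authentication of the session; replace the placeholder
 neighbor 10.255.0.2 password <shared-secret>
 ! Advertise the DMZ subnet (must be present in this router's routing table)
 network 172.16.10.0 mask 255.255.255.0

! ---------- R-INT ----------
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
! Underlying route to the peer loopback, next hop = firewall A inside address
ip route 10.255.0.1 255.255.255.255 192.168.20.1
!
! Accept only the DMZ subnet from the router outside the firewall
ip prefix-list DMZ-A-IN seq 10 permit 172.16.10.0/24
!
router bgp 65000
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.1 password <shared-secret>
 neighbor 10.255.0.1 prefix-list DMZ-A-IN in
```

The inbound prefix list keeps the internal network from accepting anything but the expected DMZ prefix from a router that sits outside the firewall, and `show ip bgp summary` on either router confirms whether the session has established.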


