Re: BGP OSPF question

From: nem chua (nemthuduc@gmail.com)
Date: Tue Mar 27 2007 - 21:47:42 ART


Thanks for all your responses.

The goal is to make the internal and dmz network communicate via one single
protocol such as ospf over the firewall. Our firewall admin doesn't like to
turn on ospf on their firewall; the only thing left to do is to talk bgp
over the firewall to allow that communication, so I think bgp is the choice:

 internal router ---ibgp--- firewall ---ibgp--- dmz routers ---ebgp--- dmz clients

On 3/27/07, shiran guez <shiranp3@gmail.com> wrote:
>
> I wonder if you only have one router on internal and one on external why
> do you need to use IGP and BGP?
>
> one internal will have only one route and external router unless you are
> connected to 2 providers you have no use of BGP and even if you were
> connected to 2 providers you can do without BGP.
>
> Ok, for argument's sake if you want to enable IGP on the internal and
> BGP on the external you need to decide what to do with the Firewall
>
> why not put the Do such scheme
>
> Network --> Firewall --> Internal Router --> External Router
>
> or
>
> IGP on both Internal and Firewall either RIP/OSPF and External BGP
>
>
> Shiran
> On 3/27/07, Stephen Lee <slee@packet360.com> wrote:
> >
> > Why not run OSPF on the Firewall? Most firewalls support it.
> >
> > Thanks,
> > Steve
> >
> > Stephen S. Lee
> > Senior Systems Engineer
> > slee@packet360.com
> > PACKET360, INC.
> > 100 East Shore Drive
> > Glen Allen, VA 23059 USA
> >
> > Direct 804.545.4705
> > Main 804.545.4700
> > Toll Free 877.998.3600
> > Fax 804.545.4759
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com ] On Behalf Of
> > nem chua
> > Sent: Tuesday, March 27, 2007 2:47 PM
> > To: maureen schaar
> > Cc: Cisco certification
> > Subject: Re: BGP OSPF question
> >
> > so it looks like ibgp or EBGP is the only way to get these routes from
> > behind the firewall to pass routes into the internal network. I just
> > like
> > to keep the internal network simple with one protocol, but looks like I
> > don't have a choice.
> >
> > Thank you all for your response.
> >
> >
> > On 3/27/07, maureen schaar <maureen.schaar@gmail.com> wrote:
> > >
> > > Sorry, will not work with ospf. Check the other post. You would have
> > > to make both routes believe they are on the same subnet. Not a very
> > > nice configuration with ospf.
> > >
> > >
> > > On 3/27/07, nem chua <nemthuduc@gmail.com> wrote:
> > > > Hi, thank you all for your reply. You're absolutely right about
> > IBGP
> > > > neighbor does not have to be directly connected. Assuming OSPF is
> > the
> > > > protocol using a neighbor statement and ospf nonbroadcast network
> > will
> > > allow
> > > > OSPF to send unicast messages to the neighbor one hop away and
> > establish
> > > > adjacency across the layer 3 firewall? That would be perfect.
> > > >
> > > >
> > > > On 3/27/07, maureen schaar <maureen.schaar@gmail.com> wrote:
> > > > > With ibgp there is no need for multihop. You can already peer with
> > > > > ibgp on for example the loopbacks without any special config
> > (besides
> > > > > setting the update-source). Just needs an underlying igp route!
> > > > >
> > > > > For the other protocols, if not using a tunnel, you would have to
> > find
> > > > > a way to establish an adjacency without broadcasting/multicasting.
> > So
> > > > > that would mean:
> > > > >
> > > > > RIP: passive-interface default + neighbor x.x.x.x
> > > > > OSPF: ip ospf network-type nonbroadcast + neighbor x.x.x.x
> > > > > EIGRP: neighbor x.x.x.x <outgoing intf>
> > > > >
> > > > > Maureen
> > > > >
> > > > > > On 3/27/07, nem chua <nemthuduc@gmail.com> wrote:
> > > > > > Hi all, I have a unique scenario where we need to establish a
> > > dynamic
> > > > > > routing protocol over layer 3 firewalls. With EBGP we can do
> > > multihop
> > > > to
> > > > > > > skip the firewall, but with other protocols such as ospf, eigrp,
> >
> > > rip, is
> > > > > > there any option to establish a neighbor without using GRE to
> > tunnel
> > > > over
> > > > > > the firewall? Assume in all cases the firewall cannot
> > participate
> > > in
> > > > any
> > > > > > routing protocol.
> > > > > >
> > > > > > Is there a way to do multihop with ibgp? Is there a hop count
> > limit
> > > to
> > > > > > multihop?
> > > > > >
> > > > > > > Thanks much.
> > > > > >
> > > > > >
> > > >
> > _______________________________________________________________________
> > > > > > Subscription information may be found at:
> > > > > > http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
>
>
> --
> Shiran Guez
> MCSE CCNP NCE1
> http://cciep3.blogspot.com
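
The iBGP-across-the-firewall design discussed in this thread, sketched as Cisco IOS configuration (an added example, not part of the original messages). All addresses, the private AS 65000, the loopback numbering and the `<shared-secret>` placeholder are constructed; the firewall is assumed to route statically and run no routing protocol.

```text
! ---- Internal router (constructed addressing) ----
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! No IGP crosses the firewall, so the peer loopback is reached statically
! via the firewall's inside interface (10.1.1.254, constructed).
ip route 10.255.0.2 255.255.255.255 10.1.1.254
!
router bgp 65000
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 ! TCP MD5 authentication on the session that transits the firewall
 neighbor 10.255.0.2 password <shared-secret>
!
! ---- DMZ router ----
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
! Firewall's DMZ interface (10.2.2.254, constructed)
ip route 10.255.0.1 255.255.255.255 10.2.2.254
!
router bgp 65000
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.1 password <shared-secret>
 ! Routes learned over eBGP from the DMZ clients keep the client's
 ! next hop by default; rewrite it so the internal router can resolve it.
 neighbor 10.255.0.1 next-hop-self
!
! ---- Firewall policy (vendor-neutral, as comments) ----
! static route 10.255.0.1/32 -> internal router
! static route 10.255.0.2/32 -> DMZ router
! permit tcp host 10.255.0.1 host 10.255.0.2 eq 179
! permit tcp host 10.255.0.2 host 10.255.0.1 eq 179
!   (either router may open the session, so allow both directions)
! deny everything else between the two loopbacks
```

Because the firewall learns nothing from BGP, it still needs static routes for every prefix the routers exchange, or traffic following the BGP routes is dropped there. A firewall that randomizes TCP sequence numbers or strips TCP option 19 will break the `neighbor ... password` (MD5) session until the peering flow is exempted.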



This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:53 ART