RE: BGP OSPF question

From: Biggs, Jeff\(M/IRM/TSI:SRA\) (JBiggs@usaid.gov)
Date: Wed Mar 28 2007 - 09:18:49 ART


If you are trying to inject an alternate default route (in our case)
that will fail over automatically to a different path should the path
outside the firewall fail.

JB

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
shiran guez
Sent: Tuesday, March 27, 2007 4:29 PM
To: Stephen Lee
Cc: nem chua; maureen schaar; Cisco certification
Subject: Re: BGP OSPF question

I wonder if you only have one router on internal and one on external why
do you need to use IGP and BGP?

One internal will have only one route and external router unless you are
connected to 2 providers you have no use of BGP and even if you were
connected to 2 providers you can do without BGP.

Ok, for the argument's sake if you want to enable IGP on the internal and
BGP on the external you need to decide what to do with the Firewall

why not put the Do such scheme

Network --> Firewall --> Internal Router --> External Router

or

IGP on both Internal and Firewall either RIP/OSPF and External BGP

Shiran
On 3/27/07, Stephen Lee <slee@packet360.com> wrote:
>
> Why not run OSPF on the Firewall? Most firewalls support it.
>
> Thanks,
> Steve
>
> Stephen S. Lee
> Senior Systems Engineer
> slee@packet360.com
> PACKET360, INC.
> 100 East Shore Drive
> Glen Allen, VA 23059 USA
>
> Direct 804.545.4705
> Main 804.545.4700
> Toll Free 877.998.3600
> Fax 804.545.4759
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> nem chua
> Sent: Tuesday, March 27, 2007 2:47 PM
> To: maureen schaar
> Cc: Cisco certification
> Subject: Re: BGP OSPF question
>
> so it looks like ibgp or EBGP is the only way to get these routes from
> behind the firewall to pass routes into the internal network. I just
> like to keep the internal network simple with one protocol, but looks
> like I don't have a choice.
>
> Thank you all for your response.
>
>
> On 3/27/07, maureen schaar <maureen.schaar@gmail.com> wrote:
> >
> > Sorry, will not work with ospf. Check the other post. You would have
> > to make both routes believe they are on the same subnet. Not a very
> > nice configuration with ospf.
> >
> >
> > On 3/27/07, nem chua <nemthuduc@gmail.com> wrote:
> > > Hi, thank you all for your reply. You're absolutely right about
> > > IBGP neighbor does not have to be directly connected. Assuming OSPF
> > > is the protocol using a neighbor statement and ospf nonbroadcast
> > > network will allow OSPF to send unicast messages to the neighbor one
> > > hop away and establish adjacency across the layer 3 firewall? That
> > > would be perfect.
> > >
> > >
> > > On 3/27/07, maureen schaar <maureen.schaar@gmail.com> wrote:
> > > > With ibgp there is no need for multihop. You can already peer with
> > > > ibgp on for example the loopbacks without any special config
> > > > (besides setting the update-source). Just needs an underlying igp
> > > > route!
> > > >
> > > > For the other protocols, if not using a tunnel, you would have to
> > > > find a way to establish an adjacency without
> > > > broadcasting/multicasting. So that would mean:
> > > >
> > > > RIP: passive-interface default + neighbor x.x.x.x
> > > > OSPF: ip ospf network-type nonbroadcast + neighbor x.x.x.x
> > > > EIGRP: neighbor x.x.x.x <outgoing intf>
> > > >
> > > > Maureen
> > > >
> > > > On 3/27/07, nem chua <nemthuduc@gmail.com> wrote:
> > > > > Hi all, I have a unique scenario where we need to establish a
> > > > > dynamic routing protocol over layer 3 firewalls. With EBGP we can
> > > > > do multihop to skip the firewall, but with other protocols such as
> > > > > ospf, eigrp, rip, is there any option to establish a neighbor
> > > > > without using GRE to tunnel over the firewall? Assume in all cases
> > > > > the firewall cannot participate in any routing protocol.
> > > > >
> > > > > Is there a way to do multihop with ibgp? Is there a hop count
> > > > > limit to multihop?
> > > > >
> > > > > Thanks much.
> > > > >
> > > > >
> > >
>
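
An added configuration sketch, not part of the original thread, of the iBGP option discussed above: two routers peering across a layer 3 firewall that runs no routing protocol, with the firewall passing only the BGP session between the two peers. The AS number, addresses, interface names and ACL name are assumptions, and `<shared-secret>` is a placeholder.

```cisco
! Constructed example. Addresses, AS number and interface names are
! assumptions; <shared-secret> is a placeholder.
!
! Topology: R-INT 192.0.2.2 -- (192.0.2.1) firewall (198.51.100.1) -- 198.51.100.2 R-EXT
! The firewall routes between the two subnets but runs no routing protocol.
!
! ---- R-INT (internal router) ----
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
!
! Underlying route to the peer: static, because the firewall does not
! speak an IGP.
ip route 198.51.100.2 255.255.255.255 192.0.2.1
!
router bgp 65000
 neighbor 198.51.100.2 remote-as 65000
 neighbor 198.51.100.2 update-source GigabitEthernet0/0
 neighbor 198.51.100.2 password <shared-secret>
!
! ---- R-EXT (external router) ----
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.252
!
ip route 192.0.2.2 255.255.255.255 198.51.100.1
!
router bgp 65000
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 update-source GigabitEthernet0/1
 neighbor 192.0.2.2 password <shared-secret>
 ! Advertise a default route to R-INT; R-INT drops it when the session goes down.
 neighbor 192.0.2.2 default-originate
!
! ---- Firewall policy (written as an IOS-style ACL for illustration) ----
! Only the two peers, only TCP/179; either side may open the session.
! Place these entries ahead of the existing policy.
ip access-list extended BGP-PEERS
 permit tcp host 192.0.2.2 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.2 host 192.0.2.2 eq bgp
 ! Return traffic, needed only if the filtering device is stateless
 permit tcp host 192.0.2.2 eq bgp host 198.51.100.2
 permit tcp host 198.51.100.2 eq bgp host 192.0.2.2
```

If the firewall rewrites TCP sequence numbers or strips TCP option 19, the `password` (TCP MD5) check fails and the session never establishes, so exempt this one peering flow from those features.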


