shannong Sun, 06/22/2003 - 06:59

First, I'd have to ask why you want your external router and internal router to exchange information. That is not a good idea from a security standpoint.


RIP will probably not work for your needs because the Pix does not advertise routes it receives or its own interfaces. It will only receive advertisements and advertise a default route.


Pix 6.3+ supports OSPF, so you can use this to exchange information from inside to outside. All three routers would need to run OSPF: Pix, Inside router, and Outside router.


Also, you can open up TCP/179 coming inside and run BGP between the inside router and outside router. This is advantageous in that the Pix does not actually need to participate in the process. However, it may not solve what you're trying to accomplish.


-S

jrhofman Sun, 06/22/2003 - 07:23

My goal would be to get a default route sent to my internet router via BGP and then propagate that into our internal network. I know that BGP was an option but there are political reasons for not being able to run both EIGRP and BGP in our Core 6500's. I thought the internet router might make a good demarcation point for EGP/IGP.


Right now we have static routes pointing to the internet router (via the firewall). I need this route to go away if the internet connection goes down so that we can take a different route to the internet (via another remote site in our Intranet). Sounds like BGP to our core might be the only option.


Any insights would be helpful..


Thanks.....

shannong Mon, 06/23/2003 - 09:32

Normally, you want your firewall to be the "demarc" of all internal information and routing protocols and not the Internet connected router.


My preference for this scenario would be to use BGP.


Is the network block being accessed from this Internet router the same as network block that is being accessed from the alternate Internet router(s)? Or do the Internet routers provide access to different public network blocks?


This might be possible by using RIP between the Internet router and the Pix, and then RIP again between the Pix and the 6500s. However, I'm not sure if the Pix handles the default route advertisement the same as a router.


The question to be answered is: Will the Pix continue to advertise the default route inside to the 6500s even if it loses the default route from the Internet router. On a router, this behavior would be configured using "default-information originate always". As you probably know, RIP on the Pix doesn't behave "normal" and I haven't used RIP on a Pix in this manner.


If the Pix does not advertise the default route "always", then you can accomplish this configuration by running RIP on the Pix. You wouldn't even need BGP on the external router, though you still can. The default route on the external router can point to the interface (assuming it's not multi-access) or use the "default-network" command, or run BGP. Then RIP would be used on the Internet router to advertise a default route to the Pix. The Pix would advertise a default route to the 6500s. When the interface goes down on the Internet router, the default route would be lost on the Internet router. The Pix would lose the default route from the Internet router. And assuming the first statement of this paragraph, the Pix would no longer advertise the route to the 6500s. Voila! Failover to the alternate internal route.
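The RIP-based design described in the post above, written out as a configuration for the three boxes; this is an added illustration, not configuration from the thread, and it also adds RIP v2 MD5 authentication plus passive interfaces so that routing updates are neither accepted from nor leaked onto links other than the firewall path. Interface names, the RFC 5737 documentation addresses, the VLAN number, the EIGRP AS number and the key string are all assumed.

```cisco
! ---- Internet router (IOS) ----
! Assumed: Serial0/0 = ISP uplink, FastEthernet0/0 = link to Pix outside
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIPKEY
!
key chain RIPKEY
 key 1
  key-string EXAMPLE-KEY        ! assumed, replace
!
! Default route tied to the ISP interface: it leaves the routing table when
! Serial0/0 goes down, which is what drives the failover described above.
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
router rip
 version 2
 passive-interface default       ! send/accept RIP only toward the Pix
 no passive-interface FastEthernet0/0
 network 192.0.2.0
 default-information originate   ! 0.0.0.0/0 advertised only while it is installed
!
! ---- Pix 6.3 ----
! Listen for the default from the router on outside, advertise a default on inside.
rip outside passive version 2 authentication md5 EXAMPLE-KEY 1
rip inside default version 2 authentication md5 EXAMPLE-KEY 1
!
! ---- Core 6500 (IOS) ----
! Assumed: Vlan100 = firewall-facing VLAN; alternate default arrives via EIGRP
interface Vlan100
 ip address 10.0.100.2 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIPKEY
!
router rip
 version 2
 passive-interface default
 no passive-interface Vlan100
 network 10.0.0.0
!
router eigrp 100
 redistribute rip metric 10000 100 255 1 1500
```

While the Pix advertises the default, the core prefers it because RIP (administrative distance 120) beats an EIGRP-external default from the remote site (distance 170), and the EIGRP route takes over once the RIP default is withdrawn. The open question in the post, whether `rip inside default` stops advertising once the Pix loses the default from the Internet router, is exactly what this configuration depends on and should be confirmed in a lab before it is relied on for failover.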

