Currently our network uses all static routes and we've gotten so big the overhead has become a real pain. We've decided to implement a dynamic routing protocol. First question: Can EIGRP exchange routes across a firewall? We have a firewall sitting between our LAN and our WAN. We want to be able to make a route change on the LAN core and have it propagate across the fw to the WAN Core.
Other Question: I know you can re-distribute EIGRP routes onto BGP, but can you go the other way? Like if we receive a BGP route from one of our connections, will it re-distribute those routes back to EIGRP?
Thanks in advance!
Q1 Answer: All Routing Protocols can work through the Firewall, provided the conditions are met, and the conditions would be:
1. Firewall allows the respective Protocols/Ports or IP Numbers through it.
2. (Less preferred) Firewall itself participates in the Routing.
Q2 Answer: Sure, on Cisco the Redistribution can always work in any way; however, one should be extra cautious whenever you redistribute to any protocol.
If it's just a summarized route there is nothing to worry about, otherwise it can create havoc in the network.
If you give us more specific details about the situation, we would love to answer in the details.
Hope this Helps,
Please rate if it helps.
The reason I ask about #1 is I thought for two routers to exchange routing information that had to be directly connected (or at least be on the same subnet). But, if the LAN core is connected to Eth0 of the fw and the WAN is on eth1, will it still work?
Yes, it will still work. As suggested by Wilson, you have to allow the respective Protocols/Ports or IP Numbers through it. I remember I had set up a lab where EIGRP was allowed to run across a FWSM in a cat6500 chassis.
Depending on how you plan to proceed, the firewall may only participate in routing if you use a standards-based routing protocol.
(See the Pix config guide)
Consider using network statements instead of redistribution into BGP. It's a bit safer.
I would use network statements internally, but our WAN core receives routes via BGP from a handful of customers. I'd need to redistribute those routes back internal to EIGRP and vice versa :).
Are you an ISP? Are you getting the full BGP routes? It is never suggested to redistribute BGP full routes into an IGP, as it can bring the whole IGP network to a halt. If you have a router with low CPU and memory running this, it will die on you.
Here is a sample config to run BGP across a firewall:
We are not an ISP. We have a leased line to our sister company. They advertise their routes via BGP into one of our WAN routers. We want to use EIGRP between all of our WAN routers as well as our LAN Core. There is a fw between the WAN and LAN. We then want to re-advertise those EIGRP routes via BGP out the WAN router that has the P2P connection to our sister company as well as their BGP routes re-advertised via EIGRP back into our WAN. Am I confusing anyone yet? :)
If we pretend that you didn't have your firewall in the network it is pretty straight forward to pass the networks between BGP and EIGRP.
If all your BGP routes are EBGP and you are only doing this redistribution from BGP to EIGRP and EIGRP to BGP in one router per location, you should be able to just configure redistribution in both protocols and it will work.
If you have IBGP routes you will have to use a bgp option to redistribute internal but you can get routing loops doing this. You also have to worry about routing loops if you have multiple routers at each location doing this.
Now your bigger problem is the firewall.
Unless your firewall is acting as a bridge you will not be able to pass EIGRP through the firewall. Your only option is to run GRE tunnels from your outside router to your inside router and pass all your traffic and EIGRP through the tunnel. Your firewall rules will have to be changed to look inside the tunnels.
With some fancy configuration you could run BGP through the firewall and just use static routes in the firewall.
Depending on who makes your firewall many support OSPF and BGP but I don't think there are any that can do EIGRP.
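An added example of the mutual BGP/EIGRP redistribution this reply describes, written for the single Cisco IOS WAN router that speaks both protocols. It is not from the thread or from any poster; the EIGRP AS (100), the BGP AS numbers (65001 local, 65002 sister company), the peer address 192.0.2.2 and the prefixes are all constructed. The loop guard is a route tag: a prefix that entered EIGRP from BGP carries tag 65002, and anything with that tag is refused on the way back into BGP. Prefix lists and maximum-prefix bound what each side can inject, which is the protection against a peer's table swamping the IGP.

```cisco
! Constructed example: the one WAN router running EBGP to the sister
! company and EIGRP to our WAN and LAN. Addresses and AS numbers are
! hypothetical.
!
! What we are willing to accept from the sister company into EIGRP
ip prefix-list SISTER-NETS seq 10 permit 10.200.0.0/16 le 24
! What we are willing to announce from EIGRP to the sister company
ip prefix-list OUR-NETS seq 10 permit 10.0.0.0/8 le 24
!
! BGP -> EIGRP: accept only listed prefixes and tag them on entry
route-map BGP-TO-EIGRP permit 10
 match ip address prefix-list SISTER-NETS
 set tag 65002
route-map BGP-TO-EIGRP deny 20
!
! EIGRP -> BGP: never send back what came in from BGP (tag 65002),
! then allow only our own address space
route-map EIGRP-TO-BGP deny 5
 match tag 65002
route-map EIGRP-TO-BGP permit 10
 match ip address prefix-list OUR-NETS
route-map EIGRP-TO-BGP deny 20
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
 ! EIGRP needs a seed metric (bw delay rel load mtu) for redistributed routes
 redistribute bgp 65001 metric 10000 100 255 1 1500 route-map BGP-TO-EIGRP
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 description Sister company P2P
 ! Tear the session down rather than absorb an unexpected full table
 neighbor 192.0.2.2 maximum-prefix 500
 neighbor 192.0.2.2 prefix-list SISTER-NETS in
 redistribute eigrp 100 route-map EIGRP-TO-BGP
 no auto-summary
```

The reverse loop (our own prefixes coming back from the sister company) is already stopped by BGP itself, since the update would carry AS 65001 in its AS path. The tag check matters because EIGRP has no such memory of where a route came from. After applying it, `show ip eigrp topology` should list the sister's prefixes as external routes with tag 65002, and `show ip bgp` should show no 10.200.0.0/16 entries originated locally.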
We won't be running BGP internally. BGP is only on 1 router (the going with the P2P connection to our sister company). Therefore BGP is not what needs to go across the fw. I need EIGRP between the LAN Core router and the WAN core router. BGP is between one WAN router at our physical location and our sister company.
That is what I suspected. Your only option is to put a tunnel between the LAN core and the WAN core if you want to run EIGRP between these routers. You can then just do your redistributions on the WAN router that is running both BGP and EIGRP.
Tunnels can cause you all kinds of issues with MTU, router load and firewall configuration so you have to be careful when you first set this up.
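An added example of the tunnel setup this reply recommends, covering the three things it warns about (MTU, firewall rules and keeping the routers honest about the tunnel endpoints). It is not from the thread or from any poster; the addresses, interface names, EIGRP AS 100 and the key string are constructed, and the firewall lines assume ASA/PIX 7-style access-list syntax. EIGRP peers only across the tunnel, the tunnel packets are authenticated, and a static route pins each tunnel endpoint to the path through the firewall so the tunnel can never be routed through itself.

```cisco
! Constructed example: GRE tunnel carrying EIGRP between the LAN core and
! the WAN core across a routed firewall. All addresses, names and keys are
! hypothetical.
!
! ---- LAN core (inside; firewall inside address is 10.1.1.1) ----
key chain EIGRP-KEYS
 key 1
  key-string ExampleKeyOnly
!
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.0
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ! 1500 bytes minus GRE/IP overhead, so tunneled packets are not fragmented
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Authenticate EIGRP hellos/updates on the tunnel
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 10.2.2.2
!
! The far endpoint must be reached through the firewall, never through the
! tunnel (recursive routing makes the tunnel flap). A static route (AD 1)
! beats the same prefix learned over EIGRP (AD 90).
ip route 10.2.2.0 255.255.255.0 10.1.1.1
!
router eigrp 100
 ! Form the adjacency only over the tunnel; the firewall-facing link is passive
 network 172.16.0.0 0.0.0.3
 network 10.1.0.0 0.0.255.255
 passive-interface GigabitEthernet0/0
 no auto-summary
!
! ---- WAN core (outside; firewall outside address is 10.2.2.1) ----
key chain EIGRP-KEYS
 key 1
  key-string ExampleKeyOnly
!
interface GigabitEthernet0/0
 ip address 10.2.2.2 255.255.255.0
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 10.1.1.2
!
ip route 10.1.1.0 255.255.255.0 10.2.2.1
!
router eigrp 100
 network 172.16.0.0 0.0.0.3
 network 10.2.0.0 0.0.255.255
 passive-interface GigabitEthernet0/0
 no auto-summary
!
! ---- Firewall (ASA/PIX 7-style syntax assumed) ----
! Permit only GRE (IP protocol 47) between the two tunnel endpoints,
! in both directions; nothing else from the WAN core needs to pass.
access-list OUTSIDE_IN extended permit gre host 10.2.2.2 host 10.1.1.2
access-group OUTSIDE_IN in interface outside
access-list INSIDE_OUT extended permit gre host 10.1.1.2 host 10.2.2.2
access-group INSIDE_OUT in interface inside
```

If the firewall translates inside addresses, the LAN core's 10.1.1.2 needs a static or exempt NAT entry so the WAN core's `tunnel destination` still matches the source address it sees in the GRE packets. Once up, `show ip eigrp neighbors` on either router should list exactly one neighbor, reached through Tunnel0, and `show interfaces tunnel 0` confirms the 1400-byte IP MTU is in effect.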
Are you saying that EIGRP cannot be run across the firewall only because of the 'different mismatching subnets' or is there any other reason like TTL value too ?
EIGRP does not use TCP; it uses multicast/unicast to talk to its neighbors. The only way I've seen anyone run this through a firewall was when the firewall was running layer 2. BGP is one of the few protocols that does not require its neighbor to be on the same layer 2 broadcast domain.