RE: [fw-wiz] OSPF on Firewall
From: Sloane, David (DSloane_at_vfa.com)
Date: 12/17/03
- Previous message: Wes Noonan: "RE: [fw-wiz] OSPF on Firewall"
- Maybe in reply to: Shimon Silberschlag: "[fw-wiz] OSPF on Firewall"
- Next in thread: Carroll, Shawn: "RE: [fw-wiz] OSPF on Firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Shimon Silberschlag" <shimons@bll.co.il>, <firewall-wizards@honor.icsalabs.com> Date: Wed, 17 Dec 2003 16:47:26 -0500
Shimon,
OSPF shouldn't require a direct links between routers to pass routing
table information.
Being a dynamic routing protocol, I'm assuming you want to pass OSPF
traffic in both directions.
While traversing two logical network segments won't happen by default,
you can inform each router of the other router's presence. If they're
Cisco routers, you can use the "neighbor" command within OSPF
configuration to do inform each router of the other's IP address and
assign a routing cost.
See
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_command_
reference_chapter09186a00800b3f35.html#22612
From the firewall perspective, you would need to allow OSPF traffic to
and from each router address. I can't see how it would get any more
complex than that.
Of course, this might not be an *ideal* OSPF implementation because
you'll have a slightly-less-precise OSPF failure message when a link
goes down. Did the Router1-to-Firewall or Router2-to-Firewall link
fail? You won't know, but that doesn't seem like a big loss to me. If
the firewall fails, both routers will know that the other is unreachable
and they'll react accordingly.
There may be other reasons not to pass OSPF traffic across a firewall.
If the two networks connected by the routers no longer "trust" each
other (necessitating a firewall), then it may not be wise to pass
routing tables back and forth...
Good luck.
-David
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Shimon
Silberschlag
Sent: December 17, 2003 3:02 AM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] OSPF on Firewall
Lets say that I have two routers (on an internal network) that talk OSPF
between them.
Now I have to insert a firewall in-between the two routers.
I am led to believe (by the Communications people I work with) that
there is no other option but to install OSPF on the firewall, which
doesn't make me feel easy about the solution.
Is it true that there is no other way around this problem?
TIA,
Shimon Silberschlag
+972-3-9351572
+972-51-207130
_______________________________________________
firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Wes Noonan: "RE: [fw-wiz] OSPF on Firewall"
- Maybe in reply to: Shimon Silberschlag: "[fw-wiz] OSPF on Firewall"
- Next in thread: Carroll, Shawn: "RE: [fw-wiz] OSPF on Firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
