Um, hey..
I have some basic routing questions I would love to get some feedback on..
If you routing gurus out there could indulge me for a moment or three -- my
real question is the best way to set up a WAN PtP for my particular
situation, but it begs another question about whether to bring the PtP
behind a FW or not, which I'll ask first, but since I think I know the
answer to that one I'm most curious about the second WAN PtP config
question -- but anyway hopefully some of ya will bear with me here.. I
didn't mean to write quite this much..
I'm having to bring up a WAN T1 PtP between our colo in SF, which will also
be our primary route out to the internet, and our office in Berkeley.
Terminating both ends of the WAN are Cisco 2620s running IOS 12.1(9). Our SF
colo is giving us a /25, which is actually more than we can use since all
our production/qa/dev/corp domains are internal IPs (10.x.x.x and
192.168.x.x's) behind previously set up RH Linux firewall/router boxes, one
each (actually we're adding VRRP & FW clustering, but logically speaking..) in
both our SF and Berkeley locations. The FW in SF handles our production
NAT'd network (we're basically an ASP), and the FW in Berkeley sits in front
of the other private networks (corporate/qa/dev).
The reason there's a firewall in each location at present (instead of just
one at the colo in front of all the internal networks, which is what I
currently hope to have soon) is that up till this month the Berkeley
location used a separate T1 uplink/provider, which we're switching off to
use our PtP to our SF colo instead, in order to save us some cash. So up
till this month, the Berkeley Linux FW and the Berkeley Cisco 2620 in front of it
were in a different address space, uplinking to Global Crossing of all
providers (in case you missed it they filed for bankruptcy a while ago,
which is another reason we're moving off 'em..). Anyway I don't want to get
TOO bogged down in the nitty-gritty details but, we set up a VPN to (GRE)
tunnel a route between the SF FW/private prod. network and the
Berkeley FW/other private networks across the 'net. And this is almost
tertiary to the questions I'm gonna lay on you but, just to make things a
wee bit more complex we have a redundant backup (a separate ADSL router) in
our Berkeley location, which we use for a Berkeley-centric backup route.
Basically what I'm seeking your collective sagely advice about is two
things.. and advice about the 1st I'm not quite as curious about as the 2nd
thing:
----------------
* First question - (security vs. fewer points of failure?), Should we
A) place the SF-Berkeley PtP on a new interface behind the Linux FW/router
at the SF colo that's currently protecting our private NAT'd production
network
- OR -
B) put the SF Cisco 2620 end of the PtP out in the open on one of the legal IPs
in a subnet together with the SF Linux FW, have it use our colo's GW, at the
same time carve up the allotted /25 into small subnets for SF and Berkeley,
and PtP between the external SF network and the 2620 in front of the
existing Berkeley FW protecting & routing the other private networks.
SECURITY concerns:
Yeah well, I'm firstly wondering how vulnerable the 2620s are sitting out
in the open. Our Berkeley-based 2620, which we currently use through Global
X., has held up fine so far with no FW in front of it -- indeed, as it's got
the only serial/CSU-DSU/T1 card etc., there wasn't a lot of choice. So far
it's been up and as far as I can tell un-hacked for the past year or so. On
the other hand, there's only telnet terminal access to these Ciscos and
traffic is sniffable. So that I err on the side of security, my first
thought is, if I can, to put everything I can behind a firewall - option A).
So does anyone know, is leaving these 2620s out on the net a gaping
security hole or, not really a big deal?
ROUTES/reliability concerns:
The downside to option A) is that putting the PtP behind a FW will introduce
an avoidable point of failure -- i.e. if the FW goes down, the PtP goes down.
The next possible issue is Opt. A) would introduce another hop to the route
out. However, since we're basically a voice ASP, bandwidth is not a real big
concern for us and that extra cost wouldn't mean much in practical terms.
----------------------------------------------------
** Second question - (unnumbered vs. numbered WAN config), Should we
A) Use an unnumbered-IP PtP WAN config between the SF 2620 and the
Berkeley 2620, which would likely introduce a route between discontiguous
classless subnets,
- OR -
B) Use a numbered-IP PtP WAN addressing scheme?
- And if we use a numbered scheme, should we use private subnets for the WAN
interfaces, or do we need to use a legal subnet? I can use a private subnet
(i.e. 192.168.x.x), right?
- OR -
C) Some other way I haven't thought of that's much better? :P
OPTION A:
For this second question, the deal with Opt. A) appears to be that you can
save IP addr. space by using the unnumbered-IP setup. At first I thought
this would save us a hop. However the cost must be the same (since the # of
interfaces stays the same, right?) so unless you're really concerned with
saving IP addresses and must use real IP address space for the WAN IPs,
which I don't think I have to do, there doesn't seem to be a lot of inherent
value in using the unnumbered WAN scheme. Also I get the feeling I should
avoid joining discontiguous classless subnets, since some routing protocols
(RIP) have probs dealing with it, and that's what the unnumbered scheme
appears to do.. Nonetheless, I was wondering if anyone knew of a good reason
to use it, or if it would be better to use it for any reason..
OPTION B:
This seems to be the way to go -- but I'm also thinking I can use a private
addr. space for the WAN subnet, or is it better to use a legal/contiguous
micro-subnet if I can? If I use the private addr. space, I don't have to
chop up my public subnet more than I have to.
Anyway I'm gonna rip off some rudimentary ASCII art to try to illustrate
what I mean in case this all sounds like gobbledygook:
----------------------
'legal' IP scope: 1.1.1.0/25 (er, using fake IPs in the example, obviously)
subnet for SF: 1.1.1.0/27
subnet for PtP: 192.168.1.0/30
subnet for Berkeley: 1.1.1.99/27
2nd Question, Opt. A (unnumbered WAN IPs)
----------------------
subnet for SF: 1.1.1.0/27
subnet for PtP: 192.168.1.0/30
subnet for Berkeley: 1.1.1.99/27
====Ethernet===================== 1.1.1.0/27 ===
        | LAN IP: 1.1.1.1/27 (255.255.255.224)
+-------+--------+
|   S.F. 2620    |
+-------+--------+
        | WAN IP: 1.1.1.1/32 (255.255.255.255)
PTP WAN |
        | WAN IP: 1.1.1.100/32 (255.255.255.255)
+-------+--------+
| Berkeley 2620  |
+-------+--------+
        | LAN IP: 1.1.1.100 (255.255.255.224)
====ETHERNET===================== 1.1.1.99/27 ===
        | LAN IP: 1.1.1.101 (255.255.255.224)
+-------+--------+
|  Berkeley FW   |
+-------+--------+
        | GW to Private Ethernets: 10.0.0.0/20, 192.168.5.0/24 etc
====ETHERNETS====================================
2nd Question, Option B (numbered WAN) using private IPs:
----------------------
subnet for SF: 1.1.1.0/27
subnet for PtP: 192.168.1.0/30
subnet for Berkeley: 1.1.1.99/27
====Ethernet===================== 1.1.1.0/27 ===
        | LAN IP: 1.1.1.1 (255.255.255.224)
+-------+--------+
|   S.F. 2620    |
+-------+--------+
        | WAN IP: 192.168.1.1/30 (255.255.255.252)
PTP WAN |
        | WAN IP: 192.168.1.2/30 (255.255.255.252)
+-------+--------+
| Berkeley 2620  |
+-------+--------+
        | LAN IP: 1.1.1.100 (255.255.255.224)
====ETHERNET===================== 1.1.1.99/27 ===
        | LAN IP: 1.1.1.101 (255.255.255.224)
+-------+--------+
|  Berkeley FW   |
+-------+--------+
        | GW to Berkeley Private Ethernets: 10.0.0.0/20, 192.168.5.0/24 etc
====ETHERNETS====================================
2nd Question, Option B but using real WAN IPs:
----------------------
subnet for SF: 1.1.1.0/27
subnet for PtP: 1.1.1.95/30
subnet for Berkeley: 1.1.1.99/27
====Ethernet===================== 1.1.1.0/27 ===
        | LAN IP: 1.1.1.1 (255.255.255.224)
+-------+--------+
|   S.F. 2620    |
+-------+--------+
        | WAN IP: 1.1.1.96/30 (255.255.255.252)
PTP WAN |
        | WAN IP: 1.1.1.97/30 (255.255.255.252)
+-------+--------+
| Berkeley 2620  |
+-------+--------+
        | LAN IP: 1.1.1.100 (255.255.255.224)
====ETHERNET===================== 1.1.1.99/27 ===
        | LAN IP: 1.1.1.101 (255.255.255.224)
+-------+--------+
|  Berkeley FW   |
+-------+--------+
        | GW to Berkeley Private Ethernets: 10.0.0.0/20, 192.168.5.0/24 etc
====ETHERNETS====================================
----
And I guess my last question would be, should I use EIGRP, OSPF or RIP to
route b/t the WAN link? I'm not really planning on using RIP, I could use it,
but it seems like I should get away from that where/when I can.. the Linux
routers can only route RIP at the moment, so, I'm somewhat limited, but..
sorry for the maximum verbiage, I didn't mean to take a giant crap on this
list (really!) still any and all advice will be cherished.. If I had even
one sane sysad I could talk to at work, I swear I wouldn't be bothern'
y'all.
thanx again, and now it's off to sleepytime for me then
-d
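An added example, not from the post or its author: a small Python check over the three address plans in the diagrams above (the poster's fake 1.1.1.0/25 allotment, copied as constructed data). It flags prefixes written with host bits set, public subnets outside the allotment and overlapping subnets, and counts how many public addresses each plan consumes, which is the saving the unnumbered and private-WAN options buy.

```python
import ipaddress

# Constructed from the post's three diagrams (the author's fake 1.1.1.0/25 allotment).
ALLOCATION = "1.1.1.0/25"
PLANS = {
    "opt-A-unnumbered":  ["1.1.1.0/27", "1.1.1.99/27"],
    "opt-B-private-wan": ["1.1.1.0/27", "1.1.1.99/27", "192.168.1.0/30"],
    "opt-B-public-wan":  ["1.1.1.0/27", "1.1.1.99/27", "1.1.1.95/30"],
}


def check_plan(allocation, subnets):
    """Return a list of problems with an addressing plan; an empty list means clean.

    Three things a router config will trip over later: a prefix written with
    host bits set (the true network address is what goes in the config), a
    public subnet outside the provider's allotment, and two subnets overlapping.
    """
    alloc = ipaddress.ip_network(allocation)
    problems, nets = [], []
    for text in subnets:
        try:
            net = ipaddress.ip_network(text)        # strict: host bits must be zero
        except ValueError:
            net = ipaddress.ip_network(text, strict=False)
            problems.append(f"{text}: host bits set, network address is {net}")
        if not net.is_private and not net.subnet_of(alloc):
            problems.append(f"{net}: outside allotment {alloc}")
        nets.append(net)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def public_addresses_used(subnets):
    """Count public (non-RFC 1918) addresses a plan consumes from the allotment."""
    nets = (ipaddress.ip_network(s, strict=False) for s in subnets)
    return sum(n.num_addresses for n in nets if not n.is_private)


if __name__ == "__main__":
    for name, subnets in PLANS.items():
        print(name, "public addresses used:", public_addresses_used(subnets))
        for problem in check_plan(ALLOCATION, subnets):
            print("  !", problem)
```

Run as-is it reports the two prefixes in the diagrams that are not network addresses (1.1.1.99/27 and 1.1.1.95/30), and shows the public-WAN variant costing four more public addresses than the other two.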
_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits