On Mon, 4 Feb 2002 [EMAIL PROTECTED] wrote:

> We need to detect whether:
> - the link between our firewall and external router is down;

Firewall won't be able to ARP the router - this is a layer 2 problem.

> - the link between our external router and the external network is down;

Router won't be able to ARP its upstream - again a layer 2 problem.

> - the external interface of the firewall is down;

Firewall won't be able to send/receive packets.

> - external router failures.

Traffic won't flow.

None of these are truly well-solved by BGP.

> At this moment we are only connected to one external network, in the future
> this could be 2 or more networks. Redundancy is required, loadsharing would
> be nice, but not required.
>
>          ___External___
>         R   Network   R
>         |             |
>         |             |
>         R             R
>         |             |
>        FW            FW
>         |             |
>         R             R
>         |___Internal___|
>             Network
>
> We are talking BGP on both the internal and external network. We have our
> own dedicated AS.
>
> My own statement is that I do not want to exchange routing information
> through the firewall. My opinion is that both networks must run
> independently, the internal network must not be poisoned with external
> routing information. I am looking for a way to "detach"/"separate" the
> external and internal BGP process.

BGP offers lots of filtering mechanisms. You can also separate into different
eBGP/iBGP peer groups and choose what advertisements you accept from where.

You can statically route through the firewall - which maintains perfect routing
separation - that's what I've always done.

If you're unsure as to how to separate things with BGP and you want to separate
things into e/iBGP zones, I highly recommend "Internet Routing Architectures" -
it's a Cisco book, fairly expensive, but well worth it for anyone who works
with BGP or wants to design networks that use BGP. It contains lots of useful
information that will help you decide how to set up peer groups.

The inside routers simply must know how to get out, you can equal-cost the
routes, you can also mesh the routers and firewalls on two interconnected
switches if you want. The same can be done on the outside.
If you don't have multiple paths out, then BGP doesn't make a lot of sense
(lots of overhead for a single path.)

HTH,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
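The "statically route through the firewall" design Paul describes, written out as an added Cisco IOS-style configuration example; this is not configuration from the original thread or from either poster. Everything in it is assumed and constructed: AS 64500 stands for the site's own AS and AS 64496 for the upstream (both from the private-use range), the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 prefixes are RFC 5737 documentation ranges used as the firewall outside net, the upstream link and the site's public prefix, 10.0.0.0/24 is the firewall inside net, and hostnames, interface names and neighbor addresses are placeholders. The external router speaks eBGP to the upstream with prefix-list filters in both directions, the firewalls carry only static routes, and the internal router reaches the outside world through an equal-cost pair of static defaults pointing at the two firewalls, so no BGP session crosses the firewall and no external route is ever redistributed inward.

```cisco
! Constructed example, not from the original thread. ASNs, prefixes,
! hostnames and interface names are placeholders (see lead-in).
!
! ---------- External router: eBGP to upstream, statics toward firewalls ----------
hostname ext-rtr
!
interface GigabitEthernet0/0
 description to upstream (AS 64496)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description to firewall outside segment
 ip address 192.0.2.1 255.255.255.0
!
! Accept only a default route from upstream; advertise only our own prefix.
ip prefix-list FROM-UPSTREAM seq 5 permit 0.0.0.0/0
ip prefix-list TO-UPSTREAM   seq 5 permit 203.0.113.0/24
!
router bgp 64500
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 prefix-list FROM-UPSTREAM in
 neighbor 198.51.100.1 prefix-list TO-UPSTREAM out
 ! No neighbor on the firewall segment: the BGP process stops here.
!
! Our public prefix lives behind the firewalls. Two equal-cost statics,
! one per firewall outside address (192.0.2.2 = FW-A, 192.0.2.3 = FW-B).
ip route 203.0.113.0 255.255.255.0 192.0.2.2
ip route 203.0.113.0 255.255.255.0 192.0.2.3
!
! ---------- Firewalls: static routing only, no routing protocol ----------
! FW-A outside 192.0.2.2/24, inside 10.0.0.1/24
! FW-B outside 192.0.2.3/24, inside 10.0.0.3/24
!   default         -> 192.0.2.1 (ext-rtr)
!   203.0.113.0/24  -> 10.0.0.2  (int-rtr)
!
! ---------- Internal router: iBGP inside, static default toward firewalls ----------
hostname int-rtr
!
interface GigabitEthernet0/0
 description to firewall inside segment
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet0/1
 description to internal core
 ip address 10.0.1.1 255.255.255.0
!
! Equal-cost defaults via FW-A and FW-B; this is the only "outside" knowledge.
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 0.0.0.0 0.0.0.0 10.0.0.3
!
router bgp 64500
 bgp log-neighbor-changes
 ! Placeholder iBGP peer elsewhere in the internal network.
 neighbor 10.0.1.2 remote-as 64500
 ! Deliberately no "redistribute static" and no "network 0.0.0.0":
 ! the static default stays local, nothing external leaks into iBGP.
```

Two points a practitioner should check when deploying a layout like this: with equal-cost statics on both sides, a flow may leave through FW-A and return through FW-B, and a stateful firewall will drop the reply unless the two firewalls share state or the routing is pinned so that each flow stays on one firewall; and because the external routers have no dynamic knowledge of the firewalls, a dead firewall is only noticed by the layer 2 checks Paul lists (ARP failing), so the static routes need a reachability-tracking mechanism or manual intervention to stop traffic being forwarded into a black hole.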
