Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
What is the difference? Does not the "campus network" provide a service?

--
Be decisive. Make a decision, right or wrong. The road of life is paved with flat squirrels who could not make a decision.

> -----Original Message-----
> From: cisco-nsp On Behalf Of Nick Hilliard
> Sent: Tuesday, 11 August, 2020 03:34
> To: Yham
> Cc: cisco-nsp@puck.nether.net NSP
> Subject: Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
>
> Yham wrote on 11/08/2020 04:33:
>> Thanks for your comments. I kinda agree with you on avoiding transparent mode; however, it's not clear why you wouldn't want your north-south traffic to pass through perimeter security devices (FWs). How would you protect your network from outside if you don't have firewalls in the traffic path? I have seen some enterprises use by-pass switches to go around the firewalls in case of an unexpected failure from which the firewalls can't recover.
>
> I missed that this was a campus network, and assumed it was a service provider.
>
> Yeah, politically credible reasons for wanting some or all parts of a campus behind firewalls of whatever form. It's a completely terrible idea if you're a service provider though.
>
> Nick

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
Not to mention the obvious observation that a firewall designed to "fail open" must not have anything of any importance behind it, so it (the firewall) merely exists for "checkbox compliance" with the checklists of incompetent arseholes and clueless retards, and not because it serves (or is intended to serve) any useful purpose.

--
Be decisive. Make a decision, right or wrong. The road of life is paved with flat squirrels who could not make a decision.

> -----Original Message-----
> From: cisco-nsp On Behalf Of Gert Doering
> Sent: Tuesday, 11 August, 2020 01:18
> To: Yham
> Cc: cisco-nsp@puck.nether.net NSP
> Subject: Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
>
> Hi,
>
> On Mon, Aug 10, 2020 at 11:33:06PM -0400, Yham wrote:
>> Thanks for your comments. I kinda agree with you on avoiding transparent mode; however, it's not clear why you wouldn't want your north-south traffic to pass through perimeter security devices (FWs). How would you protect your network from outside if you don't have firewalls in the traffic path? I have seen some enterprises use by-pass switches to go around the firewalls in case of an unexpected failure from which the firewalls can't recover.
>
> What is the point of a firewall in front of a web server?
>
> The web server should not have any services running besides "web", and these have to be available from the outside.
>
> Adding a firewall means "you put a device in front of it that can handle less load and costs more" - but where's the security gain?
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
Re: [c-nsp] BGP Maximum Prefix limit on Edge routers
Absolutely. Make sure to add enough overhead, 25%, so you do not keep getting warning messages in the logs.

These are the defaults for XR:

To prevent a peer from flooding BGP with advertisements, a limit is placed on the number of prefixes that are accepted from a peer for each supported address family. The default limits can be overridden through configuration of the maximum-prefix limit command for the peer for the appropriate address family. The following default limits are used if the user does not configure the maximum number of prefixes for the address family:

IPv4 Unicast: 1048576
IPv4 Labeled-unicast: 131072
IPv4 Tunnel: 1048576
IPv6 Unicast: 524288
IPv6 Labeled-unicast: 131072
IPv4 Multicast: 131072
IPv6 Multicast: 131072
IPv4 MVPN: 2097152
VPNv4 Unicast: 2097152
IPv4 MDT: 131072
VPNv6 Unicast: 1048576
L2VPN EVPN: 2097152

On Tue, Aug 11, 2020 at 9:20 AM Curtis Piehler wrote:
> Yes, this is a common practice to follow for extra security measures. In the off chance a provider starts flooding your network with more than what is required, it will safeguard your network. You can set a slightly higher warning threshold. Usually more prevalent in MPLS environments, as there are more memory constraints: carrying Internet routes in multiple VRFs could be detrimental to memory. Unlikely it would happen, but you always need to think of better ways to safeguard your network. For as long as humans are in existence there will always be room for error.
>
> On Tue, Aug 11, 2020, 9:09 AM Yham wrote:
>> Hello Gentlemen,
>>
>> I wanted to ask if this is common practice to apply a Maximum prefix limit on BGP neighborship with Internet providers from where you are getting the entire routing table. I know it's considered a best practice but want to know if it's also common.
>> If yes, what would be the max limit of routes? Google search tells me that the size of the routing table today is approx 800K prefixes
>>
>> Thanks
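The arithmetic behind the reply above, worked through as an added example (this is not code from the thread or from Cisco). It takes the thread's figures, an Internet table of roughly 800K prefixes, 25% headroom and the IOS XR defaults listed above, and shows two things a practitioner wants to check before committing the config: whether the default already covers a full table, and what warning threshold keeps a normal full table quiet in the logs. The rendered stanza assumes the IOS XR command form `maximum-prefix <limit> <threshold-percent> [restart <minutes>]`; the ASN and neighbor address are constructed placeholders.

```python
"""Sizing a BGP maximum-prefix limit with headroom and a warning threshold.

Added example, not code from the cisco-nsp thread. Figures come from the
thread (an ~800K-prefix table, 25% headroom, IOS XR defaults); the rendered
configuration assumes the IOS XR `maximum-prefix <limit> <threshold-percent>
[restart <minutes>]` syntax.
"""
from math import ceil, floor
from typing import Optional

# IOS XR default maximum-prefix limits per address family, as listed in the thread.
XR_DEFAULT_MAX_PREFIX = {
    "ipv4 unicast": 1048576,
    "ipv4 labeled-unicast": 131072,
    "ipv4 tunnel": 1048576,
    "ipv6 unicast": 524288,
    "ipv6 labeled-unicast": 131072,
    "ipv4 multicast": 131072,
    "ipv6 multicast": 131072,
    "ipv4 mvpn": 2097152,
    "vpnv4 unicast": 2097152,
    "ipv4 mdt": 131072,
    "vpnv6 unicast": 1048576,
    "l2vpn evpn": 2097152,
}


def size_limit(expected_prefixes: int, headroom: float = 0.25, round_to: int = 10_000) -> int:
    """Limit that exceeds the expected prefix count by `headroom`, rounded up to a clean number."""
    raw = expected_prefixes * (1 + headroom)
    return int(ceil(raw / round_to)) * round_to


def headroom_of(limit: int, expected_prefixes: int) -> float:
    """Fraction by which `limit` exceeds the expected count (0.25 means 25% headroom)."""
    return limit / expected_prefixes - 1


def min_quiet_threshold_pct(expected_prefixes: int, limit: int) -> int:
    """Smallest integer threshold percentage at which a normal full table logs no warning.

    The warning fires once received prefixes reach threshold% of the limit, so the
    threshold must sit strictly above the expected count's share of the limit.
    """
    share_pct = floor(expected_prefixes * 100 / limit)
    return min(share_pct + 1, 100)


def classify(received_prefixes: int, limit: int, threshold_pct: int) -> str:
    """State the router reports: 'ok', 'warning' (threshold crossed, session stays up)
    or 'exceeded' (limit reached; without warning-only the session is torn down)."""
    if received_prefixes >= limit:
        return "exceeded"
    if received_prefixes * 100 >= limit * threshold_pct:
        return "warning"
    return "ok"


def render_xr(asn: int, neighbor: str, afi: str, limit: int, threshold_pct: int,
              restart_minutes: Optional[int] = None) -> str:
    """Render the IOS XR stanza (assumed syntax) applying the limit to one neighbor."""
    cmd = f"maximum-prefix {limit} {threshold_pct}"
    if restart_minutes is not None:
        cmd += f" restart {restart_minutes}"
    return "\n".join([
        f"router bgp {asn}",
        f" neighbor {neighbor}",
        f"  address-family {afi}",
        f"   {cmd}",
    ])


if __name__ == "__main__":
    table = 800_000                        # the ~800K figure from the thread
    limit = size_limit(table)              # 1,000,000 with 25% headroom
    thr = min_quiet_threshold_pct(table, limit)  # 81: a 75% threshold would warn on every full table
    print("75% threshold:", classify(table, limit, 75), "| quiet threshold:", classify(table, limit, thr))
    default = XR_DEFAULT_MAX_PREFIX["ipv4 unicast"]
    print(f"XR default ipv4 unicast headroom over {table}: {headroom_of(default, table):.1%}")
    # Placeholder ASN and documentation-range neighbor address (constructed values).
    print(render_xr(64496, "192.0.2.1", "ipv4 unicast", limit, thr, restart_minutes=5))
```

The point the numbers make: 25% headroom over 800K gives a 1,000,000 limit, but a full table is then already 80% of that limit, so the common 75% warning threshold would log on every normal session; the threshold has to be 81% or higher to stay quiet, and it should be rechecked as the table grows.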
Re: [c-nsp] BGP Maximum Prefix limit on Edge routers
Yes, this is a common practice to follow for extra security measures. In the off chance a provider starts flooding your network with more than what is required, it will safeguard your network. You can set a slightly higher warning threshold. Usually more prevalent in MPLS environments, as there are more memory constraints: carrying Internet routes in multiple VRFs could be detrimental to memory. Unlikely it would happen, but you always need to think of better ways to safeguard your network. For as long as humans are in existence there will always be room for error.

On Tue, Aug 11, 2020, 9:09 AM Yham wrote:
> Hello Gentlemen,
>
> I wanted to ask if this is common practice to apply a Maximum prefix limit on BGP neighborship with Internet providers from where you are getting the entire routing table. I know it's considered a best practice but want to know if it's also common.
> If yes, what would be the max limit of routes? Google search tells me that the size of the routing table today is approx 800K prefixes
>
> Thanks
[c-nsp] BGP Maximum Prefix limit on Edge routers
Hello Gentlemen,

I wanted to ask if this is common practice to apply a Maximum prefix limit on BGP neighborship with Internet providers from where you are getting the entire routing table. I know it's considered a best practice but want to know if it's also common.

If yes, what would be the max limit of routes? Google search tells me that the size of the routing table today is approx 800K prefixes

Thanks
Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
Yham wrote on 11/08/2020 04:33:
> Thanks for your comments. I kinda agree with you on avoiding transparent mode; however, it's not clear why you wouldn't want your north-south traffic to pass through perimeter security devices (FWs). How would you protect your network from outside if you don't have firewalls in the traffic path? I have seen some enterprises use by-pass switches to go around the firewalls in case of an unexpected failure from which the firewalls can't recover.

I missed that this was a campus network, and assumed it was a service provider.

Yeah, politically credible reasons for wanting some or all parts of a campus behind firewalls of whatever form. It's a completely terrible idea if you're a service provider though.

Nick
Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
Hi,

On Mon, Aug 10, 2020 at 11:33:06PM -0400, Yham wrote:
> Thanks for your comments. I kinda agree with you on avoiding transparent mode; however, it's not clear why you wouldn't want your north-south traffic to pass through perimeter security devices (FWs). How would you protect your network from outside if you don't have firewalls in the traffic path? I have seen some enterprises use by-pass switches to go around the firewalls in case of an unexpected failure from which the firewalls can't recover.

What is the point of a firewall in front of a web server?

The web server should not have any services running besides "web", and these have to be available from the outside.

Adding a firewall means "you put a device in front of it that can handle less load and costs more" - but where's the security gain?

gert

--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany
g...@greenie.muc.de