17 messages in net.nether.puck.cisco-nsp: [c-nsp] eigrp question
Subject: [c-nsp] eigrp question
From: Gert Doering (ge@greenie.muc.de)
Date: Jan 6, 2005 4:14:15 am
List: net.nether.puck.cisco-nsp

Hi,

On Wed, Jan 05, 2005 at 11:31:54PM -0500, Jim McBurnett wrote:

> WOW... I will have time to lab test this tomorrow or Friday... Well, maybe this could be done using loopbacks, and then sourcing the traffic for E0

Something one needs to be very careful about when doing EIGRP routing via a GRE (or IPSEC or whatever) tunnel through the firewall - this will mean that the actual packets will also flow through the tunnel, and that the firewall *will not be able to inspect these packets!!*. So you effectively circumvent the firewall - and if you do it, it's easier to just throw it away.

BGP is a better approach to routing here, because with BGP you can open a TCP session through the firewall (for BGP) and the packets will still flow the normal way, and can be inspected.

gert
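
An added illustration of the point made in the message above (not part of the original post, and not code from its author): a default-deny filter that reads only the outer headers, shown one user packet carried inside a router-to-router GRE tunnel and the same packet forwarded natively while routing is exchanged over BGP. All addresses, ports and policy tuples are constructed sample values.

```python
import socket
import struct

GRE, TCP = 47, 6  # IP protocol numbers

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp_syn(sport, dport):
    """Minimal 20-byte TCP header with only SYN set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def gre(inner):
    """Basic GRE header (RFC 2784): no flags, protocol type 0x0800 (IPv4)."""
    return struct.pack("!HH", 0, 0x0800) + inner

def firewall_view(pkt):
    """Fields a filter reading only the outer headers can match on."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] if proto == TCP else None
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), proto, dport)

def permitted(pkt, policy):
    """Default deny; a rule is (src, dst, proto, dport), dport None = any."""
    v = firewall_view(pkt)
    return any(r[:3] == v[:3] and r[3] in (None, v[3]) for r in policy)

# Constructed sample addresses (documentation ranges), not from the thread.
R_OUT, R_IN = "192.0.2.1", "192.0.2.2"            # routers either side of the firewall
HOST_A, HOST_B = "198.51.100.10", "203.0.113.20"  # end hosts behind each router

user_pkt = ipv4(HOST_A, HOST_B, TCP, tcp_syn(40000, 23))  # telnet, not allowed by policy
tunnelled = ipv4(R_OUT, R_IN, GRE, gre(user_pkt))         # same packet inside the tunnel
bgp_pkt = ipv4(R_OUT, R_IN, TCP, tcp_syn(40001, 179))     # BGP session between routers

TUNNEL_POLICY = [(R_OUT, R_IN, GRE, None)]  # what the GRE design forces you to permit
BGP_POLICY = [(R_OUT, R_IN, TCP, 179)]      # only the routing session is permitted

if __name__ == "__main__":
    print("tunnel design, user packet:", firewall_view(tunnelled), permitted(tunnelled, TUNNEL_POLICY))
    print("BGP design, routing session:", firewall_view(bgp_pkt), permitted(bgp_pkt, BGP_POLICY))
    print("BGP design, user packet:", firewall_view(user_pkt), permitted(user_pkt, BGP_POLICY))
```

In the tunnel case the filter sees only protocol 47 between the two routers and passes the telnet SYN unseen; in the BGP case the same packet arrives with its real addresses and port and is dropped by the default deny.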