Hi,
On Thu, Jan 06, 2005 at 12:10:33PM +0200, Pekka Savola wrote:
> > BGP is a better approach to routing here, because with BGP you can open
> > a TCP session through the firewall (for BGP) and the packets will still
> > flow the normal way, and can be inspected.
> I'd be pretty careful about BGP as well. You'll likely eliminate the
> benefits of BGP because the firewall will have to have static
> routes corresponding to the BGP-advertised prefixes, or you'll end up
> having a routing loop sooner or later because the firewall doesn't
> have sufficient topology information....
Yes, sure. This is only going to work in specific scenarios, like
Router <inside> -- firewall -- Router <outside> -- Internet
and Router "<inside>" needs to know if "Internet" is broken, to use
some backup path via other <inside> routers and firewalls.
In that case, the firewall would have a default route to "outside", and
static routes for all internal networks, and BGP is only there to signal
"line outage".
Of course if you do anything more fancy, chances for a routing loop
are fairly high (like in any case of doing something dynamic routing
wasn't directly intended for, without really understanding all details).
gert
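The two points argued in this exchange (the firewall needs a static route for every prefix the BGP session carries, and with a default route to "outside" plus statics for the internal networks BGP can still act as a pure "line outage" signal) can be checked with a small forwarding simulator. The following is an added example, not code from the thread or from either poster. It models each box as a longest-prefix-match lookup table; next hops are node names rather than addresses (so BGP next-hop resolution is abstracted away), the firewall is modelled as a plain router with no packet filtering, the addresses are constructed from RFC 1918 / RFC 5737 space, and the second inside router and firewall ("R_in2", "FW2") are assumed as the backup path. Scenario 2 reproduces the routing loop Pekka warns about: the inside router advertises a prefix the firewall has no static route for, so the firewall bounces the packet back to the outside router via its default.

```python
"""Longest-prefix forwarding simulator for
Router <inside> -- firewall -- Router <outside> -- Internet
with a backup path through a second inside router and firewall."""
import ipaddress
from dataclasses import dataclass

LOCAL = "local"  # next hop meaning "destination is directly attached here"


@dataclass
class Route:
    prefix: str
    next_hop: str   # node name, or LOCAL
    source: str     # "connected", "static" or "bgp" (informational)
    distance: int   # administrative distance; lower is preferred on equal prefix length


@dataclass
class Node:
    name: str
    routes: list

    def lookup(self, dst):
        """Longest prefix match; ties broken by lowest administrative distance."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in ipaddress.ip_network(r.prefix)]
        if not matches:
            return None
        return max(matches, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.distance))


class RoutingLoop(Exception):
    pass


def trace(nodes, start, dst, max_hops=16):
    """Follow the forwarding decision hop by hop; raise RoutingLoop if a node is revisited."""
    path = [start]
    while len(path) <= max_hops:
        route = nodes[path[-1]].lookup(dst)
        if route is None:
            raise LookupError(f"{path[-1]} has no route to {dst}")
        if route.next_hop == LOCAL:
            return path
        if route.next_hop in path:
            raise RoutingLoop(" -> ".join(path + [route.next_hop]))
        path.append(route.next_hop)
    raise RoutingLoop(" -> ".join(path) + " ... (hop limit exceeded)")


def describe(nodes, start, dst):
    """String form of trace() so the outcome is easy to compare: path, or 'LOOP: ...'."""
    try:
        return " -> ".join(trace(nodes, start, dst))
    except RoutingLoop as loop:
        return f"LOOP: {loop}"


def build(firewall_has_static_for_new_prefix: bool, bgp_session_up: bool):
    """Constructed topology. 10.1.0.0/16 is the original internal network the firewall
    knows statically; 10.2.0.0/16 is a later-added network announced only via BGP."""
    r_in = Node("R_in", [
        Route("10.1.0.0/16", LOCAL, "connected", 0),
        Route("10.2.0.0/16", LOCAL, "connected", 0),
        Route("0.0.0.0/0", "R_in2", "static", 250),   # backup default, deliberately worse
    ])
    fw = Node("FW", [
        Route("10.1.0.0/16", "R_in", "static", 1),     # static route for an internal network
        Route("0.0.0.0/0", "R_out", "static", 1),      # default to "outside"
    ])
    if firewall_has_static_for_new_prefix:
        fw.routes.append(Route("10.2.0.0/16", "R_in", "static", 1))
    r_out = Node("R_out", [Route("0.0.0.0/0", "Internet", "static", 1)])
    if bgp_session_up:
        # eBGP between R_in and R_out runs through FW; the session is the outage signal.
        r_in.routes.append(Route("0.0.0.0/0", "FW", "bgp", 20))          # default from R_out
        r_out.routes.append(Route("10.1.0.0/16", "FW", "bgp", 20))       # learned from R_in
        r_out.routes.append(Route("10.2.0.0/16", "FW", "bgp", 20))       # learned from R_in
    r_in2 = Node("R_in2", [Route("0.0.0.0/0", "FW2", "static", 1)])
    fw2 = Node("FW2", [Route("0.0.0.0/0", "Internet", "static", 1)])
    internet = Node("Internet", [
        Route("203.0.113.0/24", LOCAL, "connected", 0),
        Route("10.0.0.0/8", "R_out", "bgp", 20),       # upstream sends the site's space to R_out
    ])
    return {n.name: n for n in (r_in, fw, r_out, r_in2, fw2, internet)}


if __name__ == "__main__":
    print("1 normal, outbound :", describe(build(True, True), "R_in", "203.0.113.9"))
    print("1 normal, inbound  :", describe(build(True, True), "Internet", "10.1.0.7"))
    print("2 missing static   :", describe(build(False, True), "Internet", "10.2.0.5"))
    print("3 line outage      :", describe(build(True, False), "R_in", "203.0.113.9"))
```

Scenario 3 is the intended use from the message above: when the BGP session drops, the BGP-learned default disappears from the inside router and its worse-preference static default via the second inside router takes over, while the firewall's own table never changes. Scenario 2 shows why that only holds as long as the firewall's statics mirror everything BGP carries.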