
Re: [FW-1] VPN with OSPF for Failover



My bad, I confused it with MOSPF and the M did something in my head
late at night. But you are correct, you can configure OSPF to work
around the fact that frame relay is inherently non-broadcast.

mvh,
A

"Vega, Juan R, SOBUS" <[email protected]> writes:

> OSPF is multicast depending on what "network type" is configured.  For
> instance in a broadcast environment, OSPF peers will speak with the DR and
> BDR on a special multicast 224.0.0.5.  The same is true for Frame Relay
> which is by default a non-broadcast network type and will use multicast.
> This can easily be avoided though through OSPF network manipulation on the
> Cisco routers.
>
> Juan Vega
>
> -----Original Message-----
> From: Alexander Hoogerhuis [mailto:[email protected]]
> Sent: Wednesday, October 31, 2001 8:51 PM
> To: [email protected]
> Subject: Re: [FW-1] VPN with OSPF for Failover
>
>
> From what you describe, and without knowing his requirements for
> security, I think you are going to have a major headache with getting
> a favourable assessment from an independent third party.
>
> You state little about the bandwidths involved, so I cannot tell you
> whether it will hold up. The 7140's are a somewhat limited and dated
> design (and my memory cannot tell me whether you get VPN-accelerators
> for the 7140s?).
>
> And reading the reasoning presented by your customer with regards to
> why FW-1 won't cut it is somewhat strange. OSPF is not multicast, and
> will work quite well with FW-1 on at least Solaris and Linux. And why
> IPSec should not handle multicast traffic is to me a mystery (and I
> hold CCNP/CCDP and should have a clue).
>
> Since you are implementing hub and spoke for the frame bit, it will
> not help to have a secondary location hooked into the central
> point, as you gain zero failover capability (i.e. if the pipe fails
> into the central location you are hosed anyways).
>
> cheers,
> Alexander
>
> "Cardona, Alberto" <[email protected]> writes:
>
> > What I want to do is for my friend's remote vpn sites (10) to fail over to
> > his secondary VPN HUB.
> > Here is his scenario.
> >
> > He just got acquired by another company.
> > His current company relies on a Full blown IPsec VPN mesh with a backup
> > ISDN.
> > He is running Voice over IP thru his IPsec 3DES VPN.
> >
> > This new company relies on a LARGE Frame network that runs OSPF on Cisco's.
> > They now want to implement a VPN running OSPF because they use OSPF.
> > They installed a frame link from his location (New York) to their
> > headquarters (Detroit).
> > Now they want to implement a secondary location (Houston) which has an
> > internet connection and a frame connection
> > back into the headquarters (Detroit).
> > They want this secondary location (Houston) to be a backup in case his
> > location (New York) fails for his remote sites.
> >
> > Someone within this new company mentioned that his current Nokia/Check Point
> > solution won't work with the
> > failover design because IPsec can't handle multicast broadcast traffic (e.g.
> > OSPF).
> > They need to run OSPF for a failover design.
> >
> > Their solution is to REMOVE all of his Nokia/Check Point and implement a
> > Cisco Router based VPN design.
> > Cisco's 1750 for Remote sites and 7140 for each Hub.
> > Each router both remote site and hub will have Cisco's firewall/IDS package
> > and encryption module
> > The Cisco's VPN tunnels are going to be using GRE encapsulation for the
> > OSPF.
> > In case of a failover to the Secondary HUB, OSPF will update the Frame
> > network regarding the failover.
> > IPsec 3DES for the data encryption.
> > This new design is not going to be a MESH but a Hub and Spoke.
> >
> > His problem with this HUB and SPOKE design is this.
> >
> > 1).  He is afraid because this design relies on a 1 tier security design.
> >      The Cisco's routers will be handling the VPN, Routing Protocols,
> > Firewall, and IDS on each router.
> >      His current design is 2 tier level.
> >      Cisco for the Internet router and Nokia/Check Point for VPN/Firewall
> >
> > 2).  He thinks his Voice over IP will fail between remote sites because
> the
> > MESH will be gone.
> >
> > 3).  The performance on the Cisco.  Would they be able to handle the load?
> >      Since they will be doing everything. (VPN, Routing, and IDS)
> >
> > Has anyone implemented this solution?
> >
> >
> >
> > AC
> >
> >
> >
> > -----Original Message-----
> > From: Chris Arnold [mailto:[email protected]]
> > Sent: Wednesday, October 24, 2001 10:12 PM
> > To: 'Cardona, Alberto '; '[email protected] '
> > Subject: RE: [FW-1] VPN with OSPF
> >
> >
> > That depends on what you mean by "running site to site IPsec VPNs and
> using
> > OSPF."  Do you mean tunneling OSPF through an IPSec tunnel for some reason
> > or using OSPF to route traffic to available VPN endpoints before going
> > through a tunnel or on your edge routers once your VPN traffic has been
> > encapsulated?
> >
> > Chris
> >
> > -----Original Message-----
> > From: Cardona, Alberto
> > To: [email protected]
> > Sent: 10/24/01 4:16 PM
> > Subject: [FW-1] VPN with OSPF
> >
> > Is anyone running site to site IPsec VPNs and using OSPF?
> > If so did you have to implement GRE?
> >
> >
> > Thanks
> >
> >
> > AC
> >
> > ===============================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ===============================================
>
> --
> Alexander Hoogerhuis
> FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
>

--
Alexander Hoogerhuis
FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'

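The thread's open question (do you need GRE to run OSPF across site-to-site IPsec, and how does the OSPF failover to a second hub actually happen?) is easiest to see in a concrete spoke configuration. The following is an added example written for this page, not a configuration from any of the posters or from Cisco; it uses IOS syntax of the crypto-map era, hypothetical addresses from the RFC 5737 documentation ranges, placeholder pre-shared keys, and assumed interface and access-list names. OSPF hellos are sent to 224.0.0.5, so they never match an IPsec selector that only carries unicast site-to-site traffic; wrapping them in GRE gives them unicast outer headers, and the crypto ACL then protects the GRE packets between the public addresses. Two tunnels, one to each hub, with different OSPF costs give the failover the thread is after.

```cisco
! Spoke router: one GRE tunnel to each hub, both protected by IPsec,
! OSPF running over the tunnels so the backup hub is learned automatically.
! All addresses and names below are constructed for this example.
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! Placeholder keys: replace with per-peer secrets (or certificates) in practice.
crypto isakmp key REPLACE-WITH-PSK-NY  address 203.0.113.1
crypto isakmp key REPLACE-WITH-PSK-HOU address 203.0.113.2
!
crypto ipsec transform-set GRE-3DES esp-3des esp-sha-hmac
!
! Only GRE between the public addresses is selected for protection.
! OSPF multicast never reaches the crypto engine directly: it rides inside GRE.
ip access-list extended GRE-TO-NY
 permit gre host 198.51.100.10 host 203.0.113.1
ip access-list extended GRE-TO-HOU
 permit gre host 198.51.100.10 host 203.0.113.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set GRE-3DES
 match address GRE-TO-NY
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-3DES
 match address GRE-TO-HOU
!
interface Serial0
 description Internet uplink (assumed public address)
 ip address 198.51.100.10 255.255.255.252
 crypto map VPN
!
! Keep the hub public addresses reachable via the uplink, never via a tunnel,
! otherwise a tunnel destination learned through the tunnel causes recursive routing.
ip route 203.0.113.1 255.255.255.255 198.51.100.9
ip route 203.0.113.2 255.255.255.255 198.51.100.9
!
interface Tunnel0
 description GRE to primary hub (New York)
 ip address 10.255.1.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf hello-interval 5
 ip ospf dead-interval 15
 tunnel source Serial0
 tunnel destination 203.0.113.1
!
interface Tunnel1
 description GRE to backup hub (Houston); higher cost so it is used only on failure
 ip address 10.255.2.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf hello-interval 5
 ip ospf dead-interval 15
 tunnel source Serial0
 tunnel destination 203.0.113.2
!
router ospf 1
 network 10.255.0.0 0.0.255.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
```

IOS already treats a GRE tunnel interface as OSPF network type point-to-point, so the explicit `ip ospf network point-to-point` lines only document the intent; on a Frame Relay interface, by contrast, that is the line (or `point-to-multipoint`, or `non-broadcast` with `neighbor` statements) that works around the non-broadcast medium the thread discusses. The shortened hello and dead timers bound the failover time to the dead interval once the primary hub stops answering. Two things worth checking on such a design: the crypto ACL only protects GRE, so any inter-site traffic that is routed around the tunnels instead of into them leaves the router in the clear, and the 3DES/group 2 settings mirror what the 2001 thread discusses rather than what a current deployment should use.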

All contents © 2004 Network Presence, LLC. All rights reserved.