Re: [FW-1] VPN with OSPF for Failover
My bad, I confused it with MOSPF and the M did something in my head late at night. But you are correct, you can configure OSPF to work around the fact that frame relay is inherently non-broadcast.

Best regards,
A

"Vega, Juan R, SOBUS" <[email protected]> writes:

> OSPF is multicast depending on what "network type" is configured. For
> instance in a broadcast environment, OSPF peers will speak with the DR and
> BDR on a special multicast 224.0.0.5. The same is true for Frame Relay
> which is by default a non-broadcast network type and will use multicast.
> This can easily be avoided though through OSPF network manipulation on the
> Cisco routers.
>
> Juan Vega
>
> -----Original Message-----
> From: Alexander Hoogerhuis [mailto:[email protected]]
> Sent: Wednesday, October 31, 2001 8:51 PM
> To: [email protected]
> Subject: Re: [FW-1] VPN with OSPF for Failover
>
>
> From what you describe, and without knowing his requirements for
> security, I think you are going to have a major headache with getting
> a favourable assessment from an independent third party.
>
> You state little about the bandwidths involved, so I cannot tell you
> whether it will hold up. The 7140's are a somewhat limited and dated
> design (and my memory cannot tell me whether you get VPN accelerators
> for the 7140s?).
>
> And reading the reasoning presented by your customer with regards to
> why FW-1 won't cut it is somewhat strange. OSPF is not multicast, and
> will work quite well with FW-1 on at least Solaris and Linux. And why
> IPSec should not handle multicast traffic is to me a mystery (and I
> hold CCNP/CCDP and should have a clue).
>
> Since you are implementing hub and spoke for the frame bit, it will
> not help to have a secondary location hooked into the central
> point, as you gain zero failover capability (i.e. if the pipe fails
> into the central location you are hosed anyways).
>
> cheers,
> Alexander
>
> "Cardona, Alberto" <[email protected]> writes:
>
> > What I want to do is for my friend's remote vpn sites (10) to fail over to
> > his secondary VPN HUB.
> > Here is his scenario.
> >
> > He just got acquired by another company.
> > His current company relies on a full blown IPsec VPN mesh with a backup
> > ISDN.
> > He is running Voice over IP through his IPsec 3DES VPN.
> >
> > This new company relies on a LARGE Frame network that runs OSPF on Cisco's.
> > They now want to implement a VPN running OSPF because they use OSPF.
> > They installed a frame link from his location (New York) to their
> > headquarters (Detroit).
> > Now they want to implement a secondary location (Houston) which has an
> > internet connection and a frame connection
> > back into the headquarters (Detroit).
> > They want this secondary location (Houston) to be a backup in case his
> > location (New York) fails for his remote sites.
> >
> > Someone within this new company mentioned that his current Nokia/Check Point
> > solution won't work with the
> > failover design because IPsec can't handle multicast broadcast traffic (ex
> > OSPF).
> > They need to run OSPF for a failover design.
> >
> > Their solution is to REMOVE all of his Nokia/Check Point and implement a
> > Cisco Router based VPN design.
> > Cisco's 1750 for Remote sites and 7140 for each Hub.
> > Each router, both remote site and hub, will have Cisco's firewall/IDS package
> > and encryption module.
> > The Cisco's VPN tunnels are going to be using GRE encapsulation for the
> > OSPF.
> > In case of a failover to the Secondary HUB, OSPF will update the Frame
> > network regarding the failover.
> > IPsec 3DES for the data encryption.
> > This new design is not going to be a MESH but a Hub and Spoke.
> >
> > His problem with this HUB and SPOKE design is this.
> >
> > 1). He is afraid because this design relies on a 1 tier security design.
> > The Cisco's routers will be handling the VPN, Routing Protocols,
> > Firewall, and IDS on each router.
> > His current design is 2 tier level.
> > Cisco for the Internet router and Nokia/Check Point for VPN/Firewall
> >
> > 2). He thinks his Voice over IP will fail between remote sites because the
> > MESH will be gone.
> >
> > 3). The performance of the Cisco. Would they be able to handle the load?
> > Since they will be doing everything. (VPN, Routing, and IDS)
> >
> > Has anyone implemented this solution?
> >
> > AC
> >
> > -----Original Message-----
> > From: Chris Arnold [mailto:[email protected]]
> > Sent: Wednesday, October 24, 2001 10:12 PM
> > To: 'Cardona, Alberto '; '[email protected] '
> > Subject: RE: [FW-1] VPN with OSPF
> >
> >
> > That depends on what you mean by "running site to site IPsec VPNs and using
> > OSPF." Do you mean tunneling OSPF through an IPSec tunnel for some reason
> > or using OSPF to route traffic to available VPN endpoints before going
> > through a tunnel or on your edge routers once your VPN traffic has been
> > encapsulated?
> >
> > Chris
> >
> > -----Original Message-----
> > From: Cardona, Alberto
> > To: [email protected]
> > Sent: 10/24/01 4:16 PM
> > Subject: [FW-1] VPN with OSPF
> >
> > Is anyone running site to site IPsec VPNs and using OSPF?
> > If so did you have to implement GRE?
> >
> > Thanks
> >
> > AC

--
Alexander Hoogerhuis
FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
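As an added example, not taken from the thread or from any of its participants: a spoke-router fragment in Cisco IOS syntax for the GRE-over-IPsec hub-and-spoke design discussed above. The tunnels run OSPF as point-to-point (so no DR/BDR election, and GRE carries the multicast hellos that bare IPsec would not), the adjacencies are MD5-authenticated, and the tunnel to the backup hub carries a higher OSPF cost so failover is a routing decision. Hub addresses 192.0.2.1 (New York) and 198.51.100.1 (Houston), the spoke's 203.0.113.10 uplink, the 10.10.0.0/16 spoke LAN and the key placeholders are all constructed.

```cisco
! Spoke router (constructed example): two GRE tunnels, one per hub,
! carried inside IPsec. OSPF runs over the tunnels, never on the Internet.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PSK-PLACEHOLDER address 192.0.2.1
crypto isakmp key PSK-PLACEHOLDER address 198.51.100.1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
! Only GRE between the tunnel endpoints is encrypted; OSPF rides inside it.
ip access-list extended GRE-TO-NY
 permit gre host 203.0.113.10 host 192.0.2.1
ip access-list extended GRE-TO-HOU
 permit gre host 203.0.113.10 host 198.51.100.1
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ESP-3DES-SHA
 match address GRE-TO-NY
crypto map VPN 20 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-3DES-SHA
 match address GRE-TO-HOU
! Point-to-point network type: no DR/BDR election; GRE carries the multicast hellos.
! MD5 keys stop an unauthenticated neighbour from injecting routes into the area.
interface Tunnel0
 description Primary: GRE to New York hub
 ip address 10.255.0.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF-KEY-PLACEHOLDER
 ip ospf cost 10
 tunnel source Serial0
 tunnel destination 192.0.2.1
interface Tunnel1
 description Backup: GRE to Houston hub, used only when Tunnel0 is down
 ip address 10.255.1.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF-KEY-PLACEHOLDER
 ip ospf cost 100
 tunnel source Serial0
 tunnel destination 198.51.100.1
interface Serial0
 ip address 203.0.113.10 255.255.255.252
 crypto map VPN
router ospf 1
 network 10.255.0.0 0.0.1.255 area 0
 network 10.10.0.0 0.0.255.255 area 0
```

Each hub carries the mirror-image tunnel, crypto map and OSPF configuration; when the New York adjacency drops, OSPF reconverges onto Tunnel1 and the hubs' Frame network learns the new path through the normal OSPF flood.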