[FW-1] Ramifications of running RIP on FW-1 box
One of our firewall interfaces connects to a particular private data feed. This feed actually comes in through two routers and two different point-to-point connections -- one is considered 'primary' and the other 'secondary'. We wanted to simply add static routes on our IP440's (IPSO 3.4.2, FW-1 4.1 NG FP1, VRRP), and prioritize them so that the 'primary' link would be the link chosen first.

However, it appears that the IPSO handles route priority differently than we would expect -- the only time that a lower-priority route gets used is if a physical interface ON THE FIREWALL fails. So, if you've got two routes that are going out the same interface, the second route will never be used.

The provider is running RIP, and from what I can tell (so far), they are advertising the routes appropriately. I enabled RIP on the 'backup' firewall, and it dutifully learned the routes.

Obviously, running a routing protocol on a firewall is a pretty scary thing. Our other option would be to front-end our firewalls with two border routers, and have them run HSRP on the firewall side and RIP on the external side. Although perhaps a better solution, from what I've learned so far about RIP support on the IPSO platform, I can limit RIP to 1) a specific interface, and 2) learn only specific routes through that interface. The worst thing that I can see in this scenario is somehow somebody polluting the RIP packets, and we'd lose connectivity to this one particular feed.

Anyone have any opinions or experience?

---------------------------------------------------
David Grabowski
Mizuho Securities USA
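The two RIP controls the post relies on, accepting RIP only from the provider's routers on one interface and learning only the feed's routes through it, can be expressed as a filter and run over captured RIP traffic to see what a polluted advertisement would look like before it is ever installed. The block below is an added example for this thread, not IPSO or Check Point code and not from the poster; the peer addresses and feed prefix are constructed placeholders from the RFC 5737 documentation ranges, and `RipPolicy`, `check_rip_response` and `build_rip_response` are hypothetical names. RIPv2 authentication entries are skipped rather than verified, since the point here is route-content filtering.

```python
"""Allowlist filter for inbound RIPv2 responses (added example; not IPSO code).

Peers, prefixes and sample packets are constructed from RFC 5737 ranges.
"""
import ipaddress
import struct
from dataclasses import dataclass

RIP_HEADER = struct.Struct("!BBH")       # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, address, mask, next hop, metric
RIP_RESPONSE = 2      # command value of an advertisement
RIP_INFINITY = 16     # metric meaning "unreachable", i.e. a withdrawal
MAX_ENTRIES = 25      # RIP carries at most 25 entries per packet
AF_INET = 2
AFI_AUTH = 0xFFFF     # marks an authentication entry (skipped, not verified here)


@dataclass(frozen=True)
class RouteEntry:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    metric: int


@dataclass(frozen=True)
class RipPolicy:
    trusted_senders: frozenset   # IPv4Address objects: the provider's two routers
    allowed_prefixes: frozenset  # IPv4Network objects: the feed's prefixes only


def parse_rip_response(payload: bytes) -> list:
    """Parse the UDP payload of a RIPv2 response into RouteEntry objects."""
    body = len(payload) - RIP_HEADER.size
    if body < 0 or body % RIP_ENTRY.size or body // RIP_ENTRY.size > MAX_ENTRIES:
        raise ValueError("malformed RIP packet length")
    command, version, _ = RIP_HEADER.unpack_from(payload, 0)
    if command != RIP_RESPONSE or version != 2:
        raise ValueError(f"not a RIPv2 response (command={command}, version={version})")
    entries = []
    for off in range(RIP_HEADER.size, len(payload), RIP_ENTRY.size):
        afi, _tag, addr, mask, nh, metric = RIP_ENTRY.unpack_from(payload, off)
        if afi == AFI_AUTH:
            continue
        if afi != AF_INET:
            raise ValueError(f"unsupported address family {afi}")
        # The mask is taken literally; a zero mask (classful shorthand) becomes /0.
        prefix = ipaddress.IPv4Network(
            (ipaddress.IPv4Address(addr), str(ipaddress.IPv4Address(mask))), strict=False)
        entries.append(RouteEntry(prefix, ipaddress.IPv4Address(nh), metric))
    return entries


def check_rip_response(src: str, payload: bytes, policy: RipPolicy):
    """Return (routes to install, alert strings) for one RIP response.

    Anything outside the policy is dropped and reported, never installed.
    """
    if ipaddress.IPv4Address(src) not in policy.trusted_senders:
        return [], [f"RIP response from untrusted sender {src} (dropped)"]
    routes, alerts = [], []
    for entry in parse_rip_response(payload):
        if entry.prefix not in policy.allowed_prefixes:
            alerts.append(f"{src} advertised unexpected prefix {entry.prefix} (dropped)")
        elif entry.metric >= RIP_INFINITY:
            # A trusted peer withdrawing the feed prefix is the normal failover signal.
            alerts.append(f"{src} withdrew {entry.prefix} (metric {entry.metric})")
        else:
            routes.append(entry)
    return routes, alerts


def build_rip_response(entries) -> bytes:
    """Build a RIPv2 response; used only to construct sample traffic."""
    out = bytearray(RIP_HEADER.pack(RIP_RESPONSE, 2, 0))
    for prefix, next_hop, metric in entries:
        net = ipaddress.IPv4Network(prefix)
        out += RIP_ENTRY.pack(AF_INET, 0, net.network_address.packed, net.netmask.packed,
                              ipaddress.IPv4Address(next_hop).packed, metric)
    return bytes(out)


# Constructed policy: two provider routers, one feed prefix (placeholder values).
POLICY = RipPolicy(
    trusted_senders=frozenset(map(ipaddress.IPv4Address, ["192.0.2.1", "192.0.2.2"])),
    allowed_prefixes=frozenset([ipaddress.IPv4Network("198.51.100.0/24")]),
)

# Constructed sample advertisements.
PRIMARY_UPDATE = build_rip_response([("198.51.100.0/24", "0.0.0.0", 1)])
WITHDRAWAL = build_rip_response([("198.51.100.0/24", "0.0.0.0", RIP_INFINITY)])
UNEXPECTED_UPDATE = build_rip_response([
    ("198.51.100.0/24", "0.0.0.0", 1),
    ("0.0.0.0/0", "0.0.0.0", 1),        # a default route the feed must never inject
    ("203.0.113.0/24", "0.0.0.0", 3),   # an unrelated prefix
])

if __name__ == "__main__":
    for sender, pkt in [("192.0.2.1", PRIMARY_UPDATE), ("192.0.2.1", UNEXPECTED_UPDATE),
                        ("192.0.2.2", WITHDRAWAL), ("203.0.113.9", PRIMARY_UPDATE)]:
        routes, alerts = check_rip_response(sender, pkt, POLICY)
        print(sender, [str(r.prefix) for r in routes], alerts)
```

Run stand-alone, the script shows the legitimate update being accepted, the extra default route and unrelated prefix being dropped with alerts while the feed prefix is still learned, a metric-16 withdrawal from the second router being logged as the failover signal, and a packet from an address outside the peer list being rejected outright. The alert strings are the part worth wiring into whatever log collection sits beside the firewall: an unexpected prefix from a trusted peer is exactly the "polluted RIP" case the post worries about, and it is visible before any route changes.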