Firewall Wizards mailing list archives
Re: Nokia firewall solution
From: Lart <lart () hacksec org>
Date: Sat, 27 Mar 1999 09:34:12 -0500
On Thu, Mar 25, 1999 at 03:45:53PM -0800, John McDonald wrote:

: You cannot use them for High availability on your gateway without using
: another router in front of them due to the fact that you can't use the
: Nokia HA protocols on the Internet.

Just because Nokia says you *can* use an IP400 as a router doesn't mean
that you really should.... <g>

: They work great behind a router (and what's the chance that your router
: is going to go down?) also the VRRP is quite tricky to set up.

VRRP is not hard to set up at all. You need to plan out your VRIDs, and
set your firewall rules to allow the multicasts for VRRP.

: There tend to be a tremendous amount of routing issues even in the most
: simplistic environment due to the HA. (lots of HUBS).

No more hubs/vlans than you'd already have. The link between the boxes
is a crossover cable.

: BTW. If you are planning on HEAVY traffic through this box you may
: consider the Nokia IP650. MUCH FASTER.

If IP440's can handle up to 98 Mbps (as they were tested), you could
reliably expect full DS-3 speeds.

Seriously though folks, lots of companies make mountains out of mole
hills when it comes to setting up VRRP. In fact, here's a cookbook:

You've got two IP440's. Let's call them 1 and 2. You've got a single
quad ethernet in each box. Nokia's naming scheme for these cards is
eth-s<slot>p<port>. So, the first port on the first card is eth-s1p1.

      +-------+
      | I-Net |             On each box, set up the interfaces
      | Router|             as:
      |       |
      +-------+               s1p1: external
          |                   s1p2: internal
+---------+---------+         s1p3: crossover
|                   |
+-------+       +-------+
|       |       |       |   Box 1 VRIDs:
|   1   |-------|   2   |     s1p1=111
|       |       |       |     s1p2=112
+-------+       +-------+
|                   |       Box 2 VRIDs:
+---------+---------+         s1p1=211
          |                   s1p2=212
      +-------+
      | Choke |
      | Router|
      |       |
      +-------+

First, turn on OSPF on each box's eth-s1p3. Export interface routes and
statics into OSPF external. Set up VRRP on each of the s1p1 and s1p2
interfaces so that it "backs up itself".
After you've done that, it's safe to have the interfaces back up the partner interfaces. If you are running NAT, you have to consider the case where the external interface on the primary box fails. Traffic will enter box 1, and since VRRP has done its stuff, and OSPF between the boxes has re-advertised the failed interface via box 2, the traffic will flow over the crossover cable into box 2. Since you're running NAT, when the traffic leaves box 1, the addresses will be translated (before they hit box 2). Your rules need to account for that case. If you're not running NAT, this case is irrelevant to you.

If you've got a good networking staff, you can work out the logistics yourself. You may, or may not, however, have security specialists, so it may be beneficial to have someone in to help design your firewall rules.
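The two things the post asks the firewall admin to get right, the rule that allows VRRP multicasts and the VRID plan (111/112 on box 1, 211/212 on box 2), are easiest to check by looking at the advertisements actually on the wire. The following is an added example, not code from Lart's post or from Nokia: a Python parser for VRRPv2 advertisements as laid out in RFC 2338 (IP protocol 112, sent to 224.0.0.18) that validates the header and one's-complement checksum, then flags advertisements whose VRID is not in the planned set or whose priority is 0 (a master releasing its address). The sample packets are constructed inline; the 192.0.2.x addresses are documentation addresses, and PLANNED_VRIDS is taken from the cookbook above.

```python
"""Parse and audit VRRPv2 advertisements (RFC 2338).

Added example, not from the original post. Sample packets are built
inline; 192.0.2.0/24 is a documentation prefix, not a real deployment.
"""
import ipaddress
import struct

VRRP_MULTICAST = "224.0.0.18"   # destination of every VRRPv2 advertisement
VRRP_PROTOCOL = 112             # IP protocol number a firewall rule must permit
VRRP_HEADER = struct.Struct("!BBBBBBH")  # ver/type, vrid, prio, count, auth, interval, csum

# VRIDs from the cookbook in the post: box 1 owns 111/112, box 2 owns 211/212
PLANNED_VRIDS = {111, 112, 211, 212}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, addresses, adver_int: int = 1) -> bytes:
    """Build a VRRPv2 advertisement with no authentication (auth type 0).

    Used here only to construct sample input; on a real segment the routers send these.
    """
    header = VRRP_HEADER.pack(0x21, vrid, priority, len(addresses), 0, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addresses) + b"\x00" * 8
    csum = ones_complement_checksum(header + body)
    return header[:6] + struct.pack("!H", csum) + body


def parse_advertisement(pkt: bytes) -> dict:
    """Return the fields of a VRRPv2 advertisement, or raise ValueError."""
    if len(pkt) < VRRP_HEADER.size + 8:
        raise ValueError("packet too short for a VRRP header plus auth data")
    ver_type, vrid, priority, count, auth_type, adver_int, csum = VRRP_HEADER.unpack_from(pkt)
    version, msg_type = ver_type >> 4, ver_type & 0x0F
    if version != 2 or msg_type != 1:
        raise ValueError(f"not a VRRPv2 advertisement (version={version}, type={msg_type})")
    msg_len = VRRP_HEADER.size + 4 * count + 8      # header + addresses + 8 bytes auth data
    if len(pkt) < msg_len:
        raise ValueError("count of IP addresses exceeds packet length")
    msg = pkt[:msg_len]
    # Recompute the checksum with the checksum field zeroed and compare.
    if ones_complement_checksum(msg[:6] + b"\x00\x00" + msg[8:]) != csum:
        raise ValueError("bad VRRP checksum")
    offset = VRRP_HEADER.size
    addresses = [str(ipaddress.IPv4Address(msg[offset + 4 * i: offset + 4 * i + 4]))
                 for i in range(count)]
    return {"vrid": vrid, "priority": priority, "auth_type": auth_type,
            "adver_int": adver_int, "addresses": addresses}


def audit(packets, planned_vrids=PLANNED_VRIDS) -> list:
    """Report advertisements a firewall admin would want to look at."""
    findings = []
    for i, pkt in enumerate(packets):
        try:
            adv = parse_advertisement(pkt)
        except ValueError as exc:
            findings.append(f"packet {i}: malformed ({exc})")
            continue
        if adv["vrid"] not in planned_vrids:
            findings.append(f"packet {i}: unplanned VRID {adv['vrid']} for {adv['addresses']}")
        if adv["priority"] == 0:
            findings.append(f"packet {i}: VRID {adv['vrid']} master is shutting down (priority 0)")
    return findings


# Constructed sample traffic: two planned VRIDs, one unknown VRID, a release, a truncated packet.
SAMPLE_PACKETS = [
    build_advertisement(111, 255, ["192.0.2.1"]),          # box 1, owner of its external VIP
    build_advertisement(211, 255, ["192.0.2.2"]),          # box 2, owner of its external VIP
    build_advertisement(99, 100, ["192.0.2.3"]),           # a VRID nobody planned
    build_advertisement(112, 0, ["192.0.2.129"]),          # box 1 releasing its internal VIP
    build_advertisement(212, 255, ["192.0.2.130"])[:-1],   # cut short on the wire
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS):
        print(line)
```

Run as a script it prints one finding per suspicious sample packet; fed captures of protocol-112 traffic from the internal or external segment it tells you whether anything other than the four planned VRIDs is announcing itself there. The checksum is recomputed with the checksum field zeroed rather than by summing the message and checking for 0xFFFF, so a corrupted packet is reported as malformed instead of being silently attributed to a VRID.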
Current thread:
- Nokia firewall solution Lee, Gary (Mar 25)
- <Possible follow-ups>
- Re: Nokia firewall solution Lart (Mar 26)
- RE: Nokia firewall solution John McDonald (Mar 26)
- Re: Nokia firewall solution Lart (Mar 28)
- RE: Nokia firewall solution John McDonald (Mar 29)