Firewall Wizards mailing list archives

RE: Nokia firewall solution


From: John McDonald <Johnm () Networkguys com>
Date: Mon, 29 Mar 1999 08:38:34 -0800

You make it sound so simplistic, which it is, if you're talking about
setting a few of the 440's up in a simple environment like you gave is
the net amp for. However, how would you go about setting up these little
guys in an asymmetrical routing environment with two *different* ISPs
running DS3's and the boxes connected on two different networks
connected via Fast Ethernet? The purpose is that if a connection fails the
2nd Nokia will start ARPing for the packets and failover will happen
without dropped packets. This is accomplished quite well through BGP4;
however, this particular customer does not want to use BGP4 due to its
complexity.

This is the difficult environment I was speaking of.


John D. McDonald 

Phone: 510.713.8880 ext. 306 
Fax:      510.713.3456 
E-mail: JohnM () NetworkGuys com
Web:    www.NetworkGuys.com

Secure Enterprise Connectivity
Managed Security        Managed Firewall
Anti-Virus-Vandal       Firewalls
Security Audits VPN
Digital Certificates    Security Systems
24x7 Network Monitoring/Hacker intrusion


                -----Original Message-----
                From:   Lart [mailto:lart () hacksec org]
                Sent:   Saturday, March 27, 1999 6:34 AM
                To:     firewall-wizards () nfr net
                Subject:        Re: Nokia firewall solution

                On Thu, Mar 25, 1999 at 03:45:53PM -0800, John McDonald wrote:
                : You cannot use them for High availability on your gateway
                : without using another router in front of them due to the
                : fact that you can't use the Nokia HA protocols on the
                : Internet.

                Just because Nokia says you *can* use an IP400 as a router
                doesn't mean that you really should.... <g>

                : They work great behind a router (and what's the chance that
                : your router is going to go down?) also the VRRP is quite
                : tricky to set up.

                VRRP is not hard to set up at all.  You need to plan out your
                VRIDs, and set your firewall rules to allow the multicasts for
                VRRP.

                : There tend to be a tremendous amount of routing issues even
                : in the most simplistic environment due to the HA. (lots of
                : HUBS).

                No more hubs/vlans than you'd already have.  The link between
                the boxes is a crossover cable.

                : BTW. If you are planning on HEAVY traffic through this box
                : you may consider the Nokia IP650. MUCH FASTER.

                If IP440's can handle up to 98 Mbps (as they were tested), you
                could reliably expect full DS-3 speeds.

                Seriously though folks, lots of companies make mountains out
                of mole hills when it comes to setting up VRRP.  In fact,
                here's a cookbook:

                You've got two IP440's.  Let's call them 1 and 2.  You've got
                a single quad ethernet in each box.  Nokia's naming scheme for
                these cards is eth-s<slot>p<port>.  So, the first port on the
                first card is eth-s1p1.

                            +-------+
                            | I-Net |                On each box, set up
                            | Router|                the interfaces as:
                            |       |
                            +-------+                s1p1: external
                                |                    s1p2: internal
                      +---------+---------+          s1p3: crossover
                      |                   |
                  +-------+           +-------+
                  |       |           |       |      Box 1 VRIDs:
                  |   1   |-----------|   2   |      s1p1=111
                  |       |           |       |      s1p2=112
                  +-------+           +-------+
                      |                   |          Box 2 VRIDs:
                      +---------+---------+          s1p1=211
                                |                    s1p2=212
                            +-------+
                            | Choke |
                            | Router|
                            |       |
                            +-------+

                First, turn on OSPF on each box's eth-s1p3.  Export interface
                routes and statics into OSPF external.  Set up VRRP on each of
                the s1p1 and s1p2 interfaces so that it "backs up itself".
                After you've done that, it's safe to have the interfaces back
                up the partner interfaces.

                If you are running NAT, you have to consider the case where the
                external interface on the primary box fails.  Traffic will
                enter box 1, and since VRRP has done its stuff, and OSPF
                between the boxes has re-advertised the failed interface via
                box 2, the traffic will flow over the crossover cable into
                box 2.  Since you're running NAT, when the traffic leaves
                box 1, the addresses will be translated (before they hit
                box 2).  Your rules need to account for that case.  If you're
                not running NAT, this case is irrelevant to you.

                If you've got a good networking staff, you can work out the
                logistics yourself.  You may, or may not, however, have
                security specialists, so it may be beneficial to have someone
                in to help design your firewall rules.
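As an added worked example (not code from the thread or from Nokia), the two-IP440 cookbook quoted above modelled in Python: which interface holds each VRID after a failure, the path inside traffic takes over the crossover when box 1's external interface dies (the NAT case), and the control-plane traffic the rulebase has to permit. The VRRP priorities, the choke router's gateway choice and the box names are assumptions; the VRIDs and interface names are the post's.

```python
# Added example, not from the thread: a small model of the two-IP440 cookbook
# above (VRIDs, OSPF on the crossover, NAT before the crossover).
# Box/interface names and VRIDs are from the post; VRRP priorities and the
# choke router's gateway choice are assumptions.
VRRP_PROTO, VRRP_MCAST = 112, "224.0.0.18"                # VRRP, RFC 2338
OSPF_PROTO, OSPF_MCAST = 89, {"224.0.0.5", "224.0.0.6"}   # OSPF, RFC 2328

# (box, iface) -> {vrid: priority}.  Each interface "backs up itself" (its own
# VRID, high priority) and the partner's VRID on the same segment (low priority).
VRRP = {
    ("box1", "eth-s1p1"): {111: 250, 211: 100},
    ("box1", "eth-s1p2"): {112: 250, 212: 100},
    ("box2", "eth-s1p1"): {211: 250, 111: 100},
    ("box2", "eth-s1p2"): {212: 250, 112: 100},
}

def masters(failed=frozenset()):
    """vrid -> (box, iface) holding the virtual address, given failed interfaces."""
    best = {}
    for key, vrids in VRRP.items():
        if key in failed:
            continue                      # a dead interface sends no adverts
        for vrid, prio in vrids.items():
            if vrid not in best or prio > best[vrid][0]:
                best[vrid] = (prio, key)
    return {vrid: key for vrid, (_, key) in best.items()}

def outbound_path(failed=frozenset()):
    """Hops an inside packet takes to the I-Net router, plus a flag that is True
    when it is NATed on the entry box and then crosses eth-s1p3 (the case the
    post says the partner's rules must account for)."""
    entry = masters(failed)[112][0]       # choke router's gateway = VRID 112 VIP (assumed)
    hops = [("choke", entry, "eth-s1p2")]
    exit_box = entry
    if (entry, "eth-s1p1") in failed:     # own external is dead: OSPF over the
        exit_box = "box2" if entry == "box1" else "box1"   # crossover points at partner
        hops.append((entry, exit_box, "eth-s1p3"))
    hops.append((exit_box, "inet-router", "eth-s1p1"))
    return hops, exit_box != entry

def control_plane_allowed(iface, proto, dst):
    """The rule the post says you need: VRRP multicast on the VRRP interfaces,
    OSPF multicast on the crossover, and nothing else from this set."""
    if iface in ("eth-s1p1", "eth-s1p2"):
        return proto == VRRP_PROTO and dst == VRRP_MCAST
    if iface == "eth-s1p3":
        return proto == OSPF_PROTO and dst in OSPF_MCAST
    return False

if __name__ == "__main__":
    print(masters({("box1", "eth-s1p1")}))
    print(outbound_path({("box1", "eth-s1p1")}))
```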
