Firewall Wizards mailing list archives
RE: Nokia firewall solution
From: John McDonald <Johnm () Networkguys com>
Date: Mon, 29 Mar 1999 08:38:34 -0800
You make it sound so simplistic, which it is, if you're talking about setting a few of the 440s up in a simple environment like the one you gave the net map for. However, how would you go about setting up these little guys in an asymmetrical routing environment with two *different* ISPs running DS3s, where the boxes are connected on two different networks connected via Fast Ethernet? The purpose is that if a connection fails, the 2nd Nokia will start ARPing for the packets and failover will happen without dropped packets. This is accomplished quite well through BGP4; however, this particular customer does not want to use BGP4 due to its complexity. This is the difficult environment I was speaking of.

John D. McDonald
Phone: 510.713.8880 ext. 306
Fax: 510.713.3456
E-mail: JohnM () NetworkGuys com
Web: www.NetworkGuys.com
Secure Enterprise Connectivity: Managed Security, Managed Firewall, Anti-Virus/Vandal Firewalls, Security Audits, VPN, Digital Certificates, Security Systems, 24x7 Network Monitoring/Hacker Intrusion

-----Original Message-----
From: Lart [mailto:lart () hacksec org]
Sent: Saturday, March 27, 1999 6:34 AM
To: firewall-wizards () nfr net
Subject: Re: Nokia firewall solution

On Thu, Mar 25, 1999 at 03:45:53PM -0800, John McDonald wrote:
: You cannot use them for High availability on your gateway without using
: another router in front of them due to the fact that you can't use the
: Nokia HA protocols on the Internet.

Just because Nokia says you *can* use an IP400 as a router doesn't mean that you really should.... <g>

: They work great behind a router (and what's the chance that your router
: is going to go down?). Also, the VRRP is quite tricky to set up.

VRRP is not hard to set up at all. You need to plan out your VRIDs, and set your firewall rules to allow the multicasts for VRRP.

: There tend to be a tremendous amount of routing issues even in the most
: simplistic environment due to the HA (lots of HUBS).

No more hubs/VLANs than you'd already have. The link between the boxes is a crossover cable.

: BTW, if you are planning on HEAVY traffic through this box you may
: consider the Nokia IP650. MUCH FASTER.

If IP440s can handle up to 98 Mbps (as they were tested), you could reliably expect full DS-3 speeds.

Seriously though folks, lots of companies make mountains out of molehills when it comes to setting up VRRP. In fact, here's a cookbook:

You've got two IP440s. Let's call them 1 and 2. You've got a single quad Ethernet in each box. Nokia's naming scheme for these cards is eth-s<slot>p<port>. So, the first port on the first card is eth-s1p1.

              +-------+
              | I-Net |
              | Router|
              |       |
              +-------+
                  |
        +---------+---------+
        |                   |
    +-------+           +-------+
    |       |           |       |
    |   1   |-----------|   2   |
    |       |           |       |
    +-------+           +-------+
        |                   |
        +---------+---------+
                  |
              +-------+
              | Choke |
              | Router|
              |       |
              +-------+

On each box, set up the interfaces as:
    s1p1: external
    s1p2: internal
    s1p3: crossover

Box 1 VRIDs:
    s1p1=111
    s1p2=112

Box 2 VRIDs:
    s1p1=211
    s1p2=212

First, turn on OSPF on each box's eth-s1p3. Export interface routes and statics into OSPF external. Set up VRRP on each of the s1p1 and s1p2 interfaces so that it "backs up itself". After you've done that, it's safe to have the interfaces back up the partner interfaces.

If you are running NAT, you have to consider the case where the external interface on the primary box fails. Traffic will enter box 1, and since VRRP has done its stuff, and OSPF between the boxes has re-advertised the failed interface via box 2, the traffic will flow over the crossover cable into box 2. Since you're running NAT, when the traffic leaves box 1, the addresses will be translated (before they hit box 2). Your rules need to account for that case. If you're not running NAT, this case is irrelevant to you.

If you've got a good networking staff, you can work out the logistics yourself. You may, or may not, however, have security specialists, so it may be beneficial to have someone in to help design your firewall rules.
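The "multicasts for VRRP" that the cookbook says your firewall rules must permit are VRRPv2 advertisements (RFC 2338), sent as IP protocol 112 to 224.0.0.18. As an added example that is not from the thread or from Nokia, the Python below builds and validates such an advertisement and checks its VRID against the cookbook's 111/112/211/212 numbering, which is useful when auditing a capture on the s1p1 or s1p2 segments for advertisements that should not be there; the 192.0.2.1 address is a constructed sample.

```python
import struct
from ipaddress import IPv4Address

# VRRPv2 (RFC 2338) advertisements travel as IP protocol 112 to 224.0.0.18;
# those are the "multicasts for VRRP" that the rules on each box must permit.
# VRID numbering taken from the cookbook: box 1 owns 111/112, box 2 owns 211/212.
EXPECTED_VRIDS = {111: "box1 eth-s1p1", 112: "box1 eth-s1p2",
                  211: "box2 eth-s1p1", 212: "box2 eth-s1p2"}


def vrrp_checksum(data: bytes) -> int:
    """One's complement of the one's complement sum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(vrid: int, priority: int, addrs: list, adver_int: int = 1) -> bytes:
    """Encode a VRRPv2 advertisement (type 1), auth type 0, 8 zero bytes of auth data."""
    head = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(addrs), 0, adver_int, 0)
    pkt = head + b"".join(IPv4Address(a).packed for a in addrs) + bytes(8)
    return pkt[:6] + struct.pack("!H", vrrp_checksum(pkt)) + pkt[8:]


def parse_advert(pkt: bytes) -> dict:
    """Decode and validate an advertisement; raises ValueError when it is malformed."""
    if len(pkt) < 16:
        raise ValueError("short VRRP message")
    vt, vrid, prio, count, auth, adver_int, csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != 16 + 4 * count:
        raise ValueError("length does not match address count")
    if vrrp_checksum(pkt[:6] + b"\x00\x00" + pkt[8:]) != csum:
        raise ValueError("bad checksum")
    addrs = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "auth_type": auth, "adver_int": adver_int,
            "addresses": addrs, "owner": EXPECTED_VRIDS.get(vrid, "UNEXPECTED VRID")}


def is_valid_advert(pkt: bytes) -> bool:
    """True when the message parses and its checksum verifies."""
    try:
        parse_advert(pkt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: box 1 advertising VRID 111 for external VIP 192.0.2.1.
    sample = build_advert(111, 255, ["192.0.2.1"])
    print(parse_advert(sample))
```

Any advertisement whose owner comes back as UNEXPECTED VRID, or that fails the checksum, is something the rule allowing 224.0.0.18 let through that the design did not plan for.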