EIGRP through firewall

Russell Starr
Level 1

I hope I got the right forum/topic here. I have something I need to work around. I have two Cisco routers divided by an OpenBSD firewall. The two routers will need to speak EIGRP.

I was told this can be performed with a tunnel. I tried researching the possible solution, but I could not find an answer.

I understand EIGRP uses multicast for communication. Is this a matter of forwarding ports, tunneling multicast traffic, or what?

Here is a simplified/relevant network diagram.

(Cisco A)-----(OpenBSD/pf)-----(Cisco B)

Fairly easy concept... Cisco A and Cisco B need to become EIGRP neighbors and exchange routes.

Can someone please point me in the right direction?

I know I will get suggestions to remove the firewall, but that's not my choice.

Respectively,

Russ Starr

11 Replies

Harold Ritter
Cisco Employee

A couple of things to consider:

- Running Eigrp through a Tunnel is creating a major breach in your FW.

- Eigrp uses multicast by default but can be configured to use unicast with the neighbor statement.

- Eigrp could be configured to run through the FW if configured with the neighbor statement but this is a hack and is not at all recommended.

- The best way to carry dynamic routing updates through a FW is to use BGP. BGP is TCP based and doesn't need to be directly connected to its peer. You could then redistribute in Eigrp on router A and B.

This is the recommended approach and we have tons of customers doing that.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Hi hritter,

The BGP option sounds nice.

But, I have a question about the EIGRP method you suggested.

As much as I know, EIGRP hellos are sent out with a TTL of 2, which means they can't traverse another Layer 3 IP-capable device.

Is it tested and proved to work that the EIGRP packets' TTL is increased when the neighbor command is used?

Thanks in advance!

Arav

I have a curious question. Why do you have a firewall between the two routers? Are you blocking one department from another department?

If I could understand the reason behind the network design, other alternatives could be suggested.

Thanks

Thanks everyone for the responses.

Using BGP will probably be our best bet. They are separated by a firewall because it is another company. We just need to control what traffic can go through. We use one of their servers for a special application. This is just one of those things that has been implemented before I got here.

I'd like to just throw on another ethernet interface on each router and I can control traffic through access lists.

In reality, that's probably what I'll end up doing. I asked after I had posted this originally, but it is now my choice to use the firewall. I don't think it is worth the extra configuration and trouble to have it there... especially since it doesn't speak EIGRP. The only thing I have to worry about is filtering packets. That means I'll have to sit down with a packet sniffer and the other company and establish what ports and protocols need to be allowed.

Thanks everyone for getting me on the right track. I'm still open to suggestions though.

A TTL of 2 is sufficient for packets to traverse the FW and get to the router on the other side.

TTL is equal to 2 for EIGRP packets whether you use a multicast (224.0.0.10) or unicast address.

But as I stated before, don't even think about it ;o)

Harold Ritter

I'll give you a very specific reason not to think about it... :-) You should never use an IGP to trade live routing information with a network outside your control. It doesn't matter if you have a firewall in the middle or not. Don't use EIGRP to trade routing information with a network outside your administrative control.

The place where we actually tell people to use EIGRP across a firewall is just to get a default route across, so you can tell liveness using the protocol you're already using. You could also advertise your public space out, for the same reason.

:-)

Russ.W
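Harold's BGP-across-the-firewall recommendation combined with Russ W's caveat (exchange only a default route and your own public space, never live IGP state), as an added Cisco IOS configuration example for Cisco A that is not part of any post in this thread. All addresses, AS numbers, process numbers and the shared secret are assumptions; the pf box then only needs to pass one TCP/179 session between 192.0.2.1 and 192.0.2.2, and no multicast at all.

```cisco
! Cisco A: assumed AS 65001, 192.0.2.1 facing pf; Cisco B: assumed AS 65002, 192.0.2.2
! Accept only a default route from the partner, send only our public block to them.
ip prefix-list FROM-PARTNER seq 10 permit 0.0.0.0/0
ip prefix-list TO-PARTNER seq 10 permit 198.51.100.0/24
! Anchor route so the "network" statement below has something to advertise (198.51.100.0/24 is assumed).
ip route 198.51.100.0 255.255.255.0 Null0
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 description partner router B, reached through the pf firewall
 ! A and B are two routed hops apart (pf decrements TTL once); ttl-security replaces
 ! ebgp-multihop and drops session attempts arriving from farther away.
 neighbor 192.0.2.2 ttl-security hops 2
 ! TCP MD5 on the session; placeholder secret, agree a real one with the partner.
 neighbor 192.0.2.2 password SHARED-SECRET-PLACEHOLDER
 neighbor 192.0.2.2 prefix-list FROM-PARTNER in
 neighbor 192.0.2.2 prefix-list TO-PARTNER out
 ! Tear the session down if the partner ever sends more than a handful of prefixes.
 neighbor 192.0.2.2 maximum-prefix 10
 network 198.51.100.0 mask 255.255.255.0
!
router eigrp 100
 network 10.0.0.0
 ! Carry the partner's default into EIGRP; EIGRP needs an explicit seed metric
 ! (bandwidth, delay, reliability, load, MTU) for redistributed routes.
 redistribute bgp 65001 metric 10000 100 255 1 1500
 no auto-summary
```

Cisco B mirrors this with the AS numbers, addresses and prefix-lists swapped; the IGP-into-BGP direction is deliberately left out so nothing internal leaks beyond the listed public block.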


Thanks for the update to the scenario. My vote is static routes. I trust no one and would not want to have to rely on another company.

Static would be great, but we have redundant paths to this other company. So we really have two portions of our network that look like this.

I don't think I can do auto failover without a routing protocol. Floating static routes really won't work because it doesn't know if a route is "bad" since it's routing it through another router.

Russ

There is a fairly new feature in IOS which may help you with this. It is called Object Tracking and can be used to determine whether remote objects (like remote IP addresses) are reachable. With Object Tracking you can tie a static route to the reachability of a remote address and as long as the address is reachable the static route is valid and if the address becomes unreachable the static route is withdrawn. This link has information that can help get you started:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide09186a00801d862d.html

HTH

Rick

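Rick's Object Tracking suggestion written out as an added Cisco IOS example for Cisco A; this is not configuration from the thread or from the linked feature guide, and the addresses, interface name, SLA and track numbers are assumptions (older IOS trains use "rtr" instead of "ip sla" for the probe). The probe only proves that Cisco B's address answers pings through pf, so the pf policy has to allow the ICMP echo out and the echo-reply back, and the static route is withdrawn on the timer you configure here rather than on any knowledge of what lies behind B.

```cisco
! Assumed topology: Cisco A -> pf -> Cisco B at 192.0.2.2; 10.1.1.0/24 is reached via B;
! 10.2.2.2 is the assumed next hop on the redundant path to the other company.
!
! ICMP probe toward B's firewall-facing address every 10 seconds.
ip sla 1
 icmp-echo 192.0.2.2 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Tracked object follows the probe; damp flaps so one lost reply does not flip routing.
track 1 ip sla 1 reachability
 delay down 30 up 10
!
! Primary static route lives only while track 1 is up.
ip route 10.1.1.0 255.255.255.0 192.0.2.2 track 1
! Floating static on the redundant path takes over once the primary is withdrawn.
ip route 10.1.1.0 255.255.255.0 10.2.2.2 250
```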

Yes--as long as the pings will go through the firewall, and the ICMP replies will come back, and you're willing to accept the timers you can get that way, etc. There are ups and downs to each technique--using object tracking with pings, using EIGRP, using BGP, etc.

:-)

Russ.W
