Redundant routing issue

Craig Rees
Level 1

I have the following network setup

remote--PVC1--R1in--PIX1--R1out--Provider

--PVC2--R2in--PIX2--R2out--

Between the remote and r1&r2in I am running EIGRP 10. Between r1&r2out and provider I am running EIGRP 100.

I am looking to have full redundancy between the remote router up to r1&r2out routers.

What is the best way to do this without causing Asymmetrical routing?

2 Replies

johansens
Level 4

If you don't have any L2 adjacency on the PIX1 and PIX2 firewalls (i.e. they are running separately, not fault-tolerant), you will need to do one of two things:

1) Run GRE tunnels between the R1xxx routers and likewise between the R2xxx routers for running a routing-protocol (f.ex. the EIGRP's) over the PIX'es (and then all the traffic)

2) Run a routing-protocol on the PIX'es (RIP or OSPF) and redistribute between this and the EIGRP processes.

I guess alternative 1 is not wanted as then the PIX'es would not be needed anymore for this traffic.

Your ASCII diagram did not survive formatting, so correct me if I am suggesting a solution to the wrong problem. I'm assuming "remote" has one PVC to R1in and one PVC to R2in, while R1out and R2out connect to "Provider."

Your challenge is to detect when communications are lost going through PIX1 and when communications are lost going through PIX2 (keep in mind that "through PIX1" includes failure of PVC1, R1in, PIX1, R1out, and the link from R1out to provider). Any solution which does not track all the way from remote to provider will be subject to failure.

So far, you have EIGRP 10 covering remote to the "in" routers and EIGRP 100 covering "out" to provider. What you're missing is coverage from r1in to r1out and from r2in to r2out. Providing this coverage is not difficult, but if done wrong can have a significant impact on security. After all, if the in's could trust the out's, you wouldn't need the PIXes.

Some people will probably suggest a GRE tunnel to support routing between the in and out routers through the PIXes. This is easy to set up, but is only acceptable from a security viewpoint if both sides of the PIX are trustworthy. It also assumes that NAT is not being used on the PIX.

If you can't fully trust both sides, you can use BGP through the PIXes to control floating static routes which in turn are redistributed into the local EIGRPs.

This approach is significantly more complex, but allows complete control over what is trusted and prevents disruption of the routing tables across the PIX, even if one of the routers is "owned" by a hacker. The worst that can be done is that the failure of the route will not be recognized. By isolating the routing information, there is no path for a hacker to inject bogus routes into the routing tables on the other side of the firewall.

> I am looking to have full redundancy between the

> remote router up to r1&r2out routers.

There is a white paper on my web site which shows how to set up BGP through firewalls for complete redundancy with no single point of failure. (Don't forget that any hubs or switches used to connect routers and PIXes must also be able to fail without loss of communications).

> What is the best way to do this without causing

> Asymmetrical routing?

If you want "load balancing" as well as "robust redundancy" the configuration gets more complex--you'll probably find that policy routing (implemented to fail over as required, be careful you don't break that in the process) is the easiest approach. The trick is to find a characteristic of the communications which can be used to classify the flows into two relatively equal subsets. You'll also need to evaluate whether your application can survive failover from one PIX to the other.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com
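The "BGP through the PIX controlling static routes" design from the reply above, sketched as an added IOS/PIX configuration fragment. This is an illustration written for this page, not the white paper's configuration and not anything posted in the thread. Every address, AS number and name in it is constructed; it assumes PIX 6.x syntax, that the router-to-router session is not translated by the PIX, and that R2in/R2out are configured the same way with their own addresses and a higher administrative distance on their static so the PIX2 path floats in only when the PIX1 path is gone.

```cisco
! Added example of BGP across a PIX controlling statics; all values constructed.
!   R1in  fa0/1 192.0.2.1/30    <->  PIX1 inside  192.0.2.2
!   R1out fa0/1 198.51.100.1/30 <->  PIX1 outside 198.51.100.2
!   Inside networks 10.1.0.0/16; remote router 10.1.0.1 is learned by R1in via EIGRP 10
!   Provider router 203.0.113.1 is learned by R1out via EIGRP 100
!   Marker prefixes: 10.255.1.1/32 announced by R1in, 10.255.1.2/32 announced by R1out
!
! ===== R1in (inside, EIGRP 10) =====
! Marker for "I can still reach the remote": a static whose next hop is only known via
! EIGRP 10, so the marker (and its BGP announcement) disappears when PVC1 is lost.
ip route 10.255.1.1 255.255.255.255 10.1.0.1
! The BGP peer address behind PIX1 is reached by a static, never by a learned route
ip route 198.51.100.0 255.255.255.252 192.0.2.2
!
! The only prefix each side may announce or accept is the other side's marker /32
ip prefix-list PEER-MARKER seq 5 permit 10.255.1.2/32
ip prefix-list MY-MARKER   seq 5 permit 10.255.1.1/32
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 10.255.1.1 mask 255.255.255.255
 neighbor 198.51.100.1 remote-as 65002
 neighbor 198.51.100.1 ebgp-multihop 2
 neighbor 198.51.100.1 password BGP-SECRET-PLACEHOLDER
 neighbor 198.51.100.1 timers 10 30
 neighbor 198.51.100.1 prefix-list PEER-MARKER in
 neighbor 198.51.100.1 prefix-list MY-MARKER out
 neighbor 198.51.100.1 maximum-prefix 1
 no auto-summary
!
! The controlled static: its next hop is R1out's marker, which is in the RIB only while
! the session is up AND R1out still sees the provider. Everything else the far side
! sends is filtered, so a compromised R1out can withhold the marker but not inject routes.
ip route 0.0.0.0 0.0.0.0 10.255.1.2 name VIA-PIX1
!
router eigrp 10
 network 10.1.0.0 0.0.255.255
 redistribute static metric 10000 100 255 1 1500
 no auto-summary
!
! ===== R2in: identical apart from its own addresses, except that the static floats =====
! Distance 250 loses to the EIGRP external (distance 170) that R2in hears from R1in, so
! the PIX2 default is installed, and therefore redistributed, only after R1in's is gone.
!   ip route 0.0.0.0 0.0.0.0 10.255.2.2 250 name VIA-PIX2
!
! ===== R1out (outside, EIGRP 100): mirror image =====
! Marker depends on a provider-side address learned via EIGRP 100
ip route 10.255.1.2 255.255.255.255 203.0.113.1
ip route 192.0.2.0 255.255.255.252 198.51.100.2
ip prefix-list PEER-MARKER seq 5 permit 10.255.1.1/32
ip prefix-list MY-MARKER   seq 5 permit 10.255.1.2/32
router bgp 65002
 no synchronization
 bgp log-neighbor-changes
 network 10.255.1.2 mask 255.255.255.255
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 ebgp-multihop 2
 neighbor 192.0.2.1 password BGP-SECRET-PLACEHOLDER
 neighbor 192.0.2.1 timers 10 30
 neighbor 192.0.2.1 prefix-list PEER-MARKER in
 neighbor 192.0.2.1 prefix-list MY-MARKER out
 neighbor 192.0.2.1 maximum-prefix 1
 no auto-summary
! Return path toward the inside networks hangs off R1in's marker (R2out uses distance 250)
ip route 10.1.0.0 255.255.0.0 10.255.1.1 name VIA-PIX1
router eigrp 100
 network 203.0.113.0 0.0.0.255
 redistribute static metric 10000 100 255 1 1500
 no auto-summary
!
! ===== PIX1 (PIX 6.x syntax): the routers may only talk BGP to each other =====
! Identity translation so the peering is not NATed; norandomseq keeps the TCP MD5
! signature valid across the PIX. User traffic keeps whatever nat/global it has today.
static (inside,outside) 192.0.2.1 192.0.2.1 netmask 255.255.255.255 norandomseq
access-list outside_in permit tcp host 198.51.100.1 host 192.0.2.1 eq 179
access-group outside_in in interface outside
route inside 10.1.0.0 255.255.0.0 192.0.2.1
route outside 0.0.0.0 0.0.0.0 198.51.100.1
```

Because both in-routers and both out-routers prefer the PIX1 path by distance and fall back to PIX2 together when the marker through PIX1 is withdrawn, forwarding stays symmetric in both the normal and the failed state. To confirm the dependency chain on a router, `show ip bgp summary` should show exactly one prefix received, and `show ip route 0.0.0.0` on R1in should show the default resolving through the marker; pulling PVC1 or the provider link should make both the marker and the default leave the table within the BGP hold time.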
