#1 darkerosxx (Senior Member; joined Dec 2007; 1,336 posts)

    Routing Protocols on Firewalls from a Design Standpoint

    What routing protocols, if any, do you feel it's okay to use on firewalls, from a design standpoint?

    With the extra load it's going to put on firewalls, which do you feel it's okay to use, if any?

#2 Senior Member (joined Mar 2007; 958 posts; certifications: MCSE, MCP+I, MCP, A+, CCNA certified, Cisco Networking Academy Semester 4 graduate)

    Re: Routing Protocols on Firewalls from a Design Standpoint

    Quote Originally Posted by darkerosxx
    What routing protocols, if any, do you feel it's okay to use on firewalls, from a design standpoint?

    With the extra load it's going to put on firewalls, which do you feel it's okay to use, if any?
    darkerosxx,

    It depends. Are you talking about IOS firewalls on routers/L3Switches or routers/L3Switches in conjunction with a firewall device?

#3 Senior Member (joined Dec 2006; Ontario; 1,092 posts)
    Quite often I see just static and default routes on FWs. I think you have to take security into consideration as well when talking about this subject (as in, the device advertising its networks).

    Also depends on the placement. Usually FW traffic is either in one end and out the other, or vice versa. No point in really trying to figure out where to send something when there is only 1 direction left to send it.

#4 networker050184 (Moderator, "Went to the dark side...."; joined Jul 2007; 11,679 posts; certifications: CCNA, CCNP, CCIP, JNCIA-JUNOS, JNCIS-SP, JNCIP-SP, MCA200)
    Quote Originally Posted by GT-Rob
    Also depends on the placement. Usually FW traffic is either in one end and out the other, or vice versa. No point in really trying to figure out where to send something when there is only 1 direction left to send it.
    Agreed. I haven't seen a situation that has warranted routing protocols on a dedicated firewall when a few static routes will do.

    I say leave the routing to the router and the security to the firewall. The less overhead and unnecessary services running the faster each box will be able to do its primary function.
    An expert is a man who has made all the mistakes which can be made.

#5 dtlokee (Village Idiot; joined Mar 2007; NJ; 2,389 posts; certifications: CCIE #19991 R+S, CCNA, CCNP, CCIP, CCVP, CCSP, CCSI, MCSE NT4.0, 2000, 2003, + Messaging and Security, MCDBA, MCSD, MCAD)
    It really can vary. If the firewall is at the edge of your network then it's pretty easy to use static routing, but when it's in the middle of the network that is a different story.

    Other considerations include failover designs (VPN backup to a WAN link), and when firewalls are used to load balance incoming RA VPN sessions and you're using RRI. In these cases it will typically be necessary to use dynamic routing protocols.

#6 darkerosxx (Senior Member; joined Dec 2007; 1,336 posts)
    So my next question is if you're using dynamic routing protocols everywhere else, should you use them on firewalls?

    I've read about the security issues, but I'm wondering about efficiency, really.

#7 Senior Member (joined Dec 2006; Ontario; 1,092 posts)
    You can mix static and dynamic routing protocols no problem. Again, it's going to depend where the FW is placed, but I 'usually' only ever see static routes on dedicated FWs.

#8 Senior Member (joined Apr 2005; 901 posts; certifications: CCDE #20170037, CCNP/DP and quite a few more from various vendors.....)
    Static routes are usually deployed on perimeter firewalls and public facing devices such as VPN concentrators in my experience.

    Static routes are configured on the firewall to route traffic to the core LAN switch. The LAN core switch would run a dynamic routing protocol such as OSPF etc. between corporate LAN/WAN VLANs (i.e. server VLAN, voice VLAN, WAN VLAN etc.) & networks configured on the LAN core switch.

    Remember you would also need static routes configured on the core LAN switch to route traffic back to the networks which hang off the firewall i.e. internet gateway, DMZs etc.
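The design described in this post, written out as an added configuration example (constructed for this thread, not taken from the post or from any vendor document): a Cisco ASA perimeter firewall with static routes only, and a Cisco IOS L3 core switch that runs OSPF between the internal VLANs and points static routes back at the firewall for the DMZ and the Internet default. Every address, interface name and VLAN number below is made up for the example.

```cisco
! --- Perimeter firewall (Cisco ASA), static routing only ---------------------
! Addresses, interface names and VLAN numbers are constructed for this example.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.255.255.1 255.255.255.252
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Default route toward the ISP; no routing protocol runs on the firewall.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! One summary static for the whole corporate LAN/WAN with the core switch as
! next hop. The core switch, not the firewall, knows the individual VLAN
! subnets through OSPF, and the firewall never advertises anything.
route inside 10.0.0.0 255.0.0.0 10.255.255.2 1

! --- Core L3 switch (Cisco IOS), OSPF internally ----------------------------
interface Vlan999
 description Link to the firewall inside interface (not in OSPF)
 ip address 10.255.255.2 255.255.255.252
!
interface Vlan10
 description Server VLAN
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan20
 description Voice VLAN
 ip address 10.20.0.1 255.255.255.0
!
interface Vlan30
 description WAN VLAN toward the WAN router (OSPF neighbour)
 ip address 10.30.0.1 255.255.255.0
!
! Return path: static routes back to the networks that hang off the firewall.
ip route 0.0.0.0 0.0.0.0 10.255.255.1
ip route 192.0.2.0 255.255.255.0 10.255.255.1
!
router ospf 1
 router-id 10.255.255.2
 ! Only the WAN VLAN forms adjacencies; server and voice VLANs are advertised
 ! but passive, and the firewall link is not in OSPF at all, so no hellos or
 ! LSAs ever reach the firewall.
 passive-interface default
 no passive-interface Vlan30
 network 10.10.0.0 0.0.0.255 area 0
 network 10.20.0.0 0.0.0.255 area 0
 network 10.30.0.0 0.0.0.255 area 0
 ! Hand the Internet default and the DMZ static to the rest of the OSPF domain
 ! so the WAN router also sends Internet and DMZ traffic toward this switch.
 default-information originate
 redistribute static subnets
```

Two things to check after deploying something like this: `show route` on the ASA should contain only the connected, default and 10.0.0.0/8 entries, and `show ip ospf neighbor` on the core switch should list only the WAN router, never the firewall. Any internal subnet that is not covered by the firewall's summary static is unreachable from the DMZ and the Internet, which is the trade-off for keeping the firewall out of the routing domain.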

#9 dtlokee (Village Idiot; joined Mar 2007; NJ; 2,389 posts; certifications: CCIE #19991 R+S, CCNA, CCNP, CCIP, CCVP, CCSP, CCSI, MCSE NT4.0, 2000, 2003, + Messaging and Security, MCDBA, MCSD, MCAD)
    If you are using NAT on the firewall then it becomes the edge of the routing domain and doesn't need you to configure dynamic routing across it; static routes should be fine. Should you use a dynamic routing protocol on the firewall? Most likely not, but in cases where there are multiple internet connections it may be used to provide an alternate path to another firewall if one should fail. This could be a BGP configuration (not from the ASA), dynamic routing, or dynamic routing combined with floating static routes.
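An added configuration example (constructed for this thread, not from the post) of the "dynamic routing combined with floating static routes" case: firewall A runs OSPF on its inside interface only and originates the Internet default, the core switch learns it as an OSPF external route (administrative distance 110), and a floating static default toward firewall B with administrative distance 250 sits in the configuration unused until the OSPF default disappears. The SLA tracking on firewall A is what makes the default actually disappear when the ISP next hop dies rather than only when the cable is pulled. Addresses, interface names and VLAN numbers are made up for the example.

```cisco
! --- Firewall A (Cisco ASA): primary Internet path, OSPF on the inside only --
! Addresses and names are constructed for this example.
! Ping the ISP next hop; when it stops answering, withdraw the tracked default.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
router ospf 1
 router-id 10.255.255.1
 ! Only the inside /30 toward the core is in OSPF; nothing facing the
 ! Internet ever sends or receives OSPF.
 network 10.255.255.0 255.255.255.252 area 0
 ! Without the "always" keyword the default is advertised only while a
 ! default route is in the routing table, so it is withdrawn when track 1
 ! goes down.
 default-information originate

! --- Firewall B (Cisco ASA): backup Internet path, static only ---------------
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 10.0.0.0 255.0.0.0 10.255.254.2 1

! --- Core L3 switch (Cisco IOS) ----------------------------------------------
interface Vlan999
 description Inside link to firewall A (OSPF neighbour)
 ip address 10.255.255.2 255.255.255.252
!
interface Vlan998
 description Inside link to firewall B (no routing protocol)
 ip address 10.255.254.2 255.255.255.252
!
router ospf 1
 router-id 10.255.255.2
 ! Everything is passive except the link to firewall A, so firewall B and the
 ! user VLANs never see OSPF hellos.
 passive-interface default
 no passive-interface Vlan999
 network 10.0.0.0 0.255.255.255 area 0
!
! Floating static default toward firewall B. AD 250 loses to the OSPF-learned
! default (AD 110) while firewall A advertises one; once firewall A stops
! advertising it, this route is installed and Internet traffic shifts to B.
ip route 0.0.0.0 0.0.0.0 10.255.254.1 250
```

On the core switch `show ip route 0.0.0.0` should show the O*E2 default via 10.255.255.1 in normal operation and the static via 10.255.254.1 only after firewall A withdraws its default. Two caveats a practitioner should expect: firewall B holds none of firewall A's connection state (and NATs behind a different ISP address), so existing sessions reset when the path moves, and failback happens as soon as firewall A's track comes up again, which is worth dampening with a longer SLA frequency or timeout if the primary link flaps.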

#10 darkerosxx (Senior Member; joined Dec 2007; 1,336 posts)
    Thanks for the help, guys.

    We were discussing this at work and the two questions came up about using OSPF on an edge firewall: the performance/efficiency issue and the security issue.

    We use OSPF everywhere else and the claim was that's the reason it should be on the firewall, because we want to have as few static routes as possible. My claim was that from an efficiency standpoint, the CCDA design material I've been studying seems to claim it could cause performance issues and that's not really the way you want to build your infrastructure. You don't want to put extra services on boxes that don't require it and in places where it's not required, especially not because it looks nice. I'm pulling that from the general theory, so it may be wrong/right. I'm not really sure, as I haven't seen it in practice.
