Posted by Vincent C Jones on June 30, 2005, 1:42 pm
>Vincent C Jones wrote:
>>
>>>Question: which would be easier, setting up static routes in the PIX and
>>>router behind the PIX, or setting up a GRE tunnel and using EIGRP to establish
>>>routes and just inserting the DO NOT NAT on the PIX?
>>>
>>>PC
>>>|
>>>RouterA
>>>|
>>>PIX1 (10.9.0.0)
>>>|
>>>|
>>>PIX2 (10.1.0.5)
>>>|
>>>RouterB (10.1.0.1)
>>>|
>>>+---------------+-------------+-----
>>>RouterC         RouterD       RouterE
>>>(10.8.0.0)      (10.3.0.0)    (10.4.0.0)
>>>|               |             |
>>>PC              PC            PC
>>
>>
>> A few critical questions which can/will change the "correct" answer...
>>
>> Is this a VPN with a net-to-net IPSec tunnel between the two PIX?
>
>Yes, the VPN is net to net between two PIXes.
>
>>
>> How much do the two LAN's trust one-another?
>>
>
>Same company, so they trust one another.
>
>
>> Is/are the application(s) being supported sensitive to MTU reduction?
>>
>
>Simple Windows networking; other apps are unknown.
>
>
>
>> What do you expect to gain by using dynamic routing in this scenario?
>>
>
>The only gain is that as more networks spring up on the one side, the
>remote site would know about them immediately, although someone would have
>to allow it in the PIX. I guess my question was a broad one. What is
>the common practice?
There is common practice and there are best practices, which in this
case are not the same:
Common practice is to just use static routes. This recognizes that
the IPsec tunnels on the firewalls are all static definitions so
there is no way around the need to "visit" each site when adding
coverage of new networks (it doesn't help to have the routers
auto-learn new LANs if the firewalls are black holes).
When dynamic routing would be useful (multiple tunnels connecting
sites), common practice is to set up a GRE tunnel between the
routers and configure it to pretend to have a 1500 byte MTU. This
is a recently introduced IOS feature. Prior common practice was
to set up a GRE tunnel between the routers and manually configure
those Windows boxes which couldn't correctly dynamically determine
the MTU to apply a reduced MTU to all packets even if local.
Best practice is to determine the driving requirements and provide a
solution which optimizes that aspect of implementation:
1 - Fake 1500 MTU with GRE feature, which means broken applications
can run without touching the desktop, but defeats the purpose of
max MTU discovery and reduces efficiency of WAN communications.
2 - Classical GRE tunnel with every desktop hard-coded to 1250
byte MTU (or similar, worst case low value). No thinking
required, but does require strict desktop configuration control.
3 - Static routing eliminates the MTU reduction of a GRE, but then
requires keeping all routes up to date. On the other hand,
the VPN setups on the firewalls are all static configurations
anyway, so unless there are alternate routes available, there
is no real benefit to implementing a routing protocol.
4 - Use BGP routing over the IPsec tunnels to provide dynamic
routing capability without GRE tunnels. This approach has three
primary drawbacks: upgrades to routers to provide support for
BGP, multiple firewalls required at each site requiring redundant
IPsec, and the lack of example configs on CCO means the network
designer must actually understand networking, IPsec and BGP.
As always, your mileage may vary.
--
Vincent C Jones, Consultant          Expert advice and a helping hand
Networking Unlimited, Inc.           for those who want to manage and
Tenafly, NJ  Phone: 201 568-7810     control their networking destiny
http://www.networkingunlimited.com
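The MTU trade-off behind options 1 to 3 above is easier to reason about with the header arithmetic written out. The following is an added example, not code from the thread, from Cisco, or from the poster's network; it assumes ESP tunnel mode on the PIX-to-PIX VPN with the usual IV and ICV sizes, a basic GRE header without key or sequence fields, and a 1500-byte WAN MTU. From those assumptions it derives the tunnel "ip mtu" and the TCP MSS clamp a router behind the PIX would need so that GRE-encapsulated packets never have to be fragmented or black-holed by the firewall, and the fits() check relates the same arithmetic to the 1250-byte desktop MTU mentioned as a worst-case value. All constants are standard header sizes, constructed here rather than taken from the thread.

```python
"""MTU budget for a GRE tunnel carried inside a net-to-net IPsec (ESP tunnel mode) VPN.

Constructed example: the numbers below are standard header sizes, not values
taken from the thread. Packet layout assumed on the WAN side of the PIX:

  outer IP | ESP hdr | [ GRE-delivery IP | GRE | inner IP | TCP | data ] pad | ESP ICV
"""
from dataclasses import dataclass

IPV4_HDR = 20    # IPv4 header without options
GRE_HDR = 4      # GRE header without key, checksum or sequence fields
TCP_HDR = 20     # TCP header without options
ESP_SPI_SEQ = 8  # ESP SPI (4) + sequence number (4)
ESP_TRAILER = 2  # ESP pad-length (1) + next-header (1)
NAT_T_UDP = 8    # UDP header added when NAT traversal encapsulation is used


@dataclass(frozen=True)
class EspParams:
    """Cipher- and MAC-dependent ESP sizes (assumed typical values)."""
    iv_len: int          # 8 for 3DES-CBC, 16 for AES-CBC
    block_len: int       # cipher block size the plaintext is padded to
    icv_len: int         # 12 for HMAC-SHA1-96 or HMAC-MD5-96
    nat_t: bool = False  # True when ESP is carried in UDP/4500


THREEDES_SHA1 = EspParams(iv_len=8, block_len=8, icv_len=12)
AES_SHA1 = EspParams(iv_len=16, block_len=16, icv_len=12)


def esp_tunnel_size(inner_len: int, esp: EspParams) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // esp.block_len) * esp.block_len  # round up to a block
    udp = NAT_T_UDP if esp.nat_t else 0
    return IPV4_HDR + udp + ESP_SPI_SEQ + esp.iv_len + padded + esp.icv_len


def max_inner_packet(outer_mtu: int, esp: EspParams) -> int:
    """Largest packet the PIX can encrypt without exceeding outer_mtu on the WAN."""
    udp = NAT_T_UDP if esp.nat_t else 0
    room = outer_mtu - IPV4_HDR - udp - ESP_SPI_SEQ - esp.iv_len - esp.icv_len
    # Cipher padding makes the usable size stepwise: drop to the last block boundary.
    return room // esp.block_len * esp.block_len - ESP_TRAILER


def gre_ip_mtu(outer_mtu: int, esp: EspParams) -> int:
    """'ip mtu' for the GRE tunnel interface: the largest inner IP packet whose
    GRE encapsulation (delivery IP + GRE) still fits in max_inner_packet()."""
    return max_inner_packet(outer_mtu, esp) - IPV4_HDR - GRE_HDR


def tcp_mss(ip_mtu: int) -> int:
    """MSS to clamp on the tunnel so TCP segments never need fragmentation."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def fits(desktop_mtu: int, outer_mtu: int, esp: EspParams) -> bool:
    """Does a hard-coded desktop MTU (option 2 in the post) avoid fragmentation?"""
    return desktop_mtu <= gre_ip_mtu(outer_mtu, esp)


if __name__ == "__main__":
    suites = (("3DES/SHA1", THREEDES_SHA1),
              ("AES/SHA1", AES_SHA1),
              ("AES/SHA1 + NAT-T", EspParams(16, 16, 12, nat_t=True)))
    for name, esp in suites:
        mtu = gre_ip_mtu(1500, esp)
        print(f"{name:18} ip mtu {mtu}  tcp adjust-mss {tcp_mss(mtu)}  "
              f"1250-byte desktop MTU fits: {fits(1250, 1500, esp)}")
```

For AES-CBC with HMAC-SHA1-96 and a 1500-byte WAN MTU the calculation gives an inner IP MTU of 1414 bytes and an MSS of 1374, which is why the conservative "ip mtu 1400 / adjust-mss 1360" style values often seen on GRE-over-IPsec tunnels leave a little headroom, and why the 1250-byte worst-case desktop MTU from option 2 fits comfortably even with NAT-T overhead added.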