Routing Protocols on Firewalls from a Design Standpoint

darkerosxx Banned Posts: 1,343
What routing protocols, if any, do you feel it's okay to use on firewalls, from a design standpoint?

With the extra load it's going to put on firewalls, which do you feel it's okay to use, if any?

Comments

  • tech-airman Member Posts: 953
    darkerosxx wrote:
    What routing protocols, if any, do you feel it's okay to use on firewalls, from a design standpoint?

    With the extra load it's going to put on firewalls, which do you feel it's okay to use, if any?

    darkerosxx,

    It depends. Are you talking about IOS firewalls on routers/L3Switches or routers/L3Switches in conjunction with a firewall device?
  • GT-Rob Member Posts: 1,090
    Quite often I see just static and default routes on FWs. I think you have to take security into consideration as well when talking about this subject (as in, the device advertising its networks).

    Also depends on the placement. Usually FW traffic is either in one end and out the other, or vice versa. No point in really trying to figure out where to send something when there is only 1 direction left to send it.
  • networker050184 Mod Posts: 11,962
    GT-Rob wrote:
    Also depends on the placement. Usually FW traffic is either in one end and out the other, or vice versa. No point in really trying to figure out where to send something when there is only 1 direction left to send it.

    Agreed. I haven't seen a situation that has warranted routing protocols on a dedicated firewall when a few static routes will do.

    I say leave the routing to the router and the security to the firewall. The less overhead and unnecessary services running the faster each box will be able to do its primary function.
    An expert is a man who has made all the mistakes which can be made.
  • dtlokee Member Posts: 2,378
    It really can vary: if the firewall is at the edge of your network then it's pretty easy to use static routing, but when it's in the middle of the network that is a different story.

    Other considerations include failover designs (VPN backup to a WAN link), and when firewalls are used to load balance incoming RA VPN sessions and you're using RRI. In these cases it will typically be necessary to use dynamic routing protocols.
    The only easy day was yesterday!
  • darkerosxx Banned Posts: 1,343
    So my next question is if you're using dynamic routing protocols everywhere else, should you use them on firewalls?

    I've read about the security issues, but I'm wondering about efficiency, really.
  • GT-Rob Member Posts: 1,090
    You can mix static and dynamic routing protocols no problem. Again, it's going to depend where the FW is placed, but I 'usually' only ever see static routes on dedicated FWs.
  • malcybood Member Posts: 900
    Static routes are usually deployed on perimeter firewalls and public facing devices such as VPN concentrators in my experience.

    Static routes are configured on the firewall to route traffic to the core LAN switch. The LAN core switch would run a dynamic routing protocol such as OSPF, etc., between corporate LAN/WAN VLANs (i.e. server VLAN, voice VLAN, WAN VLAN etc.) and networks configured on the LAN core switch.

    Remember you would also need static routes configured on the core LAN switch to route traffic back to the networks which hang off the firewall, i.e. internet gateway, DMZs etc.
  • dtlokee Member Posts: 2,378
    If you are using NAT on the firewall then it becomes the edge of the routing domain and doesn't require you to configure dynamic routing across it; static routes should be fine. Should you use a dynamic routing protocol on the firewall? Most likely not, but in cases where there are multiple internet connections it may be used to provide an alternate path to another firewall if one should fail. This could be a BGP configuration (not from the ASA), dynamic routing, or dynamic routing combined with floating static routes.
    The only easy day was yesterday!
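The design malcybood and dtlokee describe above (statics on the firewall, OSPF kept on the core, return routes on the core for the DMZ, and a floating static toward a second firewall for failover), written out as an added configuration example that is not from any poster in this thread. It assumes Cisco IOS on the core switch and Cisco ASA on the firewall, a transit VLAN 10 between them, and constructed documentation addresses (10.0.0.0/24 transit, 192.0.2.0/24 DMZ, 203.0.113.1 upstream); the ASA must permit the core's ICMP probe for the tracking to work.

```cisco
! Core L3 switch (Cisco IOS, assumed). All addresses are constructed.
ip routing
!
interface Vlan10
 description Transit to FW1 (10.0.0.2) and FW2 (10.0.0.3)
 ip address 10.0.0.1 255.255.255.0
!
router ospf 1
 router-id 10.0.0.1
 ! Routing stays on the router: no OSPF hellos toward the firewall segment
 passive-interface default
 no passive-interface Vlan20
 no passive-interface Vlan30
 network 10.0.0.0 0.0.255.255 area 0
 ! Internal VLANs learn the default and DMZ routes from the core, not the FW
 default-information originate
 redistribute static subnets
!
! Probe the upstream hop through FW1 only (host route pinned to FW1, untracked)
ip route 203.0.113.1 255.255.255.255 10.0.0.2
ip sla 1
 icmp-echo 203.0.113.1 source-interface Vlan10
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary default via FW1 (AD 1), withdrawn from the RIB when track 1 fails
ip route 0.0.0.0 0.0.0.0 10.0.0.2 track 1
! Floating static via FW2: AD 250 keeps it hidden until the primary disappears
ip route 0.0.0.0 0.0.0.0 10.0.0.3 250
! Return routes to the DMZ hanging off the firewalls, same primary/backup pair
ip route 192.0.2.0 255.255.255.0 10.0.0.2 track 1
ip route 192.0.2.0 255.255.255.0 10.0.0.3 250

! Firewall FW1 (Cisco ASA, assumed): static routes only, no routing process
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.0.0.1 1
```

The floating static only takes over once the tracked primary is withdrawn, so the probe target and the host route pinning it to FW1 are what make the failover deterministic rather than dependent on the transit interface going down.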
  • darkerosxx Banned Posts: 1,343
    Thanks for the help, guys.

    We were discussing this at work and the two questions came up about using OSPF on an edge firewall: the performance/efficiency issue and the security issue.

    We use OSPF everywhere else and the claim was that's the reason it should be on the firewall, because we want to have as few static routes as possible. My claim was that from an efficiency standpoint, the CCDA design material I've been studying seems to claim it could cause performance issues and that's not really the way you want to build your infrastructure. You don't want to put extra services on boxes that don't require it and in places where it's not required, especially not because it looks nice. I'm pulling that from the general theory, so it may be wrong/right. I'm not really sure, as I haven't seen it in practice.