Firewall Wizards mailing list archives

Re: Nokia firewall solution


From: Lart <lart () hacksec org>
Date: Sat, 27 Mar 1999 09:34:12 -0500

On Thu, Mar 25, 1999 at 03:45:53PM -0800, John McDonald wrote:
: You
: cannot use them for High availability on your gateway without using
: another router in front of them due to the fact that you can't use the
: Nokia HA protocols on the Internet. 

Just because Nokia says you *can* use an IP400 as a router doesn't mean
that you really should.... <g>

: They work great behind a router(and what's the chance that your router
: is going to go down?) also the VRRP is quite tricky to set up. 

VRRP is not hard to set up at all.  You need to plan out your VRIDs,
and set your firewall rules to allow the multicasts for VRRP.

: There
: tend to be a tremendous amount of routing issues even in the most
: simplistic environment due to the HA. (lots of HUBS). 

No more hubs/vlans than you'd already have.  The link between the boxes
is a crossover cable.

: BTW. If you are planning on HEAVY traffic through this box you may
: consider the Nokia IP650. MUCH FASTER.

If IP440s can handle up to 98 Mbps (as they were tested), you could
reliably expect full DS-3 speeds.

Seriously though folks, lots of companies make mountains out of mole
hills when it comes to setting up VRRP.  In fact, here's a cookbook:

You've got two IP440s.  Let's call them 1 and 2.  You've got a single
quad ethernet in each box.  Nokia's naming scheme for these cards is
eth-s<slot>p<port>.  So, the first port on the first card is eth-s1p1.



            +-------+
            | I-Net |                On each box, setup the interfaces
            | Router|                as:
            |       |
            +-------+                s1p1: external
                |                    s1p2: internal
      +---------+---------+          s1p3: crossover
      |                   |
  +-------+           +-------+
  |       |           |       |      Box 1 VRIDs:
  |   1   |-----------|   2   |      s1p1=111
  |       |           |       |      s1p2=112
  +-------+           +-------+      
      |                   |          Box 2 VRIDs:
      +---------+---------+          s1p1=211
                |                    s1p2=212
            +-------+
            | Choke |
            | Router|
            |       |
            +-------+

First, turn on OSPF on each box's eth-s1p3.  Export interface routes and
statics into OSPF external.  Set up VRRP on each of the s1p1 and s1p2
interfaces so that it "backs up itself".  After you've done that, it's
safe to have the interfaces back up the partner interfaces.

If you are running NAT, you have to consider the case where the external
interface on the primary box fails.  Traffic will enter box 1, and since
VRRP has done its stuff, and OSPF between the boxes has re-advertised
the failed interface via box 2, the traffic will flow over the crossover
cable into box 2.  Since you're running NAT, when the traffic leaves
box 1, the addresses will be translated (before they hit box 2).  Your
rules need to account for that case.  If you're not running NAT, this
case is irrelevant to you.

If you've got a good networking staff, you can work out the logistics
yourself.  You may, or may not, however, have security specialists, so
it may be beneficial to have someone in to help design your firewall
rules.
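An added example that is not part of the post or of Nokia's software: a small Python checker for the two-box plan above. It takes the interface names and VRIDs from the post, assumes the priorities (200 for "backs up itself", 100 for the partner) and a constructed first-match rulebase format, and uses the VRRP constants from RFC 2338 to check that the rules actually allow the VRRP multicasts the post says you must permit.

```python
# Added example, not from the post or from Nokia: a checker for the two-box
# VRRP plan above. Interface names and VRIDs are the post's; the rulebase
# format and priorities are constructed. VRRP constants are from RFC 2338.
VRRP_PROTO = 112            # IP protocol number carrying VRRP
VRRP_GROUP = "224.0.0.18"   # VRRP advertisement multicast group

# VRID plan from the post; each port "backs up itself" with its own VRID
# and then also backs up the partner box's VRID on the same port.
PLAN = {"box1": {"s1p1": 111, "s1p2": 112},
        "box2": {"s1p1": 211, "s1p2": 212}}

def vrrp_memberships(plan, own=200, partner_prio=100):
    """{(box, port): {vrid: priority}}; own VRID high, partner's VRID low (assumed values)."""
    out = {}
    for box in plan:
        partner = next(b for b in plan if b != box)
        for port, vrid in plan[box].items():
            out[(box, port)] = {vrid: own, plan[partner][port]: partner_prio}
    return out

def check_plan(plan):
    """Return problems: a VRID reused anywhere, or a port with no partner port."""
    problems, seen = [], {}
    for box, ports in plan.items():
        for port, vrid in ports.items():
            if vrid in seen:
                problems.append(f"VRID {vrid} reused by {box}:{port} and {seen[vrid]}")
            seen[vrid] = f"{box}:{port}"
            for other in plan:
                if other != box and port not in plan[other]:
                    problems.append(f"{box}:{port} has no partner port on {other}")
    return problems

def vrrp_allowed(rules, iface):
    """First-match walk: does the rule matching VRRP multicast on iface accept it?"""
    for r in rules:
        if (r["iface"] in (iface, "any") and r["proto"] in (VRRP_PROTO, "any")
                and r["dst"] in (VRRP_GROUP, "any")):
            return r["action"] == "accept"
    return False  # no match: treat as implicit drop

# Constructed rulebase: VRRP allowed on the internal port but forgotten on
# the external one, so the external VRIDs would never see the partner.
RULES = [
    {"iface": "s1p2", "proto": VRRP_PROTO, "dst": VRRP_GROUP, "action": "accept"},
    {"iface": "any", "proto": "any", "dst": "any", "action": "drop"},
]
```

Run `check_plan(PLAN)` and `vrrp_allowed(RULES, port)` for each VRRP port before cutting over; the sample rulebase shows the external port's VRRP being dropped.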