Netscreen config question

Stephen Hope shope at ENERGIS-EIS.CO.UK
Wed Apr 18 05:00:17 EDT 2001


Chris,

basically no - it doesn't "need" a default route.

A default is an escape clause for any routes you don't have more specific
information for in the routing table - enterprise networks often have
"complete" sets of routes, and so do the core routers within the Internet.

I try to avoid default routes in enterprise networks - inconsistent use of
defaults and other statics is a fairly common source of routing loops. And
you can never tell what someone else will / has configured somewhere that is
going to trip you up.

Routers need enough routing information to send traffic to the sets of
destinations they carry traffic for - that may be just a local LAN or 2 and
a default, or more complex dynamic topologies. Sometimes you need a default
route (i.e. connect natively to the Internet), and sometimes you don't (i.e.
a proxy gateway, or no internet connection).

If you must have a default, the way I recommend is to configure it in 1
place, and let a routing protocol propagate it - that way there is less to
get configured wrongly.

One of the biggest problems I have with VPNs is the way that many designs
require lots of manual route configs in different places scattered across a
single logical network - and they have to be kept consistent over the life
of the network.

Routing protocols reduce this problem, and I prefer kit that can use them -
statics tend to be a bit limiting in some ways:

Too much manual config in different boxes to build a system
No automatic consistency checks
Difficult to build resilient topologies
Only react to faults via "side effects" (e.g. detect a next hop failure via
ARP cache timeout).

But of course firewalls have a different perspective - I want a router
network (or a VPN) that has resilience, and reacts to faults by rerouting,
so routers need to "trust" each other to some extent - a firewall needs more
paranoia.

Stephen

My opinions, not my employers.

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189
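As an added example (not part of Stephen's message or of anything in this thread): a small Python model of longest-prefix-match forwarding that shows the three behaviours discussed above, a specific static beating the default, two boxes whose defaults point at each other looping traffic for an unknown destination, and the same boxes dropping that traffic locally once the defaults are removed. The router names, prefixes and next-hop addresses are constructed.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over table {prefix: next_hop}; "0.0.0.0/0" is the
    default route and only wins when nothing more specific covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def trace(routers, start, dst, max_hops=16):
    """Follow next hops from router `start` toward dst and classify the outcome.
    routers: {name: (table, {next_hop_ip: neighbour_name})}.
    Returns (path, outcome) with outcome 'delivered', 'dropped' or 'loop'."""
    path, seen, cur = [start], {start}, start
    for _ in range(max_hops):
        table, neighbours = routers[cur]
        nh = lookup(table, dst)
        if nh is None:
            return path, "dropped"      # no route and no default: discarded here
        if nh == "connected":
            return path, "delivered"    # destination is directly attached
        cur = neighbours[nh]
        path.append(cur)
        if cur in seen:
            return path, "loop"         # revisited a router: packet circulates until TTL expires
        seen.add(cur)
    return path, "loop"

# Constructed topology (hypothetical): R1 and R2 each own one LAN, reach the
# other's LAN via a static, and each point their default at the other.
R1_TABLE = {"10.1.0.0/24": "connected", "10.2.0.0/24": "192.168.0.2", "0.0.0.0/0": "192.168.0.2"}
R2_TABLE = {"10.2.0.0/24": "connected", "10.1.0.0/24": "192.168.0.1", "0.0.0.0/0": "192.168.0.1"}
WITH_DEFAULTS = {"R1": (R1_TABLE, {"192.168.0.2": "R2"}),
                 "R2": (R2_TABLE, {"192.168.0.1": "R1"})}

# Same boxes with the defaults removed: unknown destinations are dropped locally.
def strip_default(routers):
    return {n: ({p: h for p, h in t.items() if p != "0.0.0.0/0"}, nb)
            for n, (t, nb) in routers.items()}

NO_DEFAULTS = strip_default(WITH_DEFAULTS)

if __name__ == "__main__":
    print(trace(WITH_DEFAULTS, "R1", "10.2.0.5"))   # known LAN: delivered via R2
    print(trace(WITH_DEFAULTS, "R1", "8.8.8.8"))    # unknown: R1 -> R2 -> R1 loop
    print(trace(NO_DEFAULTS, "R1", "8.8.8.8"))      # unknown: dropped at R1
```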


> -----Original Message-----
> From: Chris Carlson [mailto:carlsonmail at YAHOO.COM]
> Sent: 16 April 2001 17:27
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Netscreen config question
>
>
> Uh, doesn't every router need a default gateway, i.e.
> the next hop for all traffic not defined by other
> routes?
>
> So, in your case, the NetScreen's default gateway
> would be the upstream router (either the one
> terminating the ISP connection) or the ISP's router
> itself.
>
> Since you're most likely doing this in a lab and
> your networks are pretty self-contained, I would think
> that static routes would cover it all, but I think you
> still need a default route.
>
> Chris
> --
>
>
> --- David Newman <dnewman at NETWORKTEST.COM> wrote:
> > I'm looking to configure a Netscreen-5 as both
> > router and VPN gateway. The
> > trusted interface uses a private address with no
> > problem.  The untrusted
> > side is asking for both an address and default
> > gateway, and it will NOT
> > accept identical entries here.
> >
> > It's a router -- it shouldn't need a default
> > gateway. Is it acceptable to
> > supply all zeros as the untrusted default gateway?
> >
> > Thanks.
> >
> > David Newman
> >
> > VPN is sponsored by SecurityFocus.COM
>
>
