Current frustration...

Started by deanwebb, September 08, 2015, 10:09:38 AM


NetworkGroover

Quote from: wintermute000 on September 08, 2016, 11:07:04 PM
PSA: Palo Alto enforces eBGP split horizon when talking to multiple peers from the same ASN.

i.e. Switch (AS1) --> Palo (AS2) --> Switch (AS1) - Palo does not send the route on until you change one of the switches to a different AS.

Guess what happens when you run VRFs on any switch, any vendor. (hint: one BGP process....)

Support says log a feature request....

No, this is not RFC behaviour, there should not be any split horizon in eBGP YOU FIREWALL MUPPETS IF YOU'RE GOING TO DO A PROTOCOL FSCKING DO IT PROPERLY
:flipdesk:

If that wording is defined in an RFC, did you provide them the exact text?
Engineer by day, DJ by night, family first always
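A toy model of the scenario quoted above, added here and not from anyone in the thread: two switches in AS1 peering through a firewall in AS2. RFC 4271 section 9.1.2 does AS_PATH loop detection on receipt; the `sender_side_check` flag models the vendor-side suppression the post describes, and `allowas_in` models a receiver-side override of the kind some switch vendors offer (both knobs, the ASNs and the prefix are constructed for the example).

```python
from dataclasses import dataclass, field


@dataclass
class Speaker:
    """Toy eBGP speaker with one RIB: prefix -> AS_PATH (list of ASNs)."""
    asn: int
    sender_side_check: bool = False  # do not send a route already carrying the peer's AS
    allowas_in: bool = False         # accept a route that carries our own AS (assumed knob)
    rib: dict = field(default_factory=dict)

    def receive(self, prefix, as_path):
        # RFC 4271 9.1.2: a route whose AS_PATH contains the local AS is a loop.
        if self.asn in as_path and not self.allowas_in:
            return False
        self.rib[prefix] = list(as_path)
        return True

    def advertise(self, peer):
        """Send every RIB entry to peer, prepending our AS; return accepted prefixes."""
        accepted = []
        for prefix, path in self.rib.items():
            if self.sender_side_check and peer.asn in path:
                continue  # the "eBGP split horizon" behaviour described in the post
            if peer.receive(prefix, [self.asn] + path):
                accepted.append(prefix)
        return accepted


def propagate(sender_side_check, allowas_in=False, sw2_asn=1):
    """Switch (AS1) -> firewall (AS2) -> switch (sw2_asn); return sw2's AS_PATH or None."""
    prefix = "10.0.0.0/24"  # constructed sample prefix, originated by sw1
    sw1 = Speaker(1, rib={prefix: []})
    fw = Speaker(2, sender_side_check=sender_side_check)
    sw2 = Speaker(sw2_asn, allowas_in=allowas_in)
    sw1.advertise(fw)   # fw now holds the prefix with AS_PATH [1]
    fw.advertise(sw2)   # either suppressed by fw or judged by sw2's loop check
    return sw2.rib.get(prefix)
```

With receiver-side detection only, the route still dies at the second switch (its own AS is in the path) unless that switch accepts its own AS; with sender-side suppression the firewall never sends it, so the receiving switch's knob cannot help and only a different ASN on one switch gets the route through.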

icecream-guy

Quote from: deanwebb on September 09, 2016, 08:37:12 AM
Cisco does one better and simply has the ASA not participate in dynamic routing very much, if at all.

:challenge-denied:

And now I have a new frustration... the upgrade window we had scheduled has now been indefinitely postponed...

:notthefirewall:

Why would you route on a firewall? Use a router and let the firewall block/permit traffic.
:professorcat:

My Moral Fibers have been cut.

NetworkGroover

Quote from: ristau5741 on September 09, 2016, 11:01:06 AM
Quote from: deanwebb on September 09, 2016, 08:37:12 AM
Cisco does one better and simply has the ASA not participate in dynamic routing very much, if at all.

:challenge-denied:

And now I have a new frustration... the upgrade window we had scheduled has now been indefinitely postponed...

:notthefirewall:

Why would you route on a firewall? Use a router and let the firewall block/permit traffic.

What if you had two firewalls and you wanted active/active functionality and fast convergence in case of failure? How would you set it up?

deanwebb

I would have them set up in active/passive for fastest convergence of all.
:umad:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

NetworkGroover

Some folks would rather leverage all of their network all the time than some of it part of the time. ;)

deanwebb

Quote from: AspiringNetworker on September 09, 2016, 11:57:16 AM
Some folks would rather leverage all of their network all the time than some of it part of the time. ;)
Well, they can just kiss my rosy hind quarters. They taste like strawberries. Honest. Just try.

Meanwhile, I got a bigger frustration... spent the better part of a week rebuilding my topology in Tufin and I come to discover that I DID IT ALL WRONG AND HAVE TO DO IT OVER

:rage: :ivan: :frustration: :flipdesk: :no:

wintermute000

Quote from: ristau5741 on September 09, 2016, 11:01:06 AM
Why would you route on a firewall? Use a router and let the firewall block/permit traffic.

Lots of reasons

- internet edge design (HSRP is not a substitute for routing)
- requirement for intra-zone segmentation and there are multiple egress points from that zone (I count HSRP pairs as one... coz it is :) )
- customers don't want to buy a separate router when their firewall is supposed to work perfectly fine as one

The whole old school 'static routes only on FWs' is outdated and needs to go away; it completely shackles most routing designs, including crowbarring a stupid L2 HSRP hop into an otherwise beautiful routed design. Ever had the fun of dealing with routed leaf/spine, MLAG and whoops, there's a stupid L2 firewall that can't run a pair of /30s?

And BTW deanwebb, ASAs have run BGP since 9.x :) Though a little bird tells you not to send any graceful restart capabilities down a BGP peering to 9.1.x code, because the stupid ASA hexdumps the adjacency instead of just not negotiating that capability. *whistles*

deanwebb

OK, so ASA runs BGP... but not very well. :mrgreen:

But if the firewall does routing, then who manages the firewall? Is it for the R&S team or for the security team? No, we better not have ACLs on the routers and no routing on the firewalls...

wintermute000

On that logic you might as well never deploy NSX or Openstack because there's too much networking in there.
Or DMVPN - too much crypto for the networking team, surely...

you see my point....

I acknowledge that management demarcation may be a concern but where there's a will there's a way, and I've seen more than one (large) environment where the firewalls were driven by the networking team

deanwebb

Clearly, we must strive for a more pluralistic networking society in which we do not see ourselves as "R&S people" or "Security people". I myself feel the sting of hypocrisy as I curse the developers for using hard-coded IP addresses instead of FQDNs in their code... and then build out ACLs based upon hard-coded IP addresses...

There is a huge difference between not wanting a security device to do routing because of security and not wanting it to do routing because you chose to support firewalls in order to get away from routing. And, you are bang to rights on the firewall == router situation for most SMB environments. That firewall isn't just the router, it's also the core switch. That's a lot to ask of an ASA 5505/5506, but it's the reality we face.

But, back to AspiringNetworker's comment... I really hate active/active. Because convergence.

NetworkGroover

You say because convergence... but convergence is exactly the reason why you go active/active. The more the two entities can act independently (within reason), the better. The more you have this, the more a failure "appears" to be transparent to a network. If a FW fails in a meshed routed design, that's just one less path to take, rather than waiting for stuff to switch from passive to active, etc. Granted, I'm not a FW guy, so I could be making it sound easier than it is.

As for administration, I see it very simply: if you have separate teams to manage network and security/FW, the security/FW guy works with the network team to identify best practices for the routing piece, and the security guy maintains the other 95% of the FW's job. I don't see the mere fact that you're routing on the FW as meaning that you give the responsibility of the FWs to the network team.

deanwebb

Not gonna argue... dealing with an end-of-life-do-not-resuscitate RADIUS server outage and moving all its WLCs over to the new system that will be at 100% capacity with this unscheduled move... managers be buying more gear as I type...

NetworkGroover

Quote from: deanwebb on September 12, 2016, 11:24:49 AM
Not gonna argue... dealing with an end-of-life-do-not-resuscitate RADIUS server outage and moving all its WLCs over to the new system that will be at 100% capacity with this unscheduled move... managers be buying more gear as I type...

Ok, sorry... I have a habit of just stating opinion, but it comes across as quasi-abrasive. Not trying to be argumentative.

deanwebb

Not gonna argue... I always say that when I've got my head totally into a support issue. Does not imply an argument. Just implies I have sacrificed all social skills in order to focus my brain on the issue... which, in this case, has technical, managerial, and budget concerns.

Also giving my lunch order to the guy heading off to a fast-food place concerns.

burnyd

Quote from: deanwebb on September 11, 2016, 10:22:38 AM
Clearly, we must strive for a more pluralistic networking society in which we do not see ourselves as "R&S people" or "Security people". I myself feel the sting of hypocrisy as I curse the developers for using hard-coded IP addresses instead of FQDNs in their code... and then build out ACLs based upon hard-coded IP addresses...

There is a huge difference between not wanting a security device to do routing because of security and not wanting it to do routing because you chose to support firewalls in order to get away from routing. And, you are bang to rights on the firewall == router situation for most SMB environments. That firewall isn't just the router, it's also the core switch. That's a lot to ask of an ASA 5505/5506, but it's the reality we face.

But, back to AspiringNetworker's comment... I really hate active/active. Because convergence.

Lol, neither have enough networking. That is why OS has a bunch of third-party plugins that somewhat work.

NSX well yah...