! Listing 9.7: Router R-A supporting redundant firewalls in routing mode
!
! Copyright (C) 2001 by Vincent C Jones. All Rights Reserved.
version 11.2
!
hostname R-A
!
! WARNING!! Self defense configuration statements not shown
!
ip subnet-zero
!
interface Loopback0
 description Management ID for this Router
 ip address 100.0.0.201 255.255.255.255
!
interface Loopback11
 description Target IP for inside to outside through firewall F-1A
 ip address 10.255.255.11 255.255.255.255
!
interface Loopback12
 description Target IP for inside to outside through firewall F-2B
 ip address 10.255.255.12 255.255.255.255
!
interface Serial0/0
 description T1 to ISP #1
 ip address 110.0.0.1 255.255.255.252
!
interface Ethernet1/0
 description Firewall Access LAN-A
 ip address 100.0.0.2 255.255.255.192
 no ip redirects
 standby 1 priority 200
 standby 1 preempt
 standby 1 ip 100.0.0.1
!
interface Ethernet1/1
 description Firewall Access LAN-B
 ip address 101.0.0.3 255.255.255.192
 no ip redirects
 standby 2 priority 100
 standby 2 ip 101.0.0.1
!
router ospf 123
 network 100.0.0.201 0.0.0.0 area 59
 network 100.0.0.0 0.0.0.63 area 59
 network 101.0.0.0 0.0.0.63 area 59
 network 110.0.0.0 0.0.0.3 area 59
!
router bgp 60000
 no synchronization
 network 10.255.255.11 mask 255.255.255.255
 network 10.255.255.12 mask 255.255.255.255
 network 100.0.0.0 mask 255.255.255.0
 network 101.0.0.0 mask 255.255.255.0
 network 110.0.0.0 mask 255.255.255.252
 redistribute connected
 neighbor 100.0.0.202 remote-as 60000
 neighbor 100.0.0.202 description IBGP with Router R-B
 neighbor 100.0.0.202 timers 5 15
 neighbor 100.0.0.202 update-source Loopback0
 neighbor 100.0.0.202 route-map map_here out
 neighbor 100.0.0.65 remote-as 65111
 neighbor 100.0.0.65 description Peering with R-1 through F-1A (10.255.255.1)
 neighbor 100.0.0.65 ebgp-multihop
 neighbor 100.0.0.65 timers 5 15
 neighbor 100.0.0.65 distribute-list 1 in
 neighbor 100.0.0.65 distribute-list 11 out
 neighbor 100.0.0.65 route-map map_hop_1 in
 neighbor 101.0.0.66 remote-as 65111
 neighbor 101.0.0.66 description Peering with R-2 through F-2B (10.255.255.4)
 neighbor 101.0.0.66 ebgp-multihop
 neighbor 101.0.0.66 timers 5 15
 neighbor 101.0.0.66 distribute-list 4 in
 neighbor 101.0.0.66 route-map map_hop_4 in
 neighbor 101.0.0.66 distribute-list 12 out
 neighbor 110.0.0.2 remote-as 54321
 neighbor 110.0.0.2 description ISP Routes
 neighbor 110.0.0.2 distribute-list 10 out
 neighbor 110.0.0.2 filter-list 9 out
 no auto-summary
!
ip classless
! Direct to F-1A
ip route 100.0.0.99 255.255.255.255 10.255.255.1 1
! F-1A through R-B
ip route 100.0.0.99 255.255.255.255 10.255.255.3 2
! Direct to F-2B
ip route 100.0.0.99 255.255.255.255 10.255.255.4 3
! F-2B through R-B
ip route 100.0.0.99 255.255.255.255 10.255.255.2 4
! Direct to F-2B
ip route 101.0.0.99 255.255.255.255 10.255.255.4 1
! F-2B through R-B
ip route 101.0.0.99 255.255.255.255 10.255.255.2 2
! Direct to F-1A
ip route 101.0.0.99 255.255.255.255 10.255.255.1 3
! F-1A through R-B
ip route 101.0.0.99 255.255.255.255 10.255.255.3 4
! Route to R-1
ip route 100.0.0.65 255.255.255.255 100.0.0.4
! Route to R-2
ip route 101.0.0.66 255.255.255.255 101.0.0.4
! Summaries for BGP
ip route 100.0.0.0 255.255.255.0 null0
ip route 101.0.0.0 255.255.255.0 null0
!
! Router R-1 through F-1A
access-list 1 permit 10.255.255.1
! Router R-2 through F-2B
access-list 4 permit 10.255.255.4
! Keep internal routes out of BGP
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any
! Router R-1 through F-1A
access-list 11 permit 10.255.255.11
! Router R-2 through F-2B
access-list 12 permit 10.255.255.12
!
route-map map_here permit 15
 match ip address 1
 set ip next-hop 100.0.0.201
!
route-map map_here permit 25
 match ip address 4
 set ip next-hop 100.0.0.201
!
route-map map_hop_1 permit 10
 match ip address 1
 set ip next-hop 100.0.0.4
!
route-map map_hop_4 permit 10
 match ip address 4
 set ip next-hop 101.0.0.4
!
ip as-path access-list 9 permit ^(_60000)*$
!
end