Sunday, December 9, 2018

Routing Entire Address Block vs Individual Networks

I'm trying to find some best practices on this but it's hard to say exactly what I'm searching for. I don't get into routing a whole lot so I figured I'd ask you guys to see what you would do in these scenario(s). Let me use a quick example:

  • We have a network with about 20 VLANs on it.
  • A core switch handles the routing between the VLANs.
  • All VLANs are of the format 10.50.<VID>.<HOSTS>.
  • A firewall is connected to the core switch and handles the NAT and firewalling.

Currently the default route of the core switch points to the firewall. The route from the firewall pointing back to the core switch is just a rule like:

10.50.0.0/16 --> LAN interface

While this route does work, it does seem to create a loop if a subnet does not exist or is not routable. For example, if I were to tracert 10.50.99.20 from inside the network and there is no 10.50.99.0 network, the core switch's default route passes this to the firewall. The firewall then matches this address to the core switch. The two devices pass back this traffic until the TTL expires.

Now obviously a non-existent network shouldn't be accessed in a perfect world. Yet it seems careless to leave it like that where errant or malicious requests can possibly saturate that link.

My questions regarding this are:

  1. Is routing the whole /16--even though only 20 or so /23 or /24 networks exist within it--acceptable?

  2. If not, would you rather add ~20 static routes, or use a routing protocol between the core and firewall?

  3. Does adding a lot more routes (going from 1 to 20 in this case) really cause any noticeable hit in throughput or performance?
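As an added illustration (not part of the original post): a small longest-prefix-match simulation of the two routing tables described above. It reproduces the ping-pong until TTL expiry for a subnet that does not exist, and then shows the usual way to break that loop, which the post does not mention: an assumed discard (null) route for the whole 10.50.0.0/16 aggregate on the core switch, which is less specific than any real VLAN route but more specific than the default. The VLAN prefixes and the "internet" next hop are constructed for the example.

```python
import ipaddress

# Constructed tables modelling the post: the core has connected routes for
# the VLANs that exist plus a default route to the firewall; the firewall
# sends the whole /16 back to the core and everything else to the internet.
CORE = [
    ("10.50.10.0/24", "connected"),
    ("10.50.20.0/23", "connected"),
    ("0.0.0.0/0", "firewall"),
]
FIREWALL = [
    ("10.50.0.0/16", "core"),
    ("0.0.0.0/0", "internet"),
]
# Assumed mitigation (not from the post): a discard route for the aggregate
# on the core. Existing VLANs still win by longest prefix; unused space
# inside the /16 is dropped locally instead of bouncing to the firewall.
CORE_FIXED = CORE + [("10.50.0.0/16", "discard")]


def lookup(table, dst):
    """Longest-prefix match; returns the next hop or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(dst, core_table, ttl=64):
    """Walk a packet starting at the core; return (outcome, hops taken)."""
    tables = {"core": core_table, "firewall": FIREWALL}
    device, hops = "core", 0
    while ttl > 0:
        next_hop = lookup(tables[device], dst)
        if next_hop is None or next_hop == "discard":
            return ("unreachable", hops)  # dropped locally, no loop
        if next_hop in ("connected", "internet"):
            return (f"delivered via {device}", hops)
        hops += 1
        ttl -= 1
        device = next_hop  # hand the packet to the other device
    return ("ttl expired", hops)


if __name__ == "__main__":
    print(forward("10.50.99.20", CORE))        # ('ttl expired', 64)
    print(forward("10.50.99.20", CORE_FIXED))  # ('unreachable', 0)
```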


