I will preface this by stating this is in reference to a network designed by others who are no longer at the company and was expensive and pretty complex and seemingly well designed. The network relies on the default route being redistributed from our perimeter firewalls into our core network running OSPF and from there redistributed down a few hops to our edge switches that users connect to. The edge devices are basic L3 and are running RIP (they don't support OSPF) and only get 0.0.0.0/0 redistributed to them; the rest is filtered. As the switches only have one link back to the core that makes sense, rather than fill the routing table up with specific subnets that would all have the same next hop. It recently became apparent that when the default route goes (firewall issues) the entire edge of our network stops functioning as it relies on the 0.0.0.0/0 route. This means that along with the internet being down, the internal network stops functioning so everything for users stops working including access to internal systems.
Is there any logical reason not to just put a static route on each of our edge switches? I know I have probably answered my own question here but just can't get my head round how what seems to be a pretty complex, expensive and seemingly well designed network has such a large flaw. I can only imagine that as there are 2 perimeter firewalls and two internet links at different locations the designers never considered these both failing at the same time. That or they didn't think there was any point for the internal LAN to work if internet was down.
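The failure mode described above, and the fix being considered, can be modelled with a small routing-table simulation. This is an added example, not the poster's configuration: it models an edge switch whose only route towards the core is a RIP-learned 0.0.0.0/0, then withdraws that route (the core stops advertising the default when the firewalls drop it) and checks whether an internal server is still reachable, with and without a floating static default on the switch. All addresses are constructed, and the administrative distance values (connected 0, static 1, RIP 120, floating static 250) are the conventional ones on many platforms and are an assumption of the model.

```python
import ipaddress

# Administrative distances assumed by this model (conventional values on many vendors).
CONNECTED, STATIC, RIP, FLOATING_STATIC = 0, 1, 120, 250


class Rib:
    """Toy routing information base: keeps every candidate route from every
    source and installs only the lowest-distance candidate per prefix."""

    def __init__(self):
        self.candidates = []  # (network, next_hop, source, distance)

    def add(self, prefix, next_hop, source, distance):
        self.candidates.append((ipaddress.ip_network(prefix), next_hop, source, distance))

    def withdraw(self, prefix, source):
        """Remove a route learned from one source, e.g. RIP stops advertising it."""
        net = ipaddress.ip_network(prefix)
        self.candidates = [c for c in self.candidates if not (c[0] == net and c[2] == source)]

    def fib(self):
        """Best candidate per prefix: lowest administrative distance wins."""
        best = {}
        for net, next_hop, source, distance in self.candidates:
            if net not in best or distance < best[net][2]:
                best[net] = (next_hop, source, distance)
        return best

    def lookup(self, destination):
        """Longest-prefix match over the installed routes; None means unreachable."""
        addr = ipaddress.ip_address(destination)
        matches = [(net, entry) for net, entry in self.fib().items() if addr in net]
        if not matches:
            return None
        net, (next_hop, source, _distance) = max(matches, key=lambda m: m[0].prefixlen)
        return (str(net), next_hop, source)


def edge_switch(with_floating_static):
    """Build the edge switch table: one user VLAN, one uplink, and only a
    default route learned from the core (everything else filtered)."""
    rib = Rib()
    rib.add("10.50.1.0/24", "direct", "connected", CONNECTED)  # constructed user VLAN
    rib.add("0.0.0.0/0", "10.50.0.1", "rip", RIP)             # default learned via RIP
    if with_floating_static:
        # Backup default towards the same single uplink; ignored while RIP's
        # default exists because 250 > 120, so the dynamic behaviour is unchanged.
        rib.add("0.0.0.0/0", "10.50.0.1", "static", FLOATING_STATIC)
    return rib


def simulate(with_floating_static):
    """Return (route before outage, route after outage) for an internal server."""
    rib = edge_switch(with_floating_static)
    internal_server = "10.20.5.10"  # constructed address on another internal subnet
    before = rib.lookup(internal_server)
    rib.withdraw("0.0.0.0/0", "rip")  # firewall outage: core stops redistributing default
    after = rib.lookup(internal_server)
    return before, after


if __name__ == "__main__":
    for floating in (False, True):
        before, after = simulate(floating)
        print(f"floating static={floating}: before={before} after={after}")
```

With only the RIP default, the lookup for the internal server returns nothing once the default is withdrawn, which is exactly the outage described: the switch has no other route towards the core, so internal traffic fails along with internet traffic. With the floating static present, the same lookup falls back to the static default and internal reachability survives; the cost is that traffic for genuinely unreachable destinations is now dropped one hop further in, at the core, rather than on the switch itself, which for a single-uplink device changes little.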