Practical application of dynamic routing technology in Firewall

With the development of China's routing industry, it has also promoted the update and upgrade of dynamic routing technology. Here we mainly explain the practical application of dynamic routing technology in the firewall, the essence of this solution is to consider the firewall as a security switch, which is purely backed up by network technology. Therefore, we do not recommend that you enable nat, map, and other communication policies on the firewall.

The last interface is used for STP status transmission, and other interfaces are placed in the same transparent group. Then, only the access policy is enabled, and the firewall only performs security access control. When dynamic routing technology is used in the network, the method mentioned above may not be suitable. Another solution is provided below. The dynamic OSPF routing technology is used to implement the firewall in the whole cross environment.

Now we will discuss the following typical three-level structure of the banking network. Below the figure is the province line router R3, R4, the city line router R1, R2, generally to ensure network stability, both provincial and municipal routes use dual-link and dual-router backup methods. At the same time, these routers R1, R2, R3, and R4 should all run the OSPF dynamic routing technology, in the root AREA, OSPF dynamic routing technology should also be used for Routers R3, R4 and core layer-3 switches S1 and S2 in the local AREA. Different county branches or other branches may also adopt the OSPF dynamic routing technology due to different access conditions. We will not discuss it here. We mainly look at the solution of full cross-region traffic after adding a Firewall:

In a crossover network, four network segments are usually used, which is the same as ospf area 1. This makes it easier to control and troubleshoot dynamic network routing. On the firewall, you only need to divide the two interfaces of the same network segment into the same transparent group. Similarly, we do not recommend that you enable nat, map, and other communication policies on the firewall. The last interface is used for STP status transmission, and other interfaces are placed in two transparent groups. Then, only the access policy is enabled, and the firewall only performs security access control.
 
The remaining problem is the switching time. The redundant switching time in this solution depends on the convergence time of the Dynamic Routing Technology OSPF. You only need to adjust the OSPF hello time. The minimum hello time of OSPF can be adjusted to 1 second, plus the delay of the 5-Second shortest path algorithm. The convergence time is that the network switching time can be controlled within 6 seconds.