In response to the message from Peter Cheng-Yue Zhang on Tue Feb 17 17:37:00 1998:
>
> Hi Dan,
>
> Thanks for the response. After I read your latest response, I am
> surprised to see that the NBII router would have to add static routes
> for all the subnets on the "non-secure" side. Although I don't have
> the router's manuals, I think if a router follows the usual routing
> algorithm, it should know to look up the default route for any
> network address, no matter what class of the network it is, that
> does not appear in the routing table. May I borrow the manuals of the NBII
> router?
>
A slight amendment to what I said:
" Most routers, including the NB-II, assume that their routing
knowledge of a known subnetted Class B is complete. In effect,
if they know of some subnet routes, they assume that that's all
the routes there are. Therefore they will only route those
subnets that they explicitly know, and drop the rest. The
default route is reserved for networks that they know nothing
at all about. "
It appears that the NetBuilder will forward packets destined for
unknown subnets if RIP is turned off on the router. It won't if
RIP is enabled and the default route goes out an interface whose
IP address is on a completely different net. We discovered the
latter when we attempted to use an IP address between the NSC and
the NetBuilder that wasn't part of our 136.159 class B. The
NetBuilder then made the assumption that it knew all of the
136.159 subnets and would not forward any unknown 136.159
addresses to the default gateway.
( In case you're interested, Peter, this is how the NSC works as
well, as illustrated by the following route displays:
The first is just a bogus default route,
which is forwarded to the default gateway
that represents the "next hop":
nsc-ip> d ipman table best 123.123.123.123
Best match in routing table for 123.123.123.123
Address Mask Proto Metric Class Fwd Next Hop
0.0.0.0 00000000 RIP 2 1 Y 192.168.47.1
The second is a 136.159 subnet for which no route
exists:
nsc-ip> d ipman table best 136.159.18.0
Best match in routing table for 136.159.18.0
Address Mask Proto Metric Class Fwd Next Hop
136.159.0.0 ffff0000 RIP_DIS 0 1 Y none
                             ^     ^^^^
and you'll notice that there is no next hop, nor a routing metric
between 1 and 15, meaning the NSC does not even attempt to
forward it.
The NSC assumes that, because IT doesn't know about the route,
there is no reasonable prospect that the default router does
either. Also, this behavior avoids the possibility of a routing
loop, because the default router in this case might have a
136.159.0.0 route - i.e. a route for the entire class B - that
points right back to the NSC. )
So, in summary then, we should be able to put the NetBuilder
behind the firewall, with RIP off, and not have to enter and
manually maintain all of the 200 or so 136.159 subnet routes.
Dan.
Peter University Computing Services Tel. (403)-220-4061
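The two forwarding behaviours Dan contrasts above (a plain longest-prefix lookup that falls through to the default route, versus the NSC/NetBuilder-with-RIP rule that treats a known subnetted Class B as complete and drops unknown subnets) can be reproduced in a small simulation. This is an added example, not code from the original thread or from either router; the routing table is constructed from the route displays in the message (default route via 192.168.47.1), and the two 136.159 subnet routes and their next hops are assumed for illustration.

```python
import ipaddress

# Constructed routing table modelled on the displays in the message.
# (prefix, next hop). The 136.159.x subnets are assumed entries.
ROUTES = [
    ("0.0.0.0/0", "192.168.47.1"),        # default route, the "next hop" gateway
    ("136.159.1.0/24", "136.159.1.1"),    # assumed known subnet of the Class B
    ("136.159.2.0/24", "136.159.2.1"),    # assumed known subnet of the Class B
]


def classful_network(addr):
    """Return the classful (A/B/C) network containing addr, the way
    RIP-era routers reasoned about 'the network' before CIDR."""
    a = int(addr)
    first = a >> 24
    if first < 128:
        return ipaddress.ip_network(f"{first}.0.0.0/8")
    if first < 192:
        return ipaddress.ip_network(f"{first}.{(a >> 16) & 0xff}.0.0/16")
    return ipaddress.ip_network(f"{first}.{(a >> 16) & 0xff}.{(a >> 8) & 0xff}.0/24")


def lookup(dst, routes=ROUTES, classful_complete=True):
    """Longest-prefix match for dst.

    classful_complete=True models the NSC / NetBuilder-with-RIP rule from
    the message: if the router already holds subnet routes for dst's
    classful network, it assumes its knowledge of that network is complete
    and drops the packet (returns None) instead of using the default route.
    classful_complete=False models plain longest-prefix match with a
    default route (the NetBuilder with RIP off).
    """
    dst = ipaddress.ip_address(dst)
    table = [(ipaddress.ip_network(p), nh) for p, nh in routes]
    matches = [(net, nh) for net, nh in table if dst in net]
    if not matches:
        return None  # nothing at all, not even a default route
    best_net, best_hop = max(matches, key=lambda m: m[0].prefixlen)

    if classful_complete and best_net.prefixlen == 0:
        # Only the default route matched: check whether we hold any
        # explicit subnet of dst's classful network.
        cls = classful_network(dst)
        knows_subnets = any(
            net.prefixlen > 0 and net.subnet_of(cls) for net, _ in table
        )
        if knows_subnets:
            return None  # RIP_DIS-style entry: no next hop, not forwarded
    return best_hop


if __name__ == "__main__":
    for d in ("123.123.123.123", "136.159.2.7", "136.159.18.0"):
        print(d, "->", lookup(d, classful_complete=True),
              "| RIP off:", lookup(d, classful_complete=False))
```

Run stand-alone it prints the next hop for the three destinations from the message: the bogus 123.x address goes to the default gateway in both modes, the known 136.159.2.0 subnet is forwarded directly, and 136.159.18.0 is dropped under the "complete Class B" rule but handed to the default gateway when that rule is off. The routing-loop concern Dan raises is visible in the code: with the rule off, every unknown 136.159 subnet is sent to a gateway that may itself hold a 136.159.0.0 route pointing back.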