[c-nsp] IOS SLB and VRF Lite

Robert Blayzor rblayzor at inoc.net
Fri Nov 17 12:06:30 EST 2006

I know there was discussion a while back about SLB and VRF.

Part of the problem is that it seems that SLB vservers seem to be
visible from all VRF's, which seems to be a big problem if you have a
switch with multiple VRF's and only a few interfaces (or SVIs) with
servers you want to use SLB on.  It seems as though SLB inspects any
ingress interface regardless of VRF and will switch or load-balance to
another interface not in the same VRF.  That's a bit of a security problem.

I did notice that there is an "access" sub-command under the vserver
options where you could say something like "access Vlan20" which will
turn on the inspection perhaps for only that interface.  The
documentation isn't clear, it mostly talks about the other options that
goes with it for framed-ip users.  Is it possible this is the option we
need for selectively enabling only SLB inspection for vservers on
specific interfaces?

I've yet to test it, but before going through all that pain, was
wondering if someone else has run into this and either used this option
or found another way around it.


Robert Blayzor, BOFH
PGP: 0x66F90BFC @ http://pgp.mit.edu
Key fingerprint = 6296 F715 038B 44C1 2720  292A 8580 500E 66F9 0BFC

Debugger: A tool that substitutes afterthought for forethought.

More information about the cisco-nsp mailing list