[c-nsp] IPSEC VTIs

Behl, Jeff jbehl at estalea.com
Tue Apr 8 12:27:13 EDT 2008


I've switched to using VTIs
(http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hipsctm.html)
where possible, both for their simplicity in configuration and (more
importantly) because I can put ACLs on the actual tunnel interfaces to
manage incoming traffic.

Where this isn't the case (there's a Juniper at the other end, so
IPSEC/GRE), where is the best place to enforce ACLs?  Applying them to
the tunnel interface obviously doesn't work, so it seems the other choice
is to put ACLs on all non-tunnel interfaces, which isn't ideal, or to do
something using VRFs?

Thanks for any input.

-Jeff
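An added illustration of the VTI layout described in the post above (example configuration, not Jeff's own and not from the Cisco guide he links): an IPsec-protected Tunnel interface with an inbound ACL applied directly to it, so traffic from the peer is filtered after decryption and only traffic that actually arrived through this tunnel is matched. The peer addresses, prefixes, interface numbers, ACL and profile names, and the pre-shared key are placeholders (RFC 5737 documentation ranges); substitute your own.

```cisco
! Added example, not the poster's configuration. Every address, name and
! the key below is a placeholder.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key CHANGE-ME address 203.0.113.2
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
! Inbound policy for packets arriving from the peer's network. Because the
! ACL is bound to the Tunnel interface it evaluates the inner (decrypted)
! packets, and only packets that came through this tunnel.
ip access-list extended FROM-PEER-IN
 permit tcp 192.0.2.0 0.0.0.255 10.10.0.0 0.0.255.255 eq 443
 permit udp 192.0.2.0 0.0.0.255 host 10.10.1.53 eq 53
 deny   ip any any log
!
interface Tunnel0
 description VTI to placeholder peer 203.0.113.2
 ip address 10.255.0.1 255.255.255.252
 ip access-group FROM-PEER-IN in
 tunnel source 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile VTI-PROF
!
! With a VTI, routing rather than a crypto ACL selects what is encrypted:
! anything routed out Tunnel0 is protected, so the interface ACL is the
! only filtering policy needed.
ip route 192.0.2.0 255.255.255.0 Tunnel0
```

To confirm the filter is actually in the path, send some traffic from the peer side and check that the hit counters in `show ip access-lists FROM-PEER-IN` increase alongside the decrypt counters in `show crypto ipsec sa`. One caveat: a VTI negotiates its SA with any/any traffic selectors, so the remote end must be willing to accept that; a peer that insists on specific proxy IDs cannot terminate this style of tunnel.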
