[c-nsp] IPSEC VTIs

Fred Reimer freimer at ctiusa.com
Tue Apr 8 12:57:19 EDT 2008


I don't know what code you are running, supposedly 12.4 something, but in
later versions of code you can put an input and output ACL in the crypto map
in addition to the match ACL.  I've used this with VRF-aware IPsec with
failover, separating out several different connections.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Behl, Jeff
> Sent: Tuesday, April 08, 2008 12:27 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IPSEC VTIs
> 
> I've switched to using VTIs
> (http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hipsctm.html)
> where possible, both for their simplicity in configuration and (more
> importantly) I can put ACLs on the actual tunnel interfaces to manage
> incoming traffic.
> 
> 
> 
> Where this isn't the case (there's a Juniper at the other end, so
> IPSEC/GRE) what or where is the best place to enforce ACLs?  Applying
> them to the tunnel interface obviously doesn't work so it seems the
> other choice is to put ACLs on all non-tunnel interfaces, which isn't
> ideal, or to do something using VRFs?
> 
> 
> 
> Thanks for any input.
> 
> 
> 
> -Jeff
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
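Worked configuration, added here as an illustration only: it is not from either post, nor from Cisco's documentation or the list. It puts the two approaches discussed above side by side on IOS: an IPsec VTI with a normal ACL applied to the Tunnel interface (Jeff's approach), and a crypto map that, on releases supporting it, carries an inbound access-group for the decrypted clear-text traffic in addition to the match ACL (Fred's approach; the exact release that introduced `set ip access-group` under a crypto map is not stated on this page). Peer and site addresses (documentation ranges), subnets, ACL and profile names, the transform set and the key placeholder are all assumed values.

```cisco
! ---- Common crypto pieces (assumed values; 203.0.113.2 is the remote peer) ----
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-REAL-KEY address 203.0.113.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! ---- Approach 1: IPsec VTI, filter on the Tunnel interface itself ----
! Decrypted packets are delivered through Tunnel0, so an ordinary
! ip access-group on Tunnel0 is evaluated against the inner traffic.
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
!
ip access-list extended VTI-IN
 remark only HTTPS and ping from the remote site into our server subnet
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 443
 permit icmp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 echo
 deny ip any any log
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip access-group VTI-IN in
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
ip route 10.20.0.0 255.255.0.0 Tunnel0
!
! ---- Approach 2: crypto map (no VTI), filter inside the crypto map ----
! Use one approach or the other for a given peer; both appear here
! only for comparison. "match address" selects what gets encrypted and
! what decrypted packets must correspond to; "set ip access-group ... in"
! is an additional check on the clear-text packet after decryption,
! independent of whatever ACL sits on the physical interface.
ip access-list extended CRYPTO-MATCH
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
ip access-list extended CLEARTEXT-IN
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 443
 permit icmp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 echo
 deny ip any any log
!
crypto map CM-JUNIPER 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address CRYPTO-MATCH
 set ip access-group CLEARTEXT-IN in
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-JUNIPER
```

To confirm the filter is actually being hit rather than silently bypassed, watch the match counters with `show ip access-lists VTI-IN` (or `CLEARTEXT-IN`) while generating traffic from the far side, and check `show crypto ipsec sa` to see that encaps/decaps counters move for the expected selectors. One caveat for the GRE-over-IPsec case: with a crypto map, the clear-text packet presented to the crypto-map access-group is the outer GRE packet, so a policy on the inner payload belongs on the GRE Tunnel interface (after decapsulation) rather than in the crypto map.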