[c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs

Derick Winkworth dwinkworth at att.net
Wed Dec 24 17:58:31 EST 2008

If security is an issue, put any old router in that will do VRFs and configure it with IOS FW or ACLs...  You can put an IOS FW "on a stick" with VLAN's going to it...

Or put an actual firewall in place...

From: "Ramcharan, Vijay A" <vijay.ramcharan at verizonbusiness.com>
To: cisco-nsp at puck.nether.net
Sent: Wednesday, December 24, 2008 2:40:53 PM
Subject: [c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs

I've read the doc at
175 and ignoring the restriction about mapping VRF to VRF traffic have
tried (unsuccessfully) to circumvent this restriction. 

Is it at all possible to terminate an IPSec L2L tunnel in VRF A and then
have traffic exit that VRF A to reach resources located in VRF B or
possibly the global routing table? 

I see the security implications naturally of allowing traffic from
remote sites to leak across VRFs but if it's not possible then is there
some way of providing a "central service" type of resource to a bunch of
different sites (assume each site goes into a different VRF) which
connect to that resource via IPSec tunnels? 

[Site A]---IPSec tunnel over Internet---[Hub Router--VRF A--]
                        [VRF B]
                    (Central Service) 

Vijay Ramcharan 
cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list