[c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs

Derick Winkworth dwinkworth at att.net
Wed Dec 24 17:58:31 EST 2008


If security is an issue, put any old router in that will do VRFs and configure it with IOS FW or ACLs...  You can put an IOS FW "on a stick" with VLANs going to it...

Or put an actual firewall in place...
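One way to build the "router on a stick with ACLs" suggestion above, as an added IOS configuration sketch that is not from either poster: a separate router carries VRF A (the hub's IPsec side) and VRF B (central service) on two dot1q subinterfaces, leaks a single host route between them, and an inbound ACL on the VRF A side permits only remote-site traffic to the central service. All VLAN numbers, prefixes and the service address are constructed placeholders; the hub router must still point VRF B's return route for the site prefix at this box.

```ios
! Constructed example: "stick" router between VRF A and VRF B.
! Addresses, VLANs and RDs are placeholders, not from the thread.
ip vrf A
 rd 65000:1
ip vrf B
 rd 65000:2
!
! Remote sites (10.1.0.0/16, constructed) may reach only the central
! service host 10.2.0.10 (constructed) on TCP 443; everything else is
! dropped and logged so cross-VRF leakage shows up in the logs.
ip access-list extended SITES-TO-CENTRAL
 permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.10 eq 443
 deny   ip any any log
!
interface GigabitEthernet0/1.10
 description VLAN 10 - towards hub VRF A (IPsec IVRF side)
 encapsulation dot1Q 10
 ip vrf forwarding A
 ip address 192.168.10.2 255.255.255.0
 ip access-group SITES-TO-CENTRAL in
!
interface GigabitEthernet0/1.20
 description VLAN 20 - towards hub VRF B (central service)
 encapsulation dot1Q 20
 ip vrf forwarding B
 ip address 192.168.20.2 255.255.255.0
!
! Inter-VRF leak via static routes pointing at the other VRF's interface:
! only the service host is reachable from VRF A, and only the site
! prefix is reachable back from VRF B.
ip route vrf A 10.2.0.10 255.255.255.255 GigabitEthernet0/1.20 192.168.20.1
ip route vrf B 10.1.0.0 255.255.0.0 GigabitEthernet0/1.10 192.168.10.1
```

The ACL is stateless; if the service needs to initiate connections back to the sites, either add matching permits or replace the ACL with an IOS FW (CBAC/zone-based) policy on the same subinterfaces.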




________________________________
From: "Ramcharan, Vijay A" <vijay.ramcharan at verizonbusiness.com>
To: cisco-nsp at puck.nether.net
Sent: Wednesday, December 24, 2008 2:40:53 PM
Subject: [c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs

I've read the doc at
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1027175
and ignoring the restriction about mapping VRF to VRF traffic have
tried (unsuccessfully) to circumvent this restriction. 

Is it at all possible to terminate an IPSec L2L tunnel in VRF A and then
have traffic exit that VRF A to reach resources located in VRF B or
possibly the global routing table? 

I see the security implications naturally of allowing traffic from
remote sites to leak across VRFs but if it's not possible then is there
some way of providing a "central service" type of resource to a bunch of
different sites (assume each site goes into a different VRF) which
connect to that resource via IPSec tunnels? 

[Site A]---IPSec tunnel over Internet---[Hub Router--VRF A--]
                        |
                        [VRF B]
                        |
                    (Central Service) 

Vijay Ramcharan 
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

