[c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs

Derick Winkworth dwinkworth at att.net
Wed Dec 24 19:22:02 EST 2008


I stated that wrong; the old router does not need to do VRFs...

It just needs to do VLANs.

Derick Winkworth wrote:
> If security is an issue, put any old router in that will do VRFs and configure it with IOS FW or ACLs...  You can put an IOS FW "on a stick" with VLANs going to it...
>
> Or put an actual firewall in place...
>
>
>
>
> ________________________________
> From: "Ramcharan, Vijay A" <vijay.ramcharan at verizonbusiness.com>
> To: cisco-nsp at puck.nether.net
> Sent: Wednesday, December 24, 2008 2:40:53 PM
> Subject: [c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs
>
> I've read the doc at
> http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1027175
> and, ignoring the restriction about mapping VRF to VRF traffic, have
> tried (unsuccessfully) to circumvent this restriction.
>
> Is it at all possible to terminate an IPSec L2L tunnel in VRF A and then
> have traffic exit that VRF A to reach resources located in VRF B or
> possibly the global routing table? 
>
> I see the security implications naturally of allowing traffic from
> remote sites to leak across VRFs but if it's not possible then is there
> some way of providing a "central service" type of resource to a bunch of
> different sites (assume each site goes into a different VRF) which
> connect to that resource via IPSec tunnels? 
>
> [Site A]---IPSec tunnel over Internet---[Hub Router--VRF A--]
>                         |
>                         [VRF B]
>                         |
>                     (Central Service) 
>
> Vijay Ramcharan 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
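The following is an added example of the "IOS FW on a stick" design Derick describes, written for this page and not taken from either poster or from the Cisco document Vijay links. It assumes two boxes: a hub router that terminates the Site A tunnel with VRF-aware IPsec (IVRF A, FVRF global) and hands VRF A and VRF B off to a second, plain-IOS router over two dot1Q VLANs; that second router holds no VRFs and is the only path between A and B, so every cross-VRF packet is subject to its ACLs. All addresses (203.0.113.10 for Site A, 198.51.100.0/24 for the hub's Internet side, 192.168.1.0/24 for the Site A LAN, 10.20.0.10 for the central service, 10.255.x.0/30 for the hand-off VLANs), VLAN IDs and object names are made up for the illustration; the pre-shared key is a placeholder.

```text
! ===== Hub router (added example, not from the thread) =====
ip vrf A
 rd 65000:10
ip vrf B
 rd 65000:20
!
! VRF-aware IPsec: the ISAKMP profile's "vrf A" makes A the inside VRF (IVRF);
! the front-door VRF (FVRF) is the global table because Gi0/0 sits there.
crypto keyring KR-SITE-A
 pre-shared-key address 203.0.113.10 key REPLACE-WITH-STRONG-PSK
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14                      ! use the strongest DH group the IOS release supports
crypto isakmp profile ISAKMP-SITE-A
 vrf A
 keyring KR-SITE-A
 match identity address 203.0.113.10 255.255.255.255
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 set isakmp-profile ISAKMP-SITE-A
 match address CRYPTO-SITE-A
! Hub-side half of the tunnel is the central-service subnet that lives in VRF B.
ip access-list extended CRYPTO-SITE-A
 permit ip 10.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface GigabitEthernet0/0
 description Internet (FVRF = global)
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-OUTSIDE
!
! "On a stick" hand-off: one dot1Q subinterface per VRF toward the old router.
interface GigabitEthernet0/1.10
 description to old router, VRF A side
 encapsulation dot1Q 10
 ip vrf forwarding A
 ip address 10.255.10.1 255.255.255.252
interface GigabitEthernet0/1.20
 description to old router, VRF B side
 encapsulation dot1Q 20
 ip vrf forwarding B
 ip address 10.255.20.1 255.255.255.252
!
! VRF A reaches the remote LAN through the global table (so the crypto map on
! Gi0/0 encrypts it) and reaches the central service only via the old router;
! VRF B sends the return traffic back the same way. No route leaks A<->B on box.
ip route 0.0.0.0 0.0.0.0 198.51.100.254
ip route vrf A 192.168.1.0 255.255.255.0 198.51.100.254 global
ip route vrf A 10.20.0.0 255.255.255.0 10.255.10.2
ip route vrf B 192.168.1.0 255.255.255.0 10.255.20.2

! ===== Old router: plain IOS, VLANs only, no VRFs (added example) =====
interface FastEthernet0/0.10
 description VLAN 10 = hub VRF A
 encapsulation dot1Q 10
 ip address 10.255.10.2 255.255.255.252
 ip access-group FROM-VRF-A in
interface FastEthernet0/0.20
 description VLAN 20 = hub VRF B
 encapsulation dot1Q 20
 ip address 10.255.20.2 255.255.255.252
 ip access-group FROM-VRF-B in
!
ip route 192.168.1.0 255.255.255.0 10.255.10.1
ip route 10.20.0.0 255.255.255.0 10.255.20.1
!
! Only Site A -> central service on the published port may cross from A to B,
! and only its replies may cross back; everything else is dropped and logged,
! so any attempt to reach other VRF B hosts from a remote site is visible.
ip access-list extended FROM-VRF-A
 permit tcp 192.168.1.0 0.0.0.255 host 10.20.0.10 eq 443
 deny   ip any any log
ip access-list extended FROM-VRF-B
 permit tcp host 10.20.0.10 eq 443 192.168.1.0 0.0.0.255 established
 deny   ip any any log
```

Each additional site gets its own IVRF on the hub, its own hand-off VLAN, and its own entry in the old router's ACLs, so sites stay isolated from each other and only the explicitly permitted flows reach the shared service. If the old router runs IOS FW, `ip inspect` on the VLAN 10 subinterface can replace the stateless return ACL on VLAN 20; with an actual firewall in that position, the same two VLANs simply become its inside and outside interfaces. Verify the split with `show crypto session vrf A` on the hub and by watching the `deny ... log` counters on the old router while a remote site tries to reach a VRF B address that is not 10.20.0.10.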

