[c-nsp] Virtual Routers

Ben Steele ben.steele at internode.on.net
Mon Nov 17 06:24:20 EST 2008


Actually I just realised after I sent this that you will need to PBR the
last hop in the 6500 before the inside host too if you haven't brought it
into a vrf; otherwise the initial route will take hold and loop you back into
the FWSM again.
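The following is an added illustration, not configuration from Ben or from the thread. It sketches what the PBR design described above (FWSM -> 6500 -> IPS -> 6500 -> inside host) looks like in 6500 IOS, including the return-path policy that this follow-up says is needed on the last hop before the inside host. Every VLAN number, address, slot, interface and ACL name is a constructed assumption; it also assumes the IPS is a routed hop that owns an address on each of its two legs, whereas a transparent inline IPS would need the next-hop to be the address of whatever sits on its far side.

```cisco
! Added example, not from the original thread. All values below are assumptions.
!
! VLAN 1  : outside leg (FWSM outside)             SVI 10.0.1.1/24
! VLAN 2  : FWSM inside leg                        SVI 10.0.2.1/24, FWSM inside 10.0.2.2
! VLAN 10 : 6500 -> IPS leg ("in" cable)           SVI 10.0.10.1/24, IPS side 10.0.10.2
! VLAN 3  : IPS -> 6500 leg ("out" cable) plus     SVI 10.0.3.1/24,  IPS side 10.0.3.2,
!           the inside hosts                        hosts 10.0.3.100-10.0.3.199

! FWSM VLAN assignment (slot 4 is an assumption)
firewall vlan-group 1 1,2
firewall module 4 vlan-group 1

! The IPS is cabled with two separate cables into two different VLANs
interface GigabitEthernet1/1
 description IPS in
 switchport
 switchport mode access
 switchport access vlan 10

interface GigabitEthernet1/2
 description IPS out
 switchport
 switchport mode access
 switchport access vlan 3

interface Vlan2
 description FWSM inside leg
 ip address 10.0.2.1 255.255.255.0
 ip policy route-map TO-IPS

interface Vlan10
 description To IPS (in)
 ip address 10.0.10.1 255.255.255.0

interface Vlan3
 description From IPS (out) and inside hosts
 ip address 10.0.3.1 255.255.255.0
 ip policy route-map FROM-INSIDE

! Inbound: traffic leaving the FWSM toward inside hosts is steered to the IPS.
! A host that should bypass the IPS is simply excluded from the ACL.
ip access-list extended INSPECT-IN
 remark 10.0.3.150 is a constructed example of a host that bypasses the IPS
 deny   ip any host 10.0.3.150
 permit ip any 10.0.3.0 0.0.0.255

route-map TO-IPS permit 10
 match ip address INSPECT-IN
 set ip next-hop 10.0.10.2

! Return path: without this policy on the inside SVI, replies from inside
! hosts follow the routing table straight back to the FWSM and skip the IPS.
ip access-list extended INSPECT-OUT
 remark keep the bypass symmetric for the same host
 deny   ip host 10.0.3.150 any
 permit ip 10.0.3.0 0.0.0.255 any

route-map FROM-INSIDE permit 10
 match ip address INSPECT-OUT
 set ip next-hop 10.0.3.2
```

Two practical checks on this design: `show route-map TO-IPS` and `show route-map FROM-INSIDE` report how many packets were policy-routed, which quickly shows whether one direction is being missed; and if the IPS next-hop becomes unreachable (cable or module down) PBR falls back to the ordinary routing table, so the path silently fails open around the IPS. Whether that is acceptable is a decision to make deliberately, and the fallback behaviour is worth confirming on the IOS release in use.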


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele
Sent: Monday, 17 November 2008 9:39 PM
To: 'Holemans Wim'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Virtual Routers

You can do what you want without vrf using PBR, as you mentioned.

Using the standard svclc vlans the flow of traffic would be:

Outside Host ->6500 VLAN 1 -> FWSM -> 6500 VLAN 2(PBR set ip next-hop IPS)
-> IPS -> 6500 VLAN 3 -> Inside Host

So in this example physically the IPS would be cabled with 2 separate cables
(in/out) in 2 different vlans on the 6500.

Any reason that wouldn't work? Gives you the option to bypass the IPS by
simply not including it in the IPS PBR acl.

Ben

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Holemans Wim
Sent: Monday, 17 November 2008 7:01 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Virtual Routers

Is there a way to divide a 6500 into multiple 'Virtual Routers' with
different routing tables? I've read about VRF-Lite but it is always
mentioned in a VPN environment with remote and central devices. I need
to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and
back into the same 6500. Maybe PBR would do the trick but I'm still
looking for some good and clear info on virtual routing in a LAN
environment (if existing).

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
