limit the access of branches without access-list

Unanswered Question
Feb 25th, 2007

Hi everybody

I want to limit the access of our branches to each other, but each branch has access to headquarters. We use OSPF, EIGRP and static routes in our routing. Could I limit this access without ACLs? If I want to use route filtering, what do you think about it?

What does route filtering do for us?

best regards

mrmozaffari Sun, 02/25/2007 - 02:52


Don't use a dynamic routing protocol, just use static routes, and also don't define a default IP route or gateway like this in any router:

ip route 0.0.0.0 0.0.0.0 x.x.x.x

If you only want your branches to see your headquarters, just define an ip route in each router, and also in headquarters do not define a route from branch "a" to branch "b".

Also, if you send your topology it's better to know what you want to do exactly.

Best Regards B Mozaffari.

Jon Marshall Sun, 02/25/2007 - 02:55


Depends on how your routing works at the branch sites. If you are using default routes from the branch sites then you would have an issue.

Otherwise yes you could selectively filter your routing so that your branch sites only got routes for networks you want them to be able to connect to.

Having said that, it is not the most secure solution. With ACLs you have control at the headquarters end of what is allowed and what isn't. By selectively filtering routes you are relying on the remote branch not knowing how to get to one of your networks. If they could route to your headquarters then there is nothing really stopping them sending and receiving traffic to networks you don't want to give access to.
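The route-filtering approach and its weakness, as an added Cisco IOS example that is not from this thread (the prefixes 10.0.0.0/16 for HQ, 10.100.0.0/16 for the EIGRP department, 10.2.0.0/16 for another branch, the OSPF process number and the prefix-list name are all assumed for illustration):

```cisco
! --- Branch A router: route filtering (assumed addressing) ---
! Only the HQ and department prefixes are allowed into the routing table.
! The implicit deny at the end of the prefix list drops every other
! branch's prefix (e.g. 10.2.0.0/16), so branch A has no route to them.
ip prefix-list HQ-ONLY seq 10 permit 10.0.0.0/16
ip prefix-list HQ-ONLY seq 20 permit 10.100.0.0/16
!
router ospf 1
 distribute-list prefix HQ-ONLY in
!
! Caveat from the reply above: a default route on the branch makes this
! filter pointless, because 10.2.0.0/16 still matches 0.0.0.0/0 and the
! traffic is forwarded towards HQ anyway. Do NOT configure either of these
! on a branch that is meant to be restricted by route filtering:
!   ip route 0.0.0.0 0.0.0.0 <hq-next-hop>          (on the branch)
!   default-information originate                   (under router ospf at HQ)
!
! Checks on the branch router after applying the filter (assumed output
! is not shown here; verify with these commands):
!   show ip route ospf
!   show ip route 10.2.0.1
```

Note that the distribute-list only stops OSPF routes being installed in branch A's routing table; the branch administrator controls that router, so this is exactly the "relying on the remote branch" point made above. The second `show ip route` check should answer "% Network not in table" once the filter is in place and no default route exists.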



ladan.eftetahi Sun, 02/25/2007 - 03:41

Dear Jon

Thanks for your attention. We have many branches that are connected to headquarters with the OSPF protocol, and we have a department that is connected to HQ by EIGRP, so we want each of the branches to have access to HQ and this department. So, in the routing table of each branch we have EIGRP and OSPF, although we don't want the branches to have access to each other. Also, we have IPsec between each branch and HQ, so we could not use an ACL, because to define interesting traffic we use an ACL in IPsec.

What do you think, what can I do?

Could route filtering be a suitable solution?


Jon Marshall Sun, 02/25/2007 - 04:26


Yes, as I said, route filtering would do the job, but if you are running IPsec between your branch site and headquarters then you can just make sure that the ACL that defines interesting traffic only allows the subnets you want. If traffic is then sent that doesn't match this ACL it will not be encrypted. This would work if, to get from one branch to another branch, you have to go via the HQ VPN device.

By the way, you can have more than one ACL when using IPsec. You have an ACL that defines interesting traffic, but you can still have an ACL that restricts the traffic after the traffic has been decrypted. Note if you are using PIX etc. and you have "sysopt connection permit-ipsec" this will bypass any ACL you have applied to the outside interface.

It's difficult without knowing the full topology to comment further. Route filtering would work but there are more secure ways.
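The two-ACL arrangement described in the reply above (a crypto ACL that scopes interesting traffic, plus a separate interface ACL that restricts decrypted traffic), as an added IOS example that is not from this thread. The addressing (branch A 10.1.0.0/16, HQ 10.0.0.0/16, department 10.100.0.0/16), the peer addresses 198.51.100.1 and 203.0.113.1, the transform set, the ACL and crypto-map names and the interface names are all assumed; ISAKMP policy and pre-shared key configuration are left out.

```cisco
! --- Branch A router (assumed addressing) ---
! 1) Crypto ACL: only branch A <-> HQ and branch A <-> department are
!    "interesting". Branch A -> branch B (10.2.0.0/16) matches nothing here,
!    so it is never encrypted or sent into the tunnel to HQ.
ip access-list extended BRANCH-A-CRYPTO
 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 10.100.0.0 0.0.255.255
!
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES-SHA
 match address BRANCH-A-CRYPTO
!
interface Serial0/0
 description WAN link, branch A public side 198.51.100.1 (assumed)
 crypto map VPN
!
! --- HQ VPN router (assumed addressing) ---
! 2) The crypto ACL is mirrored. A second, separate ACL on the outside
!    interface restricts what branch A may reach after decryption. On an
!    IOS router with a crypto map the inbound ACL is evaluated on the
!    encrypted packet (so it must permit ISAKMP and ESP from the peer) and
!    again on the decrypted inner packet; on a PIX with
!    "sysopt connection permit-ipsec" the outside ACL is bypassed instead.
ip access-list extended HQ-TO-BRANCH-A-CRYPTO
 permit ip 10.0.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 permit ip 10.100.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 10.100.0.0 0.0.255.255
 deny   ip any any log
!
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES-SHA
 match address HQ-TO-BRANCH-A-CRYPTO
!
interface Serial0/0
 description Internet side, HQ public address 203.0.113.1 (assumed)
 ip access-group OUTSIDE-IN in
 crypto map VPN
```

The point of the second ACL is that it is enforced at HQ: even if branch A learns a route to branch B, decrypted packets from 10.1.0.0/16 to 10.2.0.0/16 hit the final `deny ip any any log` line, and the log entries give a detection signal that a branch is attempting to reach something it should not. The crypto ACL alone does not give that signal, because non-matching traffic simply leaves the branch router unencrypted.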



ladan.eftetahi Sun, 02/25/2007 - 04:56


I appreciate it. Could you please guide me: what are the other ways to limit this access, excluding route filtering?

