Pass traffic through 7206 to an IPS appliance then back out?

Unanswered Question
Apr 9th, 2007

I have multiple branch offices with 1811 routers coming into one 7206 at our datacenter as a hub and spoke type WAN. We would like an IPS appliance to filter traffic going from branch office to branch office. How can we accomplish this if we deploy only 1 IPS appliance while still using DMVPN? Is there a way to force the traffic to leave the 7206, then into the IPS appliance, then back into the 7206? (see attached traffic flow)

dgahm Mon, 04/09/2007 - 11:39

Anytime you want to override normal routing behavior the solution is usually Policy Based Routing. Here are a couple good documents on PBR:

Basic PBR

http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca590.html

PBR Multiple Tracking Options

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080457bcc.html

In your case you may require another router on the other side of your IPS unless it can act as a router. If the IPS is layer 2 only you would have one 7206 interface and subnet connect to the other router with the IPS in-line, and a 2nd link direct between the 2 routers with another subnet. Packets inbound on the WAN would be policy routed with a next hop on the 2nd router forcing the traffic through the IPS. The 2nd router would normally route the packets back to the 7206 which would normally route to the intended site.

Please rate helpful posts.

Dave
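The two-router design Dave describes, written out as an added IOS configuration example (this is not from the original post or from Cisco's documentation). Everything here is assumed: the interface names, the 192.0.2.x point-to-point subnets, the 10.10.0.0/16 aggregate standing in for all branch LANs, 10.20.0.0/16 for the datacenter LANs, and "R2" for the router on the far side of the layer-2 IPS. The route-map uses the next-hop tracking from the second document Dave links so the IPS path is only used while it is actually up.

```cisco
! Added example, not from the original post. Assumed topology:
!   Tunnel0      = DMVPN hub interface on the 7206; spoke traffic arrives here
!   Gi0/1        = 7206 link that passes through the inline (layer-2) IPS to R2, 192.0.2.0/30
!   Gi0/2        = direct 7206 <-> R2 link that bypasses the IPS, 192.0.2.4/30
!   10.10.0.0/16 = aggregate of all branch-office LANs (constructed)
!   10.20.0.0/16 = datacenter LANs (constructed)
!
! ---- 7206 (DMVPN hub) ----
! Only branch-to-branch traffic is matched. Branch-to-datacenter traffic is
! denied by the ACL, so the route-map does not fire and it is forwarded by
! the normal routing table.
access-list 101 deny   ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
! Probe R2 across the IPS path and tie the next hop to that probe.
! (Older releases use "ip sla monitor" / "track 1 rtr 1 reachability" instead.)
ip sla 1
 icmp-echo 192.0.2.2 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map TO-IPS permit 10
 match ip address 101
 set ip next-hop verify-availability 192.0.2.2 10 track 1
!
interface GigabitEthernet0/1
 description Toward R2 through the inline IPS
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/2
 description Direct link to R2 (return path, no IPS)
 ip address 192.0.2.5 255.255.255.252
!
interface Tunnel0
 description DMVPN hub; PBR applies to packets arriving from the spokes
 ip policy route-map TO-IPS
!
! ---- R2 (router behind the IPS) ----
! R2 needs no route-map. It simply routes the branch aggregate back to the
! 7206 over the direct link. That traffic re-enters the 7206 on Gi0/2, not
! Tunnel0, so the policy does not fire a second time and the 7206 forwards
! it to the destination spoke normally.
interface GigabitEthernet0/1
 ip address 192.0.2.2 255.255.255.252
interface GigabitEthernet0/2
 ip address 192.0.2.6 255.255.255.252
ip route 10.10.0.0 255.255.0.0 192.0.2.5
```

To confirm the policy is actually taking effect, `show route-map TO-IPS` reports the packet and byte counts matched by sequence 10, and `show track 1` shows whether the IPS path probe is up. Two things worth deciding deliberately: with `verify-availability ... track`, a failed probe makes the hub fall back to normal routing, so branch-to-branch traffic flows uninspected (fail-open) while the IPS path is down; and if the spokes are allowed to build direct spoke-to-spoke DMVPN tunnels, that traffic never transits the 7206 at all, so this design only inspects what the spokes forward through the hub.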
