Pass traffic through 7206 to an IPS appliance then back out?

hiding_elephant
Level 1

I have multiple branch offices with 1811 routers coming into one 7206 at our datacenter as a hub and spoke type WAN. We would like an IPS appliance to filter traffic going from branch office to branch office. How can we accomplish this if we deploy only 1 IPS appliance while still using DMVPN? Is there a way to force the traffic to leave the 7206, then into the IPS appliance, then back into the 7206? (see attached traffic flow)

1 Reply

dgahm
Level 8

Anytime you want to override normal routing behavior the solution is usually Policy Based Routing. Here are a couple good documents on PBR:

Basic PBR

http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca590.html

PBR Multiple Tracking Options

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080457bcc.html

In your case you may require another router on the other side of your IPS unless it can act as a router. If the IPS is layer 2 only you would have one 7206 interface and subnet connect to the other router with the IPS in-line, and a 2nd link direct between the 2 routers with another subnet. Packets inbound on the WAN would be policy routed with a next hop on the 2nd router forcing the traffic through the IPS. The 2nd router would normally route the packets back to the 7206 which would normally route to the intended site.

Please rate helpful posts.

Dave
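The two-router design Dave describes, written out as an added IOS configuration example (this is not Dave's config or anything from the original thread). Everything concrete here is an assumption: branch LANs are summarised as 10.1.0.0/16, the DMVPN hub tunnel is Tunnel0, the 7206 reaches the second router through the layer-2 IPS on GigabitEthernet0/1 (10.255.1.0/30) and directly on GigabitEthernet0/2 (10.255.2.0/30), and the second router is called R2. The tracking piece uses `ip sla` syntax as found in IOS 12.4T and later; older images use `ip sla monitor` instead.

```cisco
! ===== 7206 (DMVPN hub) =====
!
! Constructed: branch-to-branch traffic is anything from a branch LAN to another
! branch LAN. Branch-to-datacenter traffic does not match and is routed normally.
ip access-list extended BRANCH-TO-BRANCH
 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! Probe R2's IPS-side address so PBR can tell whether the IPS path is up.
ip sla 1
 icmp-echo 10.255.1.2 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Policy: matching packets get a next hop of R2 on the IPS-facing link,
! but only while track 1 is up. If the IPS link fails, the set is skipped
! and the packet falls back to normal routing (fail-open; see note below).
route-map VIA-IPS permit 10
 match ip address BRANCH-TO-BRANCH
 set ip next-hop verify-availability 10.255.1.2 10 track 1
!
interface Tunnel0
 description DMVPN hub - spoke traffic arrives here
 ip address 172.16.0.1 255.255.255.0
 ip policy route-map VIA-IPS
!
interface GigabitEthernet0/1
 description To R2 through the inline (layer 2) IPS
 ip address 10.255.1.1 255.255.255.252
!
interface GigabitEthernet0/2
 description Direct link to R2 - return path, no policy applied
 ip address 10.255.2.1 255.255.255.252
!
! ===== R2 (second router behind the IPS) =====
!
interface GigabitEthernet0/0
 description From 7206 via IPS
 ip address 10.255.1.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Direct link back to 7206
 ip address 10.255.2.2 255.255.255.252
!
! R2 knows nothing special: branch prefixes point back at the 7206 over the
! direct link, so inspected packets return on Gi0/2 and are routed out Tunnel0.
ip route 10.1.0.0 255.255.0.0 10.255.2.1
```

The loop is avoided because the route-map is applied only to Tunnel0: a packet returning from R2 enters the 7206 on GigabitEthernet0/2, is not policy-routed again, and follows the normal DMVPN route to the destination spoke. The `verify-availability ... track` clause is the tracking option from Dave's second link; as written it fails open, so branch-to-branch traffic bypasses the IPS if the probe fails. If the requirement is that uninspected traffic never crosses between branches, replace the fallback with a second route-map entry that drops matching packets (`set interface Null0`) rather than letting them fall through to normal routing.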
