routing traffic from a network segment to another 3 hops away

Unanswered Question
Jul 19th, 2007

OK, here is the deal: we just had to install a network segment for an outside agency, and we don't want this segment to see any of our network or network resources. I have to get this traffic to a router that is 3 hops from where the segment is. Any ideas on how to do this? I know I could use a VPN/GRE solution, but that requires an IOS upgrade and I would like to avoid that.

Any ideas would be appreciated, thanks.

Jon Marshall Thu, 07/19/2007 - 04:52


If you don't want to use GRE/VPN, then you could:

1) If the segment attaches to a dedicated router for that segment, make sure that router only has routes for the remote network and no others, not even a default route.

2) If not, or in addition to 1), use access-lists on the L3 interface for that segment, allowing the source IP addresses access only to the remote network.



Richard Burts Thu, 07/19/2007 - 09:05


Some additional information would be helpful. Especially, I would like to know how this segment is connected to your network. Is it connected on a separate router with only two interfaces (one for the segment and one connecting to your network; this is Jon's reference to a dedicated router), which would be ideal and would simplify restricting their visibility? Or is it connected on a router which has other connections to other segments of your network?

I would like to re-think your statement that an IOS upgrade would be required. Perhaps it is so if you do VPN but I think that a simple GRE tunnel would do and I doubt that you need an IOS upgrade to do GRE tunnels.

My suggestion would be to do a GRE tunnel from the router where this segment is connected to where the traffic needs to get, and then to do policy based routing on the routers on both ends of the tunnel so that all traffic to and from that segment is sent through the tunnel and not through the normal network routing. If you then do Jon's suggestion about ACLs to restrict access from this segment to other segments on that router, it looks to me like you can achieve the isolation that you need.

[edit] as I re-read my post I am not sure that you need policy based routing on both ends. On the router three hops away you probably only need a static route that sends all traffic for this segment through the tunnel. On the router where the segment is connected you would need PBR to direct all traffic whose source is that segment and send it through the GRE tunnel.
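The configuration below is an added worked example of what Jon's ACL/no-default-route advice and Richard's GRE tunnel plus PBR plus static route advice look like together on IOS. It is not taken from either reply and not from the original poster's network; every name and address is assumed for illustration: R1 is the router the agency segment attaches to (segment 192.0.2.0/24 on FastEthernet0/0, network-facing address 10.0.1.1 on FastEthernet0/1), R4 is the router three hops away (10.0.4.1 on FastEthernet0/1) with the agency's destination network 198.51.100.0/24 behind it, and 172.16.0.0/30 is the tunnel subnet. Only the GRE-encapsulated packets between 10.0.1.1 and 10.0.4.1 cross the intermediate hops, so those routers never need a route for 192.0.2.0/24.

```cisco
! ===== R1: router where the outside agency's segment attaches =====
! (example config, names and addresses are assumptions, see lead-in)
!
interface Tunnel0
 description GRE to R4, carries agency traffic only
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/1
 tunnel destination 10.0.4.1
!
interface FastEthernet0/0
 description outside agency segment 192.0.2.0/24
 ip address 192.0.2.1 255.255.255.0
 ! Jon's point 2: inbound ACL lets the segment reach ONLY the remote network
 ip access-group AGENCY-IN in
 ! Richard's point: PBR forces segment-sourced traffic into the tunnel
 ip policy route-map AGENCY-TO-TUNNEL
!
! Only 192.0.2.0/24 -> 198.51.100.0/24 is allowed; everything else is
! dropped at the segment's L3 interface, so the agency cannot see the
! rest of the network even if the tunnel is down and PBR falls through.
ip access-list extended AGENCY-IN
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
 deny   ip any any log
!
! Source-based match for PBR (destination already restricted by AGENCY-IN)
ip access-list extended AGENCY-SRC
 permit ip 192.0.2.0 0.0.0.255 any
!
route-map AGENCY-TO-TUNNEL permit 10
 match ip address AGENCY-SRC
 set ip next-hop 172.16.0.2
!
! ===== R4: router three hops away, in front of 198.51.100.0/24 =====
!
interface Tunnel0
 description GRE from R1
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/1
 tunnel destination 10.0.1.1
!
! Richard's edit: no PBR needed here, a static route is enough to send
! return traffic for the agency segment back through the tunnel.
ip route 192.0.2.0 255.255.255.0 172.16.0.2
```

Two things to check after applying this. First, 192.0.2.0/24 must not leak into the internal IGP (do not redistribute connected on R1, and do not advertise Tunnel0), otherwise the rest of the network learns a path to the segment that bypasses the intent. Second, the tunnel endpoints 10.0.1.1 and 10.0.4.1 must stay reachable through the normal underlay, never through the tunnel itself, or the tunnel flaps with recursive routing; here only 192.0.2.0/24 is routed into the tunnel, so that holds. If R1 is a dedicated two-interface router as in Jon's point 1, the route-map can be replaced by a single `ip route 198.51.100.0 255.255.255.0 172.16.0.2` with no default route configured. Note that plain GRE provides isolation by routing and ACL only; the agency's traffic crosses the three intermediate hops unencrypted.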



