Policy Based Routing design question....

Oct 10th, 2007

I have a need to bridge a B2B DMZ network to a small section of our internal company LAN. I am bridging the networks using a GRE tunnel that terminates at the router servicing the internal LAN segment.

The issue I have is to configure the end point router so that traffic exiting the tunnel interface can only be sent out the router interface for the LAN segment, and traffic from the LAN segment interface can only be sent out the Tunnel interface.

I believe I can do that using the following configuration:

! Policy route-maps match on an access list, not on an interface
! (match interface is only used in redistribution route-maps), so a
! permit-any ACL is used to catch all traffic entering each interface.
access-list 101 permit ip any any

route-map tu0-to-fa0 permit 10
 match ip address 101
 set interface FastEthernet0

route-map fa0-to-tu0 permit 10
 match ip address 101
 set interface Tunnel0

interface Tunnel0
 description endpoint for GRE Tunnel
 ip policy route-map tu0-to-fa0

interface FastEthernet0
 description Internal LAN segment
 ip policy route-map fa0-to-tu0

Interface FA0 also has an inbound ACL assigned to it for managing access to other internal network sites. I assume that the ACL will be processed before PBR is applied - is this accurate?

If more information is required, please ask.

Thanks in advance.

lgijssel Wed, 10/10/2007 - 12:07

You are creating some confusion using the expression "bridging". If you really want to bridge traffic, create a bridge-group between LAN and Tunnel interfaces.

Otherwise you will be using routing (which is safer to use).

There is no need to "force" traffic both ways, what goes into the tunnel at one side will come out at the other. The bridge- or routing tables determine the rest.

Looking at your proposed setup, I get the impression that this is a fairly complex matter. It would be wise to configure this in a lab-setup before going live.

If this is a critical environment I would also consider hiring someone to assist with the setup. It would be my pleasure to do this for you but likely we are geographically too far apart.

regards,

Leo

mike.rootvik Wed, 10/10/2007 - 12:30

Sorry, the choice of the word bridging was a bad one. It was used in a generic sense just to mean I need to get the two separated networks to talk to each other.

The main issue is not getting traffic into or out of the tunnel, that's simple enough to setup.

The issue is more of a security-related one, in that I do not wish traffic coming out of the tunnel on the end point router to be able to access anything else besides the resources on the internal LAN segment. And the follow-on to that is the need to ensure that traffic originating from the internal LAN segment can only access resources on the far end of the GRE tunnel.

I can think of several ways it can be done, including putting a firewall in place on the internal LAN segment and using a site-to-site VPN. I would like to avoid a solution that involves deploying additional equipment by using PBR, if possible, to achieve the same result.

I was looking for some confirmation that the concept was sound before spending time labbing a possibly unsound design.
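One way to enforce the isolation described in this thread with inbound interface ACLs, with PBR only as a belt-and-braces layer; this is an added example, not configuration from the thread, and the subnets 10.1.1.0/24 (internal LAN segment) and 192.168.50.0/24 (network at the far end of the tunnel) are placeholders:

```cisco
! Added example. PBR only picks an exit interface: if that interface is
! down, the packet falls back to the normal routing table, so it is the
! inbound ACL (which IOS evaluates before policy routing) that actually
! keeps tunnel traffic off the other internal sites.
!
! 10.1.1.0/24     = internal LAN segment (placeholder)
! 192.168.50.0/24 = network at the far end of the GRE tunnel (placeholder)

ip access-list extended TU0-IN
 remark Only the far-end network may enter, and only toward the LAN segment
 permit ip 192.168.50.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny   ip any any log

ip access-list extended FA0-IN
 remark The LAN segment may only talk to the far-end network
 permit ip 10.1.1.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny   ip any any log

! Optional PBR: prefer the tunnel, and send anything that did not match
! to Null0 so that loosening FA0-IN later cannot reopen normal routing.
ip access-list extended FA0-TO-FAR
 permit ip 10.1.1.0 0.0.0.255 192.168.50.0 0.0.0.255

route-map fa0-to-tu0 permit 10
 match ip address FA0-TO-FAR
 set interface Tunnel0
route-map fa0-to-tu0 permit 20
 set interface Null0

interface Tunnel0
 description endpoint for GRE Tunnel
 ip access-group TU0-IN in

interface FastEthernet0
 description Internal LAN segment
 ip access-group FA0-IN in
 ip policy route-map fa0-to-tu0
```

The "deny ... log" entries give a quick way to spot anything that tries to cross the boundary while the design is being tested in the lab.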
