Cisco Support Community


Pass traffic through 7206 to an IPS appliance then back out?

I have multiple branch offices with 1811 routers coming into one 7206 at our datacenter as a hub and spoke type WAN. We would like an IPS appliance to filter traffic going from branch office to branch office. How can we accomplish this if we deploy only 1 IPS appliance while still using DMVPN? Is there a way to force the traffic to leave the 7206, then into the IPS appliance, then back into the 7206? (see attached traffic flow)


Re: Pass traffic through 7206 to an IPS appliance then back out?

Anytime you want to override normal routing behavior the solution is usually Policy Based Routing. Here are a couple good documents on PBR:

Basic PBR

PBR Multiple Tracking Options

In your case you may require another router on the other side of your IPS unless it can act as a router. If the IPS is layer 2 only you would have one 7206 interface and subnet connect to the other router with the IPS in-line, and a 2nd link direct between the 2 routers with another subnet. Packets inbound on the WAN would be policy routed with a next hop on the 2nd router forcing the traffic through the IPS. The 2nd router would normally route the packets back to the 7206 which would normally route to the intended site.

Please rate helpful posts.
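The design described in the reply above, written out as IOS configuration. This is an added example, not configuration from the original thread or from Cisco; hostnames, interface names and every address in it are constructed assumptions: the spokes live in 10.1.0.0/16 behind the hub's Tunnel0, GigabitEthernet0/1 on the 7206 faces the inline layer-2 IPS with a second router (R2) on the far side of it, and GigabitEthernet0/2 is the direct link between the two routers that carries the return path. The reachability tracking on the next hop is one of the options the linked "PBR Multiple Tracking Options" document covers.

```cisco
! ===== 7206 hub (constructed example, addresses are assumptions) =====
!
! Only spoke-to-spoke traffic is diverted; hub-to-spoke and tunnel
! control traffic (10.0.0.0/24) does not match and is routed normally.
ip access-list extended SPOKE-TO-SPOKE
 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! Probe R2 across the IPS so the route-map only sets the next hop
! while the path through the IPS is actually up.
ip sla 1
 icmp-echo 192.168.100.2 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! If track 1 is down, this entry is skipped and the packet falls
! back to normal routing, i.e. it bypasses the IPS (fail-open).
route-map VIA-IPS permit 10
 match ip address SPOKE-TO-SPOKE
 set ip next-hop verify-availability 192.168.100.2 10 track 1
!
! PBR is applied to packets arriving from the spokes on the mGRE
! tunnel; it is deliberately NOT applied on Gi0/2, so traffic that
! R2 sends back is routed normally out the tunnel and cannot loop.
interface Tunnel0
 description DMVPN hub mGRE (assumed existing NHRP/IPsec config not shown)
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map VIA-IPS
!
interface GigabitEthernet0/1
 description to R2 through the inline IPS
 ip address 192.168.100.1 255.255.255.252
!
interface GigabitEthernet0/2
 description direct link to R2, return path (no IPS)
 ip address 192.168.101.1 255.255.255.252
!
! ===== R2, second router behind the IPS (constructed example) =====
!
interface GigabitEthernet0/0
 description from the IPS (7206 Gi0/1 side)
 ip address 192.168.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description direct link back to the 7206
 ip address 192.168.101.2 255.255.255.252
!
! R2 does plain destination routing: every spoke prefix goes back to
! the 7206 over the direct link, so each packet crosses the IPS once.
ip route 10.1.0.0 255.255.0.0 192.168.101.1
```

On the 7206, `show route-map VIA-IPS` shows the policy-matched packet counters and `show track 1` the state of the probe, which is the quickest way to confirm traffic is really being diverted. Two points worth deciding up front: the tracked next hop above fails open, so if the IPS or R2 goes down spoke-to-spoke traffic flows uninspected; if you would rather fail closed, drop the tracking and accept the outage, or pair it with a deny entry for the same ACL. And the diversion only works for traffic that actually transits the hub, so it assumes the DMVPN spokes do not build direct spoke-to-spoke tunnels (phase 1 hub-and-spoke); with spoke-to-spoke shortcuts enabled that traffic would never reach Tunnel0 on the 7206.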