routing traffic from a network segment to another 3 hops away
OK, here is the deal: we just had to install a network segment for an outside agency, and we don't want this segment to see any of our network or network resources. I have to get this traffic to a router that is 3 hops from where the segment is. Any ideas on how to do this? I know I could use a VPN/GRE solution, but that requires an IOS upgrade and I would like to avoid that.
Re: routing traffic from a network segment to another 3 hops away
Some additional information would be helpful. In particular, I would like to know how this segment is connected to your network. Is it connected on a separate router with only two interfaces (one for the segment and one connecting to your network; this is Jon's reference to a dedicated router), which would be ideal and would simplify restricting their visibility? Or is it connected on a router which has other connections to other segments of your network?
I would like to re-think your statement that an IOS upgrade would be required. Perhaps it is so if you do VPN, but I think that a simple GRE tunnel would do, and I doubt that you need an IOS upgrade to do GRE tunnels.
My suggestion would be to do a GRE tunnel from the router where this segment is connected to where the traffic needs to get, and then to do policy-based routing on the routers on both ends of the tunnel so that all traffic to and from that segment is sent through the tunnel and not through the normal network routing. If you then do Jon's suggestion about ACLs to restrict access from this segment to other segments on that router, it looks to me like you can achieve the isolation that you need.
As I re-read my post, I am not sure that you need policy-based routing on both ends. On the router three hops away you probably only need a static route that sends all traffic for this segment through the tunnel. On the router where the segment is connected you would need PBR to match all traffic whose source is that segment and send it through the GRE tunnel.
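As an added worked example (not posted by anyone in this thread), here is what the two ends of that design could look like in IOS CLI: a GRE tunnel, PBR on the segment router, a static route on the far router, and an inbound ACL on the segment interface. Every name and address is assumed: the agency segment is 192.0.2.0/24 on GigabitEthernet0/1 of "Router A", the tunnel endpoints are 10.1.1.1 (Router A) and 10.3.3.1 (Router C, three hops away), the tunnel itself is 172.16.0.0/30, and 10.50.0.0/16 is the network behind Router C that the agency is allowed to reach.

```cisco
! ===== Router A: the router the outside-agency segment plugs into (assumed names) =====
!
interface Tunnel0
 description GRE to Router C (3 hops away over the normal network)
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 10.3.3.1
!
! ACL applied inbound on the segment interface: the agency may reach 10.50.0.0/16
! (behind Router C) and non-private space, but nothing else that is internal.
! The inbound ACL is evaluated before PBR, so blocked traffic never reaches the route-map.
ip access-list extended AGENCY-IN
 permit ip 192.0.2.0 0.0.0.255 10.50.0.0 0.0.255.255
 deny   ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.0.2.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.0.2.0 0.0.0.255 any
!
! Match list for PBR: anything sourced from the agency segment.
ip access-list extended AGENCY-SRC
 permit ip 192.0.2.0 0.0.0.255 any
!
! PBR: force matched traffic into the tunnel. Null0 as the second interface means
! that if Tunnel0 goes down (keepalives fail) the traffic is dropped instead of
! falling through to the normal routing table and leaking onto the internal network.
route-map AGENCY-TO-TUNNEL permit 10
 match ip address AGENCY-SRC
 set interface Tunnel0 Null0
!
interface GigabitEthernet0/1
 description outside-agency segment
 ip address 192.0.2.1 255.255.255.0
 ip access-group AGENCY-IN in
 ip policy route-map AGENCY-TO-TUNNEL
!
! Do NOT redistribute or advertise 192.0.2.0/24 into the IGP from Router A;
! the only path to it should be the static route on Router C through the tunnel.
!
! ===== Router C: the router three hops away (assumed names) =====
!
interface Tunnel0
 description GRE from Router A (agency segment)
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 10.1.1.1
!
! Return traffic for the agency segment goes back into the tunnel, nowhere else.
ip route 192.0.2.0 255.255.255.0 Tunnel0 172.16.0.1
```

Two things to check after loading this: the tunnel destination on each side must be reachable through the ordinary routing table (never through the tunnel itself, or the tunnel recurses and flaps), and `show ip policy`, `show route-map AGENCY-TO-TUNNEL` and a traceroute from a host on 192.0.2.0/24 should confirm that the policy is attached, its counters are incrementing, and the first hop after Router A is 172.16.0.2 rather than an internal router. The `ip mtu` / `ip tcp adjust-mss` lines account for the GRE overhead so large packets are not silently dropped or fragmented.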