The MPLS-OPS Archive

RE: Send internal flows through a firewall?
Nathan,

Can you not simply attach some RADIUS attributes (to the ones you probably already use to bind the user to a VRF)? I do this sort of stuff;

<snip>
cisco-avpair = "ip:inacl#1=permit ip 10.32.0.0 0.0.3.255 10.1.1.1 0.0.0.0", \
cisco-avpair = "ip:inacl#2=deny ip any any"
</snip>

Regards,
Julian Breen
SPT

-----Original Message-----
From: Nathan [mailto:paranoia@phreaker.net]
Sent: Thursday, 25 August 2005 8:33 PM
To: mpls-ops@mplsrc.com
Subject: [MPLS-OPS]: Send internal flows through a firewall?

Hi,

I have a quick question about a deployment. I have a rather classic setup, with L2TP tunnels coming to my router, and RADIUS telling the router to attach the tunnel to one or another VRF.

We want to set up a solution in which several hundred L2TP tunnels (with non-overlapping IPs) are forced through a firewall, even though the flows may be between two of the L2TP tunnels. The subscriber cannot communicate with *anyone* without the flow going through the firewall.

The problem is that all or most of the L2TP tunnels are on one PE, so I don't see how import-export of routes can help me. The firewall is on another PE, but if necessary I could move it. The firewall has an internal ethernet interface, non-dot1q AFAICT, and an external one that it will use for communicating with the Internet. It's not a Linux but some closed-box thing.

I am at a loss on how to implement this, and I'm being told "XYZ competitor does this at no cost, why can't you?".

What should I try:

- One VRF for each line, that's hundreds of different VRFs to configure and maintain. I put the internal firewall interface on one VRF, and for each of the hundreds of client VRFs I import a default route to the firewall, and import-export the client VRF to the firewall VRF -- but won't the flow turn at the PE interface in front of the firewall without going through the firewall?

- Have two VRFs and somehow put packets incoming from clients into one VRF and packets from the firewall into the other. I think there's a way to do this on the firewall side (configure two subinterfaces without dot1q, same network, different VRFs, would that work?), but I don't see a way to do it on the L2TP side.

- Try to combine ACLs and MPLS NAT somehow.

- Attach route maps in the RADIUS configuration that depend on the incoming interface (if incoming from L2TP map next-hop to firewall, if not use the VRF routing table), is this possible? Does it combine with the "two VRFs" idea?

- Use some Cisco feature I haven't discovered yet.

- Something else?

Please help me out.

Thanks.

Nathan

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
-------
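Julian's suggestion relies on the per-user downloadable ACL (the `ip:inacl#N=` cisco-avpair values) being correct for every subscriber: the only permitted destination must be the firewall's inside address, and the ACL must close with an explicit deny. Below is an added example, not code from the list or from Cisco, that parses such avpair values and checks them against that policy; it assumes the firewall inside address 10.1.1.1 from Julian's snippet and uses constructed sample entries.

```python
import re

ANY = ("0.0.0.0", "255.255.255.255")   # what 'any' expands to in a wildcard ACL

def _take_addr(tokens):
    """Pop one IOS address spec from the token list: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ANY
    if tokens[0] == "host":
        tokens.pop(0)
        return (tokens.pop(0), "0.0.0.0")
    return (tokens.pop(0), tokens.pop(0))

def parse_avpair(value):
    """Parse one 'ip:inacl#N=<permit|deny> ip SRC DST' value into (seq, action, src, dst)."""
    m = re.match(r"^ip:inacl#(\d+)=(permit|deny) ip (.+)$", value.strip())
    if not m:
        raise ValueError("not an ip:inacl entry: %r" % value)
    tokens = m.group(3).split()
    src, dst = _take_addr(tokens), _take_addr(tokens)
    if tokens:
        raise ValueError("unsupported trailing options in %r" % value)
    return int(m.group(1)), m.group(2), src, dst

def check_user_acl(avpairs, firewall_ip):
    """Return a list of policy problems for one user's downloadable ACL (empty = OK).
    Policy: every permit must target the firewall host, sequence numbers must
    run 1..N without gaps, and the last entry must be 'deny ip any any'."""
    aces = sorted((parse_avpair(v) for v in avpairs), key=lambda a: a[0])
    if not aces:
        return ["no ip:inacl entries"]
    problems = []
    seqs = [a[0] for a in aces]
    if seqs != list(range(1, len(aces) + 1)):
        problems.append("sequence numbers not contiguous from 1: %s" % seqs)
    for seq, action, _src, dst in aces:
        if action == "permit" and dst != (firewall_ip, "0.0.0.0"):
            problems.append("#%d permits traffic to %s %s, bypassing the firewall" % ((seq,) + dst))
    _seq, action, src, dst = aces[-1]
    if (action, src, dst) != ("deny", ANY, ANY):
        problems.append("ACL does not end with 'deny ip any any'")
    return problems

# Constructed sample values: Julian's pair from the list, and a variant that leaks.
GOOD = ["ip:inacl#1=permit ip 10.32.0.0 0.0.3.255 10.1.1.1 0.0.0.0",
        "ip:inacl#2=deny ip any any"]
BAD = ["ip:inacl#1=permit ip 10.32.0.0 0.0.3.255 any",
       "ip:inacl#3=deny ip any any"]

if __name__ == "__main__":
    for name, acl in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_user_acl(acl, "10.1.1.1") or "ok")
```

Run it over the avpair values exported from the RADIUS user store before they are pushed to the LNS; any non-empty result is a subscriber who could reach something without traversing the firewall.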