Saving router costs

From: Aaron DuShey-Yahoo (adushey@xxxxxxxxx)
Date: Thu Nov 15 2001 - 10:19:33 GMT-3


I have a situation where a customer wants to create two virtual routers
out of one router.
Below is the scenario I was thinking would work.
        ( Layer 2 bridging ) (Layer 3 comes in)
ISPT1 B<----s0/0 eth0/0---->B ------>PIX
                   3640 |
Frame R<----S1/0 eth1/0---->R ------Internal LAN
        ( Layer 3 routing )
Basically what I was thinking was CRB/IRB. Bridging the external
interfaces s0/0+e0/0. NO Layer 3 configuration. 3640 on the s0/0+e0/0
just used for T-1<->Ethernet conversion and PIX handles ISP<->Customer
layer 3 traffic.

Problem is, I am getting red flags in my mind and from others about
security compromises in this configuration. Understood. My question is
though how is it really more of a breach than having two separate
routers? If the 36xx is only layer 2 on the outside of the PIX, then my
risks as far as that side of things are limited to layer 2 correct?
Which would mean I would need some sort of physical access to the
segment, or have hacked the ISP edge router, or hacked the PIX to get to
the 3640 on the outside, both of which are disaster scenarios even if
you have 2 separate routers. What are the true technical security
concerns beyond saying it's not recommended? Why exactly is this more of
a risk than having 2 separate routers? I called TAC and talked to some
Cisco SEs and am still searching for more details.

Any help much appreciated
aaron
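The CRB split described in the post, written out as an added example IOS configuration (this is not the poster's own config; the interface names, bridge-group number, encapsulations and addresses are assumed placeholders):

```cisco
! Added example, not from the original post. Interface names, bridge group 1,
! HDLC on the T1 and all IP addresses are assumptions/placeholders.
!
! Concurrent routing and bridging: interfaces in a bridge group only bridge,
! all other interfaces only route, and the two never exchange traffic.
bridge crb
bridge 1 protocol ieee
!
! ISP side: pure layer-2 bridge group, no IP address on either interface,
! so the 3640 has no layer-3 presence on the segment outside the PIX.
interface Serial0/0
 description T1 to ISP (bridged, no layer 3)
 no ip address
 encapsulation hdlc
 bridge-group 1
!
interface Ethernet0/0
 description To PIX outside interface (bridged, no layer 3)
 no ip address
 bridge-group 1
!
! Internal side: ordinary layer-3 routing, not a member of any bridge group.
interface Serial1/0
 description Frame Relay WAN (routed)
 encapsulation frame-relay
 ip address 192.0.2.1 255.255.255.252
!
interface Ethernet1/0
 description Internal LAN (routed)
 ip address 192.168.1.1 255.255.255.0
!
! Under "bridge crb" IP is not routed within bridge group 1 unless
! "bridge 1 route ip" is configured, so that line is deliberately absent.
```

Verify the intended separation with "show interfaces crb", which lists, per interface, which protocols are bridged and which are routed.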



This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:16 GMT-3