Tuesday, December 4, 2018

Routing Help

We have a need to send all traffic from a specific IP address through special routing to bypass an inline device that we have, and I am not entirely sure how to approach this. We are using an SRX550 and my searches keep giving me BGP, and that is not the answer we need, I am sure. I have stumbled upon Advanced Policy-Based Routing, but in the description it says it cannot filter on Level 3 or 4, and that is what we really need, I would think. I know this is a bit vague on the details, and I can answer them and flesh this out a bit more if you guys need. Thanks for the help.

--EDIT--

So the device in question is an inline content filter and is having trouble when scans are being run across it; even though the content of the scan should not be scanned, it is causing the filter to cripple. Thinking about it, I was wondering about setting up a firewall rule on the SRX to send the traffic to a different routing instance that would bypass the content filter and go directly to the actual firewall we are using. The big question is whether you can have two routing instances on a single interface.

--EDIT 2--

Whatever fix is decided on would have to be done on about 100 other networks, so pushing out a fix would be very much preferred over having to change any of the cabling. As far as having them get a VPN, that won't fix the core issue, as the VPN traffic would still be going through the content filter.

--EDIT 3-- Here is a quick breakdown of the network design as it is now.

https://imgur.com/a/N5VcvDe

The one routing instance on the left uses some VLAN voodoo to force all traffic through the filter at the bottom since it is an inline device and cannot be assigned an IP address. Again, the idea is to see if we can assign two routing instances to a single interface as that would likely be the simplest solution.
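As an added example (not part of the original post), this is the standard Junos filter-based forwarding (FBF) pattern for the idea described above: an interface belongs to only one routing instance, but an input firewall filter can hand packets from a chosen source address to a forwarding-type instance with its own route table. The interface name, addresses and instance names are assumed placeholders.

```junos
# Assumed: scanner at 192.0.2.10 sits behind ge-0/0/1 (192.0.2.0/24);
# 198.51.100.1 is the firewall-side next hop that skips the inline filter.

# 1. Filter: only the scanner's /32 is diverted; everything else keeps the
#    normal path. The final accept term matters: Junos filters end in an
#    implicit discard.
set firewall family inet filter BYPASS-FILTER term scanner from source-address 192.0.2.10/32
set firewall family inet filter BYPASS-FILTER term scanner then routing-instance BYPASS-VR
set firewall family inet filter BYPASS-FILTER term default then accept

# 2. Forwarding instance with its own default route toward the firewall.
set routing-instances BYPASS-VR instance-type forwarding
set routing-instances BYPASS-VR routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

# 3. Share the connected (interface) routes from inet.0 into the new instance
#    so the next hop resolves and replies to local subnets still work.
set routing-options interface-routes rib-group inet BYPASS-RIB
set routing-options rib-groups BYPASS-RIB import-rib inet.0
set routing-options rib-groups BYPASS-RIB import-rib BYPASS-VR.inet.0

# 4. Apply the filter inbound on the interface the scanner traffic enters.
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family inet filter input BYPASS-FILTER
```

Traffic matching the filter skips the content filter entirely, so keep the match to the scanner's single address and verify with `show route table BYPASS-VR.inet.0` that the instance holds both the static default and the imported connected routes.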
