So here is the situation... We have a client who has a Symantec Gateway Security 5000 appliance which is used as the edge router, firewall, and VPN aggregation device. The topology is as follows...
Internet -----> ATT Cisco 2600 -----> Symantec 5000 appliance -----> Cisco 3560 (L2 config)
Currently this client has no visibility of traffic and what's going on throughout the network. What we'd like to do is setup a spare 1841 router between the Symantec firewall and the first 3560, enable netflow and nbar then export that data to a netflow collector/appliance. The reason it needs to go here is we'd like to see all VPN traffic after it's processed through the Symantec. The catch with all this is, currently the Symantec box acts as a headend VPN endpoint with about 30 sites connecting, it also routes the local office internal 172.16.1.x network. So we really can't change the addressing on it and move that network to the 1841. Is there a way we can put the 1841 inline to capture traffic flowing through it? I was looking at a bridge (irb) configuration but because traffic isn't routed through the FE interfaces on the router I'm not sure it'll work. Also I can't seem to figure out how to setup a management interface within a bridge configuration to manage the router. Another solution I was looking at was setting up two small /30 networks on the 1841 to connect to both the Symantec firewall and the first 3560 (after enabling routing) but the network behind the 3560 needs to remain 172.16.1.x. I not sure I can do that with this routed configuration. In the end this is the topo we're hoping for, see attached.
If we can't this 1841 to work and do netflow, we'll probably end up just doing a span port on the first 3560 and sending that traffic to an ntop like appliance. Needless to say we'd really rather do the 1841/netflow setup.