Blocking/disabling ability for external connector?

johnl3
Level 1

We plan on putting this on our internal network, but before I do that I need to ensure that the external connector is not possible, as it's not worth the risk of a junior tech messing around and bringing down the network. 

 

Is there a way to do this?

5 Replies

balaji.bandi
Hall of Fame

If this is an internal IP address, how can CML connect outside the network (e.g. to the internet) until you allow it?

BB

You can create an external connector that bridges the connection, thus giving the simulation access to the internal network:

https://developer.cisco.com/docs/modeling-labs/#!bridge-mode

Notice the giant warning in the link.

Agreed. If your environment is protected, I would not allow any traffic going out of CML; we do use it at the workplace...

It all depends on how you implement it and how the user wants to use it.

BB

shin.sterneck
Level 1
(Accepted Solution)

Hi johnl3,

You have multiple options:

1. Configure firewall rules on the host, so even with external connectors, traffic would get blocked (e.g. via Cockpit or SSH/iptables).

2. Another option would be to modify the CML host network configuration (easily done using Cockpit).

- CML assigns the external connector's "bridge" mode to the host's bridge interface "bridge0". This is typically also the interface bound to the external network interface on the host. You can remove the interface from the bridge, so the labs simply can't get out (just be careful, as you might lose network connectivity, so having console access is advisable). Create a snapshot so you can restore the configuration in case you break your network config.

You could even create a new bridge interface (e.g. bridge99) on the host with external connectivity and use the external connector's "custom" mode to only allow people who know the name of the bridge interface "bridge99" to actually access the external network.

- CML assigns the external connector's "NAT" mode to the host's bridge interface "virbr0". This interface is NATed through iptables on the host. You can either remove the NAT configuration or simply remove the interface's IP address so lab machines have no gateway to get out in the first place.

3. Another way could be to put CML in its own VLAN on the switch side to isolate it from the rest of the network (external real switch) and use ACLs to block everything except CML access.

Hope that helped.

Regards,

Shin
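Options 1 and 2 from the reply above, worked through as a dry-run helper script. This is an added example, not code from the thread or from Cisco; the uplink name "eth0", the table name "cml_isolate" and the sample `bridge link show` output are assumptions made for illustration, while "bridge0" and "virbr0" are the bridge names the reply gives. One caveat the reply does not spell out: plain iptables FORWARD rules only see routed traffic, which covers NAT mode on virbr0, but frames that a lab node sends through an external connector in bridge mode are switched inside bridge0 and never reach the IP FORWARD chain unless br_netfilter is loaded. The rules below therefore use the nftables bridge family for bridge0 and the ip family for virbr0. The script only prints commands so they can be reviewed first; pipe the output to `sh` from a console session to apply them.

```shell
#!/bin/sh
# Added example (not from the thread, not Cisco's code): dry-run helper for
# blocking external-connector traffic on a CML host. It prints commands rather
# than running them, so you can review them and then pipe them to sh.
# Hypothetical assumptions, adjust to your host: the physical uplink is "eth0";
# "bridge0" (bridge mode) and "virbr0" (NAT mode) are the bridge names from the reply.

# Option 2 check: list the NICs enslaved to a bridge, parsed from the text of
# `bridge link show` read on stdin. Only interfaces whose "master" is the
# requested bridge are printed, one per line, with the trailing colon removed.
bridge_members() {
  awk -v br="$1" '{
    for (i = 1; i < NF; i++)
      if ($i == "master" && $(i + 1) == br) { sub(/:$/, "", $2); print $2 }
  }'
}

# Option 2: commands that detach NICs from the bridge so lab nodes on it can no
# longer reach the wire. Caveat from the reply: if the host's own IP address sits
# on bridge0, this also cuts your management session, so run it from the console.
gen_detach_cmds() {
  for nic in "$@"; do
    printf 'ip link set dev %s nomaster\n' "$nic"
  done
}

# Option 1: host firewall rules.
#  - bridge family, hook forward: frames being switched between bridge ports.
#    Dropping on the uplink port blocks lab<->wire traffic but not the host's own
#    traffic, which goes through the output/input hooks instead.
#  - ip family, hook forward at priority -10: runs before the iptables-nft filter
#    table (priority 0), so it wins over any ACCEPT rules already present for virbr0.
# Management access to the CML UI (host-terminated traffic) is not affected.
gen_lab_isolation_rules() {
  uplink="$1"
  natbr="$2"
  cat <<EOF
nft add table bridge cml_isolate
nft 'add chain bridge cml_isolate forward { type filter hook forward priority 0; policy accept; }'
nft add rule bridge cml_isolate forward oifname "$uplink" drop
nft add rule bridge cml_isolate forward iifname "$uplink" drop
nft add table ip cml_isolate
nft 'add chain ip cml_isolate forward { type filter hook forward priority -10; policy accept; }'
nft add rule ip cml_isolate forward iifname "$natbr" drop
EOF
}

# Constructed sample of `bridge link show` output so the script runs stand-alone;
# on a real host use:  bridge link show | bridge_members bridge0
SAMPLE_BRIDGE_LINK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master bridge0 state forwarding priority 32 cost 100
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master bridge99 state forwarding priority 32 cost 100'

# Everything that would run on the real host, printed as a dry run.
dry_run() {
  echo "# NICs currently enslaved to bridge0 (lab traffic exits through these):"
  printf '%s\n' "$SAMPLE_BRIDGE_LINK" | bridge_members bridge0
  echo "# Option 2: detach them (have console access first):"
  gen_detach_cmds $(printf '%s\n' "$SAMPLE_BRIDGE_LINK" | bridge_members bridge0)
  echo "# Option 1: firewall rules (review, then: gen_lab_isolation_rules eth0 virbr0 | sh):"
  gen_lab_isolation_rules eth0 virbr0
}

dry_run
```

Note that option 2 and option 1 are complementary rather than alternatives: detaching eth0 from bridge0 removes the path, while the nft rules keep a lab from getting out if someone later re-adds the NIC to the bridge or creates a connector in NAT mode. Take the snapshot the reply recommends before applying either.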

Thank you for the detailed reply!