09-03-2021 06:13 PM
We plan on putting this on our internal network, but before I do that I need to ensure that the external connector is not possible, as it's not worth the risk of a junior tech messing around and bringing down the network.
Is there a way to do this?
Solved! Go to Solution.
09-04-2021 02:30 PM - edited 09-04-2021 02:34 PM
Hi johnl3,
you have multiple options:
1. Configure firewall rules on the host, so even with external connectors, traffic would get blocked. (e.g: via Cockpit or SSH/iptables).
2. Another option would be to modify the CML host network configuration (easily done using cockpit).
- CML assigns the external-connector's "bridge" mode to the host's bridge interface "bridge0". This typically is the interface also bound to the external network interface on the host. You can remove the interface from the bridge interface, so the labs simply can't get out (just be careful as you might lose network connectivity, so having console access is advisable). Create a snapshot so you can restore the configuration in case you break your network config.
You could even create a new bridge interface (e.g.: bridge99) on the host with external connectivity and use the external-connector's "custom" mode to only allow people that know the name of the bridge interface "bridge99" to actually access the external network.
- CML assigns the external "NAT" mode to the host's bridge interface "virbr0". This interface is NATed through iptables on the host. You can either remove the NAT configuration or simply remove the interface's IP address so lab machines have no gateway to get out in the first place.
3. Another way could be to have CML in its own VLAN on the switch side to try to isolate it from the rest of the network (external real switch) and use ACLs to block everything except CML access.
Hope that helped.
Regards,
Shin
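A concrete version of option 1 above (the host-firewall route), as an added example that is not part of Shin's answer and not code shipped with CML: a small POSIX shell script for the CML host that inserts iptables DROP rules in the FORWARD chain for both external-connector interfaces and can verify they are in place. The interface names bridge0 and virbr0 are taken from the answer; the iptables-save output embedded in the script is a constructed sample, not a capture from a real host. It assumes the host firewall is iptables (not nftables-only) and that you run it as root from a console session, after taking the snapshot the answer recommends.

```shell
#!/bin/sh
# Added example, not from the original thread or from Cisco's CML docs.
# Stops lab VMs from leaving a CML host through either external connector.
# Assumes the interface names given in the answer (bridge0 = "bridge" mode,
# virbr0 = "NAT" mode) and an iptables host firewall; override the two
# variables if your host differs.
set -eu

BRIDGE_IF="${BRIDGE_IF:-bridge0}"   # external-connector "bridge" mode
NAT_IF="${NAT_IF:-virbr0}"          # external-connector "NAT" mode

# Rules that keep lab traffic from reaching anything beyond the host.
# Both connector paths cross the FORWARD chain, so the DROPs go there and
# are inserted at the top so they win over the ACCEPT rules CML/libvirt
# already installed. Bridged (L2) traffic only reaches iptables when
# br_netfilter is loaded and enabled; the first two lines do that.
# Lab-to-lab traffic on virbr0 is accepted first so labs still work
# among themselves.
lockdown_rules() {
    cat <<EOF
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -I FORWARD 1 -i $NAT_IF -o $NAT_IF -j ACCEPT
iptables -I FORWARD 2 -i $NAT_IF -j DROP
iptables -I FORWARD 3 -o $NAT_IF -j DROP
iptables -I FORWARD 4 -i $BRIDGE_IF -j DROP
iptables -I FORWARD 5 -o $BRIDGE_IF -j DROP
EOF
}

# Read an iptables-save dump on stdin and return 0 only if all four DROP
# rules are present in the FORWARD chain. Use: iptables-save | lockdown_present
lockdown_present() {
    dump=$(cat)
    for spec in "-i $NAT_IF -j DROP" "-o $NAT_IF -j DROP" \
                "-i $BRIDGE_IF -j DROP" "-o $BRIDGE_IF -j DROP"; do
        printf '%s\n' "$dump" | grep -q -- "^-A FORWARD $spec\$" || return 1
    done
    return 0
}

# Constructed sample of an iptables-save FORWARD section after the rules
# are applied (not captured from a real CML host); handy for a dry check.
SAMPLE_LOCKED='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -i virbr0 -j DROP
-A FORWARD -o virbr0 -j DROP
-A FORWARD -i bridge0 -j DROP
-A FORWARD -o bridge0 -j DROP
-A FORWARD -i virbr0 -j ACCEPT
COMMIT'

case "${1:-show}" in
    show)  lockdown_rules ;;                  # print only, touch nothing
    apply) lockdown_rules | sh -e ;;          # run as root on the CML host
    check)
        if iptables-save | lockdown_present; then
            echo "external connectors are locked down"
        else
            echo "external connectors are NOT locked down" >&2
            exit 1
        fi ;;
    *) echo "usage: $0 show|apply|check" >&2; exit 2 ;;
esac
```

`sh cml-lockdown.sh show` prints the rules without touching the host, `apply` installs them, and `check` confirms they are still there (worth running from cron or a monitoring job, since a junior tech with root can remove them just as easily). Two caveats: enabling br_netfilter means two labs sharing bridge0 can no longer reach each other through it either; if you need that, narrow the bridge0 rules with `-m physdev --physdev-out <physical NIC>` so only the port to the real network is blocked. And the rules are not persistent across a reboot unless you save them with your distribution's iptables service, which is another reason to pair this with option 2 or 3 from the answer rather than rely on it alone.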
09-03-2021 06:15 PM
If this is an internal IP address, until you allow it, how can CML connect outside a network, like the internet?
09-03-2021 06:17 PM - edited 09-03-2021 06:18 PM
You can create an external connector that bridges the connection, thus giving the simulation access to the internal network:
https://developer.cisco.com/docs/modeling-labs/#!bridge-mode
Notice the giant warning in the link.
09-03-2021 06:33 PM
Agreed. If your environment is protected, I would not allow any traffic going out of CML; we do use it at our workplace...
It all depends on how you implement it and how the user wants to use it.
09-07-2021 07:54 AM
Thank you for the detailed reply!