Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
694
Views
0
Helpful
2
Replies

Cisco VRF-Lite on 3750 issues

geoffwynn
Level 1
Level 1

‎08-26-2014 10:35 PM

Hello, I have a switch with some VM's hanging off of it. I want to isolate VLAN 888 which is to be used for malware, so I therefore want it isolated BUT I want it to be able to access the Internet to download malware etc.

 

I have set-up VRF on interface VLAN888 and given it an IP address, 20.0.0.1

I just want hosts on 20.0.0.x to be able to get to the internet, download malware, surf the net, etc. I do not want this subnet talking to anything but the gateway. I am trying to limit my exposure from malware (I am doing malware analysis) I have several other vlans which I have taken out of this config for this post.

 

If I don't use the GLOBAL keyword at the end of the ip route vrf red 0.0.0.0 0.0.0.0 10.10.10.1 global command than it will simply not work at all

However, it IS "working" configured like this but I can ping other subnets within the switch. I would of thought, without the global command that this would have worked and everything is sweet and that vrf red would know about the gateway. The gateway also has a route pointing back to 20.0.0.0 255.0.0.0 10.10.10.2

Is this correct? not correct? Any tips? Thanks - Geoff

Config below>>

******************************************************************************************

CYBDKNSW001# show ip route vrf red

Routing Table: red
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.10.10.1 to network 0.0.0.0

C    20.0.0.0/8 is directly connected, Vlan888
S*   0.0.0.0/0 [1/0] via 10.10.10.1


************************************************************************************************

 

ip routing
no ip domain-lookup

!

!
ip vrf red
 rd 45:1
!

interface Vlan500
 ip address 192.168.6.1 255.255.255.0
 ip helper-address 192.168.3.19
 ip accounting output-packets
 ip accounting access-violations
!

!
interface Vlan800
 description Firewall-Gateway_VLAN
 ip address 10.10.10.2 255.255.255.252
!
interface Vlan888
 description MALWARE
 ip vrf forwarding red
 ip address 20.0.0.1 255.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1 (gateway to internet)
ip route 20.0.0.0 255.0.0.0 Vlan888
ip route vrf red 0.0.0.0 0.0.0.0 10.10.10.1 global

Labels:
0 Helpful
2 Replies 2

Nagendra Kumar Nainar
Cisco Employee
Cisco Employee

‎09-07-2014 11:13 AM

Hi,

Since you are using default static route, it will end up looking for any destination in the global routing table and will work. 

From your description, I assume you need 20.x.x.x to NOT talk to 10.x.x.x but should talk to internet.

 

You can configure the below to blackhole the traffic destinated to 10.x.x.x from vlan 888,

 

"ip route vrf red 10.0.0.0 255.0.0.0 null0" (without global)

So when vlan 888 receives any traffic destinated to 10.x.x.x, it will be blackholed while any other destination will be looked up in global routing table.

 

-Nagendra

0 Helpful

geoffwynn
Level 1
Level 1
In response to Nagendra Kumar Nainar

‎09-18-2014 09:55 PM

Thanks Nagendra, I'll give this a try and report back the results. Many thanks for your help,

 

Geoff

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents