08-26-2014 10:35 PM
Hello, I have a switch with some VMs hanging off of it. I want to isolate VLAN 888, which is to be used for malware, so I therefore want it isolated BUT I want it to be able to access the Internet to download malware etc.
I have set up VRF on interface VLAN888 and given it an IP address, 20.0.0.1
I just want hosts on 20.0.0.x to be able to get to the Internet, download malware, surf the net, etc. I do not want this subnet talking to anything but the gateway. I am trying to limit my exposure from malware (I am doing malware analysis). I have several other VLANs which I have taken out of this config for this post.
If I don't use the GLOBAL keyword at the end of the ip route vrf red 0.0.0.0 0.0.0.0 10.10.10.1 global command, then it will simply not work at all.
However, it IS "working" configured like this, but I can ping other subnets within the switch. I would have thought that, without the global command, this would have worked and everything is sweet and that vrf red would know about the gateway. The gateway also has a route pointing back to 20.0.0.0 255.0.0.0 10.10.10.2
Is this correct? Not correct? Any tips? Thanks - Geoff
Config below>>
******************************************************************************************
CYBDKNSW001# show ip route vrf red
Routing Table: red
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.10.10.1 to network 0.0.0.0
C 20.0.0.0/8 is directly connected, Vlan888
S* 0.0.0.0/0 [1/0] via 10.10.10.1
************************************************************************************************
ip routing
no ip domain-lookup
!
!
ip vrf red
rd 45:1
!
interface Vlan500
ip address 192.168.6.1 255.255.255.0
ip helper-address 192.168.3.19
ip accounting output-packets
ip accounting access-violations
!
!
interface Vlan800
description Firewall-Gateway_VLAN
ip address 10.10.10.2 255.255.255.252
!
interface Vlan888
description MALWARE
ip vrf forwarding red
ip address 20.0.0.1 255.0.0.0
!
ip classless
! gateway to internet
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 20.0.0.0 255.0.0.0 Vlan888
ip route vrf red 0.0.0.0 0.0.0.0 10.10.10.1 global
09-07-2014 11:13 AM
Hi,
Since you are using default static route, it will end up looking for any destination in the global routing table and will work.
From your description, I assume you need 20.x.x.x to NOT talk to 10.x.x.x but it should talk to the Internet.
You can configure the below to blackhole the traffic destined to 10.x.x.x from VLAN 888:
"ip route vrf red 10.0.0.0 255.0.0.0 null0" (without global)
So when VLAN 888 receives any traffic destined to 10.x.x.x, it will be blackholed, while any other destination will be looked up in the global routing table.
-Nagendra
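The configuration below is an added worked example, not part of the original thread and not the poster's or the answerer's config. It puts Nagendra's suggestion together with Geoff's posted addressing (VRF red, Vlan800 at 10.10.10.2/30, Vlan888 at 20.0.0.1/8, firewall at 10.10.10.1) and goes one step further than the answer: it blackholes all three RFC 1918 ranges rather than only 10.0.0.0/8, so the 192.168.6.0/24 Vlan500 subnet from the posted config is covered too. The verification commands at the end are standard IOS exec commands; the 203.0.113.10 target is a documentation-range placeholder to substitute with a real Internet host.

```cisco
! Added example (not from the original thread). Names and addresses follow
! Geoff's posted config; the RFC1918 blackhole set is this example's extension.
ip routing
!
ip vrf red
 rd 45:1
!
interface Vlan800
 description Firewall-Gateway_VLAN
 ip address 10.10.10.2 255.255.255.252
!
interface Vlan888
 description MALWARE
 ip vrf forwarding red
 ip address 20.0.0.1 255.0.0.0
!
! Outbound path: default route inside VRF red whose next hop (10.10.10.1)
! is resolved in the GLOBAL table. Without "global" the VRF has no route
! to 10.10.10.1 at all, which is why the default route did not work before.
ip route vrf red 0.0.0.0 0.0.0.0 10.10.10.1 global
!
! Return path: the global table must know that 20.0.0.0/8 sits behind
! Vlan888 (a global static route may point at a VRF interface), and the
! firewall at 10.10.10.1 must route 20.0.0.0/8 back to 10.10.10.2.
ip route 20.0.0.0 255.0.0.0 Vlan888
!
! Isolation: VRF-local (no "global" keyword) blackhole routes. Longest
! prefix match means these win over 0.0.0.0/0, so any packet from VLAN 888
! aimed at internal address space is dropped on the switch, including
! packets aimed at the switch's own 10.10.10.2 and 192.168.6.1 addresses.
! The default route's next hop is still resolved in the global table, so
! the 10.0.0.0/8 blackhole does not break Internet access.
ip route vrf red 10.0.0.0 255.0.0.0 Null0
ip route vrf red 172.16.0.0 255.240.0.0 Null0
ip route vrf red 192.168.0.0 255.255.0.0 Null0
!
! Verification (exec mode) - expected results:
!   show ip route vrf red
!     S  10.0.0.0/8 is directly connected, Null0
!     S  172.16.0.0/12 is directly connected, Null0
!     S  192.168.0.0/16 is directly connected, Null0
!     S* 0.0.0.0/0 [1/0] via 10.10.10.1
!   show ip route vrf red 192.168.6.1      -> matches the 192.168.0.0/16 Null0 route
!   ping vrf red 192.168.6.1               -> fails (blackholed in VRF red)
!   ping vrf red 203.0.113.10 source 20.0.0.1
!     -> succeeds only if the firewall routes/NATs 20.0.0.0/8 (placeholder target)
```

Two practitioner notes on this layout. First, the blackhole routes only decide what VLAN 888 can initiate; an inbound ACL on Vlan888 (deny the same ranges, permit any) is the equivalent control in filtering form and is easier to audit with "show access-lists" hit counters, so many people run both. Second, 20.0.0.0/8 is allocated public address space, not RFC 1918 space; the example keeps it because the thread does, but lab hosts will be unable to reach any real Internet host inside that /8 while it is used locally.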
09-18-2014 09:55 PM
Thanks Nagendra, I'll give this a try and report back the results. Many thanks for your help,
Geoff