02-12-2013 05:08 AM - edited 03-04-2019 07:00 PM
I have an 1841 between my firewall and the ISP. Three interfaces - multilink to ISP, FA to my firewall, and FA to my inside network. I use the inside interface for configs and snmp access, etc. Only my ISP-assigned fixed address block will get routed to the multilink by the ISP but I am nervous about the inside interface sitting on my LAN. I know I can remove it, but if I keep it there, how can I set up an ACL so that all traffic from the multilink interface is denied to the inside interface? I suppose another way to think about it is that the inbound iface can only accept traffic from its own outside, not from the router. I think this is fairly simple but I don't want to knock down the traffic if I get it wrong. Thanks.
02-12-2013 05:40 AM
Create a VRF for the inside interface and leave the rest in the global routing table.
02-12-2013 06:26 AM
If the internal interface is only used for mgt access, look on Cco for the guide to harden Cisco devices, specifically the copp section.
Sent from Cisco Technical Support iPad App
02-12-2013 06:40 AM
I will try to find the hardening guide - sorry, but Cisco CLI newbie here - what's a VRF?
I want to block all traffic from multilink interface to inside FA interface. I was hoping this could be done with an ACL statement and then a reference to it in the interface config.
02-12-2013 06:47 AM
VRF = Virtual Routing and Forwarding.
In short, you are dividing your routing table and unless you leak routes between your global routing table and routes in a VRF, they won't be able to communicate.
Very simple
ip vrf internal
rd 1:1
interface fx/x
ip vrf forwarding
ip address x.x.x.x y.y.y.y
Make sure to re-enter the ip address assigned to the interface.
When you apply the ip vrf forwarding command, the IP address is removed from the configuration.
With this setup, your multilink and dmz traffic won't be reachable from the internal interface and vice versa.
02-12-2013 07:09 AM
Edison-
Thanks - I am trying this. When I enter the config for the interface, I can enter
#ip vrf forwarding
Then it prompts me:
router(config-vrf)#
and will not accept "ip address"
There already is an ip address statement at the interface config level. Is this another one? How is it entered?
Thanks
02-12-2013 08:07 AM
Sorry, the command should be
ip vrf forwarding [vrf_name]
for the example above, we called internal so:
ip vrf forwarding internal
under the interface.
02-12-2013 08:15 AM
So - like this?
interface FastEthernet0/0
ip vrf forwarding internal
ip address 10.10.x.x 255.255.254.0
no shutdown
duplex auto
speed auto
no mop enabled
I still want to use this interface but only when coming in through it from my LAN.
02-12-2013 08:19 AM
Yes, that should work.
That design is nothing new. It is how newer devices have the 'management' interface configured. With a management vrf, that's essentially what you are doing.
Keep in mind, this subnet won't be reachable if entering via the DMZ or Multilink.
Regards,
Edison
Please make sure to rate helpful posts.
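The full shape of what this thread arrives at, written out as an added example (not taken from any post above, and not Cisco's own hardening guide): the inside interface lives in a management VRF, the two transit interfaces stay in the global table, and the management-plane services that must answer on the inside interface are told to use the VRF. Interface names FastEthernet0/1 and Multilink1, every address, the SNMP and syslog hosts, and access-list 10 are constructed placeholders.

```ios
! Added example, not from the thread. All addresses and host names are placeholders.
!
! 1. Define the VRF that will hold the inside (management) interface.
ip vrf internal
 rd 1:1
!
! 2. Inside interface goes into the VRF. Re-enter the address after
!    "ip vrf forwarding", because that command strips it.
interface FastEthernet0/0
 description Inside LAN - management only
 ip vrf forwarding internal
 ip address 10.10.0.2 255.255.254.0
 no shutdown
!
! 3. Transit interfaces stay in the global routing table: no VRF statement.
interface FastEthernet0/1
 description To firewall (placeholder address)
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
interface Multilink1
 description To ISP (placeholder address)
 ip address 198.51.100.2 255.255.255.252
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! 4. Nothing in the global table points at 10.10.0.0/23, so packets arriving
!    on the multilink or firewall side have no route to the inside subnet.
!    Only add a VRF default route if management stations sit off-subnet.
ip route vrf internal 0.0.0.0 0.0.0.0 10.10.0.1
!
! 5. Management services reached through the VRF must be made VRF-aware,
!    otherwise they look for their servers in the global table.
snmp-server community MGMT-RO RO 10
snmp-server host 10.10.1.50 vrf internal version 2c MGMT-RO
logging host 10.10.1.51 vrf internal
!
! 6. VTY access-class needs "vrf-also", or sessions arriving on a VRF
!    interface are refused even when the source matches the list.
access-list 10 permit 10.10.0.0 0.0.1.255
line vty 0 4
 access-class 10 in vrf-also
 transport input ssh
!
! 7. Verification: the inside subnet must be absent from the global table
!    and the transit routes must be absent from the VRF.
! show ip vrf
! show ip route vrf internal
! show ip route 10.10.0.0
! ping vrf internal 10.10.1.50
```

The verification lines at the end are the check to run before trusting the change: `show ip route 10.10.0.0` from the global table should return no route, and `show ip route vrf internal` should list only the connected inside subnet and the optional VRF default route.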