Re: 1841 - how to block access to a specific interface?

syncrotechnology · ‎02-12-2013

I have an 1841 between my firewall and the ISP. Three interfaces - multilink to ISP, FA to my firewall, and FA to my inside network. I use the inside interface for configs aand snmp access, etc. Only my ISP-assigned fixed address block will get routed to the multilink by the ISP but I am nervous about the inside interface sitting on my LAN. I know I can remove it, but if I keep it there, how can I set up an ACL so that all traffic from the multilink interface is denied to the inside interface? I suppose another way to think about it that the inbound iface can only accept traffic from its own outside, not from the router. I think this is fairly simple but I don't want to knock down the traffic if I get it wrong. Thanks.

Edison Ortiz · ‎02-12-2013

Create a VRF for the inside interface and leave the rest in the global routing table.

Jeff Van Houten · ‎02-12-2013

If the internal interface is only used for mgt access, look on Cco for the guide to harden Cisco devices, specifically the copp section.

Sent from Cisco Technical Support iPad App

syncrotechnology · ‎02-12-2013

I will try to find the hardening guide - sorry, but Cisco CLI newbie here - what's a VRF?

I want to block all traffic from multilink interface to inside FA interface. I was hoping this could be done with an ACL statement and then a reference to it in the interface config.

Edison Ortiz · ‎02-12-2013

VRF = Virtual Routing and Forwarding.

In short, you are dividing your routing table and unless you leak routes between your global routing table and routes in a VRF, they won't be able to communicate.

Very simple

ip vrf internal

rd 1:1

interface fx/x

ip vrf forwarding

ip address x.x.x.x y.y.y.y

Make sure to re-enter the ip address assigned to the interface.

When you apply the ip vrf forwarding command, the IP address is removed from the configuration.

With this setup, your multilink and dmz traffic won't be reachable from the internal interface and viceversa.

syncrotechnology · ‎02-12-2013

Edison-

Thanks - I am trying this. When I enter inthe config for the interface, I can enter

#ip vrf forwarding

Then it prompts me:

router(config-vrf)#

and will not accept "ip address"

There already is an ip address statement at the interface config level. Is this another one? How is it entered?

Thanks

Edison Ortiz · ‎02-12-2013

Sorry, the command should be

ip vrf forwarding [vrf_name]

for the example above, we called internal so:

ip vrf forwarding internal

under the interface.

syncrotechnology · ‎02-12-2013

So - like this?

interface FastEthernet0/0

ip vrf forwarding internal

ip address 10.10.x.x 255.255.254.0

no shutdown

duplex auto

speed auto

no mop enabled

I still want to use this interface but only when coming in through it from my LAN.

Edison Ortiz · ‎02-12-2013

yes, that should work.

That design is nothing new. It is how newer devices have the 'management' interface configured. With a management vrf, that's essentially what you are doing.

Keep in mind, this subnet won't be reachable if entering via the DMZ or Multilink.

Regards,

Edison

Please make sure to rate helpul posts.