I have an 1841 between my firewall and the ISP. Three interfaces - multilink to ISP, FA to my firewall, and FA to my inside network. I use the inside interface for configs and snmp access, etc. Only my ISP-assigned fixed address block will get routed to the multilink by the ISP but I am nervous about the inside interface sitting on my LAN. I know I can remove it, but if I keep it there, how can I set up an ACL so that all traffic from the multilink interface is denied to the inside interface? I suppose another way to think about it is that the inbound iface can only accept traffic from its own outside, not from the router. I think this is fairly simple but I don't want to knock down the traffic if I get it wrong. Thanks.
VRF = Virtual Routing and Forwarding.
In short, you are dividing your routing table and unless you leak routes between your global routing table and routes in a VRF, they won't be able to communicate.
ip vrf internal
!
interface <inside FastEthernet interface>   ! placeholder: your inside LAN interface
 ip vrf forwarding internal
 ip address x.x.x.x y.y.y.y
Make sure to re-enter the ip address assigned to the interface.
When you apply the ip vrf forwarding command, the IP address is removed from the configuration.
With this setup, your multilink and dmz traffic won't be reachable from the internal interface and vice versa.
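A fuller version of the VRF setup described above, added here as an example and not taken from the poster: the interface name, the 192.0.2.0/24 addresses, the firewall's inside address and the SNMP community string are placeholders, and the VRF default route and access lists are assumptions beyond what the answer shows.

```cisco
! Global config: define the management VRF (the answer's name: internal)
ip vrf internal
 description Management VRF for the inside LAN interface
!
! Move the inside LAN interface into the VRF. The address must be re-entered
! because 'ip vrf forwarding' clears it from the interface.
interface FastEthernet0/1
 description Inside LAN (management only) - placeholder interface name
 ip vrf forwarding internal
 ip address 192.0.2.10 255.255.255.0
!
! Assumption: a default route inside the VRF so management replies can reach
! LAN hosts beyond the connected subnet; 192.0.2.1 stands for the firewall's
! inside address. Nothing in the VRF can reach the global table (multilink/DMZ).
ip route vrf internal 0.0.0.0 0.0.0.0 192.0.2.1
!
! Restrict management services to the LAN subnet; deny everything else and log it
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
!
snmp-server community <community-string> RO MGMT-HOSTS
!
! Verification: the inside subnet must show up only in the VRF table,
! and the global table must not contain it at all.
show ip vrf interfaces
show ip route vrf internal
show ip route | include 192.0.2
```

The last three commands are the check to run before trusting the isolation: if 192.0.2.0/24 appears in the global table, or the interface is missing from the VRF interface list, traffic from the multilink side can still reach the inside interface.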
Thanks - I am trying this. When I enter in the config for the interface, I can enter
#ip vrf forwarding
Then it prompts me:
and will not accept "ip address"
There already is an ip address statement at the interface config level. Is this another one? How is it entered?
Yes, that should work.
That design is nothing new. It is how newer devices have the 'management' interface configured. With a management vrf, that's essentially what you are doing.
Keep in mind, this subnet won't be reachable if entering via the DMZ or Multilink.
Please make sure to rate helpful posts.