cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
750
Views
0
Helpful
8
Replies

1841 - how to block access to a specific interface?

syncrotechnology
Beginner
Beginner

I have an 1841 between my firewall and the ISP.  Three interfaces - multilink to ISP, FA to my firewall, and FA to my inside network.  I use the inside interface for configs aand snmp access, etc.   Only my ISP-assigned fixed address block will get routed to the multilink by the ISP but I am nervous about the inside interface sitting on my LAN.   I know I can remove it, but if I keep it there, how can I set up an ACL so that all traffic from the multilink interface is denied to the inside interface?  I suppose another way to think about it that the inbound iface can only accept traffic from its own outside, not from the router.  I think this is fairly simple but I don't want to knock down the traffic if I get it wrong.  Thanks.

8 Replies 8

Edison Ortiz
Hall of Fame Mentor Hall of Fame Mentor
Hall of Fame Mentor

Create a VRF for the inside interface and leave the rest in the global routing table.

Jeff Van Houten
Contributor
Contributor

If the internal interface is only used for mgt access, look on Cco for the guide to harden Cisco devices, specifically the copp section.

Sent from Cisco Technical Support iPad App

syncrotechnology
Beginner
Beginner

I will try to find the hardening guide - sorry, but Cisco CLI newbie here - what's a VRF? 

I want to block all traffic from multilink interface to inside FA interface.  I was hoping this could be done with an ACL statement and then a reference to it in the interface config.

VRF = Virtual Routing and Forwarding.

In short, you are dividing your routing table and unless you leak routes between your global routing table and routes in a VRF, they won't be able to communicate.

Very simple

ip vrf internal

rd 1:1

interface fx/x

ip vrf forwarding

ip address x.x.x.x y.y.y.y

Make sure to re-enter the ip address assigned to the interface.

When you apply the ip vrf forwarding command, the IP address is removed from the configuration.

With this setup, your multilink and dmz traffic won't be reachable from the internal interface and viceversa.

Edison-

Thanks - I am trying this.  When I enter inthe config for the interface, I can enter

#ip vrf forwarding 

Then it prompts me:

router(config-vrf)#

and will not accept "ip address"

There already is an ip address statement at the interface config level.  Is this another one?  How is it entered?

Thanks

Sorry, the command should be

ip vrf forwarding [vrf_name]

for the example above, we called internal so:

ip vrf forwarding internal

under the interface.

So - like this?

interface FastEthernet0/0

ip vrf forwarding internal

ip address 10.10.x.x 255.255.254.0

no shutdown

duplex auto

speed auto

no mop enabled

I still want to use this interface but only when coming in through it from my LAN.

yes, that should work.

That design is nothing new. It is how newer devices have the 'management' interface configured. With a management vrf, that's essentially what you are doing.

Keep in mind, this subnet won't be reachable if entering via the DMZ or Multilink.

Regards,

Edison

Please make sure to rate helpul posts.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers