Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Cisco VRF-Lite on 3750 issues

Hello, I have a switch with some VM's hanging off of it. I want to isolate VLAN 888 which is to be used for malware, so I therefore want it isolated BUT I want it to be able to access the Internet to download malware etc.

 

I have set-up VRF on interface VLAN888 and given it an IP address, 20.0.0.1

I just want hosts on 20.0.0.x to be able to get to the internet, download malware, surf the net, etc. I do not want this subnet talking to anything but the gateway. I am trying to limit my exposure from malware (I am doing malware analysis) I have several other vlans which I have taken out of this config for this post.

 

If I don't use the GLOBAL keyword at the end of the ip route vrf red 0.0.0.0 0.0.0.0 10.10.10.1 global command than it will simply not work at all

However, it IS "working" configured like this but I can ping other subnets within the switch. I would of thought, without the global command that this would have worked and everything is sweet and that vrf red would know about the gateway. The gateway also has a route pointing back to 20.0.0.0 255.0.0.0 10.10.10.2

Is this correct? not correct? Any tips? Thanks - Geoff

Config below>>

******************************************************************************************

CYBDKNSW001# show ip route vrf red

Routing Table: red
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.10.10.1 to network 0.0.0.0

C    20.0.0.0/8 is directly connected, Vlan888
S*   0.0.0.0/0 [1/0] via 10.10.10.1


************************************************************************************************

 

ip routing
no ip domain-lookup

!

!
ip vrf red
 rd 45:1
!

interface Vlan500
 ip address 192.168.6.1 255.255.255.0
 ip helper-address 192.168.3.19
 ip accounting output-packets
 ip accounting access-violations
!

!
interface Vlan800
 description Firewall-Gateway_VLAN
 ip address 10.10.10.2 255.255.255.252
!
interface Vlan888
 description MALWARE
 ip vrf forwarding red
 ip address 20.0.0.1 255.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1 (gateway to internet)
ip route 20.0.0.0 255.0.0.0 Vlan888
ip route vrf red 0.0.0.0 0.0.0.0 10.10.10.1 global

2 REPLIES
Cisco Employee

Hi,Since you are using

Hi,

Since you are using default static route, it will end up looking for any destination in the global routing table and will work. 

From your description, I assume you need 20.x.x.x to NOT talk to 10.x.x.x but should talk to internet.

 

You can configure the below to blackhole the traffic destinated to 10.x.x.x from vlan 888,

 

"ip route vrf red 10.0.0.0 255.0.0.0 null0" (without global)

So when vlan 888 receives any traffic destinated to 10.x.x.x, it will be blackholed while any other destination will be looked up in global routing table.

 

-Nagendra

New Member

Thanks Nagendra, I'll give

Thanks Nagendra, I'll give this a try and report back the results. Many thanks for your help,

 

Geoff

336
Views
0
Helpful
2
Replies
CreatePlease to create content