Isolate Mesh and DIA with access list

TomWills1
Level 1

I have a mesh network and direct Internet access coming from my ISP using dot1q VLANs over an Ethernet interface. I have an internal interface and a DMZ interface (for the Direct Internet Access). How can I prevent the DIA interface from talking to the inside LAN interface? Basically I want to separate the two networks respectively. Is there a way to prevent one interface from talking to another?

!
interface GigabitEthernet0/0
 description LAN_Inside
 ip address 10.10.0.4
!
interface GigabitEthernet0/1
 description LAN_DMZ
 ip address <public_IP> 255.255.255.192
!
interface FastEthernet0/0/0
 description ISP_10meg_port
 no ip address
 service-policy output voip
!
interface FastEthernet0/0/0.1512
 description ISP_MESH_to_LAN_Inside
 encapsulation dot1q 1512
 ip address <CPE_Mesh_WAN_IP> 255.255.255.252
!
interface FastEthernet0/0/0.1513
 description ISP_DIA_to_LAN_DMZ
 encapsulation dot1q 1513
 ip address <CPE_DIA_WAN_IP> 255.255.255.252
!
! "description" is not accepted directly under "router bgp"; the
! per-neighbor description carries the same label.
router bgp 1234
 network 10.25.0.0 mask 255.255.255.0
 neighbor <PE_Mesh_WAN_IP> remote-as 5678
 neighbor <PE_Mesh_WAN_IP> description ISP_MESH
!
ip route 10.25.0.0 255.255.255.0 10.6.0.3

Richard Burts
Hall of Fame

Tom

I think that VRF lite would be a feature that would provide the isolation that you need.

HTH

Rick

Here is my start at a VRF config. Will this affect my dot1q VLANs, or anything other than these interfaces? Anything I'm missing? Thanks.

ip vrf DIA
 rd 1:1
!
ip vrf Mesh
 rd 2:2
!
! "ip vrf forwarding" has to go on the interface before "ip address":
! IOS removes the interface address when the VRF is assigned, so the
! original order (address first, VRF second) leaves the interface unnumbered.
interface GigabitEthernet0/0
 description LAN_Inside
 ip vrf forwarding Mesh
 ip address 10.10.0.4
!
interface GigabitEthernet0/1
 description LAN_DMZ
 ip vrf forwarding DIA
 ip address <public_IP> 255.255.255.192
!
interface FastEthernet0/0/0
 description ISP_10meg_port
 no ip address
 service-policy output voip
!
interface FastEthernet0/0/0.1512
 description ISP_MESH_to_LAN_Inside
 encapsulation dot1q 1512
 ip vrf forwarding Mesh
 ip address <CPE_Mesh_WAN_IP> 255.255.255.252
!
interface FastEthernet0/0/0.1513
 description ISP_DIA_to_LAN_DMZ
 encapsulation dot1q 1513
 ip vrf forwarding DIA
 ip address <CPE_DIA_WAN_IP> 255.255.255.252
!
! VRF-aware BGP is a per-VRF address family under the single BGP process;
! there is no "router bgp 1234 vrf ..." form. VRF names are case sensitive,
! so "Mesh" must match the "ip vrf Mesh" definition exactly, and the neighbor
! has to be activated inside the address family or no prefixes are exchanged.
router bgp 1234
 address-family ipv4 vrf Mesh
  network 10.25.0.0 mask 255.255.255.0
  neighbor <PE_Mesh_WAN_IP> remote-as 5678
  neighbor <PE_Mesh_WAN_IP> description ISP_MESH
  neighbor <PE_Mesh_WAN_IP> activate
 exit-address-family
!
! Static routes go into the VRF of the interface that reaches the next hop.
! The next hop for 10.25.0.0/24 is 10.6.0.3, as in the original config;
! 10.10.0.4 is this router's own interface address and cannot be a next hop.
ip route vrf Mesh 10.25.0.0 255.255.255.0 10.6.0.3
! <PE_DIA_WAN_IP> is a placeholder for the ISP's DIA-side next hop, which the
! post does not give; the default route needs one to be valid.
ip route vrf DIA 0.0.0.0 0.0.0.0 <PE_DIA_WAN_IP>

I should have added this is a 3845 router.

Tom

I do not believe that there is an issue to do VRF lite on 3845. I do not believe that it will affect your dot1q VLANs.

HTH

Rick

I'm also looking at using Zone-Based Policy Firewall (ZFW). This seems to also solve my problems. I don't have overlapping routing so I don't think I need VRF for that purpose. If I just need to isolate the interfaces into two security zones then ZFW seems to work well. Does anybody know if ZFW is a good solution? Thanks--

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
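As an added example (not configuration from the original post or from the Cisco tech note linked above), here is what the ZFW approach looks like on the interfaces from this thread: the inside LAN and the mesh VLAN form one zone, the DMZ LAN and the DIA VLAN form the other, and the two zones are tied together only by zone-pairs that drop and log. The zone names MESH and DIA, the policy-map name DENY-ALL and the zone-pair names are my own choices; the interface and subinterface names are the ones the poster uses.

```cisco
! Added example: ZFW isolation of the Mesh side from the DIA side.
! Zone, policy-map and zone-pair names are assumed; interfaces are from the thread.
zone security MESH
 description LAN_Inside plus ISP mesh VLAN 1512
zone security DIA
 description LAN_DMZ plus ISP DIA VLAN 1513
!
! ZFW drops inter-zone traffic whenever no zone-pair exists for that
! direction. The explicit drop-and-log policy below is added on purpose:
! it gives a counter and a syslog line for anything that tries to cross.
policy-map type inspect DENY-ALL
 class class-default
  drop log
!
zone-pair security MESH-TO-DIA source MESH destination DIA
 service-policy type inspect DENY-ALL
zone-pair security DIA-TO-MESH source DIA destination MESH
 service-policy type inspect DENY-ALL
!
! Membership: traffic between interfaces in the SAME zone is permitted by
! default, so LAN_Inside <-> mesh VLAN and LAN_DMZ <-> DIA VLAN keep working.
interface GigabitEthernet0/0
 description LAN_Inside
 zone-member security MESH
!
interface FastEthernet0/0/0.1512
 description ISP_MESH_to_LAN_Inside
 zone-member security MESH
!
interface GigabitEthernet0/1
 description LAN_DMZ
 zone-member security DIA
!
interface FastEthernet0/0/0.1513
 description ISP_DIA_to_LAN_DMZ
 zone-member security DIA
```

Two checks worth running after applying it: `show zone security` to confirm every one of the four interfaces landed in the intended zone (an interface left out of any zone cannot talk to a zoned interface at all, which is a common surprise when the parent FastEthernet0/0/0 is mistaken for the subinterfaces), and `show policy-map type inspect zone-pair MESH-TO-DIA` to watch the drop counter move while sending a test packet from LAN_Inside to a LAN_DMZ address. One caveat: the router's own addresses live in the implicit self zone, which is unrestricted by default, so this policy does not limit traffic aimed at the router itself (the BGP peering on VLAN 1512 is unaffected, but so is management access from the DMZ side); that needs a separate zone-pair involving the self zone.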