09-29-2008 10:31 PM - edited 03-03-2019 11:44 PM
I have a mesh network and direct Internet access coming from my ISP using dot1q vlans over an ethernet interface. I have an internal interface and a DMZ interface (for the Direct Internet Access). How can I prevent the DIA interface from talking to the inside lan interface? Basically I want to separate the two networks respectively. Is there a way to prevent one interface from talking to another?
!
interface GigabitEthernet0/0
description LAN_Inside
ip address 10.10.0.4
!
!
interface GigabitEthernet0/1
description LAN_DMZ
ip address <public_IP> 255.255.255.192
!
!
interface FastEthernet0/0/0
description ISP_10meg_port
no ip address
service-policy output voip
!
!
interface FastEthernet0/0/0.1512
description ISP_MESH_to_LAN_Inside
encapsulation dot1q 1512
ip address <CPE_Mesh_WAN_IP> 255.255.255.252
!
!
interface FastEthernet0/0/0.1513
description ISP_DIA_to_LAN_DMZ
encapsulation dot1q 1513
ip address <CPE_DIA_WAN_IP> 255.255.255.252
!
!
router bgp 1234
description ISP_MESH
network 10.25.0.0 mask 255.255.255.0
neighbor <PE_Mesh_WAN_IP> remote-as 5678
!
ip route 10.25.0.0 255.255.255.0 10.6.0.3
09-30-2008 03:09 AM
Tom
I think that VRF lite would be a feature that would provide the isolation that you need.
HTH
Rick
09-30-2008 08:43 AM
Here is my start at a VRF config. Will this affect my dot1q vlans, or anything other than these interfaces? Anything I'm missing? Thanks.
ip vrf DIA
 rd 1:1
!
ip vrf Mesh
 rd 2:2
!
! "ip vrf forwarding" must come before "ip address": applying it to an interface
! removes any address already configured there. VRF names are case-sensitive,
! so every reference below uses exactly "Mesh" and "DIA" as defined above.
interface GigabitEthernet0/0
 description LAN_Inside
 ip vrf forwarding Mesh
 ip address 10.10.0.4
!
interface GigabitEthernet0/1
 description LAN_DMZ
 ip vrf forwarding DIA
 ip address <public_IP> 255.255.255.192
!
interface FastEthernet0/0/0
 description ISP_10meg_port
 no ip address
 service-policy output voip
!
interface FastEthernet0/0/0.1512
 description ISP_MESH_to_LAN_Inside
 encapsulation dot1q 1512
 ip vrf forwarding Mesh
 ip address <CPE_Mesh_WAN_IP> 255.255.255.252
!
interface FastEthernet0/0/0.1513
 description ISP_DIA_to_LAN_DMZ
 encapsulation dot1q 1513
 ip vrf forwarding DIA
 ip address <CPE_DIA_WAN_IP> 255.255.255.252
!
! ISP_MESH: the VRF is selected with an address-family, not on the "router bgp" line
router bgp 1234
 address-family ipv4 vrf Mesh
  network 10.25.0.0 mask 255.255.255.0
  neighbor <PE_Mesh_WAN_IP> remote-as 5678
  neighbor <PE_Mesh_WAN_IP> activate
 exit-address-family
!
! next hop 10.6.0.3 as in the original (non-VRF) config; 10.10.0.4 is this router's own Gi0/0 address
ip route vrf Mesh 10.25.0.0 255.255.255.0 10.6.0.3
ip route vrf DIA 0.0.0.0 0.0.0.0
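A set of checks to run once the VRF-lite draft above is applied, added here as an example and not part of the post. It assumes the VRF names Mesh and DIA exactly as defined in the draft and reuses the address placeholders from the first post; the expected results are written as comments.

```ios
! Added verification steps (not from the thread) for the VRF-lite draft.
! VRF names are case-sensitive in IOS, so "Mesh" and "DIA" are spelled as defined.
show ip vrf interfaces
! expected: Gi0/0 and Fa0/0/0.1512 listed under Mesh, Gi0/1 and Fa0/0/0.1513 under DIA
show ip route vrf Mesh
! expected: the BGP routes from the mesh PE plus the static 10.25.0.0/24, nothing from the DIA side
show ip route vrf DIA
! expected: only the connected DIA subnets and the static default toward the ISP
show ip route
! expected: the global table no longer holds a connected route for any of the four interfaces
show ip bgp vpnv4 vrf Mesh summary
! expected: the <PE_Mesh_WAN_IP> peer is Established under the Mesh address-family
ping vrf Mesh 10.10.0.4
! expected: replies (positive control; the address is local to VRF Mesh)
ping vrf DIA 10.10.0.4
! expected: no reply; from VRF DIA the packet can only follow the default route to the ISP,
! never reach Gi0/0, because DIA has no route for the inside LAN
!
! Caveats:
! - Neither VRF carries a route-target import/export, so no routes are shared between
!   the two tables. Adding one later re-connects them.
! - VRF-lite separates routing tables, not the physical port: both subinterfaces still
!   share FastEthernet0/0/0 and its "service-policy output voip".
```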
09-30-2008 02:58 PM
I should have added this is a 3845 router.
09-30-2008 06:10 PM
Tom
I do not believe that there is an issue doing VRF lite on a 3845. I do not believe that it will affect your dot1q VLANs.
HTH
Rick
10-01-2008 02:32 PM
I'm also looking at using Zone-Based Policy Firewall (ZFW). This seems to also solve my problems. I don't have overlapping routing so I don't think I need VRF for that purpose. If I just need to isolate the interfaces into two security zones then ZFW seems to work well. Does anybody know if ZFW is a good solution? Thanks--
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
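The ZFW variant of the same isolation, added here as an example and not taken from the post or the linked document. The zone names INSIDE and DMZ and the policy-map name DMZ-TO-INSIDE are assumptions; the interface names are the ones from the thread. The first part is enough on its own: with both sides in different zones and no zone-pair between them, the router drops all traffic between the zones by default. The second part makes that drop explicit so it is logged.

```ios
! Added example (not from the thread): Zone-Based Policy Firewall instead of VRF-lite.
! Zone names INSIDE and DMZ are assumed; interface names are the ones from the post.
zone security INSIDE
 description Mesh side: LAN_Inside and the dot1q 1512 subinterface
zone security DMZ
 description DIA side: LAN_DMZ and the dot1q 1513 subinterface
!
! Interfaces in the same zone (Gi0/0 <-> Fa0/0/0.1512) forward freely.
! Traffic between INSIDE and DMZ is dropped because no zone-pair joins them.
interface GigabitEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/0/0.1512
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security DMZ
interface FastEthernet0/0/0.1513
 zone-member security DMZ
!
! Optional: make the implicit deny explicit and log it, so attempts to cross
! from the DMZ into the inside LAN show up in syslog.
policy-map type inspect DMZ-TO-INSIDE
 class class-default
  drop log
zone-pair security DMZ-INSIDE source DMZ destination INSIDE
 service-policy type inspect DMZ-TO-INSIDE
!
! Caveats:
! - Traffic to and from the router itself (the "self" zone) is still permitted
!   by default; add a zone-pair against "self" if the DMZ must not reach the
!   router's own services.
! - An interface with no zone-member statement cannot exchange traffic with any
!   zoned interface, so every routed interface here is placed in a zone.
!   FastEthernet0/0/0 carries no IP address and needs none.
! - Unlike VRF-lite, both sides still share one routing table, which is why this
!   only works when the mesh and DIA address ranges do not overlap.
```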