If I put the tunnel in the outside zone I get
%VRF mismatch. All interfaces in a zone must be in the same VRF
Patrick Saldou
Enterprise Consultant
ePlus Technology, inc.
1376 Borregas Ave
Sunnyvale, CA 94089
408-220-1817
From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
Sent: Thursday, July 08, 2010 2:59 PM
To: Patrick Saldou
Cc: ccielab_at_groupstudy.com; security_at_groupstudy.com
Subject: Re: DMVPN VRF and ZBF
First things first: I like to think of this like this: a VRF is a superset of
a Zone. So we can have multiple zones within a VRF and not the other way
around. So you are on the right track there. The Tunnel, F0/0/0 and S0/0/0 are
all inside the same VRF.
That said, I would design this based on my traffic flow pattern and relative
security of the respective interfaces. If I consider the Tunnel interface to be
in a somewhat independent routing/activity domain, then I would simply create
a separate zone for it and configure my various inspection within the
different zones, although this will make manageability more complex.
Otherwise, I could just make it simpler by collapsing this interface into the
DMZ interface.
How about that?
On Thu, Jul 8, 2010 at 10:37 PM, Patrick Saldou
<psaldou_at_eplus.com> wrote:
Hey Guys,
OK I need help: I've got a DMVPN spoke router configured to use VRFs so that
encrypted traffic is in vrf outside and the unencrypted traffic is in the
global vrf. The WAN interface is serial0/0/0 and is in the outside vrf.
Everything works. (Actually any tunnel interface will do fine for this
question).
interface Tunnel0
ip address X.X.X.X 255.255.255.0
...
tunnel source s0/0/0
tunnel mode gre multipoint
tunnel key 1
tunnel vrf outside
tunnel protection ipsec profile dmvpn_prof
Now I add a new interface (f0/0/0) to the router and have placed it in the
outside vrf. I'd like to protect traffic to and from the Internet from this
interface using a Zone Based Firewall. I put the new interface in zone dmz
and the S0/0/0 interface in zone outside.
Question: What zone do I use for the Tunnel interface?
Thank you in advance!!
Patrick Saldou
Enterprise Consultant
ePlus Technology, inc.
1376 Borregas Ave
Sunnyvale, CA 94089
408-220-1817
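The layout Sadiq suggests, written out as an added configuration example (this is not taken from the thread or from either poster's router): Serial0/0/0 and FastEthernet0/0/0 both forward in VRF outside, so they can sit in zones whose members are all in that VRF, while Tunnel0 forwards in the global table and gets its own zone. The zone name "dmvpn", the class-map/policy-map names and all addresses (documentation ranges) are chosen here for illustration; the VRF name, tunnel key and IPsec profile name come from the original message.

```cisco
! Added example, not the poster's configuration. Assumes VRF "outside"
! already exists; addresses are constructed placeholders.
!
! Transport side: both physical interfaces live in VRF outside, so each
! can be a member of a zone whose other members are also in that VRF.
interface Serial0/0/0
 ip vrf forwarding outside
 ip address 203.0.113.2 255.255.255.252
 zone-member security outside
!
interface FastEthernet0/0/0
 ip vrf forwarding outside
 ip address 192.0.2.1 255.255.255.0
 zone-member security dmz
!
! Tunnel0 carries the decrypted traffic in the global table. "tunnel vrf
! outside" only selects the transport VRF for the GRE/IPsec packets, so
! the tunnel is NOT in VRF outside and cannot join zone "outside"
! (that is the "%VRF mismatch" error). It gets a zone of its own.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source Serial0/0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf outside
 tunnel protection ipsec profile dmvpn_prof
 zone-member security dmvpn
!
zone security outside
zone security dmz
zone security dmvpn
!
! Stateful inspection for DMZ hosts reaching the Internet. The encrypted
! DMVPN transport (ISAKMP/ESP) leaving Serial0/0/0 is router-originated,
! so it belongs to the self zone and is unaffected by this zone-pair.
class-map type inspect match-any DMZ-TO-INTERNET
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect DMZ-TO-INTERNET-POLICY
 class type inspect DMZ-TO-INTERNET
  inspect
 class class-default
  drop log
!
zone-pair security DMZ-OUT source dmz destination outside
 service-policy type inspect DMZ-TO-INTERNET-POLICY
```

Two consequences of this layout are worth checking before deploying it: traffic between zone "dmvpn" and any other global interface is dropped until that interface is also placed in a zone and a zone-pair with an inspect or pass policy exists between them, and traffic between "dmz" and "dmvpn" additionally needs a route between VRF outside and the global table, which ZBF does not provide.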
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Edouard Zorrilla
Sent: Thursday, July 08, 2010 7:59 AM
To: ccielab_at_groupstudy.com
Cc: security_at_groupstudy.com
Subject: OT : Windows machine sending ICMP echo request (ping)
Hi Guys,
I have a Windows machine which keeps sending pings to others. The destinations
are random but valid IP addresses (it seems to query DNS or WINS). Do you know
how I can track the .exe that sends those ping packets to the network? I
have tried TCPView, but it only shows me TCP/UDP connections, not ICMP
traffic. I have scanned with antivirus/antimalware and all is clean.
Thanks in advance for your time,
Regards
Received on Thu Jul 08 2010 - 18:22:27 ART
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART