Re: DMVPN VRF and ZBF

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Fri, 9 Jul 2010 00:40:07 +0100

Patrick,

So are you guys the official World Cup Network Partners? LOL!! Your network
diagram is actually a disproportionate football (soccer) field man! I like
the representation of the interfaces there.

Back to the issue here. Sorry but my little VRF knowledge is actually at a
boundary now. Once you start getting into the subtle differences of the
backdoor and front door VRFs, I would prefer to just listen and observe :-)
- sorry.

Perhaps some of the SP gurus would chime in now and help us out!

Thanks,
Sadiq

On Thu, Jul 8, 2010 at 11:55 PM, Patrick Saldou <psaldou_at_eplus.com> wrote:

> Sadiq,
>
> Here is a drawing of the router. I hope this clears up what I'm trying
> to communicate. Thanks again for spending time looking at this.
>
> *Patrick Saldou*
>
> Enterprise Consultant
>
> ePlus Technology, inc.
>
> 1376 Borregas Ave
>
> Sunnyvale, CA 94089
>
> 408-220-1817
>
> *From:* Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
> *Sent:* Thursday, July 08, 2010 3:22 PM
>
> *To:* Patrick Saldou
> *Cc:* ccielab_at_groupstudy.com; security_at_groupstudy.com
> *Subject:* Re: DMVPN VRF and ZBF
>
> hmm, I am getting a bit lost here.
>
> When you make reference to "inside" and "outside" there, what exactly do
> you mean? I may be missing something here.
>
> I have just read your first post and still have the impression that all 3
> interfaces (tun, s0/0/0 and f0/0/0) are in the "outside" VRF. Although the
> post does not show the tunnel source and destination for the interface.....
> could you clarify please?
>
> Thanks!
>
> On Thu, Jul 8, 2010 at 11:07 PM, Patrick Saldou <psaldou_at_eplus.com> wrote:
>
> Thank you so much for the response. Where I get twisted is that the
> outside of the tunnel is in the outside VRF and the inside is in the global
> vrf. I can assign the tunnel to one zone. If I assign it to the dmz
> security zone, is this zone bridging VRFs? Will my inside interface still
> be able to reach the tunnel (unencrypted)?
>
> *Patrick Saldou*
>
> Enterprise Consultant
>
> ePlus Technology, inc.
>
> 1376 Borregas Ave
>
> Sunnyvale, CA 94089
>
> 408-220-1817
>
> *From:* Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
> *Sent:* Thursday, July 08, 2010 2:59 PM
> *To:* Patrick Saldou
> *Cc:* ccielab_at_groupstudy.com; security_at_groupstudy.com
> *Subject:* Re: DMVPN VRF and ZBF
>
> First things first: I like to think of this like this: a VRF is a superset
> of a Zone. So we can have multiple zones within a VRF and not the other way
> around. So you are on the right track there. The Tunnel, F0/0/0 and S0/0/0
> are all inside the same VRF.
>
> That said, I would design this based on my traffic flow pattern and
> relative security of the respected interfaces. If I consider the Tunnel
> interface to be in a somewhat independent routing/activity domain, then I
> would simply create a separate zone for it and configure my various
> inspection within the different zones. Although this will make manageability
> more complex.
>
> Otherwise, I could just make it simpler by collapsing this interface into
> the DMZ interface.
>
> How about that?
>
> On Thu, Jul 8, 2010 at 10:37 PM, Patrick Saldou <psaldou_at_eplus.com> wrote:
>
> Hey Guys,
> OK I need help: I've got a DMVPN spoke router configured to use VRFs so
> that encrypted traffic is in vrf outside and the unencrypted traffic is in
> the global vrf. The WAN interface is serial0/0/0 and is in the outside vrf.
> Everything works. (Actually any tunnel interface will do fine for this
> question).
>
> interface Tunnel0
> ip address X.X.X.X 255.255.255.0
> ...
> tunnel source s0/0/0
> tunnel mode gre multipoint
> tunnel key 1
> tunnel vrf outside
> tunnel protection ipsec profile dmvpn_prof
>
> Now I add a new interface (f0/0/0) to the router and have placed it in the
> outside vrf. I'd like to protect traffic to and from the Internet from this
> interface using a Zone Based Firewall. I put the new interface in zone dmz
> and the S0/0/0 interface in zone outside.
>
> Question: What zone do I use for the Tunnel interface?
>
> Thank you in advance!!
> Patrick Saldou
> Enterprise Consultant
> ePlus Technology, inc.
> 1376 Borregas Ave
> Sunnyvale, CA 94089
> 408-220-1817
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Edouard Zorrilla
> Sent: Thursday, July 08, 2010 7:59 AM
> To: ccielab_at_groupstudy.com
> Cc: security_at_groupstudy.com
> Subject: OT : Windows machine sending ICMP echo request (ping)
>
> Hi Guys,
>
> I have a Windows machine which keeps sending pings to others. The
> destinations are random, but valid IP addresses (it seems to query DNS or WINS).
> Do you know how I can track the .exe which sends that kind of ping packet
> to the network? I have tried TCPView but this shows me TCP/UDP
> connections, not ICMP traffic. I have scanned with antivirus/antimalware and all
> is clean.
>
> Thanks in advance for your time,
>
> Regards
>
> --
> CCIE #19963
> --
> CCIE #19963
>

--
CCIE #19963
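An added configuration sketch, not taken from any message in this thread, of the "separate zone for the tunnel" option Sadiq described: s0/0/0 stays in zone outside, f0/0/0 in zone dmz, and Tunnel0 (the cleartext side, in the global VRF) gets its own zone. The zone, class-map, policy-map and LAN interface names are assumed.

```cisco
! Added example (not from the thread). Names, subnets and the LAN interface
! are assumptions; only the interface roles come from Patrick's description.
!
! Encrypted GRE/ESP packets leave via s0/0/0 in zone outside; the decrypted
! traffic appears on Tunnel0, which is in the global VRF, so it gets its own
! zone instead of sharing the VRF-outside dmz zone.
zone security inside
zone security outside
zone security dmz
zone security vpn
!
class-map type inspect match-any CM-COMMON
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSPECT
 class type inspect CM-COMMON
  inspect
 class class-default
  drop log
!
! LAN <-> tunnel: stateful inspection in both directions because sessions are
! initiated from either side across the DMVPN cloud.
zone-pair security ZP-IN-VPN source inside destination vpn
 service-policy type inspect PM-INSPECT
zone-pair security ZP-VPN-IN source vpn destination inside
 service-policy type inspect PM-INSPECT
!
! dmz (f0/0/0, VRF outside) -> Internet: inspect outbound only, so unsolicited
! Internet-to-dmz traffic has no matching zone-pair and is dropped.
zone-pair security ZP-DMZ-OUT source dmz destination outside
 service-policy type inspect PM-INSPECT
!
! No zone-pair touching the self zone is defined, so the router's own
! ISAKMP/ESP exchange on s0/0/0 remains permitted by the ZBF default.
interface Serial0/0/0
 zone-member security outside
interface FastEthernet0/0/0
 zone-member security dmz
interface Tunnel0
 zone-member security vpn
interface GigabitEthernet0/0
 description assumed LAN interface (global VRF)
 zone-member security inside
```

Traffic between the tunnel and the dmz has no zone-pair here, so it is dropped; add a vpn<->dmz pair with its own policy if that flow is wanted.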
Blogs and organic groups at http://www.ccie.net
Received on Fri Jul 09 2010 - 00:40:07 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART