Re: DMVPN VRF and ZBF

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Thu, 8 Jul 2010 22:58:38 +0100

First things first: I like to think of this like this: a VRF is a superset
of a Zone. So we can have multiple zones within a VRF and not the other way
around. So you are on the right track there. The Tunnel, F0/0/0 and S0/0/0
are all inside the same VRF.

That said, I would design this based on my traffic flow pattern and relative
security of the respective interfaces. If I consider the Tunnel interface to
be in a somewhat independent routing/activity domain, then I would simply
create a separate zone for it and configure my various inspection within the
different zones, although this will make manageability more complex.

Otherwise, I could just make it simpler by collapsing this interface into
the DMZ interface.

How about that?

On Thu, Jul 8, 2010 at 10:37 PM, Patrick Saldou <psaldou_at_eplus.com> wrote:

> Hey Guys,
> OK I need help: I've got a DMVPN spoke router configured to use VRFs so
> that encrypted traffic is in vrf outside and the unencrypted traffic is in
> the global vrf. The WAN interface is serial0/0/0 and is in the outside vrf.
> Everything works. (Actually any tunnel interface will do fine for this
> question).
>
> interface Tunnel0
> ip address X.X.X.X 255.255.255.0
> ...
> tunnel source s0/0/0
> tunnel mode gre multipoint
> tunnel key 1
> tunnel vrf outside
> tunnel protection ipsec profile dmvpn_prof
>
> Now I add a new interface (f0/0/0) to the router and have placed it in the
> outside vrf. I'd like to protect traffic to and from the Internet from this
> interface using a Zone Based Firewall. I put the new interface in zone dmz
> and the S0/0/0 interface in zone outside.
>
> Question: What zone do I use for the Tunnel interface?
>
>
> Thank you in advance!!
> Patrick Saldou
> Enterprise Consultant
> ePlus Technology, inc.
> 1376 Borregas Ave
> Sunnyvale, CA 94089
> 408-220-1817
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Edouard Zorrilla
> Sent: Thursday, July 08, 2010 7:59 AM
> To: ccielab_at_groupstudy.com
> Cc: security_at_groupstudy.com
> Subject: OT : Windows machine sending ICMP echo request (ping)
>
> Hi Guys,
>
> I have a Windows machine which keeps sending pings to others. The
> destinations are random, but valid IP addresses (it seems to query DNS or WINS).
> Do you know how I can track the .exe which sends that kind of ping packet
> to the network? I have tried TCPView, but this shows me TCP/UDP
> connections, not ICMP traffic. I have scanned with antivirus/antimalware and all
> is clean.
>
> Thanks in advance for your time,
>
> Regards

-- 
CCIE #19963
Blogs and organic groups at http://www.ccie.net
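The first design described in the reply (a dedicated zone for Tunnel0, with inspection between it and the DMZ) is written out below as an added IOS configuration example; it is not part of the original thread or of either poster's router. The zone, class-map, policy-map and zone-pair names, the protocols inspected, and the expansion of "f0/0/0" to FastEthernet0/0/0 are assumptions.

```cisco
! Added example, not from the original thread. All names (vpn, CM-DMZ-TO-INTERNET,
! PM-DMZ-VPN, ...) and the inspected protocols are assumptions.
!
! One zone per security domain; the tunnel gets its own zone.
zone security outside
 description Internet-facing WAN (Serial0/0/0, vrf outside)
zone security dmz
 description New FastEthernet0/0/0 segment (vrf outside)
zone security vpn
 description DMVPN overlay (Tunnel0)

! Zone membership is configured per interface and is independent of
! which VRF the interface (or the tunnel's outer header) lives in.
interface Serial0/0/0
 zone-member security outside
interface FastEthernet0/0/0
 zone-member security dmz
interface Tunnel0
 zone-member security vpn

! Stateful inspection for DMZ hosts reaching the Internet (assumed protocols).
class-map type inspect match-any CM-DMZ-TO-INTERNET
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-DMZ-TO-INTERNET
 class type inspect CM-DMZ-TO-INTERNET
  inspect
 class class-default
  drop log

! Stateful inspection between the DMZ and the DMVPN overlay (assumed protocols).
class-map type inspect match-any CM-DMZ-VPN
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-DMZ-VPN
 class type inspect CM-DMZ-VPN
  inspect
 class class-default
  drop log

! Zone pairs. No outside -> dmz pair is defined, so unsolicited traffic from
! the Internet into the DMZ is dropped; return traffic for inspected sessions
! is permitted by the stateful entries.
zone-pair security DMZ-OUT source dmz destination outside
 service-policy type inspect PM-DMZ-TO-INTERNET
zone-pair security DMZ-VPN source dmz destination vpn
 service-policy type inspect PM-DMZ-VPN
zone-pair security VPN-DMZ source vpn destination dmz
 service-policy type inspect PM-DMZ-VPN
```

Two points worth checking when applying this pattern. First, the encrypted DMVPN traffic itself (ISAKMP, ESP and the GRE outer header arriving on Serial0/0/0) terminates on the router, so ZBF handles it through the implicit self zone, which is permitted by default until a zone-pair involving self is configured; the pairs above do not affect it. Second, the simpler option from the reply is just `zone-member security dmz` under Tunnel0: traffic between interfaces in the same zone is not inspected, so the DMZ-VPN and VPN-DMZ pairs are then unnecessary, at the cost of no policy boundary between the overlay and the DMZ segment.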
Received on Thu Jul 08 2010 - 22:58:38 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART