Hmm, I am getting a bit lost here.
When you make reference to "inside" and "outside" there, what exactly do
you mean? I may be missing something here.
I have just read your first post and still have the impression that all 3
interfaces (tun, s0/0/0 and f0/0/0) are in the "outside" VRF. Although the
post does not show the tunnel source and destination for the interface.....
could you clarify please?
Thanks!
On Thu, Jul 8, 2010 at 11:07 PM, Patrick Saldou <psaldou_at_eplus.com> wrote:
> Thank you so much for the response. Where I get twisted is that the
> outside of the tunnel is in the outside VRF and the inside is in the global
> vrf. I can assign the tunnel to one zone. If I assign it to the dmz
> security zone, is this zone bridging VRFs? Will my inside interface still
> be able to reach the tunnel (unencrypted)?
>
> *Patrick Saldou*
>
> Enterprise Consultant
>
> ePlus Technology, inc.
>
> 1376 Borregas Ave
>
> Sunnyvale, CA 94089
>
> 408-220-1817
>
>
>
> *From:* Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
> *Sent:* Thursday, July 08, 2010 2:59 PM
> *To:* Patrick Saldou
> *Cc:* ccielab_at_groupstudy.com; security_at_groupstudy.com
> *Subject:* Re: DMVPN VRF and ZBF
>
>
>
> First things first: I like to think of this like this: a VRF is a superset
> of a Zone. So we can have multiple zones within a VRF and not the other way
> around. So you are on the right track there. The Tunnel, F0/0/0 and S0/0/0
> are all inside the same VRF.
>
> That said, I would design this based on my traffic flow pattern and
> relative security of the respected interfaces. If I consider the Tunnel
> interface to be in a somewhat independent routing/activity domain, then I
> would simply create a separate zone for it and configure my various
> inspection within the different zones. Although this will make manageability
> more complex.
>
> Otherwise, I could just make it simpler by collapsing this interface into
> the DMZ interface.
>
> How about that?
>
> On Thu, Jul 8, 2010 at 10:37 PM, Patrick Saldou <psaldou_at_eplus.com> wrote:
>
> Hey Guys,
> OK I need help: I've got a DMVPN spoke router configured to use VRFs so
> that encrypted traffic is in vrf outside and the unencrypted traffic is in
> the global vrf. The WAN interface is serial0/0/0 and is in the outside vrf.
> Everything works. (Actually any tunnel interface will do fine for this
> question).
>
> interface Tunnel0
> ip address X.X.X.X 255.255.255.0
> ...
> tunnel source s0/0/0
> tunnel mode gre multipoint
> tunnel key 1
> tunnel vrf outside
> tunnel protection ipsec profile dmvpn_prof
>
> Now I add a new interface (f0/0/0) to the router and have placed it in the
> outside vrf. I'd like to protect traffic to and from the Internet from this
> interface using a Zone Based Firewall. I put the new interface in zone dmz
> and the S0/0/0 interface in zone outside.
>
> Question: What zone do I use for the Tunnel interface?
>
>
> Thank you in advance!!
> Patrick Saldou
> Enterprise Consultant
> ePlus Technology, inc.
> 1376 Borregas Ave
> Sunnyvale, CA 94089
> 408-220-1817
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Edouard Zorrilla
> Sent: Thursday, July 08, 2010 7:59 AM
> To: ccielab_at_groupstudy.com
> Cc: security_at_groupstudy.com
> Subject: OT : Windows machine sending ICMP echo request (ping)
>
> Hi Guys,
>
> I have a Windows machine which keeps sending pings to others. The
> destinations are random but valid IP addresses (it seems to query DNS or WINS).
> Do you know how I can track the .exe which sends that kind of ping packets
> to the network? I have tried with TCPView but this shows me TCP/UDP
> connections, not ICMP traffic. I have scanned with antivirus/antimalware and all
> is clean.
>
> Thanks in advance for your time,
>
> Regards
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> --
> CCIE #19963
>
--
CCIE #19963

Received on Thu Jul 08 2010 - 23:21:42 ART
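For readers following the design Sadiq outlines (Tunnel0 in its own zone, F0/0/0 in dmz, S0/0/0 in outside), the fragment below is an added, illustrative IOS Zone-Based Firewall configuration written for this archive page; it is not taken from the thread or from either poster's router. The zone names (outside, dmz, vpn), the class-map/policy-map/ACL names, and the protocols chosen for inspection are assumptions; the DMVPN and VRF parts of the original configuration are left untouched. It also shows the check that most often bites when S0/0/0 is moved into a zone: the encrypted DMVPN packets terminate on the router itself, i.e. in the implicit "self" zone, so an outside/self zone-pair has to pass ESP, ISAKMP and GRE or the tunnel never comes up.

```cisco
! Added example, not from the original post. Zone names and policy names are assumptions.
!
! Zones are not VRF-aware. Tunnel0 (unencrypted side, global VRF) and F0/0/0 (outside VRF)
! only talk to each other if routing between those VRFs exists; putting them in zones, the
! same or different ones, does not bridge the VRFs by itself.
zone security outside
zone security dmz
zone security vpn

! What the DMZ host on F0/0/0 may start toward the Internet through S0/0/0
class-map type inspect match-any DMZ-TO-INET
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp

policy-map type inspect DMZ-TO-INET-POL
 class type inspect DMZ-TO-INET
  inspect
 class class-default
  drop log

zone-pair security DMZ-INET source dmz destination outside
 service-policy type inspect DMZ-TO-INET-POL

! Unencrypted traffic that comes out of the tunnel: only allow the hub side to open
! HTTPS toward the DMZ (assumed policy), drop and log everything else.
class-map type inspect match-any VPN-TO-DMZ
 match protocol https

policy-map type inspect VPN-TO-DMZ-POL
 class type inspect VPN-TO-DMZ
  inspect
 class class-default
  drop log

zone-pair security VPN-DMZ source vpn destination dmz
 service-policy type inspect VPN-TO-DMZ-POL

! The encrypted DMVPN packets (ESP, ISAKMP on UDP 500/4500, GRE) arriving on S0/0/0 are
! addressed to the router, i.e. the "self" zone. Self-zone traffic is allowed by default,
! but the moment an outside<->self zone-pair exists these protocols must be passed
! explicitly in both directions. "pass" is used because ESP and GRE cannot be inspected.
ip access-list extended DMVPN-ACL
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit gre any any

class-map type inspect match-any DMVPN-CONTROL
 match access-group name DMVPN-ACL

policy-map type inspect OUTSIDE-SELF-POL
 class type inspect DMVPN-CONTROL
  pass
 class class-default
  drop log

zone-pair security OUTSIDE-SELF source outside destination self
 service-policy type inspect OUTSIDE-SELF-POL
zone-pair security SELF-OUTSIDE source self destination outside
 service-policy type inspect OUTSIDE-SELF-POL

! Interface membership: transport interface, DMZ interface, and the tunnel in its own zone
interface Serial0/0/0
 zone-member security outside
interface FastEthernet0/0/0
 zone-member security dmz
interface Tunnel0
 zone-member security vpn
```

If the tunnel is instead collapsed into the dmz zone, as Sadiq's simpler option suggests, the VPN-DMZ zone-pair disappears (intra-zone traffic is not inspected) and only the DMZ-INET and self-zone pairs remain; the self-zone pass rules are needed in either layout.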
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART