Cisco VRF-Lite Guest Network and OpenDNS

My basic goal here was to create a branded/managed OpenDNS-enabled guest network on VRF-Lite. I didn't want to put any dependencies on the global routing process, and I also wanted to avoid running any kind of OpenDNS update client for my cheap ADSL drop.

In case anyone is curious, this is a working config on c2900-universalk9-mz.SPA.153-3.M1.bin.
Not sure why anyone else would ever try to do this, but it may help if you do.
ip vrf GUEST_VRF
ip dhcp excluded-address 192.168.124.1
ip dhcp pool GUEST_NETWORK
 vrf GUEST_VRF
 network 192.168.124.0 255.255.255.0
 dns-server 208.67.222.222 208.67.220.220
 default-router 192.168.124.1
Create a vrf and guest network dhcp pool.
ip domain lookup source-interface FastEthernet0/0/0
ip domain name guestvrf.net
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ddns update method DDNS_OPENDNS
 HTTP
  add https://USERNAME:PASSWORD@updates.opendns.com/nic/update?hostname=SITECODE
  interval maximum 0 1 0 0
I wanted to make sure the DNS queries egress from the internet-facing interface of the guest VRF, but this is only part of the puzzle: for the query to actually work as intended I also needed policy-based routing (see below). The DDNS update method is an HTTPS call to OpenDNS's update URL. The URL carries the login information and the site I am dynamically updating (careful with that question mark: the IOS CLI treats ? as a help request, so press Ctrl-V before typing it). Note that the username and password sit in clear text in the running config, so handle config backups accordingly.
ip http client source-interface FastEthernet0/0/0
Just as with the DNS queries, I needed to make sure the router sources the HTTPS update traffic from the internet-facing interface in the guest VRF.
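To show what the DDNS `add` URL above actually turns into on the wire, here is an added example (not part of the post and not Cisco's HTTP client code). It takes the userinfo-style URL, moves the credentials into a Basic authentication header the way HTTP clients do, refuses a plain http scheme, and provides a redaction helper so the URL can be pasted into tickets or logs without the password. The USERNAME/PASSWORD/SITECODE values are the post's own placeholders, not real credentials.

```python
"""Added example: build the HTTPS request behind an IOS DDNS 'add' URL and redact it."""
import base64
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request


def _hostport(netloc: str) -> str:
    """Strip the user:password@ part of a netloc, keeping host and any port."""
    return netloc.rsplit("@", 1)[-1]


def build_update_request(ddns_url: str) -> Request:
    """Turn 'https://USER:PASS@host/path?query' into a Request whose credentials
    travel in an Authorization: Basic header rather than in the request line."""
    parts = urlsplit(ddns_url)
    if parts.scheme != "https":
        raise ValueError("update URL must use https; credentials would otherwise travel in clear")
    if not parts.username or parts.password is None:
        raise ValueError("update URL must carry USERNAME:PASSWORD userinfo")
    clean_url = urlunsplit((parts.scheme, _hostport(parts.netloc), parts.path, parts.query, ""))
    token = base64.b64encode(f"{parts.username}:{parts.password}".encode()).decode()
    req = Request(clean_url, method="GET")
    req.add_header("Authorization", f"Basic {token}")
    return req


def redact(ddns_url: str) -> str:
    """Return the URL with the password replaced by ***, safe for sharing configs or logs."""
    parts = urlsplit(ddns_url)
    userinfo = f"{parts.username}:***@" if parts.username else ""
    return urlunsplit((parts.scheme, userinfo + _hostport(parts.netloc),
                       parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed input using the post's placeholders.
    url = "https://USERNAME:PASSWORD@updates.opendns.com/nic/update?hostname=SITECODE"
    req = build_update_request(url)
    print(req.get_method(), req.selector, "Host:", req.host)
    print("Authorization:", req.get_header("Authorization"))
    print("Redacted:", redact(url))
```

The same Basic header (base64 of `username:password`) is what shows up in any debug or packet capture of the update, which is why the post's insistence on HTTPS matters: over plain HTTP the credentials would be recoverable by anyone on the path.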
crypto pki trustpoint GEOTRUST
 enrollment terminal pem
 revocation-check none

crypto pki certificate chain GEOTRUST
 certificate ca 023456
30820354 3082023C A0030201 02020302 3456300D 06092A86 4886F70D 01010505
00304231 0B300906 03550406 13025553 31163014 06035504 0A130D47 656F5472
75737420 496E632E 311B3019 06035504 03131247 656F5472 75737420 476C6F62
616C2043 41301E17 0D303230 35323130 34303030 305A170D 32323035 32313034
30303030 5A304231 0B300906 03550406 13025553 31163014 06035504 0A130D47
656F5472 75737420 496E632E 311B3019 06035504 03131247 656F5472 75737420
476C6F62 616C2043 41308201 22300D06 092A8648 86F70D01 01010500 0382010F
00308201 0A028201 0100DACC 186330FD F417231A 567E5BDF 3C6C38E4 71B77891
D4BCA1D8 4CF8A843 B603E94D 21070888 DA582F66 3929BD05 788B9D38 E805B76A
7E71A4E6 C460A6B0 EF80E489 280F9E25 D6ED83F3 ADA691C7 98C94218 35149DAD
9846922E 4FCAF187 43C11695 572D50EF 892D807A 57ADF2EE 5F6BD200 8DB914F8
141535D9 C046A37B 72C891BF C9552BCD D0973E9C 2664CCDF CE831971 CA4EE6D4
D57BA919 CD55DEC8 ECD25E38 53E55C4F 8C2DFE50 2336FC66 E6CB8EA4 391900B7
95023991 0B0EFE38 2ED11D05 9AF64D3E 6F0F071D AF2C1E8F 6039E2FA 36531339
D45E262B DB3DA814 BD32EB18 03285204 71E5AB33 3DE138BB 07368462 9C79EA16
30F45FC0 2BE8716B E4F90203 010001A3 53305130 0F060355 1D130101 FF040530
030101FF 301D0603 551D0E04 160414C0 7A98688D 89FBAB05 640C117D AA7D65B8
CACC4E30 1F060355 1D230418 30168014 C07A9868 8D89FBAB 05640C11 7DAA7D65
B8CACC4E 300D0609 2A864886 F70D0101 05050003 82010100 35E3296A E52F5D54
8E295094 9F991A14 E48F782A 6294A227 679ED0CF 1A5E47E9 C1B2A4CF DD411A05
4E9B4BEE 4A6F5552 B324A137 0AEB6476 2A2E2CF3 FD3B7590 BFFA71D8 C73D37D2
B5059562 B9A6DE89 3D367B38 774897AC A6208F2E A6C90CC2 B2994500 C7CE1151
2222E0A5 EAB61548 0964EA5E 4F74F705 3EC78A52 0CDB15B4 BD6D9BE5 C6B15468
A9E36990 B69AA50F B8B93F20 7DAE4AB5 B89CE41D B6ABE694 A5C1C783 ADDBF527
870E046C D5FFDDA0 5DED8752 B72B1502 AE39A66A 74E9DAC4 E7BC4D34 1EA95C4D
335F9209 2F88665D 7797C71D 7613A9D5 E5F11609 1135D5AC DB247170 2C98560B
D917B4D1 E3512B5E 75E8D5D0 DC4F34ED C2056680 A1CBE633
quit
The HTTPS call to OpenDNS's update servers requires that my router trust the root CA that signs OpenDNS's certificate (the GeoTrust Global CA at the time of writing, hence the trustpoint above). Keep in mind that revocation-check none means the router will not consult a CRL or OCSP for that chain.
ip access-list extended ACL_FROM_OPENDNS_DNS
 permit udp host 208.67.222.222 eq domain any
 permit udp host 208.67.220.220 eq domain any
ip access-list extended ACL_FROM_OPENDNS_HTTPS
 permit tcp any eq 443 any
ip access-list extended ACL_TO_OPENDNS_DNS
 permit udp any host 208.67.222.222 eq domain
 permit udp any host 208.67.220.220 eq domain
ACLs used in the various class-maps and route-maps. You are probably asking yourself why I would have the ACL_FROM rules. They were required because this router model/IOS release doesn't allow inspect rules for the "self" zone in the ZBF config, so the return traffic to the router has to be matched and passed explicitly. Here was the outcome when I tried:
%Protocol configured in class-map MATCH_SELF_TRAFFIC cannot be configured for the self zone with inspect action. Please remove the protocol and retry --- Oh Joy.
class-map type inspect match-any MATCH_INTERNET_TRAFFIC
 match access-group name ACL_FROM_OPENDNS_DNS
 match access-group name ACL_FROM_OPENDNS_HTTPS
 match protocol icmp
 match protocol bootpc

class-map type inspect match-any MATCH_GUEST_TRAFFIC
 match protocol http
 match protocol https
 match protocol icmp
 match access-group name ACL_TO_OPENDNS_DNS

policy-map type inspect GUEST_to_INTERNET
 class type inspect MATCH_GUEST_TRAFFIC
  inspect
 class class-default
  drop
policy-map type inspect INTERNET_to_self
 class type inspect MATCH_INTERNET_TRAFFIC
  pass
 class class-default
  drop

zone security INTERNET
zone security GUEST
zone-pair security INTERNET->self source INTERNET destination self
 service-policy type inspect INTERNET_to_self
zone-pair security GUEST->INTERNET source GUEST destination INTERNET
 service-policy type inspect GUEST_to_INTERNET
The basic ZBF stuff.
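To check what the two zone-pairs above actually let through, here is an added example (my own code, not from the post or from Cisco) that models the three ACLs, the match-any class-maps and the zone-pair policies, then evaluates a handful of constructed packets against them. Assumptions: the ACL model only covers `host`/`any` endpoints with an optional `eq` port (all the post uses); each `match protocol` keyword is reduced to its transport and well-known destination port; 203.0.113.10 stands in for the DHCP-assigned WAN address and 192.168.124.50 for a guest client.

```python
"""Added example: evaluate sample packets against the post's ZBF zone-pair policies."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # unused for icmp
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One 'permit' entry of an IOS extended ACL: host/any endpoints, optional 'eq' port."""
    proto: str
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


OPENDNS = ("208.67.222.222", "208.67.220.220")

ACLS = {  # the three ACLs from the post
    "ACL_FROM_OPENDNS_DNS": [Ace("udp", src=h, sport=53) for h in OPENDNS],
    "ACL_FROM_OPENDNS_HTTPS": [Ace("tcp", sport=443)],
    "ACL_TO_OPENDNS_DNS": [Ace("udp", dst=h, dport=53) for h in OPENDNS],
}

# Assumption: 'match protocol <name>' reduced to transport + well-known destination port.
PROTOCOLS = {"http": ("tcp", 80), "https": ("tcp", 443),
             "bootpc": ("udp", 68), "icmp": ("icmp", None)}

CLASS_MAPS = {  # match-any: the first criterion that is true classifies the packet
    "MATCH_INTERNET_TRAFFIC": [("acl", "ACL_FROM_OPENDNS_DNS"),
                               ("acl", "ACL_FROM_OPENDNS_HTTPS"),
                               ("protocol", "icmp"), ("protocol", "bootpc")],
    "MATCH_GUEST_TRAFFIC": [("protocol", "http"), ("protocol", "https"),
                            ("protocol", "icmp"), ("acl", "ACL_TO_OPENDNS_DNS")],
}

POLICIES = {  # zone-pair -> ordered (class-map, action); class-default drops in both
    "INTERNET->self": [("MATCH_INTERNET_TRAFFIC", "pass")],
    "GUEST->INTERNET": [("MATCH_GUEST_TRAFFIC", "inspect")],
}


def class_matches(name: str, p: Packet) -> bool:
    for kind, arg in CLASS_MAPS[name]:
        if kind == "acl":
            if any(ace.matches(p) for ace in ACLS[arg]):
                return True
        else:
            proto, port = PROTOCOLS[arg]
            if p.proto == proto and (port is None or p.dport == port):
                return True
    return False


def zone_pair_action(zone_pair: str, p: Packet) -> str:
    """Return 'pass', 'inspect' or 'drop' for a packet entering the given zone-pair."""
    for cls, action in POLICIES[zone_pair]:
        if class_matches(cls, p):
            return action
    return "drop"


# Constructed sample packets (placeholder addresses, not captured traffic).
WAN, GUEST = "203.0.113.10", "192.168.124.50"
SAMPLES = {
    "INTERNET->self": {
        "DNS reply from OpenDNS": Packet("udp", "208.67.222.222", WAN, 53, 40001),
        "DNS reply from another resolver": Packet("udp", "198.51.100.53", WAN, 53, 40001),
        "DHCP offer from the ISP": Packet("udp", "203.0.113.1", WAN, 67, 68),
        "unsolicited TCP to port 22": Packet("tcp", "198.51.100.7", WAN, 51515, 22),
        "TCP from source port 443 to port 22": Packet("tcp", "198.51.100.7", WAN, 443, 22),
    },
    "GUEST->INTERNET": {
        "guest HTTPS": Packet("tcp", GUEST, "198.51.100.80", 50000, 443),
        "guest DNS to OpenDNS": Packet("udp", GUEST, "208.67.220.220", 50001, 53),
        "guest DNS to another resolver": Packet("udp", GUEST, "198.51.100.53", 50001, 53),
        "guest SMTP": Packet("tcp", GUEST, "198.51.100.25", 50002, 25),
    },
}


def evaluate_samples() -> dict:
    """Action for every sample packet, keyed by zone-pair and description."""
    return {zp: {desc: zone_pair_action(zp, p) for desc, p in pk.items()}
            for zp, pk in SAMPLES.items()}


if __name__ == "__main__":
    for zp, results in evaluate_samples().items():
        print(zp)
        for desc, action in results.items():
            print(f"  {action:8} {desc}")
```

The guest side behaves as the post intends: only HTTP, HTTPS, ICMP and DNS to the two OpenDNS resolvers are inspected, and DNS to any other resolver is dropped, which is what keeps the filtering enforced. The last INTERNET->self line is worth noticing: because ACL_FROM_OPENDNS_HTTPS permits tcp any eq 443 any and the class is applied with pass (no state tracking, forced by the self-zone inspect limitation), any TCP segment whose source port happens to be 443 reaches the router's self zone regardless of its destination port. If you keep that rule, make sure no management services listen on the WAN interface, or add a control-plane policy in front of them.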
ip local policy route-map RM_OPENDNS_DNS
route-map RM_OPENDNS_DNS permit 10
 match ip address ACL_TO_OPENDNS_DNS
 set vrf GUEST_VRF
 set ip next-hop dynamic dhcp
The fix I mentioned previously: a local policy route-map that forces "self"-originated DNS queries to OpenDNS into the guest VRF and out through its DHCP-learned next hop.
ip access-list extended ACL_GUEST_NAT
 permit ip any any
ip nat inside source list ACL_GUEST_NAT interface FastEthernet0/0/0 vrf GUEST_VRF overload

interface GigabitEthernet0/2.901
 encapsulation dot1Q 901
 ip vrf forwarding GUEST_VRF
 ip address 192.168.124.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security GUEST

interface FastEthernet0/0/0
 ip vrf forwarding GUEST_VRF
 no ip dhcp client request dns-nameserver
 ip ddns update DDNS_OPENDNS
 ip address dhcp
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security INTERNET
 duplex auto
 speed auto
Basic NAT and interface config.
