kyle.moses Tue, 08/04/2015 - 09:43
That would be a sub-interface, which isn't the same as VRF.

Vicente,

I was trying to figure this out as well, and VRF doesn't seem to be supported on my ASA 5585 running 9.2 and ASDM 7.4.

Marvin Rhoads Tue, 08/04/2015 - 13:29

Way to revive a 7-year old thread!

The 5580 (and all ASA models) only has a single routing table (aka RIB or Routing Information Base). It does not support Virtual Routing and Forwarding (VRF) instances.

The latest ASA 9.4 software (for the X series only - not the 5580) did just introduce policy-based routing. Still not anywhere near the same as VRFs but it may help some folks who need some routing flexibility.

kyle.moses Wed, 08/05/2015 - 05:38

Thanks for the quick response, Marvin. I didn't see anything in the device documentation, but I wanted to make sure I wasn't missing something. Time to think about updating to 9.4!

Jon Marshall Wed, 08/05/2015 - 06:33

Just to add that there is always the option of contexts.

To be fair, Andrew's original answer isn't that bad. You are right that a subinterface is obviously not a VRF, but I have seen designs where the VRFs are terminated on separate interfaces or subinterfaces on the firewall, and because a firewall by definition is a security device, you can then control inter-VRF communication statefully.

In fact, in a lot of cases it is easier to do this than to have to mess around with route leaking between VRFs on an L3 device.

No criticism intended, just thought I'd mention it.

Jon
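As an added illustration of the design Jon describes (this is constructed example configuration, not from the thread, a Cisco Validated Design, or any participant), the sketch below terminates two VRFs from an adjacent L3 switch on 802.1Q subinterfaces of one ASA port and places a default-deny policy between them. The VLAN ids, nameif values, addresses and object names are all placeholders; the point is that once each VRF has its own ASA interface, inter-VRF traffic is subject to the ASA's stateful inspection and interface ACLs rather than to route leaking on the switch.

```cisco
! Constructed example: VRF "corp" arrives tagged as VLAN 10, VRF "guest" as
! VLAN 20, both on the same physical ASA port. Names/addresses are placeholders.
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif vrf-corp
 security-level 80
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif vrf-guest
 security-level 20
 ip address 10.20.0.1 255.255.255.0
!
! Each VRF's address space is reached through its own subinterface and the
! L3 switch's SVI in that VRF (placeholder next hops).
route vrf-corp 10.100.0.0 255.255.0.0 10.10.0.2
route vrf-guest 10.200.0.0 255.255.0.0 10.20.0.2
!
! Guest VRF may reach only the corp web front end on 80/443; everything else
! from guest toward corp is dropped and logged (implicit deny is made explicit
! so the drops show up in syslog).
object network corp-web
 subnet 10.100.5.0 255.255.255.0
object-group service web-ports tcp
 port-object eq 80
 port-object eq 443
!
access-list guest-to-corp extended permit tcp 10.200.0.0 255.255.0.0 object corp-web object-group web-ports
access-list guest-to-corp extended deny ip any any log
access-group guest-to-corp in interface vrf-guest
!
! Corp VRF may initiate nothing toward guest space; return traffic for the
! permitted guest->corp web sessions is handled by stateful inspection, so
! no explicit permit is needed here.
access-list corp-in extended deny ip any 10.200.0.0 255.255.0.0 log
access-list corp-in extended permit ip 10.100.0.0 255.255.0.0 any
access-group corp-in in interface vrf-corp
```

Two practical checks when using this pattern: confirm the switch side really keeps the two VRFs' routing tables separate (the ASA enforces the policy only for traffic that actually transits it), and leave `same-security-traffic permit inter-interface` off unless you intentionally want equal-security-level interfaces to talk, since the default-deny posture between VRFs is the reason for landing them on the firewall in the first place.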

Marvin Rhoads Wed, 08/05/2015 - 06:36

Good point Jon.

You're right of course - using interfaces or subinterfaces on an ASA to manage communications between distinct VRFs on adjacent devices may even be in one of the CVDs. I have seen it done that way in more than one large data center design.

Personally I dislike contexts unless they're needed for multi-tenancy. But that's just my early bad experiences with them. :)
