01-02-2010 08:23 AM - edited 03-04-2019 07:05 AM
Dear Experts,
I would appreciate your help with a clue on how to achieve the traffic flow described below (also see the attached diagram).
It is a hub and spoke topology. Branch office 1 is able to communicate with branch office 2 through the hub router. Now I want to change the traffic flow in such a way that if branch office 1 wants to communicate with branch office 2, the traffic should go to the firewall placed behind the hub router (please see the attached diagram), have all the security checks done, and only then be allowed to reach branch office 2. The same applies vice versa.
Putting it in simple words: inter-branch-office traffic should pass only through the firewall and not directly via the hub router itself. I have an idea of using VRF-lite to achieve this, but I am not sure.
Hope you will share your valuable ideas and discuss
regards
sairam
01-02-2010 08:41 AM
snarayanaraju wrote:
Dear Experts,
I would appreciate your help with a clue on how to achieve the traffic flow described below (also see the attached diagram).
It is a hub and spoke topology. Branch office 1 is able to communicate with branch office 2 through the hub router. Now I want to change the traffic flow in such a way that if branch office 1 wants to communicate with branch office 2, the traffic should go to the firewall placed behind the hub router (please see the attached diagram), have all the security checks done, and only then be allowed to reach branch office 2. The same applies vice versa.
Putting it in simple words: inter-branch-office traffic should pass only through the firewall and not directly via the hub router itself. I have an idea of using VRF-lite to achieve this, but I am not sure.
Hope you will share your valuable ideas and discuss
regards
sairam
Sairam
Some questions:
1) What is the firewall, i.e. the make, and if it is Cisco, which version of code is it running?
2) Are you running a dynamic routing protocol between the branch sites and the hub?
3) Are the branch site subnets summarisable?
4) Are you planning on using subinterfaces on the firewall, or just one physical interface for all traffic?
Jon
01-02-2010 10:27 AM
Hello Jon,
Thanks for your interest. Here is the clarification for your queries:
1) What is the firewall, i.e. the make, and if it is Cisco, which version of code is it running?
CISCO ASA 8.0
2) Are you running a dynamic routing protocol between the branch sites and the hub?
STATIC
3) Are the branch site subnets summarisable?
YES
4) Are you planning on using subinterfaces on the firewall, or just one physical interface for all traffic?
AT THIS POINT I DON'T HAVE ANY IDEA. IF A SUBINTERFACE IS THE ONLY SOLUTION, THEN I HAVE TO DO THAT.
Hope this info is sufficient for further discussion. Please note, this is in the design stage. Based on your solution the low-level design will be done.
sairam
01-02-2010 11:22 AM
Hello Sairam,
this kind of constrained connectivity can be achieved using VRFs:
each branch site will be in its own VRF.
Traffic coming from branch 1 is routed to an ASA subinterface that is mapped to a VLAN subinterface in the same VRF on the router.
Another VRF is used for the second branch office.
! VRF for branch office A: the spoke link and the ASA-facing subinterface
! share this VRF, so the only exit from it is the ASA.
ip vrf branchA
 rd 100:101
!
interface Serial0/0
 ip vrf forwarding branchA
 ip address x1.y1.z1.k1 255.255.255.252
!
interface FastEthernet0/0.n1
 encapsulation dot1Q n1
 ip vrf forwarding branchA
 ip address l1.m1.n1.o1 255.255.255.252
!
! summary route for remote site A out the serial link; everything else goes to the ASA
ip route vrf branchA <remote-siteA-summary> <mask> Serial0/0
ip route vrf branchA 0.0.0.0 0.0.0.0 l1.m1.n1.asa1
!
! VRF for branch office B, same pattern on its own subinterface and VLAN
ip vrf branchB
 rd 100:102
!
interface Serial0/1
 ip vrf forwarding branchB
 ip address x2.y2.z2.k2 255.255.255.252
!
interface FastEthernet0/0.n2
 encapsulation dot1Q n2
 ip vrf forwarding branchB
 ip address l2.m2.n2.o2 255.255.255.252
!
ip route vrf branchB <remote-siteB-summary> <mask> Serial0/1
ip route vrf branchB 0.0.0.0 0.0.0.0 l2.m2.n2.asa2
A more classic solution would involve the use of multiple PBR policies.
Hope to help
Giuseppe
01-02-2010 12:42 PM
Hello Sairam,
In addition to Giuseppe's VRF example, here is an example of a PBR solution:
1) Create an access list that matches your internal network
T-1(config)#ip access-list extended 111
T-1(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 any
2) Create a route map and specify your match and set clauses
T-1(config)#route-map test-pbr
T-1(config-route-map)#match ip address 111
T-1(config-route-map)#set ip next-hop 192.168.1.2
3) Apply the route map to the interface of the router facing the FW
T-1(config)#interface <interface>
T-1(config-if)#ip policy route-map test-pbr
HTH
Reza
01-02-2010 12:46 PM
snarayanaraju wrote:
Hello Jon,
Thanks for your interest. Here is the clarification for your queries:
1) What is the firewall, i.e. the make, and if it is Cisco, which version of code is it running?
CISCO ASA 8.0
2) Are you running a dynamic routing protocol between the branch sites and the hub?
STATIC
3) Are the branch site subnets summarisable?
YES
4) Are you planning on using subinterfaces on the firewall, or just one physical interface for all traffic?
AT THIS POINT I DON'T HAVE ANY IDEA. IF A SUBINTERFACE IS THE ONLY SOLUTION, THEN I HAVE TO DO THAT.
Hope this info is sufficient for further discussion. Please note, this is in the design stage. Based on your solution the low-level design will be done.
sairam
Sairam
As Giuseppe says, you can use VRFs as a solution. There are a couple of other solutions that you may want to think about:
1) Again as Giuseppe mentioned, PBR (Policy Based Routing) could be used to send the traffic to the ASA firewall.
2) However, as you use static routing, an even easier way is simply to have routes on your HQ router for the branch sites pointing to the ASA. This is why I asked about the routing between each site. Between the HQ router and the ASA have 2 subinterfaces and route the branch traffic via the subinterfaces.
All 3 would work for you. Using VRFs is the modern approach to segregating traffic across the same physical infrastructure, but if your kit cannot support it or you do not want the complexity, there are alternative approaches.
Jon
01-02-2010 06:27 PM
Hi Jon
I'm only wondering if we use:
"2) However, as you use static routing, an even easier way is simply to have routes on your HQ router for the branch sites pointing to the ASA"
I think this will form a routing loop, because traffic will come from branch A to branch B going through the hub, the hub will have the route to branch B pointing to the ASA, and then the ASA will route it back to the hub router and the router will route it back to the ASA!
Am I right, or did I misunderstand your point?
I think VRFs will be the best, even better than PBR, because it will cause less CPU utilization.
thank you
01-03-2010 01:42 AM
Thanks to Giuseppe, Jon, marwanshawi
Your suggestions are very useful. Jon suggested using PBR, but I expect it will create a routing loop between the ASA and the hub router. So I am going to use VRFs.
Each branch office will be in a different VRF. Instead of a sub-interface on the ASA I am going to use a dedicated physical interface. Each interface on the hub router that is connected to the ASA will also be in a different interface. I will use BGP to route between VRFs (route leaking between VRFs).
I will update this post after testing this in the lab. Before that, if you have any comments please let me know.
Thanks again
sairam
01-03-2010 02:03 AM
Hello Sairam,
>> I will use BGP to route between VRFs (Route Leak between VRF).
If you do so, the risk is that the firewall can be bypassed and the advantage of VRFs would be lost. An additional VRF for the central site itself may be needed; I was thinking of this, but it depends on whether the central site is behind the ASA or connected to another interface of the router.
Also, I would use a logical interface for each branch/VRF in connecting to the ASA; it should help.
Edit:
However, in the lab you can test the scenario. Keep us updated.
Hope to help
Giuseppe
01-03-2010 04:25 AM
I think if you just do the configuration posted by Giuseppe above your life will be easier, as with static routing and two VRFs your goal will be achieved without any complexity.
Also, I don't think you need any route leaking, because any sort of leaking means bypassing the firewall, which is not your requirement, unless you want to exclude some traffic from being firewalled; in that case route leaking would be an option.
thank you
01-04-2010 03:59 AM
marwanshawi wrote:
Hi Jon
I'm only wondering if we use:
"2) However, as you use static routing, an even easier way is simply to have routes on your HQ router for the branch sites pointing to the ASA"
I think this will form a routing loop, because traffic will come from branch A to branch B going through the hub, the hub will have the route to branch B pointing to the ASA, and then the ASA will route it back to the hub router and the router will route it back to the ASA!
Am I right, or did I misunderstand your point?
I think VFRs will be the best, even better than PBR, because it will cause less CPU utilization.
thank you
Marwan
I am hanging my head in shame.
You are of course quite right, and I should have thought that one through a bit more. No excuses, just a very basic mistake. Thanks for correcting.
Sairam - apologies for the answer.
Jon
01-04-2010 04:56 AM
No problem Jon,
it happens, especially when there are many posts to answer.
01-04-2010 11:05 PM
Hi Friends,
I tested this. It is working perfectly when VRF-lite is used. Let me just briefly describe the config logic.
I have used 2 interfaces of the firewall connected to the hub router. Each branch office is in a different VRF. Similarly, each interface connected to the firewall is also in a different VRF.
Spoke 1: VRF name = S1
Spoke 2: VRF name = S2
Interface 1 to firewall = FW1
Interface 2 to firewall = FW2
I am importing FW1 routes into S1 and S2, and importing S1 and S2 routes into FW2. Hope it is not confusing.
If required I am happy to post the config as well.
HTH
sairam
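The thread compares four hub designs: Giuseppe's two-VRF layout, Jon's single-table option 2 that Marwan showed loops, route leaking between VRFs that Giuseppe warned bypasses the firewall, and Sairam's tested four-VRF layout. As an added example (not code from the thread or from Cisco), the following model traces a packet through the hub's per-VRF tables and the ASA's table and checks the two properties that matter here: every inter-branch path crosses the ASA, and no design forwards in a loop. Device names, VRF names, the "fw" ASA table and the 10.x prefixes are constructed for the model; Sairam's FW1 VRF is represented by the hop to the ASA itself.

```python
"""Forwarding model for the hub-and-spoke designs in the thread (added example).
A forwarding context is (device, table): the hub's tables are its VRFs (or
"global"); the ASA has one table. A next hop is either a branch name (the
packet has left the hub toward that spoke) or another context."""
import ipaddress

BRANCHES = {"branch1": "10.1.0.0/16", "branch2": "10.2.0.0/16"}  # constructed
ASA = ("asa", "fw")                                                  # constructed


def lookup(table, dst):
    """Longest-prefix match of dst over a list of (prefix, next_hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]


def trace(design, ingress, dst, max_hops=8):
    """Follow dst from the hub context it enters.
    Returns (path, status) with status 'delivered', 'loop' or 'no-route'."""
    path, ctx, seen = [ingress], ingress, {ingress}
    while True:
        nh = lookup(design[ctx], dst)
        if nh is None:
            return path, "no-route"
        path.append(nh)
        if isinstance(nh, str):                 # terminal: handed to a spoke
            return path, "delivered"
        if nh in seen or len(path) > max_hops:  # revisiting a context = loop
            return path, "loop"
        seen.add(nh)
        ctx = nh


def check(design, ingress_of):
    """Trace one host in each other branch's prefix from every branch.
    Returns {(src, dst): (status, crosses_asa, path)}."""
    out = {}
    for src, src_ctx in ingress_of.items():
        for dst, prefix in BRANCHES.items():
            if dst != src:
                probe = str(ipaddress.ip_network(prefix)[10])
                path, status = trace(design, src_ctx, probe)
                out[(src, dst)] = (status, ASA in path, path)
    return out


def firewalled(design, ingress_of):
    """True only if every inter-branch path is delivered and crosses the ASA."""
    return all(st == "delivered" and via for st, via, _ in check(design, ingress_of).values())


# Giuseppe's two-VRF design: each VRF's only exit is the ASA; the ASA's
# return interface for a spoke lands in that spoke's VRF.
VRF_DESIGN = {
    ("hub", "branchA"): [("10.1.0.0/16", "branch1"), ("0.0.0.0/0", ASA)],
    ("hub", "branchB"): [("10.2.0.0/16", "branch2"), ("0.0.0.0/0", ASA)],
    ASA: [("10.1.0.0/16", ("hub", "branchA")), ("10.2.0.0/16", ("hub", "branchB"))],
}
VRF_INGRESS = {"branch1": ("hub", "branchA"), "branch2": ("hub", "branchB")}

# Jon's withdrawn option 2: one global table with branch routes pointing at
# the ASA, which hands the packet back into the same table (Marwan's loop).
GLOBAL_DESIGN = {
    ("hub", "global"): [("10.1.0.0/16", ASA), ("10.2.0.0/16", ASA)],
    ASA: [("10.1.0.0/16", ("hub", "global")), ("10.2.0.0/16", ("hub", "global"))],
}
GLOBAL_INGRESS = {"branch1": ("hub", "global"), "branch2": ("hub", "global")}

# Two-VRF design with branch2's prefix leaked into branchA: Giuseppe's
# warning, the firewall is skipped in that direction.
LEAKED_DESIGN = dict(VRF_DESIGN)
LEAKED_DESIGN[("hub", "branchA")] = VRF_DESIGN[("hub", "branchA")] + [("10.2.0.0/16", "branch2")]

# Sairam's tested layout: S1/S2 hold the spokes and import the route to the
# ASA (FW1); FW2 imports S1 and S2 so the ASA's return leg reaches either spoke.
FOUR_VRF_DESIGN = {
    ("hub", "S1"): [("10.1.0.0/16", "branch1"), ("0.0.0.0/0", ASA)],
    ("hub", "S2"): [("10.2.0.0/16", "branch2"), ("0.0.0.0/0", ASA)],
    ("hub", "FW2"): [("10.1.0.0/16", "branch1"), ("10.2.0.0/16", "branch2")],
    ASA: [("10.1.0.0/16", ("hub", "FW2")), ("10.2.0.0/16", ("hub", "FW2"))],
}
FOUR_VRF_INGRESS = {"branch1": ("hub", "S1"), "branch2": ("hub", "S2")}


if __name__ == "__main__":
    for name, design, ingress in [("two VRFs", VRF_DESIGN, VRF_INGRESS),
                                  ("global table", GLOBAL_DESIGN, GLOBAL_INGRESS),
                                  ("leaked VRF", LEAKED_DESIGN, VRF_INGRESS),
                                  ("four VRFs", FOUR_VRF_DESIGN, FOUR_VRF_INGRESS)]:
        print(name, "firewalled:", firewalled(design, ingress))
        for pair, (status, via, path) in check(design, ingress).items():
            print("  ", pair, status, "via ASA" if via else "BYPASS", path)
```

Run as a script it prints the per-pair verdicts; the two-VRF and four-VRF designs pass, the global-table design loops between hub and ASA, and the leaked design delivers branch1 to branch2 without touching the ASA while the reverse direction still does. The same table-walk is what to do by hand against a real hub: for each source VRF, follow the longest match for the peer's prefix and confirm the next hop is the ASA-facing interface, not the peer's serial link.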
01-04-2010 11:13 PM
As long as it's working, that's fine.
But I think you can achieve the same goal with two VRFs only:
in the hub, assign S1 for site 1 and the FW1 interface to the FW interface in VRF1,
and assign S2 and the FW2 interface to VRF2.
This way your troubleshooting in the future, or adding any additional site, will be easier.
Can you post the hub config? I want to see how it's configured with 4 VRFs.