I am preparing a ZBFW design with 400+ ISR/ASR remote routers, FlexVPN and 1 VRF. Each router has a tunnel for visitors and another tunnel for normal users. Config below. In the documentation, I read "All interfaces in a zone must belong to the same Virtual Routing and Forwarding (VRF) instance".
There is no need to communicate between VRF visitor and the GRT, but both use the common wan zone on GigabitEthernet 0/0 and GigabitEthernet 0/2 to communicate to central.
My question: can I put all 4 tunnel interfaces below in the same zone: vpn?
The definition you are looking for, I guess, is this one:
A router can only inspect inter-VRF traffic if traffic must enter or leave a VRF through an interface to cross to a different VRF. If traffic is routed directly to another VRF, there is no physical interface where a firewall policy can inspect traffic, so the router is unable to apply inspection.
Based on that, I would say that each VRF will need a dedicated security zone applied.
I will try to run a lab real quick tomorrow and get back to you.
Remember to rate all of the helpful posts. That's as important as a thanks. Julio Carvajal Segura
Julio Carvajal Senior Network Security and Core Specialist CCIE #42930, 2xCCNP, JNCIP-SEC
Goal is not to inspect inter-VRF traffic; there is no traffic necessary between the GRT and VRF visitors (visitors separated from the normal users). Goal is to have 1 (vpn) instead of 2 (vpn and vpn-visitors) VPN zones if possible.
I hope I can configure the 2 normal (GRT) tunnels and the 2 visitor-VRF tunnels in the same zone: vpn.
But if I read the documentation "All interfaces in a zone must belong to the same Virtual Routing and Forwarding (VRF) instance", I am not sure this will work...
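For reference, here is an added configuration example (not from the thread or from Cisco documentation) that applies the quoted constraint literally: the two GRT tunnels share one zone, the two visitor-VRF tunnels share a second zone, and each zone gets its own zone-pair toward its own LAN zone. Interface numbers, the VRF name "visitor", the IPsec profile name, the zone and class/policy names, and the inspected protocols are all assumptions chosen for illustration; the tunnel-source and crypto details are reduced to what the zone assignment needs.

```cisco
! Added example: one security zone per VRF, following
! "All interfaces in a zone must belong to the same VRF instance".
! All names, interface numbers and the VRF name are assumptions.
vrf definition visitor
 address-family ipv4
 exit-address-family
!
! Stateful inspection policy shared by both zone-pairs (assumed protocols)
class-map type inspect match-any CM-INSPECT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-VPN-TO-LAN
 class type inspect CM-INSPECT
  inspect
 class class-default
  drop log
!
zone security wan
zone security lan
zone security lan-visitors
zone security vpn
zone security vpn-visitors
!
! WAN uplinks live in the global routing table (GRT)
interface GigabitEthernet0/0
 description WAN uplink (GRT)
 zone-member security wan
!
interface GigabitEthernet0/2
 description WAN backup uplink (GRT)
 zone-member security wan
!
! Normal-user tunnels: forwarding in the GRT, so both may share zone vpn
interface Tunnel0
 description FlexVPN to hub A (GRT)
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile FLEX-PROF
 zone-member security vpn
!
interface Tunnel1
 description FlexVPN to hub B (GRT)
 tunnel source GigabitEthernet0/2
 tunnel protection ipsec profile FLEX-PROF
 zone-member security vpn
!
! Visitor tunnels: inner forwarding in vrf visitor, outer IKE/IPsec stays
! in the GRT (no "tunnel vrf"), so they get their own zone vpn-visitors
interface Tunnel2
 description FlexVPN to hub A (vrf visitor)
 vrf forwarding visitor
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile FLEX-PROF
 zone-member security vpn-visitors
!
interface Tunnel3
 description FlexVPN to hub B (vrf visitor)
 vrf forwarding visitor
 tunnel source GigabitEthernet0/2
 tunnel protection ipsec profile FLEX-PROF
 zone-member security vpn-visitors
!
! LAN-side interfaces, one per VRF (assumed)
interface GigabitEthernet0/1
 description users LAN (GRT)
 zone-member security lan
!
interface GigabitEthernet0/1.100
 description visitors LAN (vrf visitor)
 vrf forwarding visitor
 zone-member security lan-visitors
!
! Zone-pairs stay inside one VRF each; no pair between GRT and visitor
! zones, so there is no inter-VRF path for the firewall to permit
zone-pair security VPN-TO-LAN source vpn destination lan
 service-policy type inspect PM-VPN-TO-LAN
zone-pair security LAN-TO-VPN source lan destination vpn
 service-policy type inspect PM-VPN-TO-LAN
zone-pair security VPNVIS-TO-LANVIS source vpn-visitors destination lan-visitors
 service-policy type inspect PM-VPN-TO-LAN
zone-pair security LANVIS-TO-VPNVIS source lan-visitors destination vpn-visitors
 service-policy type inspect PM-VPN-TO-LAN
```

After applying it, "show zone security" lists the member interfaces of each zone and "show zone-pair security" confirms which pairs exist; the absence of any pair between a GRT zone and a visitor zone is what keeps the two groups separated, while the IKE/IPsec packets themselves are router-originated and so are handled as self-zone traffic rather than by these pairs.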