I ran into a situation where I need to connect 3 separate VRFs on a single ASR to a single firewall. Within those 3 VRFs are the branch VPN infrastructures of 3 separate tenants (subcompanies within a larger organization). The idea is that those 3 tenants have their own branch infrastructure (DMVPN on the ASR) and their own servers (separate security zones on the single firewall). Normally branches of each tenant talk only to their servers. But of course it turned out that there is a need for inter-tenant communications - both branch<->servers and branch<->branch. And this traffic has to be strictly controlled on the firewall. And here comes the tricky part - if we set up 3 separate transport networks between the firewall and the ASR for each tenant, inter-tenant traffic might become asymmetric from the firewall's point of view. And we all know firewalls don't like this at all and normally drop this traffic.
This is the point where I came up with the brilliant :) idea of bringing up 3 separate DOT1Q subinterfaces on the ASR (on the same physical) for each VRF within the same IP subnet - 10.0.0.0/24 - and configuring the firewall with a single interface for the branch zone in the same subnet, like this:
10.0.0.1/24 - Firewall - branches zone
10.0.0.101/24 - ASR Tenant 1 (dot1q 102)
10.0.0.102/24 - ASR Tenant 2 (dot1q 103)
10.0.0.103/24 - ASR Tenant 3 (dot1q 104)
Then somehow on the firewall (or on a switch in-between) bridge VLANs 102-104 together. Bridging the VLANs is not a problem and is out of the scope of this discussion.
If I accomplish this, traffic to and from all branches will go through the same interface and the firewall will be happy.
The problem here is that by default all subinterfaces inherit the MAC address of the physical interface and it seems that it cannot be changed. Or at least I cannot find how on the ASR1001. Is that true?
Meanwhile I found the solution. The right way to go on ISR1k is BDI. Looks like this:
interface GigabitEthernet0/0/1
 description === INSIDE ===
 no ip address
 negotiation auto
 service instance 1 ethernet
  encapsulation dot1q 102
  bridge-domain 102
 !
 service instance 2 ethernet
  encapsulation dot1q 103
  bridge-domain 103
 !
 service instance 3 ethernet
  encapsulation dot1q 104
  bridge-domain 104
 !
end
interface BDI102
 mac-address 6c41.6ac8.903a
 ip vrf forwarding vrf_tenant1
 ip address 10.0.0.101 255.255.255.0
 encapsulation dot1Q 102
!
interface BDI103
 mac-address 6c41.6ac8.903b
 ip vrf forwarding vrf_tenant2
 ip address 10.0.0.102 255.255.255.0
 encapsulation dot1Q 103
!
interface BDI104
 mac-address 6c41.6ac8.903c
 ip vrf forwarding vrf_tenant3
 ip address 10.0.0.103 255.255.255.0
 encapsulation dot1Q 104
!
The above configuration works stably and suits my needs perfectly fine. It's already in production. BTW there are a few standard DOT1q subinterfaces on the same physical interface - no issues there either. So ASR1k proves quite flexible once more.
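As an added example (not from the thread), a small Python check for the BDI design above: it parses the service-instance and BDI stanzas of an IOS-XE config and flags a BDI with no bridge-domain feed, and BDIs in one subnet that share a MAC, which is exactly what happens when they inherit the physical MAC and the VLANs are then bridged. The config it runs on is constructed, with both defects planted.

```python
import re
from collections import defaultdict
from ipaddress import ip_interface

# Constructed sample: neither BDI sets a mac-address and BDI103 has no feed.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0/1
 service instance 1 ethernet
  encapsulation dot1q 102
  bridge-domain 102
interface BDI102
 ip vrf forwarding vrf_tenant1
 ip address 10.0.0.101 255.255.255.0
interface BDI103
 ip vrf forwarding vrf_tenant2
 ip address 10.0.0.102 255.255.255.0
"""

def parse_bdis(config):
    """Return ({bridge-domain: dot1q tag}, {BDI number: attributes})."""
    domains, bdis, bdi, tag = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface BDI(\d+)$", line):
            bdis[(bdi := int(m.group(1)))] = {}   # enter a BDI stanza
        elif line.startswith("interface "):
            bdi = None                            # any other interface stanza
        elif m := re.match(r"encapsulation dot1q (\d+)$", line, re.I):
            tag = int(m.group(1))                 # kept for the next bridge-domain
        elif m := re.match(r"bridge-domain (\d+)$", line):
            domains[int(m.group(1))] = tag
        elif bdi is not None and (m := re.match(r"(mac-address|ip address) (.+)$", line)):
            bdis[bdi][m.group(1)] = m.group(2)
    return domains, bdis

def check_bdis(config):
    """Flag BDIs without a bridge-domain feed and BDIs in one subnet sharing a MAC."""
    domains, bdis = parse_bdis(config)
    findings, by_mac = [], defaultdict(list)
    for num, attrs in sorted(bdis.items()):
        if num not in domains:
            findings.append(f"BDI{num}: no service instance feeds bridge-domain {num}")
        if "ip address" in attrs:
            ip, mask = attrs["ip address"].split()
            net = ip_interface(f"{ip}/{mask}").network
            by_mac[(net, attrs.get("mac-address", "physical"))].append(num)  # no mac-address = inherited physical MAC
    for (net, mac), nums in by_mac.items():
        if len(nums) > 1:
            findings.append(f"{net}: BDIs {nums} share MAC {mac}; they collide once bridged")
    return findings
```

Run it against a real `show running-config` export to confirm every BDI in the bridged subnet carries its own mac-address before the VLANs are joined on the firewall side.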