Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
613
Views
0
Helpful
5
Replies

Avoid using connected network using vrf

Go to solution
danbowencisco
Level 1
Level 1

‎04-20-2012 06:59 AM - edited ‎03-07-2019 06:15 AM

Hi Everyone,

I have a 3560G connected to an ASA FW, both running layer 3 and hosting 6 or so VLANs. The switch is the default gateway for all VLANs (client request) and therefore see's all networks as connected. I used route maps to push the traffic from the switch to the FW so that it got firewalled before being delivered, but I cannot use one of the commands for failover should the FW fail (I wanted to route locally should the FW fail).

So, my question is this. If I placed all VLANs in their own vrf, NETA would not longer see NETB as a connected network and would follow the route to the FW's NETA interface. I could then inject the connecteds into each vrf but adjust theirf metric so that they are less preferable than the route to the FW. Should the FW route die, the next route would become active and traffic would route internally to the switch.

Can anyone see a problem with this idea?

Dan

PS - thanks in advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame

‎04-20-2012 07:26 AM

How are you planning to inject the routes?

To leak routes between VRFs, you use static routing in the 3560 but you must point the gateway to an external device.

Ideally, you can use the FW as the gateway for those static routes but if the FW is down, the failover static routing approach won't work as expected.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame

‎04-20-2012 07:26 AM

How are you planning to inject the routes?

To leak routes between VRFs, you use static routing in the 3560 but you must point the gateway to an external device.

Ideally, you can use the FW as the gateway for those static routes but if the FW is down, the failover static routing approach won't work as expected.

0 Helpful

Go to solution
danbowencisco
Level 1
Level 1
In response to Edison Ortiz

‎04-20-2012 07:39 AM

thanks Edison.

Im trying to find a workaround for my previous question, but the route map statement isnt supported on 3560G. Any ideas on how I could get around this?

Dan

0 Helpful

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame
In response to danbowencisco

‎04-20-2012 07:45 AM

Implementing redundancy at the FWs and only use the switches for Layer2?

0 Helpful

Go to solution
danbowencisco
Level 1
Level 1
In response to Edison Ortiz

‎04-20-2012 07:50 AM

we only have a single FW and a single switch, unfortunately.

Dan

0 Helpful

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame
In response to danbowencisco

‎04-20-2012 07:52 AM

No way around it...

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card