multi vrf-lite same switch (3750)

yann.boulet (Level 1)

Hi all,

I am a new VRF-lite user. In my lab, I want to isolate traffic on the same routing equipment, which is a C3750.

See my network schema attached below.

This is a new network, so I have to create it from scratch. I have 3 security contexts and four areas on 2 contexts. I want to virtualize all the routers in the schema using only one 3750; I think VRF-lite is the best option. My problem is how to create what I call in the schema the "interco" network in AREA3, AREA4, AREA3 and AREA4B, because 3 L3 interfaces should be in the same VLAN?

Thank you for your help

23 Replies

Hello Yann,

I like your new network schema.

I think we are going to the following scenario:

the C3750 provides the VRFs and the separation of IP subnets.

A one-to-one correspondence between a VRF and an ASA context is possible, but using a single context can be easier.

A) single context and ASA performing inter-VRF communications

the ASA can be used for both:

internet connectivity

inter-VRF communication in a controlled way

the C3750, in each VRF, has a default static route pointing to the ASA address in the corresponding VLAN subinterface.

something like (the outgoing SVI is given first, then the ASA address as next hop):

ip route vrf vrf-name 0.0.0.0 0.0.0.0 Vlan2202 next-hop-ip-address

The controlled inter-VRF communication, if using a single context on the ASA, becomes a question of ACLs and nat or static commands.

B) ASA multicontext and C3750 performing inter VRF communication

The alternate way to do this is:

using the more complex configuration on the C3750, as described in previous posts, to perform inter-VRF communication without going to the ASA.

On the ASA, a security context for each VRF is configured and they are separated from the point of view of the ASA.

(actually a single context using the same level of trust on the interfaces to the VRFs could also be used)

so it is up to you to make a choice.

probably design A provides better control, because you can limit by using ACLs what type of traffic can be exchanged between the different VRFs.

design B moves all the complexity to the C3750 and could be preferred for other reasons (like my lack of expertise on the ASA..)

Hope to help

Giuseppe

Hello Giuseppe,

my choice depends on your answer. If I take VLANs 2270 and 2271, is it possible, if I choose proposal A, to let those two networks communicate directly through the 3750? Or do I have to implement all my slave networks at the same level in the ASA?

My other question is: if I use proposal B, how can I configure VLANs 2271 and 2203 and VLAN 2202 in the same equipment? There is something I misunderstand: for VLAN 2203 in my schema I have the same equipment with the same VLAN ID in the same IP network, and I can't configure it. So where is the problem, or what do I need to configure?

thank you

Hi Giuseppe,

can you just help me with the beginning? I'm stuck at the moment on the VRF configuration and the interconnection between two routers in the same VLAN and the same IP network: how can they communicate?

thank you

Hi,

I know that Giuseppe is busy, but maybe somebody else can give some advice. I want to know if it's possible to have this configuration using Cisco equipment without using physical interfaces and physical wires.

thank you

Hello Yann,

sorry for your endless waiting.

in option A you just need to set up

an L2 trunk from the C3750 to the ASA

over the link you permit one VLAN per VRF,

the same is done on the ASA side.

you don't need dedicated per-VRF links.

another reason I couldn't answer is that I wished to find a good config example to start with.

And we try to help here, but each of us has his/her main job, the one for which we are paid.

Hope to help

Giuseppe
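As an added worked example (not a configuration from this thread or from Cisco's own documentation), the following shows option A in full: VRF-lite on the C3750 with one SVI per VRF, a single 802.1Q trunk carrying one "interco" VLAN per VRF towards the ASA, a per-VRF default route towards the ASA subinterface, and a single ASA context that controls inter-VRF traffic with ACLs. Only VLANs 2202 and 2203 are taken from the thread; the VRF names AREA3/AREA4, the client VLANs 103/104, the 10.x.x.x addresses, the interface names, the ASA version (pre-8.3 syntax) and the Internet-facing interface (omitted here) are assumptions.

```ios
! ===== C3750: VRF-lite, one VLAN per VRF, single trunk to the ASA =====
! Assumed names/addresses: VRFs AREA3 and AREA4, client VLANs 103/104,
! 10.x.x.x prefixes. VLAN 2202/2203 are the "interco" VLANs of the thread.
ip routing
!
ip vrf AREA3
 rd 65000:3
!
ip vrf AREA4
 rd 65000:4
!
vlan 2202
 name AREA3-to-ASA
vlan 2203
 name AREA4-to-ASA
vlan 103
 name AREA3-clients
vlan 104
 name AREA4-clients
!
! Each SVI belongs to exactly one VRF. Two VRFs never share a VLAN or an IP
! subnet on the same switch, which is the restriction asked about in this thread:
! the peer of each VRF is the ASA, not another SVI of the same switch.
interface Vlan2202
 ip vrf forwarding AREA3
 ip address 10.3.255.2 255.255.255.0
!
interface Vlan103
 ip vrf forwarding AREA3
 ip address 10.3.1.1 255.255.255.0
!
interface Vlan2203
 ip vrf forwarding AREA4
 ip address 10.4.255.2 255.255.255.0
!
interface Vlan104
 ip vrf forwarding AREA4
 ip address 10.4.1.1 255.255.255.0
!
! One trunk towards the ASA; only the per-VRF interco VLANs are allowed, so
! a client VLAN cannot reach the firewall link by accident.
interface GigabitEthernet1/0/1
 description trunk to ASA
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2202,2203
 switchport mode trunk
!
! Per-VRF default route: outgoing SVI first, then the ASA subinterface address.
ip route vrf AREA3 0.0.0.0 0.0.0.0 Vlan2202 10.3.255.1
ip route vrf AREA4 0.0.0.0 0.0.0.0 Vlan2203 10.4.255.1
!
! Checks: show ip vrf interfaces / show ip route vrf AREA3 / ping vrf AREA3 10.3.255.1

! ===== ASA, single context (pre-8.3 syntax assumed): one subinterface per VRF =====
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.2202
 vlan 2202
 nameif area3
 security-level 50
 ip address 10.3.255.1 255.255.255.0
!
interface GigabitEthernet0/1.2203
 vlan 2203
 nameif area4
 security-level 50
 ip address 10.4.255.1 255.255.255.0
!
! Return routes into each VRF's client subnet via the C3750 SVI of that VRF.
route area3 10.3.1.0 255.255.255.0 10.3.255.2
route area4 10.4.1.0 255.255.255.0 10.4.255.2
!
! Interfaces with equal security levels do not talk to each other until this
! is enabled; the ACL below then limits inter-VRF traffic to what is wanted.
same-security-traffic permit inter-interface
!
! Only if nat-control is enabled on this ASA: identity static so the inter-VRF
! flow needs no translation (nat-control is off by default on 7.x).
! static (area3,area4) 10.3.1.0 10.3.1.0 netmask 255.255.255.0
!
! First match wins: allow AREA3 clients to reach AREA4 on 443 only,
! deny everything else towards AREA4, allow the rest (e.g. Internet, not shown).
access-list AREA3_IN extended permit tcp 10.3.1.0 255.255.255.0 10.4.1.0 255.255.255.0 eq 443
access-list AREA3_IN extended deny ip 10.3.1.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list AREA3_IN extended permit ip 10.3.1.0 255.255.255.0 any
access-group AREA3_IN in interface area3
```

Two practical caveats: VRF-lite on the 3750 needs the IP services feature set, so check the image (and `show sdm prefer`) before expecting `ip vrf forwarding` to be accepted; and the ACL on the ASA is the only thing separating the two areas once `same-security-traffic permit inter-interface` is on, so the explicit `deny` towards the other VRF should come before any broad `permit ... any` that is meant for Internet access.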

Hello Giuseppe,

I know that you don't have a lot of time, and I know that when I use this forum everybody takes their working time to help other people like me :) and I am very grateful for your help.

I understand your proposal, but I think I am missing something. Can you confirm that I can't have, in the same switch, 2 IP interfaces in the same VLAN and the same IP network?

Because if I use the ASA to manage the VRFs, all my networks will be at the same level and all the networks will be routed through the ASA, is that correct?

regards,

Yann

Hello Yann,

>> can you confirm that I can't have, in the same switch, 2 IP interfaces in the same VLAN and the same IP network?

yes, this is true

>> because if I use the ASA to manage the VRFs, all my networks will be at the same level and all the networks will be routed through the ASA, is that correct?

partially correct: only inter-VRF communication will go through the ASA.

Hope to help

Giuseppe

OK, so I can't configure my network as in the schema with only one L3 switch, because it would mean that 2 IP interfaces would be in the same IP network and that's not possible. So if you take my schema, it means that either I use the ASA to route everything, or I can't remove the VLAN that interconnects my routers and I won't have any interfaces in the same IP network. Am I right?

Thanks once again, Giuseppe :)

Hello Yann,

you can use a single L3 switch with VRFs, but the neighbor at each VRF's exit point is the ASA.

with option B you configure inter-VRF communication on the L3 switch itself, as explained in the first posts of this thread.

the drawback of the option B design is that if you want to enable inter-VRF communication only for specific types of traffic, or between subsets of hosts, you need to configure ACLs on the VRF interfaces facing the client VLANs.

Actually, option A would require configuring ACLs and other firewall-specific commands on the ASA.

in the case of a single context, to enable communication between different interfaces in the same context you need global, nat and static commands and also the ACLs.

to see this aspect you can read the following document, taken from the ASA 7.2 configuration guide

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043458

Hope to help

Giuseppe
