  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1502

VRF Help

Hi Guys
I need help with securing a network using VRF Lite. All switches are Cisco 3750s running IP Service IOS and configured with EIGRP for routing.
I need to configure those switches with VRF to achieve what you can see in my table in the attached VRF Design document.
I know that the ASA firewall is not VRF aware! How do I configure ACLs on the ASA to achieve this? Please, I need help with the configuration steps.
Everything is explained in the attached VRF Design document, from Zone 1 to Zone 6. For what we should allow and deny, please refer to the attached VRF Design document.
Thanks in advance!
M

VRF-Design.doc
Asked by: modathir
1 Solution
 
jmeggers (Sr. Network and Security Engineer) commented:
I'll caveat this with the statement that I've never actually set this up, so it's entirely possible there's a flaw in my logic, but I would think you should be able to connect each VRF to its own ASA interface and treat them as separate DMZs. You have a choice in whether to use the same or different security levels on the DMZ interfaces, but either way you will want an ACL inbound on each interface controlling what other DMZ that traffic is allowed to reach. If you assign the same security level for each DMZ, traffic is not allowed between those interfaces by default; you would have to use the "same-security-level permit inter-interface" command to permit that traffic, but then the traffic will flow regardless of an ACL. If you use different security levels, then the default behavior of the ASA, where traffic from a more-trusted interface is automatically allowed out a less-trusted interface, will apply. You will also need to have either enough physical interfaces to accommodate the DMZs, or use subinterfaces on the ASA and trunk from one of the VRF-aware 3750s.

I may try to mock this up to see if I'm missing anything major....
Question has a verified solution.
