Solved

VRF Help

Posted on 2011-03-23
Last Modified: 2012-05-11
Hi guys,
I need help with securing a network using VRF Lite. All switches are Cisco 3750s running IP Services IOS and configured with EIGRP for routing.
I need to configure those switches with VRF to achieve what you can see in my table, which is attached in the VRF Design document.
I know that the ASA firewall is not VRF aware! How do I configure ACLs on the ASA to achieve this? Please, I need help with the configuration steps.
Everything is explained in the attached VRF Design document, from Zone 1 to Zone 6. For what we should allow and deny, please refer to the attached VRF Design document.
Thanks in advance!
M

VRF-Design.doc
Question by:modathir

Accepted Solution

by:
jmeggers earned 500 total points
ID: 35203231
I'll caveat this with the statement that I've never actually set this up, so it's entirely possible there's a flaw in my logic, but I would think you should be able to connect each VRF to its own ASA interface and treat them as separate DMZs. You have a choice in whether to use the same or different security levels on the DMZ interfaces, but either way you will want an ACL inbound on each interface controlling what other DMZ that traffic is allowed to reach. If you assign the same security level for each DMZ, traffic is not allowed between those interfaces by default; you would have to use the "same-security-level permit inter-interface" command to permit that traffic, but then the traffic will flow regardless of an ACL. If you use different security levels, then the default behavior of the ASA, where traffic from a more-trusted interface is automatically allowed out a less-trusted interface, will apply. You will also need to have either enough physical interfaces to accommodate the DMZs, or use subinterfaces on the ASA and trunk from one of the VRF-aware 3750s.

I may try to mock this up to see if I'm missing anything major....