Solved

VRF Help

Posted on 2011-03-23
Last Modified: 2012-05-11
Hi Guys
I need help with securing a network using VRF Lite. All switches are Cisco 3750s running IP Services IOS and configured with EIGRP for routing.
I need to configure those switches with VRF to achieve what you can see in my table in the attached VRF Design document.
I know that the ASA firewall is not VRF aware! How do I configure ACLs on the ASA to achieve this? Please, I need help with the configuration steps.
Everything is explained in the attached VRF Design document. For Zone 1 to Zone 6 and what we should allow and deny, please refer to the attached VRF Design document.
Thanks in advance!
M

VRF-Design.doc
Question by:modathir
1 Comment
 
LVL 18

Accepted Solution

by:
jmeggers earned 500 total points
ID: 35203231
I'll caveat this with the statement that I've never actually set this up, so it's entirely possible there's a flaw in my logic, but I would think you should be able to connect each VRF to its own ASA interface and treat them as separate DMZs. You have a choice in whether to use the same or different security levels on the DMZ interfaces, but either way you will want an ACL in-bound on each interface controlling what other DMZ that traffic is allowed to reach. If you assign the same security level for each DMZ, traffic is not allowed between those interfaces by default; you would have to use the "same-security-level permit inter-interface" command to permit that traffic, but then the traffic will flow regardless of an ACL. If you use different security levels, then the default behavior of the ASA, where traffic from a more-trusted interface is automatically allowed out a less-trusted interface, will apply. You will also need to have either enough physical interfaces to accommodate the DMZs, or use subinterfaces on the ASA and trunk from one of the VRF-aware 3750s.

I may try to mock this up to see if I'm missing anything major....
0
