Solved

VRF Help

Posted on 2011-03-23
1
1,484 Views
Last Modified: 2012-05-11
Hi Guys
I need help with securing Network using VRF Lite all switches are Cisco 3750 running IP Service IOS and configured with EIGRP for routing.
I need to configure those switches with VRF and to achieve what you can see on my table that attached in the VRF Design document.
I know that ASA firewall is not VRF aware! How to configure ACL on ASA to achieve this? Please I need help with configuration steps.
Everything explained in the VRF Design document attached. from Zone1 to Zone 6 and what should we allow and deny please refer to the attached VRF Design document.
Thanks in advance!
M

VRF-Design.doc
0
Comment
Question by:modathir
1 Comment
 
LVL 18

Accepted Solution

by:
jmeggers earned 500 total points
Comment Utility
I'll caveat this with the statement that I've never actually set this up, so it's entirely possible there's a flaw in my logic, but I would think you should be able to connect each VRF to its own ASA interface and treat them as separate DMZs.  You have a choice in whether to use the same or different security levels on the DMZ interfaces but either way you will want an ACL in-bound on each interface controlling what other DMZ that traffic is allowed to reach.  If you assign the same security level for each DMZ traffic is not allowed between those interfaces by default; you would have to use the "same-security-level permit inter-interface" command to permit that traffic, but then the traffic will flow regardless of an ACL.  If you use different security levels, then the default behavior of the ASA where traffic from a more-trusted interface is automatically allowed out a less-trusted interface will apply.  You will also need to have either enough physical interfaces to accommodate the DMZs, or use subinterfaces on the ASA and trunk from one of the VRF-aware 3750s.

I may try to mock this up to see if I'm missing anything major....
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now