daryldavies

asked on

VRF, OSPF Routing and Firewall Help Request

I have a Cisco network with Cisco 4948 switch, 3800 router, and ASA5520 firewall.

I would like to build all my SVIs on the Cisco 4948 switch and do internal routing on the 4948 switch. I would like to build several VRFs per network and use OSPF to route traffic to the firewall so that traffic can be filtered.

I would like to use the router only for external routing and would still want this traffic to traverse the firewall.

I have the following two networks for testing:

Network 1 - 10.10.10.0/28 - WEB NETWORK    (TEST SERVER 10.10.10.8)
Network 2 - 10.10.11.0/28 - APP_DB NETWORK (TEST SERVER 10.10.11.8)

I tried a telnet from 10.10.10.8 to 10.10.11.8 on TCP port 139 and got no answer.

SEE CONFIG BELOW:

!
****** CIS4948 **********
!
vlan 255
name WEB
!
!
vlan 256
name APP_DB
!
ip vrf WEB
 description WEB VRF
 rd 1:255
!
!
!
!
ip vrf APP_DB
 description APP_DB VRF
 rd 1:256
!
!
interface Vlan255
 description WEB Subnet
 ip vrf forwarding WEB
 ip address 10.10.10.2 255.255.255.240
 no ip redirects
 no ip proxy-arp
 standby 1 ip 10.10.10.1
 standby 1 priority 110
 standby 1 preempt
!
!
!
interface Vlan256
 description APP_DB Subnet
 ip vrf forwarding APP_DB
 ip address 10.10.11.2 255.255.255.240
 no ip redirects
 no ip proxy-arp
 standby 1 ip 10.10.11.1
 standby 1 priority 110
 standby 1 preempt
!
!
router ospf 11 vrf WEB
 router-id 10.10.12.5
 log-adjacency-changes
 auto-cost reference-bandwidth 100000
 capability vrf-lite
 area 16 nssa
 passive-interface Vlan255
 network 10.10.10.0 0.0.0.15 area 16
!
!
!
router ospf 12 vrf APP_DB
 router-id 10.10.12.5
 log-adjacency-changes
 auto-cost reference-bandwidth 100000
 capability vrf-lite
 area 16 nssa
 passive-interface Vlan256
 network 10.10.11.0 0.0.0.15 area 16
!
!
!
!
****** CIS5520 **********


interface vlan

!
interface GI0/1.255
 description WEB
 vlan 255
 nameif WEB#255
 security-level 61
 ip address 10.10.10.4 255.255.255.240
 ospf cost 1
 ospf priority 2
!
!
!
interface GI0/1.256
 description APP_DB
 vlan 256
 nameif APP_DB#256
 security-level 61
 ip address 10.10.11.4
 ospf cost 1
 ospf priority 2
!
!
object-group service WEB_PORT
description WEBPORT
service-object tcp 80
service-object tcp 8080
!
!
object-group service WEB_PORT
description WEBPORT
service-object tcp 8442
service-object tcp 443
service-object tcp 22
!
!
object-group network WEB
description WEB
network-object 10.10.10.0 255.255.255.240
!
object-group network APP_DB
description APP_DB
network-object 10.10.11.0 255.255.255.240
!
!
!
object-group service DB_PORT
 description DB_PORT
 service-object icmp6 echo
 service-object icmp6 echo-reply
 service-object tcp eq 445
 service-object tcp eq 8080
 service-object tcp eq https
 service-object tcp eq netbios-ssn
!
!
!
object-group service WEB_PORT
 description WEBPORT
 service-object tcp eq www
 service-object tcp eq 8442
 service-object tcp eq ssh
 service-object tcp eq 8080
 service-object tcp eq https
!
access-list WEB#255_access_in extended permit object-group DB_PORT object-group WEB object-group APP_DB
access-list APP_DB#256_access_in extended permit object-group WEB_PORT 10.0.0.0 255.0.0.0 10.10.10.0 255.255.255.240
!
!
router ospf 11
network 10.10.10.0 255.255.255.255 area 16
area 16 nssa
router-id 10.10.10.5
log-adj-changes
!
!
router ospf 12
network 10.10.11.0 255.255.255.255 area 16
area 16 nssa
router-id 10.10.11.5
log-adj-changes
!
keakathleen

Hello,

If you want to do SVIs then your physical ports (Gi0/1) should most likely be set up in a trunk format without IPs. You will be able to trunk VLAN 255 and 256 on the same physical port. You will need to switch them to a switch mode instead of a routing mode to do this.

In the end, you want to trunk VLAN 255 and 256 and then after being trunked in on the VLAN they will be routed through your virtual VLAN interfaces with IPs. I also noticed that your Gi0/1 port is subinterfaced so you will need to use another physical port to try converting over to SVIs.
rauenpc
I'm confused. You say you want to use the 4948 to do internal routing, but by setting up VRFs you are splitting the routing function of the 4948 into pieces, which would then require you to use the firewall for any routing between the VRFs.

Am I misunderstanding your intentions?
daryldavies

ASKER

Internal routes are going through the 4948 and I am doing external routes on a Cisco 3800 router. That's the split.
keakathleen, it is not possible for me to build a trunk on a Cisco 5520 firewall. Same with VLANs, I cannot build a VLAN on a Cisco 5520. This is why I used sub-interfaces.
I see. I missed the segmentation between your configs.

Do you have connectivity established on your interface vlans? From your VLAN/subnet 255 or 256, can you ping your gateway? Can you ping your interface VLANs within the 4948? Are they up/up?

I do not understand the masking on the 5520 for OSPF. Why is the mask set to 255.255.255.255? I would think a mask might create some odd routing factors.

Finally, there is not a mask listed for subinterface Gi0/1.256 but perhaps that was just truncated when copied.
Thanks for your response.

I am able to ping the gateway from a server on VLAN 255 and a server on VLAN 256. I cannot ping out of these subnets, meaning I can ping the gateway from a server on VLAN 255, but from that server I cannot ping the gateway for VLAN 256.

The interfaces are up/up.

I have changed the mask on OSPF and still cannot telnet across the firewall.


!
router ospf 11
network 10.10.10.0 255.255.255.240 area 16
area 16 nssa
router-id 10.10.10.5
log-adj-changes
!
!
router ospf 12
network 10.10.11.0 255.255.255.240 area 16
area 16 nssa
router-id 10.10.11.5
log-adj-changes
!
I still do not have a solution for this. Can someone help please?
I think your masks should be wildcards, 0.0.0.15
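As an added worked check (not part of any post in this thread), the following Python script parses OSPF and interface configuration in the two styles posted above and tests whether each interface address is actually selected by a "network" statement. It encodes the platform difference that the mask discussion turns on: IOS "router ospf" takes a wildcard (inverse) mask, while ASA "router ospf" takes a normal subnet mask, so the same numeric string selects different addresses on the two boxes. The config excerpts are constructed from the thread (the ASA excerpt keeps the original 255.255.255.255 mask and the sub-interface with no mask), and the function names are the example's own.

```python
"""Check whether each addressed interface is enabled for OSPF by a 'network'
statement, honouring the platform's mask convention (IOS: wildcard mask,
ASA: subnet mask). Constructed example for the thread; not the poster's code."""
import ipaddress
import re

# Constructed excerpt of the 4948 (IOS) configuration from the thread.
IOS_CONFIG = """
interface Vlan255
 ip vrf forwarding WEB
 ip address 10.10.10.2 255.255.255.240
interface Vlan256
 ip vrf forwarding APP_DB
 ip address 10.10.11.2 255.255.255.240
router ospf 11 vrf WEB
 network 10.10.10.0 0.0.0.15 area 16
router ospf 12 vrf APP_DB
 network 10.10.11.0 0.0.0.15 area 16
"""

# Constructed excerpt of the ASA configuration as first posted (/32 mask,
# and the second sub-interface with no mask at all).
ASA_CONFIG = """
interface GI0/1.255
 nameif WEB#255
 ip address 10.10.10.4 255.255.255.240
interface GI0/1.256
 nameif APP_DB#256
 ip address 10.10.11.4
router ospf 11
 network 10.10.10.0 255.255.255.255 area 16
router ospf 12
 network 10.10.11.0 255.255.255.255 area 16
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
OSPF_RE = re.compile(r"^router ospf\s+(\d+)")
IP_RE = re.compile(r"^\s+ip address\s+(\S+)(?:\s+(\S+))?\s*$")
NETWORK_RE = re.compile(r"^\s+network\s+(\S+)\s+(\S+)\s+area\s+(\S+)")


def parse(config):
    """Return ({iface: (address, mask_or_None)}, {process: [(net, mask, area)]})."""
    interfaces, processes = {}, {}
    context = None  # ("interface", name) or ("ospf", process id)
    for line in config.splitlines():
        if m := INTERFACE_RE.match(line):
            context = ("interface", m.group(1))
        elif m := OSPF_RE.match(line):
            context = ("ospf", m.group(1))
            processes.setdefault(context[1], [])
        elif context and context[0] == "interface" and (m := IP_RE.match(line)):
            interfaces[context[1]] = (m.group(1), m.group(2))
        elif context and context[0] == "ospf" and (m := NETWORK_RE.match(line)):
            processes[context[1]].append(m.groups())
    return interfaces, processes


def covers(network, mask_field, address, platform):
    """True if the 'network <network> <mask_field>' statement selects address.
    On IOS the field is a wildcard (1 bits = don't care); on ASA it is a
    subnet mask (1 bits = must match)."""
    net = int(ipaddress.IPv4Address(network))
    addr = int(ipaddress.IPv4Address(address))
    field = int(ipaddress.IPv4Address(mask_field))
    care = (~field & 0xFFFFFFFF) if platform == "ios" else field
    return (net & care) == (addr & care)


def ospf_interface_report(config, platform):
    """Map each addressed interface to the OSPF processes that enable it, or
    to a single finding explaining why none does."""
    interfaces, processes = parse(config)
    report = {}
    for name, (address, mask) in interfaces.items():
        if mask is None:
            report[name] = ["interface address has no subnet mask (possibly truncated in the paste)"]
            continue
        enabling = [pid for pid, nets in processes.items()
                    if any(covers(n, m, address, platform) for n, m, _ in nets)]
        if enabling:
            report[name] = [f"enabled by ospf {pid}" for pid in enabling]
        else:
            report[name] = [f"{address} matches no 'network' statement on {platform}"]
    return report


if __name__ == "__main__":
    for platform, config in (("ios", IOS_CONFIG), ("asa", ASA_CONFIG)):
        for iface, findings in ospf_interface_report(config, platform).items():
            print(f"{platform} {iface}: {'; '.join(findings)}")
```

Run as a script it reports that both SVIs on the 4948 are enabled by their VRF's OSPF process, while on the ASA 10.10.10.4 is not selected by a 10.10.10.0 255.255.255.255 statement (a /32 mask matches only the .0 address), and GI0/1.256 has no mask to evaluate. Swapping in the 0.0.0.15 wildcard on the ASA side does not help either, because the ASA reads it as a subnet mask; the corrected 255.255.255.240 mask from the later post is what selects the interface there.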
ASKER CERTIFIED SOLUTION
keakathleen
I've requested that this question be deleted for the following reason:

delete