Solved

How to configure VRF

Posted on 2013-10-25
23
278 Views
Last Modified: 2013-11-18
Hi All.

I have a Cisco 6500 switch with multiple Layer 3 VLANs.
Each VLAN has its own DHCP scope.
I have a 100 Mbps Internet link that will be terminated on this switch.
I have an ASA 5505 firewall which will protect the system.
My question is how do I configure the firewall and switch to route traffic to and from the Internet?
Question by:thombie
23 Comments
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 39602267
I don't see a need for VRF unless you need a router outside of your firewall. If you want to terminate the Internet connection on your 6500 instead of directly on your firewall, just create a new layer 2 VLAN on the 6500, and assign a port for the internet feed and another for your firewall's outside interface to that VLAN. As long as you do not create a matching VLAN interface, traffic on that VLAN should be isolated. The idea is to make sure that the only way for traffic to flow from that VLAN to the rest of your network is through the firewall. If you can plug your Internet feed directly into the firewall, that is the most secure.

I would put the inside interface of the firewall on a dedicated L2/L3 VLAN interface.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39606762
VRFs are configured when you need to have 2 separate routing tables that DO NOT interact in any way. It's like having 2 virtual Layer 3 devices in the same physical box. If you just want to make sure that the firewall is the router you can do this as Kevin suggested.

Perhaps you should explain why you think you need VRF configured, and we can see if Kevin's suggestion will suffice or not.
0
 

Author Comment

by:thombie
ID: 39611679
The reason for Layer 3 is that the switch will be the DHCP server for the subnets.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 39611704
You still don't need VRF unless you are assigning DHCP to the segment OUTSIDE your firewall. All of your L3 VLANs should be inside your firewall. Your firewall inside interface goes on an L3 VLAN. The firewall outside interface to the internet feed and DMZ interfaces all go on separate L2 VLANs.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39615164
Right, VRF has nothing directly to do with Layer 3. VRF basically creates 2 entirely separate Layer 3 machines, each with its own independent and isolated routing tables. This is NOT the same as 2 Layer 3 VLANs or subnets sharing the same routing table, which is what you need.
0
 

Author Comment

by:thombie
ID: 39619349
So where should the internet connection terminate: on the switch or the firewall?
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 39619429
As I said in the first comment, terminate the connection directly on your firewall if you can.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39621961
And if you can't due to a media mismatch of some sort, simply create a layer 2 VLAN on the switch specifically for this connection, and set up 2 ports in the VLAN: one in and one out to the firewall.
0
 

Author Comment

by:thombie
ID: 39633582
I like this idea: "And if you can't due to a media mismatch of some sort, simply create a layer 2 vlan on the switch specifically for this connection, and set up 2 ports in the vlan- one in and one out to the firewall." But I am not sure how to do it.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39633677
conf t
vlan 100
 name ISP_Link
exit
int g1/1
 description ISP
 switchport
 switchport mode access
 switchport access vlan 100
 no shutdown
int g1/2
 description ASA
 switchport
 switchport mode access
 switchport access vlan 100
 no shutdown

That's all you need!
0
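To confirm that the transit VLAN really stays Layer 2 only, as Kevin's first comment requires (no matching VLAN interface), the following 6500 show commands are an added verification step, not part of the thread's answer. They assume the VLAN number and ports from the configuration above (VLAN 100 on Gi1/1 and Gi1/2).

```cisco
! Added verification commands (assumes VLAN 100 on Gi1/1 and Gi1/2 as configured above)
!
! 1. Both ports must show up as members of VLAN 100, and no other port should.
show vlan id 100
!
! 2. No SVI may exist for VLAN 100: the output must not contain a "Vlan100" line.
!    Vlan2 and Vlan3 (the DHCP-served LANs) are expected to be present and up.
show ip interface brief | include Vlan
!
! 3. The same check against the running configuration itself.
show running-config | include interface Vlan
!
! 4. Confirm both ports are access ports in VLAN 100, not trunks carrying inside VLANs.
show interfaces GigabitEthernet1/1 switchport
show interfaces GigabitEthernet1/2 switchport
!
! If an SVI for the transit VLAN ever appears, remove it so the firewall
! remains the only path between the Internet feed and the inside network.
configure terminal
 no interface Vlan100
end
```

Run the first three checks again after any change to the switch: an `interface Vlan100` added later (for example by someone trying to "ping the ISP from the switch") silently creates a routed path around the firewall.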
 

Author Comment

by:thombie
ID: 39633803
So I do this on the switch?
Below is my current config:
broadband-core#sh run
Building configuration...

Current configuration : 5269 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service counters max age 10
!
hostname broadband-core
!
enable secret 5 $1$e.Bk$FPOof4GTex/N09A7Sa4tA0
!
vtp domain bb
vtp mode transparent
ip subnet-zero
!
!
ip dhcp excluded-address 172.16.3.1 172.16.3.2
ip dhcp excluded-address 172.16.4.1 172.16.4.2
!
ip dhcp pool 3NE
   network 172.16.3.0 255.255.255.0
   domain-name broadband.com
   dns-server 8.8.4.4
   default-router 172.16.3.1
!
ip dhcp pool 3SW
   network 172.16.4.0 255.255.255.0
   domain-name broadband.com
   dns-server 8.8.4.4
   default-router 172.16.4.1
!
!
ip vrf 3NE
!
ip vrf 3SW
!
ip vrf INTERNET
ip ssh time-out 120
ip ssh authentication-retries 3
mls flow ip destination
mls flow ipx destination
!
!
spanning-tree mode pvst
!
redundancy
 mode rpr-plus
 main-cpu
  auto-sync running-config
  auto-sync standard
!
!
vlan 2
 name 3NE
!
vlan 3
 name 3SW
!
vlan 4
 name INTERNET
!
!
interface GigabitEthernet1/1
 no ip address
 shutdown
!
interface GigabitEthernet1/2
 no ip address
 shutdown
!
interface GigabitEthernet2/1
 switchport
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet2/2
 switchport
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet4/1
 no ip address
 shutdown
!
interface GigabitEthernet4/2
 no ip address
 shutdown
!
interface GigabitEthernet4/3
 no ip address
 shutdown
!
interface GigabitEthernet4/4
 no ip address
 shutdown
!
interface GigabitEthernet4/5
 no ip address
 shutdown
!
interface GigabitEthernet4/6
 no ip address
 shutdown
!
interface GigabitEthernet4/7
 no ip address
 shutdown
!
interface GigabitEthernet4/8
 no ip address
 shutdown
!
interface GigabitEthernet4/9
 no ip address
 shutdown
!
interface GigabitEthernet4/10
 no ip address
 shutdown
!
interface GigabitEthernet4/11
 no ip address
 shutdown
!
interface GigabitEthernet4/12
 no ip address
 shutdown
!
interface GigabitEthernet4/13
 no ip address
 shutdown
!
interface GigabitEthernet4/14
 no ip address
 shutdown
!
interface GigabitEthernet4/15
 no ip address
 shutdown
!
interface GigabitEthernet4/16
 no ip address
 shutdown
!
interface GigabitEthernet7/1
 switchport
 switchport access vlan 2
!
interface GigabitEthernet7/2
 switchport
 switchport access vlan 3
!
interface GigabitEthernet7/3
 no ip address
 shutdown
!
interface GigabitEthernet7/4
 no ip address
 shutdown
!
interface GigabitEthernet7/5
 no ip address
 shutdown
!
interface GigabitEthernet7/6
 no ip address
 shutdown
!
interface GigabitEthernet7/7
 no ip address
 shutdown
!
interface GigabitEthernet7/8
 no ip address
 shutdown
!
interface GigabitEthernet7/9
 no ip address
 shutdown
!
interface GigabitEthernet7/10
 no ip address
0
 
LVL 28

Accepted Solution

by:
mikebernhardt earned 500 total points
ID: 39634093
Correct. Obviously the vlan number, vlan name, and ports are up to you.
0
 

Author Closing Comment

by:thombie
ID: 39634768
This has worked.
0
 

Author Comment

by:thombie
ID: 39634771
What about routing?
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 39634949
Your ASA just needs a default route to your ISP.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39635000
1. ASA needs a default route to the ISP
2. ASA needs routes to the 6500 for any Layer 3 LANs that exist there.
3. 6500 needs a default route to the ASA.
0
 

Author Comment

by:thombie
ID: 39636041
Thanks
0
 

Author Comment

by:thombie
ID: 39638497
So how do the in and out ports work?
Do I plug both cables into the internal side of the firewall?
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39643230
For that vlan we were talking about before? One goes to the ISP, the other goes to the outside of the firewall.

The inside of the firewall goes to a different port. You only probably need a point-to-point link between the 6500 and the firewall, so you could just make a layer 3 port on the 6500 and share a small subnet with the inside interface of the firewall. It's simpler than making a vlan.

So, route #s 2 and 3 above would point between those 2 interfaces.
0
 

Author Comment

by:thombie
ID: 39650899
Thanks. So this is my cable layout:
6500 switch

port 7/47 VLAN 100 cabled to the outside interface of the ASA
port 7/48 VLAN 100 cabled to ISP equipment
Should I have 7/46 cabled to the internal interface of the ASA?
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39651936
Yes, or your ASA won't be talking to anything on the inside. But it must be on a different VLAN than the outside stuff, and it has to have Layer 3 on the switch, not just Layer 2 like Vlan 100.
0
 

Author Comment

by:thombie
ID: 39655819
OK. So if I create a VLAN 30 with a small subnet it should work?
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39657323
Yes, or you could just put an IP address on the switch port in that small subnet and skip the VLAN altogether. Your choice.
0
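Pulling together Mike's three routes, the routed inside link he described, and the VLAN 30 variant from the last two comments, here is a complete configuration for both boxes. This is an added example, not configuration from the thread: the addresses (10.255.255.0/30 for the 6500-to-ASA link, 203.0.113.0/30 from the ISP with gateway .1), port Gi1/3 for the inside link, the SVIs Vlan2 and Vlan3 matching the default-router of each DHCP pool in the posted config, and the ASA 8.3+ object NAT syntax are all assumptions.

```cisco
! ===== Catalyst 6500 (added example; addresses and Gi1/3 are assumptions) =====
!
! Layer 2 transit VLAN: the ISP feed and the ASA outside interface share it,
! and it deliberately has NO SVI, so the only path from the Internet into
! the network is through the firewall.
vlan 100
 name ISP_Link
!
interface GigabitEthernet1/1
 description ISP
 switchport
 switchport mode access
 switchport access vlan 100
 no shutdown
!
interface GigabitEthernet1/2
 description ASA-outside
 switchport
 switchport mode access
 switchport access vlan 100
 no shutdown
!
! Routed point-to-point link to the ASA inside interface (the "simpler" option).
interface GigabitEthernet1/3
 description ASA-inside
 no switchport
 ip address 10.255.255.1 255.255.255.252
 no shutdown
!
! Alternative: VLAN 30 with an SVI instead of the routed port (use one, not both).
!  vlan 30
!   name ASA_Inside
!  interface GigabitEthernet1/3
!   switchport
!   switchport mode access
!   switchport access vlan 30
!  interface Vlan30
!   ip address 10.255.255.1 255.255.255.252
!
! Inside Layer 3 VLANs; addresses assumed from the DHCP pools' default-router lines.
interface Vlan2
 description 3NE
 ip address 172.16.3.1 255.255.255.0
!
interface Vlan3
 description 3SW
 ip address 172.16.4.1 255.255.255.0
!
! Route 3: everything the 6500 does not know about goes to the ASA inside address.
ip route 0.0.0.0 0.0.0.0 10.255.255.2
!
! ===== ASA 5505 (added example; ISP addressing is assumed) =====
! On the 5505, physical ports are switch ports and the IP lives on a VLAN interface.
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.255.255.2 255.255.255.252
!
! Route 1: default route to the ISP.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Route 2: the Layer 3 LANs live on the 6500, so point them at its link address.
route inside 172.16.3.0 255.255.255.0 10.255.255.1 1
route inside 172.16.4.0 255.255.255.0 10.255.255.1 1
!
! Hide the private subnets behind the outside address (ASA 8.3+ object NAT, assumed version).
object network LAN_3NE
 subnet 172.16.3.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network LAN_3SW
 subnet 172.16.4.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

Route 3 on the 6500 and route 2 on the ASA point at opposite ends of the same /30, which is what "route #s 2 and 3 above would point between those 2 interfaces" means in practice. Note that no `interface Vlan100` and no `ip vrf` statements appear anywhere: the transit VLAN is isolated by having no Layer 3 presence on the switch, and the VLAN 30 variant is interchangeable with the routed port as long as only one of them is configured.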
