Re: [c-nsp] Multiple VRFs over site-to-site VPN? Possible?
I believe that you can use the ASA for the IPsec part and create GRE tunnels between the PE and CE (one for each VRF). You would, though, need something like an ISR on both ends, or switches that support GRE in hardware, so the 3560/3750 should change.

Regards,
John

On Tue, 1 Feb 2011, Jeff Kell wrote:

> Ran across a new requirement where we would like to extend our campus standard multi-VRF routed building out to a remote site over the public Internet. Absent the ideal MPLS or multiple-vlan Metro-E, can you do this site-to-site over a pair of ASAs? Ideally it would be something along the lines of:
>
>   VRF A vlan 123--
>   VRF B vlan 456--(terminating on --- Site ASA ... Campus ASA --- Campus PE (VRF A/B/C)
>   VRF C vlan 789--   3560/3750 CE)
>
> Perhaps in simpler terms, bringing the 3 VRF vlans across the wire onto similar VRF vlans on the campus side. On-campus we just run a dot1Q trunk with a vlan for each VRF from CE to PE. Can you trunk them into the ASA and do separate tunnels over the public IP endpoints, dropping them on separate vlans on the other end? Without meshing the routing / crossing the streams with respect to the VRFs?

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Multiple VRFs over site-to-site VPN? Possible?
I have seen a similar idea, using MPLS inside DMVPN - see Ivan's blog: http://blog.ioshints.info/2011/02/end-to-end-qos-marking-in-mplsvpn-over.html

But you would need an ISR for this; DMVPN (and MPLS) is not possible on the ASA.

-pavel

On Wed, Feb 2, 2011 at 12:20 AM, Jeff Kell jeff-k...@utc.edu wrote:

> Ran across a new requirement where we would like to extend our campus standard multi-VRF routed building out to a remote site over the public Internet. Absent the ideal MPLS or multiple-vlan Metro-E, can you do this site-to-site over a pair of ASAs?
> [...]
> Jeff
Re: [c-nsp] Multiple VRFs over site-to-site VPN? Possible?
If there were an ISR on both ends then I'd just do VRF-aware IPsec and plumb L2TPv3 inside of this to transport the VLAN; of course this doesn't answer the original question of doing this with the ASA.

--
Regards,
Ge Moua
Network Design Engineer
University of Minnesota | OIT - NTS
--

On 02/03/2011 04:26 AM, John Kougoulos wrote:

> I believe that you can use the ASA for the IPsec part and create GRE tunnels between the PE and CE (one for each VRF). You would, though, need something like an ISR on both ends, or switches that support GRE in hardware, so the 3560/3750 should change.
>
> Regards,
> John
>
> On Tue, 1 Feb 2011, Jeff Kell wrote:
>
>> Ran across a new requirement where we would like to extend our campus standard multi-VRF routed building out to a remote site over the public Internet. Absent the ideal MPLS or multiple-vlan Metro-E, can you do this site-to-site over a pair of ASAs?
>> [...]
Re: [c-nsp] Multiple VRFs over site-to-site VPN? Possible?
Hello,

On Thu, 3 Feb 2011, Ge Moua wrote:

> If there were an ISR on both ends then I'd just do VRF-aware IPsec and plumb L2TPv3 inside of this to transport the VLAN; of course this doesn't answer the original question of doing this with the ASA.
>
>> I believe that you can use the ASA for the IPsec part and create GRE tunnels between the PE and CE (one for each VRF). You would, though, need something like an ISR on both ends, or switches that support GRE in hardware, so the 3560/3750 should change.

I agree with you, it's just another option. GRE would give the ability to use e.g. a 65xx as the PE and also to use e.g. ip tcp adjust-mss on the Tunnel interface; I don't know how this is handled with L2TPv3. Of course, I've assumed that the CE routes the VLANs on each VRF at the remote site...

Regards,
John
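As an added illustration of the design John sketches (one GRE tunnel per VRF between CE and PE, with the ASA pair doing IPsec on the outside), here is an IOS configuration for the remote-site CE plus the matching campus PE tunnel and the ASA crypto ACL entry. This is not configuration from the thread or from any poster; the VRF names and VLAN numbers are taken from Jeff's diagram, and all addresses (RFC 5737 documentation ranges), RDs, tunnel keys and the MTU/MSS values are assumptions made for the example.

```cisco
! Remote-site CE (ISR) -- constructed example, not from the thread.
! Addresses are RFC 5737 documentation ranges; VRF names follow Jeff's
! diagram; RDs, tunnel keys and MTU/MSS values are illustrative assumptions.
!
ip vrf A
 rd 65000:1
ip vrf B
 rd 65000:2
ip vrf C
 rd 65000:3
!
! dot1Q trunk from the site switch: one subinterface per VRF VLAN
interface GigabitEthernet0/1.123
 encapsulation dot1Q 123
 ip vrf forwarding A
 ip address 10.1.123.1 255.255.255.0
interface GigabitEthernet0/1.456
 encapsulation dot1Q 456
 ip vrf forwarding B
 ip address 10.1.56.1 255.255.255.0
interface GigabitEthernet0/1.789
 encapsulation dot1Q 789
 ip vrf forwarding C
 ip address 10.1.89.1 255.255.255.0
!
! Outside interface toward the site ASA, in the global table. The ASAs only
! ever see GRE (IP protocol 47) between 192.0.2.2 and 198.51.100.2, so one
! IPsec SA pair carries all three VRFs.
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! One GRE tunnel per VRF. "tunnel source/destination" are resolved in the
! global table (no "tunnel vrf" is configured), while "ip vrf forwarding"
! places the tunnel interface itself inside the VRF. VRF A therefore has
! Tunnel1 as its only exit toward campus and no path into B or C. A distinct
! "tunnel key" is what lets three GRE tunnels share the same endpoints.
interface Tunnel1
 description VRF A to campus PE
 ip vrf forwarding A
 ip address 10.255.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel key 1
interface Tunnel2
 description VRF B to campus PE
 ip vrf forwarding B
 ip address 10.255.2.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel key 2
interface Tunnel3
 description VRF C to campus PE
 ip vrf forwarding C
 ip address 10.255.3.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel key 3
!
! Per-VRF routing toward campus: static here; an IGP per VRF would go under
! "address-family ipv4 vrf A" instead. Either way the next hop is that
! VRF's own tunnel, never another VRF.
ip route vrf A 10.100.0.0 255.255.0.0 Tunnel1
ip route vrf B 10.100.0.0 255.255.0.0 Tunnel2
ip route vrf C 10.100.0.0 255.255.0.0 Tunnel3
!
! Campus PE: mirror image (same tunnel key, addresses swapped), shown for VRF A
interface Tunnel1
 description VRF A to remote-site CE
 ip vrf forwarding A
 ip address 10.255.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.2
 tunnel destination 192.0.2.2
 tunnel key 1
!
! Site ASA crypto ACL (the campus ASA mirrors it): only the GRE endpoints,
! not the per-VRF prefixes, appear in the IPsec policy.
access-list VPN-GRE extended permit gre host 192.0.2.2 host 198.51.100.2
```

The isolation check on either router is "show ip route vrf A": it should list only the VLAN 123 subinterface, Tunnel1 and the routes learned over it. If a prefix or tunnel belonging to B or C appears there, something (a shared route target, a route leaked from the global table) has crossed the streams Jeff wants kept apart. Because the ASAs see a single GRE flow between two addresses, it is the tunnel key and the per-VRF interface binding, not the crypto policy, that keep the VRFs separate; the ASAs contribute confidentiality and integrity for that one flow.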
Re: [c-nsp] Multiple VRFs over site-to-site VPN? Possible?
We are doing a similar setup with L2TPv3 inside VRF-aware IPsec (on IOS); my preference would be to do this with EoMPLS/AToM (again on IOS), which also maintains the VLAN/MPLS VRF integrity; of course this doesn't answer your question about doing this on the ASA; I'd be interested too in knowing how you'd solve this with an ASA setup (as a mental exercise).

--
Regards,
Ge Moua
Network Design Engineer
University of Minnesota | OIT - NTS
--

On 2/1/11 5:20 PM, Jeff Kell wrote:

> Ran across a new requirement where we would like to extend our campus standard multi-VRF routed building out to a remote site over the public Internet. Absent the ideal MPLS or multiple-vlan Metro-E, can you do this site-to-site over a pair of ASAs?
> [...]
> Jeff