RE: OT - vrf through asa

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Thu, 21 Feb 2013 17:10:43 +0000

Yes - running the IPS/SSM module in transparent mode is well documented on
CCO.

The only caveat I can think of with transparent mode is you lose the ability
to add VPN services and NAT later - but it looks like you may not mind that in
your design with MPLS and the ability to use private addressing end to end.

thanks

From: Tony Singh [mailto:mothafungla_at_gmail.com]
Sent: Thursday, February 21, 2013 12:04 PM
To: Joseph L. Brunner
Cc: Cisco certification
Subject: Re: OT - vrf through asa

Hi Joe

Thanks. As many of you experts have mentioned this, I will go back to our
architect and try to understand why it is required to be routed.

For example can I run an IPS module with DPI in transparent mode?

What are the main drawbacks with either mode?

Thanks

Tony

On 21 February 2013 15:47, Joseph L. Brunner
<joe_at_affirmedsystems.com> wrote:
I would agree with transparent mode as mentioned earlier as the best way to do
this...

The ASA's level of routing doesn't get you much here.

If anything it's a silent "bump in the wire" with stateful inspection and
ACLs so the routers can just "route".

thanks

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Tony Singh
Sent: Thursday, February 21, 2013 7:03 AM
To: Cisco certification
Subject: OT - vrf through asa

Hi

I know ASAs are not VRF-aware unless the latest code supports this...

I have customer routing tables separated by VRFs; CE to PE is MP-BGP, and the
IGP is OSPF VRF-lite on the CEs.

Is there any way to get the customer traffic through the ASAs dynamically? The
max OSPF processes the ASAs support is 2.

Is there any benefit in passing this traffic through the ASAs?

What would you guys do?

Topology

Site 1 PE > CE > ASA > Switch > trunk > trunk > Switch > ASA > CE > PE Site 2

Thanks in advance

Tony

Received on Thu Feb 21 2013 - 17:10:43 ART
