Re: OT - vrf through asa

From: Brian McGahan <bmcgahan_at_ine.com>
Date: Thu, 21 Feb 2013 13:26:36 -0600

Ah, layer 8 ;)

Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE 2013::13
bmcgahan_at_INE.com

Internetwork Expert, Inc.
http://www.INE.com

On Feb 21, 2013, at 10:39 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:

> Hi Brian
>
> I asked our senior security architect; it is policy
>
> --
> BR
>
> Tony
>
> Sent from my iPhone on 3
>
> On 21 Feb 2013, at 16:33, Brian McGahan <bmcgahan_at_ine.com> wrote:
>
>> Why does it need to be routed?
>>
>>
>> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE 2013::13
>> bmcgahan_at_INE.com
>>
>> Internetwork Expert, Inc.
>> http://www.INE.com
>>
>> On Feb 21, 2013, at 7:59 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
>>
>>> Gilles
>>>
>>> Thought so cheers will check it out...
>>>
>>> If we do have contexts still the ASA has only max 2 ospf processes, not
>>> scalable in that regard...?
>>>
>>> Ryan - need to have it routed bro
>>>
>>>
>>> On 21 February 2013 13:40, Gilles Fabre <fabre.gilles_at_voila.fr> wrote:
>>>
>>>>
>>>> If I remember well, dynamic routing support in multi-context was one
>>>> major enhancement of 9.0 version
>>>> ASA 8.x supported only static routing when configured with contexts
>>>>
>>>> RD/RT won't be transmitted except you use MP-BGP
>>>> Contexts only allow segmentation of security domains in relation with VRF
>>>> routing domains (more to be used with VRF-lite setups in my mind)
>>>>
>>>>
>>>>
>>>>
>>>>> Message of 21/02/13 at 14:31
>>>>> From: "Tony Singh"
>>>>> To: "Carlos G Mendioroz"
>>>>> Cc: "Cisco certification"
>>>>> Subject: Re: OT - vrf through asa
>>>>>
>>>>> Hi Carlos
>>>>>
>>>>> The thought did cross my mind, I'm sure I did see something about dynamic
>>>>> routing being supported in multi-context mode, I may have been dreaming
>>>>> however as can't find nothing on this...
>>>>>
>>>>> It might not be required depending on the way you set the contexts up,
>>>>> will check Brian's video again..
>>>>>
>>>>> Question in vrf-lite how does the RD/RT get exported? is it within the ospf
>>>>> multicast dbd? I know with MPBGP it is transported in the extended
>>>>> communities value packet, confused on this bit..and would the ASA ignore
>>>>> the RD/RT but look at the source/dest ipv4 addr
>>>>>
>>>>> Thanks bro!
>>>>>
>>>>> Tony
>>>>>
>>>>>
>>>>> On 21 February 2013 12:34, Carlos G Mendioroz wrote:
>>>>>
>>>>>> You may try 2 contexts, and have different routing domains
>>>>>> (inbound/outbound) in each ?
>>>>>> -Carlos
>>>>>>
>>>>>> Tony Singh @ 21/02/2013 09:29 -0300 dixit:
>>>>>>
>>>>>>> can get this working from PE > CE > Switch > trunk > trunk > Switch > CE > PE
>>>>>>>
>>>>>>> any solution available going through ASA say if I wanted to do IPS DPI and other
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 21 February 2013 12:02, Tony Singh wrote:
>>>>>>>
>>>>>>>
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> I know ASA's are not vrf aware unless latest code supports this...
>>>>>>>>
>>>>>>>> I have customer routing tables separated by vrf's CE to PE is MPBGP, and
>>>>>>>> IGP is OSPF vrf-lite on CE's
>>>>>>>>
>>>>>>>> Is there anyway to get the customer traffic through the ASA's dynamically,
>>>>>>>> max OSPF processes the ASA's support is 2
>>>>>>>>
>>>>>>>> Is there any benefit in passing this traffic through the ASA's
>>>>>>>>
>>>>>>>> what would you guys do?
>>>>>>>>
>>>>>>>> Topology
>>>>>>>>
>>>>>>>> Site 1 PE > CE > ASA > Switch > trunk > trunk > Switch > ASA > CE > PE Site 2
>>>>>>>>
>>>>>>>> Thanks in advance
>>>>>>>>
>>>>>>>> Tony
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>
>>>>>>> _______________________________________________________________________
>>>>>>> Subscription information may be found at:
>>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>>>
>>>>>> --
>>>>>> Carlos G Mendioroz LW7 EQI Argentina
>>>>>
>>>>>
>>>>
>>>
>>>

Received on Thu Feb 21 2013 - 13:26:36 ART

This archive was generated by hypermail 2.2.0 : Fri Mar 01 2013 - 07:57:58 ART