in transparent mode

CE dot1q vlan 3 ------- e0/1.3 vlan 3 ASA e0/2.2 vlan 2 ----- dot1q trunk 3750 SVI 2
192.168.58.221          sec-level 0       sec-level 0                     192.168.58.222

All I get is:

ciscoasa(config-if)# sh int e0/1.3
Interface Ethernet0/1.3 "vlan3to2transit", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 3
MAC address 001e.13f0.33c7, MTU 1500
IP address unassigned
Traffic Statistics for "vlan3to2transit":
1302 packets input, 150292 bytes
0 packets output, 0 bytes
1302 packets dropped
ciscoasa(config-if)# sh int e0/2.2
Interface Ethernet0/2.2 "vlan2to3transit", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
VLAN identifier 2
MAC address 001e.13f0.33c8, MTU 1500
IP address unassigned
Traffic Statistics for "vlan2to3transit":
7443 packets input, 427744 bytes
0 packets output, 0 bytes
7443 packets dropped

8.4.3 code is running. I tried a different subnet at both ends of vlan 2 and vlan 3 - same.

Instead of vlans either side of the ASA sub-interfaces I tried bridge-group 1 - same.

ACLs not showing any hits:

access-list vlan3to2transit extended permit ip 192.168.58.220 255.255.255.252 192.168.58.220 255.255.255.252
access-list vlan2to3transit extended permit ip 192.168.58.220 255.255.255.252 192.168.58.220 255.255.255.252
access-group vlan3to2transit in interface vlan3to2transit
access-group vlan2to3transit in interface vlan2to3transit

Any kind recommendations as to what I'm doing wrong?

Tony
On 21 February 2013 19:26, Brian McGahan <bmcgahan_at_ine.com> wrote:
> Ah, layer 8 ;)
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE 2013::13
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
> On Feb 21, 2013, at 10:39 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
>
> > Hi Brian
> >
> > I asked our senior security architect it is policy
> >
> > --
> > BR
> >
> > Tony
> >
> > Sent from my iPhone on 3
> >
> > On 21 Feb 2013, at 16:33, Brian McGahan <bmcgahan_at_ine.com> wrote:
> >
> >> Why does it need to be routed?
> >>
> >>
> >> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE 2013::13
> >> bmcgahan_at_INE.com
> >>
> >> Internetwork Expert, Inc.
> >> http://www.INE.com
> >>
> >> On Feb 21, 2013, at 7:59 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
> >>
> >>> Gilles
> >>>
> >>> Thought so cheers will check it out...
> >>>
> >>> If we do have contexts still the ASA has only max 2 ospf processes, not
> >>> scalable in that regard...?
> >>>
> >>> Ryan - need to have it routed bro
> >>>
> >>>
> >>> On 21 February 2013 13:40, Gilles Fabre <fabre.gilles_at_voila.fr> wrote:
> >>>
> >>>>
> >>>> If I remember well, dynamic routing support in multi-context was one
> >>>> major enhancement of 9.0 version
> >>>> ASA 8.x supported only static routing when configured with contexts
> >>>>
> >>>> RD/RT won't be transmitted except you use MP-BGP
> >>>> Contexts only allow segmentation of security domains in relation with VRF
> >>>> routing domains (more to be used with VRF-lite setups in my mind)
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>> Message of 21/02/13 at 14:31
> >>>>> From: "Tony Singh"
> >>>>> To: "Carlos G Mendioroz"
> >>>>> Cc: "Cisco certification"
> >>>>> Subject: Re: OT - vrf through asa
> >>>>>
> >>>>> Hi Carlos
> >>>>>
> >>>>> The thought did cross my mind, I'm sure I did see something about dynamic
> >>>>> routing being supported in multi-context mode, I may have been dreaming
> >>>>> however as can't find nothing on this...
> >>>>>
> >>>>> It might not be required depending on the way you set the contexts up,
> >>>>> will check Brian's video again..
> >>>>>
> >>>>> Question in vrf-lite how does the RD/RT get exported? is it within the ospf
> >>>>> multicast dbd? I know with MPBGP it is transported in the extended
> >>>>> communities value packet, confused on this bit..and would the ASA ignore
> >>>>> the RD/RT but look at the source/dest ipv4 addr
> >>>>>
> >>>>> Thanks bro!
> >>>>>
> >>>>> Tony
> >>>>>
> >>>>>
> >>>>> On 21 February 2013 12:34, Carlos G Mendioroz wrote:
> >>>>>
> >>>>>> You may try 2 contexts, and have different routing domains
> >>>>>> (inbound/outbound) in each ?
> >>>>>> -Carlos
> >>>>>>
> >>>>>> Tony Singh @ 21/02/2013 09:29 -0300 dixit:
> >>>>>>
> >>>>>>> can get this working from PE > CE > Switch > trunk > trunk > Switch > CE > PE
> >>>>>>>
> >>>>>>> any solution available going through ASA say if I wanted to do IPS DPI and other
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On 21 February 2013 12:02, Tony Singh wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>> Hi
> >>>>>>>>
> >>>>>>>> I know ASA's are not vrf aware unless latest code supports this...
> >>>>>>>>
> >>>>>>>> I have customer routing tables separated by vrf's CE to PE is MPBGP, and
> >>>>>>>> IGP is OSPF vrf-lite on CE's
> >>>>>>>>
> >>>>>>>> Is there any way to get the customer traffic through the ASA's dynamically,
> >>>>>>>> max OSPF processes the ASA's support is 2
> >>>>>>>>
> >>>>>>>> Is there any benefit in passing this traffic through the ASA's
> >>>>>>>>
> >>>>>>>> what would you guys do?
> >>>>>>>>
> >>>>>>>> Topology
> >>>>>>>>
> >>>>>>>> Site 1 PE > CE > ASA > Switch > trunk > trunk > Switch > ASA > CE > PE Site 2
> >>>>>>>>
> >>>>>>>> Thanks in advance
> >>>>>>>>
> >>>>>>>> Tony
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> Blogs and organic groups at http://www.ccie.net
> >>>>>>>
> >>>>>>> _______________________________________________________________________
> >>>>>>> Subscription information may be found at:
> >>>>>>> http://www.groupstudy.com/list/CCIELab.html
> >>>>>>>
> >>>>>> --
> >>>>>> Carlos G Mendioroz LW7 EQI Argentina
Received on Sat Feb 23 2013 - 12:04:15 ART
This archive was generated by hypermail 2.2.0 : Fri Mar 01 2013 - 07:57:58 ART