Re: OT - vrf through asa

From: Mark Cairns <m.a.cairns_at_gmail.com>
Date: Sat, 23 Feb 2013 07:36:10 -0500

Can you include more configuration? When you created a bridge-group, did
you give it an IP address in the subnet? Try interfaces on same-security
and permit same-security traffic for testing, as a start.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration85/guide/interface_complete_transparent.html

Mark

On Sat, Feb 23, 2013 at 7:04 AM, Tony Singh <mothafungla_at_gmail.com> wrote:

> In transparent mode:
>
> CE dot1q vlan 3 ------- e0/1.3 vlan 3  ASA  e0/2.2 vlan 2 ------- dot1q trunk 3750 SVI 2
> 192.168.58.221          sec-level 0         sec-level 0           192.168.58.222
>
> All I get is:
>
> ciscoasa(config-if)# sh int e0/1.3
> Interface Ethernet0/1.3 "vlan3to2transit", is up, line protocol is up
> Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
> VLAN identifier 3
> MAC address 001e.13f0.33c7, MTU 1500
> IP address unassigned
> Traffic Statistics for "vlan3to2transit":
> 1302 packets input, 150292 bytes
> 0 packets output, 0 bytes
> 1302 packets dropped
>
>
> ciscoasa(config-if)# sh int e0/2.2
> Interface Ethernet0/2.2 "vlan2to3transit", is up, line protocol is up
> Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
> VLAN identifier 2
> MAC address 001e.13f0.33c8, MTU 1500
> IP address unassigned
> Traffic Statistics for "vlan2to3transit":
> 7443 packets input, 427744 bytes
> 0 packets output, 0 bytes
> 7443 packets dropped
>
>
>
> 8.4.3 code is running; I tried a different subnet at both ends of vlan 2
> and vlan 3 - same.
>
> Instead of vlans either side of the ASA sub-interfaces I tried bridge-group
> 1 - same.
>
> ACLs not showing any hits
>
> access-list vlan3to2transit extended permit ip 192.168.58.220 255.255.255.252 192.168.58.220 255.255.255.252
> access-list vlan2to3transit extended permit ip 192.168.58.220 255.255.255.252 192.168.58.220 255.255.255.252
>
> access-group vlan3to2transit in interface vlan3to2transit
> access-group vlan2to3transit in interface vlan2to3transit
>
>
> Any kind recommendations as to what I'm doing wrong?
>
>
> Tony
>
>
>
> On 21 February 2013 19:26, Brian McGahan <bmcgahan_at_ine.com> wrote:
>
> > Ah, layer 8 ;)
> >
> > Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE 2013::13
> > bmcgahan_at_INE.com
> >
> > Internetwork Expert, Inc.
> > http://www.INE.com
> >
> > On Feb 21, 2013, at 10:39 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
> >
> > > Hi Brian
> > >
> > > I asked our senior security architect; it is policy.
> > >
> > > --
> > > BR
> > >
> > > Tony
> > >
> > > Sent from my iPhone on 3
> > >
> > > On 21 Feb 2013, at 16:33, Brian McGahan <bmcgahan_at_ine.com> wrote:
> > >
> > >> Why does it need to be routed?
> > >>
> > >>
> > >> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE 2013::13
> > >> bmcgahan_at_INE.com
> > >>
> > >> Internetwork Expert, Inc.
> > >> http://www.INE.com
> > >>
> > >> On Feb 21, 2013, at 7:59 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
> > >>
> > >>> Gilles
> > >>>
> > >>> Thought so cheers will check it out...
> > >>>
> > >>> If we do have contexts, still the ASA has only max 2 OSPF processes,
> > >>> not scalable in that regard...?
> > >>>
> > >>> Ryan - need to have it routed bro
> > >>>
> > >>>
> > >>> On 21 February 2013 13:40, Gilles Fabre <fabre.gilles_at_voila.fr> wrote:
> > >>>
> > >>>>
> > >>>> If I remember well, dynamic routing support in multi-context was one
> > >>>> major enhancement of the 9.0 version.
> > >>>> ASA 8.x supported only static routing when configured with contexts.
> > >>>>
> > >>>> RD/RT won't be transmitted unless you use MP-BGP.
> > >>>> Contexts only allow segmentation of security domains in relation
> > >>>> with VRF routing domains (more to be used with VRF-lite setups in my
> > >>>> mind).
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>>> Message of 21/02/13 at 14:31
> > >>>>> From: "Tony Singh"
> > >>>>> To: "Carlos G Mendioroz"
> > >>>>> Cc: "Cisco certification"
> > >>>>> Subject: Re: OT - vrf through asa
> > >>>>>
> > >>>>> Hi Carlos
> > >>>>>
> > >>>>> The thought did cross my mind; I'm sure I did see something about
> > >>>>> dynamic routing being supported in multi-context mode, I may have
> > >>>>> been dreaming however as I can't find anything on this...
> > >>>>>
> > >>>>> It might not be required depending on the way you set the contexts
> > >>>>> up, will check Brian's video again..
> > >>>>>
> > >>>>> Question: in vrf-lite how does the RD/RT get exported? Is it within
> > >>>>> the OSPF multicast DBD? I know with MP-BGP it is transported in the
> > >>>>> extended communities value packet, confused on this bit.. and would
> > >>>>> the ASA ignore the RD/RT but look at the source/dest IPv4 addr?
> > >>>>>
> > >>>>> Thanks bro!
> > >>>>>
> > >>>>> Tony
> > >>>>>
> > >>>>>
> > >>>>> On 21 February 2013 12:34, Carlos G Mendioroz wrote:
> > >>>>>
> > >>>>>> You may try 2 contexts, and have different routing domains
> > >>>>>> (inbound/outbound) in each ?
> > >>>>>> -Carlos
> > >>>>>>
> > >>>>>> Tony Singh @ 21/02/2013 09:29 -0300 dixit:
> > >>>>>>
> > >>>>>>> can get this working from PE > CE > Switch > trunk > trunk >
> > >>>>>>> Switch > CE > PE
> > >>>>>>>
> > >>>>>>> any solution available going through ASA say if I wanted to do
> > >>>>>>> IPS DPI and other
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> On 21 February 2013 12:02, Tony Singh wrote:
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>> Hi
> > >>>>>>>>
> > >>>>>>>> I know ASAs are not VRF-aware unless latest code supports this...
> > >>>>>>>>
> > >>>>>>>> I have customer routing tables separated by VRFs. CE to PE is
> > >>>>>>>> MP-BGP, and IGP is OSPF vrf-lite on CEs.
> > >>>>>>>>
> > >>>>>>>> Is there any way to get the customer traffic through the ASAs
> > >>>>>>>> dynamically? Max OSPF processes the ASAs support is 2.
> > >>>>>>>>
> > >>>>>>>> Is there any benefit in passing this traffic through the ASAs?
> > >>>>>>>>
> > >>>>>>>> What would you guys do?
> > >>>>>>>>
> > >>>>>>>> Topology
> > >>>>>>>>
> > >>>>>>>> Site 1 PE > CE > ASA > Switch > trunk > trunk > Switch > ASA > CE > PE Site 2
> > >>>>>>>>
> > >>>>>>>> Thanks in advance
> > >>>>>>>>
> > >>>>>>>> Tony
> > >>>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> Blogs and organic groups at http://www.ccie.net
> > >>>>>>>
> > >>>>>>> _______________________________________________________________________
> > >>>>>>> Subscription information may be found at:
> > >>>>>>> http://www.groupstudy.com/list/CCIELab.html
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>> --
> > >>>>>> Carlos G Mendioroz LW7 EQI Argentina
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>
> > >>>
> > >>>
>
>

Blogs and organic groups at http://www.ccie.net
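As an added example (not code from anyone in the thread), the Python below parses the `show interface` counters and the ACL/access-group lines Tony pasted, and answers the question a troubleshooter wants first: could the interface ACL be what is dropping the traffic? The counters and ACL lines are taken from the thread; the endpoint addresses 192.168.58.221/.222 come from the topology, while the third "outside" interface in the sample and the script's function names are constructed for this example.

```python
import ipaddress
import re

# Sample input constructed for this example: the two "show interface" blocks
# pasted in the thread, plus a made-up "outside" interface as a healthy case.
SHOW_INTERFACE = """\
Interface Ethernet0/1.3 "vlan3to2transit", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 3
MAC address 001e.13f0.33c7, MTU 1500
IP address unassigned
Traffic Statistics for "vlan3to2transit":
1302 packets input, 150292 bytes
0 packets output, 0 bytes
1302 packets dropped
Interface Ethernet0/2.2 "vlan2to3transit", is up, line protocol is up
VLAN identifier 2
IP address unassigned
Traffic Statistics for "vlan2to3transit":
7443 packets input, 427744 bytes
0 packets output, 0 bytes
7443 packets dropped
Interface Ethernet0/0 "outside", is up, line protocol is up
Traffic Statistics for "outside":
5000 packets input, 400000 bytes
4980 packets output, 398000 bytes
20 packets dropped
"""

# The ACL and access-group lines from the thread, unwrapped. ASA ACLs take
# subnet masks (255.255.255.252), not IOS-style wildcard masks.
ACL_CONFIG = """\
access-list vlan3to2transit extended permit ip 192.168.58.220 255.255.255.252 192.168.58.220 255.255.255.252
access-list vlan2to3transit extended permit ip 192.168.58.220 255.255.255.252 192.168.58.220 255.255.255.252
access-group vlan3to2transit in interface vlan3to2transit
access-group vlan2to3transit in interface vlan2to3transit
"""

HEADER_RE = re.compile(r'^Interface (\S+) "([^"]*)", is \w+, line protocol is \w+')
COUNTER_RE = re.compile(r'(\d+) packets (input|output|dropped)')
ACL_RE = re.compile(r'^access-list (\S+) extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)')
GROUP_RE = re.compile(r'^access-group (\S+) in interface (\S+)')


def parse_show_interface(text):
    """Return {nameif: counters}; pasted output may have lost its indentation."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"interface": m.group(1), "input": 0, "output": 0, "dropped": 0}
            interfaces[m.group(2)] = current
        elif current is not None:
            for count, kind in COUNTER_RE.findall(line):
                current[kind] = int(count)
    return interfaces


def parse_acl_config(text):
    """Return ({acl_name: [(action, src_net, dst_net)]}, {nameif: inbound_acl})."""
    acls, bindings = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, action, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((action,
                ipaddress.ip_network(f"{src}/{smask}", strict=False),
                ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)
    return acls, bindings


def acl_verdict(rules, src, dst):
    """First-match evaluation of an ASA extended ACL; no match hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in rules:
        if s in snet and d in dnet:
            return action
    return "deny"


def triage(show_text, acl_text, endpoints):
    """Per interface: are all input packets dropped, and would the inbound ACL
    bound to it permit traffic between the two endpoints in either direction?"""
    ifaces = parse_show_interface(show_text)
    acls, bindings = parse_acl_config(acl_text)
    a, b = endpoints
    report = {}
    for nameif, st in ifaces.items():
        all_dropped = st["input"] > 0 and st["output"] == 0 and st["dropped"] == st["input"]
        acl = bindings.get(nameif)
        permits = None
        if acl is not None:
            rules = acls.get(acl, [])
            permits = acl_verdict(rules, a, b) == "permit" and acl_verdict(rules, b, a) == "permit"
        report[nameif] = {"all_input_dropped": all_dropped, "acl_permits_flow": permits,
                          "drops_not_explained_by_acl": all_dropped and permits is True}
    return report
```

Run against the pasted data, both transit interfaces come back with every input packet dropped and with the bound ACL permitting .221 to .222 in both directions, so the ACLs cannot be what is dropping the traffic. That is consistent with the zero hitcounts Tony reports and with Mark's suggestion to look at the bridge-group addressing and the same-security setting rather than the ACLs.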
Received on Sat Feb 23 2013 - 07:36:10 ART

This archive was generated by hypermail 2.2.0 : Fri Mar 01 2013 - 07:57:58 ART