07-10-2014 04:51 AM - edited 03-11-2019 09:27 PM
Hi Community
I need to find out whether the ASA 5500-X Series Next-Generation Firewalls are VRF-Aware using the latest IOS Version (9.1.x / 9.2.x). I have searched the Release Notes for the IOS Versions but not finding anything. I do believe that this is not a supported feature yet.
I look forward to any responses.
Regards
Steven
07-10-2014 05:04 AM
Hi,
Not to my knowledge. Seems the ASA just got BGP support in 9.2, which I was surprised about since people had been asking for it a long time.
The usual answer from one Cisco contact, when asking for different capabilities on Cisco ASA that are present in Cisco routers, was: "ASA is not a router" :)
I guess the question at this point would be what you are trying to achieve with the ASA? Maybe there is something that could be done despite lacking the support?
- Jouni
07-10-2014 05:13 AM
Hi Jouni
I am also not aware of them being VRF-Aware as yet and I do know that it has been a long time question - some dating back as far as 4 years back.
I already have a distinct solution in mind I was just wondering whether with the new release of 9.2.x they were VRF-Aware or not. If not it is not a major issue as I do have a workaround solution.
Thanks for your reply
Cheers
Steven
08-18-2014 07:12 AM
Hi Steven,
I also have this requirement for an ASA to be "VRF aware" as you put it. My take on this though is to map an ASA security context to each VRF. However, one thing I can't find out is whether I can run separate instances of OSPF in an ASA context? According to the Cisco support docs OSPF is only supported in single context mode on the 5500 series but I'm not sure whether this has changed with the next generation 5500X series - can anyone help with this?
Thanks
Ian
11-04-2014 07:12 AM
This is supported after 9.0
You can run separate dynamic routing protocols in each ASA context, as well as use L2L VPN out of each context. QoS is one of the only caveats left between single and multiple context mode.
Just have a transit VLAN to each context in a separate VRF, run VRF-aware routing protocols on that VRF, and treat each context on the other end of the transit VLAN / sub-interface separately, and form a neighborship with the core switch/router.
11-04-2014 07:35 AM
If what you are asking is MULTIPLE processes in the same context, the answer is - Here it is working in single context mode:
TESTERRRR# sh ospf interface

tomado is up, line protocol is up
  Internet Address 10.1.1.1 mask 255.255.255.0, Area 0
  Process ID 3, Router ID 195.162.122.130, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State WAITING, Priority 1
  No designated router on this network
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:04
    Wait time before Designated router selection 0:00:34
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
lettuce is up, line protocol is up
  Internet Address 10.2.1.1 mask 255.255.255.0, Area 0
  Process ID 4, Router ID 10.230.28.254, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.230.28.254, Interface address 10.2.1.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:02
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)

But I have not tried it in multiple context mode.
Better to have ONE process, and multiple Contexts, connected upstream to different VRFs
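
The design described in the last replies (one security context per VRF, each context joined to the core over its own transit VLAN, one OSPF process per context), sketched as configuration. This is an added example, not a configuration posted by anyone in the thread; the context names, VLAN IDs, addresses, file names, RDs and VRF names are hypothetical, and an admin context is assumed to exist already.

```text
! Constructed example: all names, VLANs and addresses below are hypothetical.
! --- ASA system execution space ("mode multiple" already enabled) ---
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.101
 vlan 101
interface GigabitEthernet0/1.102
 vlan 102
context TENANT-A
 allocate-interface GigabitEthernet0/1.101
 config-url disk0:/tenant-a.cfg
context TENANT-B
 allocate-interface GigabitEthernet0/1.102
 config-url disk0:/tenant-b.cfg

! --- Inside context TENANT-A (changeto context TENANT-A) ---
interface GigabitEthernet0/1.101
 nameif transit
 security-level 0
 ip address 10.101.0.2 255.255.255.252
router ospf 1
 network 10.101.0.0 255.255.255.252 area 0

! --- Inside context TENANT-B (changeto context TENANT-B) ---
interface GigabitEthernet0/1.102
 nameif transit
 security-level 0
 ip address 10.102.0.2 255.255.255.252
router ospf 1
 network 10.102.0.0 255.255.255.252 area 0

! --- Core switch/router (IOS): one VRF per ASA context ---
ip vrf TENANT-A
 rd 65000:101
ip vrf TENANT-B
 rd 65000:102
interface Vlan101
 ip vrf forwarding TENANT-A
 ip address 10.101.0.1 255.255.255.252
interface Vlan102
 ip vrf forwarding TENANT-B
 ip address 10.102.0.1 255.255.255.252
router ospf 101 vrf TENANT-A
 network 10.101.0.0 0.0.0.3 area 0
router ospf 102 vrf TENANT-B
 network 10.102.0.0 0.0.0.3 area 0
```

Each context only ever sees its own transit subinterface, so the VRF separation on the core is carried through the firewall by the context boundary rather than by any VRF feature on the ASA itself.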