07-09-2013 01:44 PM - edited 03-11-2019 07:10 PM
Hello,
I am preparing a ZBFW design with 400+ ISR/ASR remote routers, FlexVPN and 1 VRF. Each router has a tunnel for visitors and another tunnel for normal users. Config below. In the documentation, I read "All interfaces in a zone must belong to the same Virtual Routing and Forwarding (VRF) instance".
There is no need to communicate between VRF Visitors and the GRT, but both use the common wan zone on GigabitEthernet0/0 and GigabitEthernet0/2 to communicate to central.
My question: can I put all 4 tunnel interfaces below in the same zone: vpn?
ip vrf Visitors
interface Tunnel1111
description === FlexVPN to nrtc102 (DC1 AVC - primary line) ===
ip unnumbered Loopback1
ip mtu 1380
ip tcp adjust-mss 1340
tunnel source GigabitEthernet0/0
tunnel destination 10.255.117.104
tunnel protection ipsec profile Primary-line
!
interface Tunnel1112
description === FlexVPN to nrtc102 (DC1 AVC - Secondary line) ===
ip unnumbered Loopback2
ip mtu 1380
ip tcp adjust-mss 1340
tunnel source GigabitEthernet0/2
tunnel destination 10.255.117.105
tunnel protection ipsec profile Secondary-line
!
interface Tunnel1113
description === FlexVPN to nrtcDMZ (DC1 - visitors - primary line) ===
ip vrf forwarding Visitors
ip unnumbered Loopback3
ip mtu 1380
ip tcp adjust-mss 1340
tunnel source GigabitEthernet0/0
tunnel destination 10.255.112.104
tunnel protection ipsec profile Primary-line-visitors
!
interface Tunnel1114
description === FlexVPN to nrtcDMZ (DC1 - visitors - Secondary line) ===
ip vrf forwarding Visitors
ip unnumbered Loopback4
ip mtu 1380
ip tcp adjust-mss 1340
tunnel source GigabitEthernet0/2
tunnel destination 10.255.112.105
tunnel protection ipsec profile Secondary-line-visitors
!
Many thanks, Karien
07-09-2013 10:58 PM
Hello Karien,
Not sure I get the question...
The definition you are looking for, I guess, is this one:
A router can only inspect inter-VRF traffic if traffic must enter or leave a VRF through an interface to cross to a different VRF. If traffic is routed directly to another VRF, there is no physical interface where a firewall policy can inspect traffic, so the router is unable to apply inspection.
Based on that I would say that on each VRF there will need to be a dedicated security zone applied.
I will try to run a lab real quick tomorrow and get back to you.
Remember to rate all of the helpful posts. That's as important as a Thanks. 
Julio Carvajal Segura
07-10-2013 02:28 PM
Hello Julio,
The goal is not to inspect inter-VRF traffic; there is no traffic necessary between the GRT and VRF Visitors (visitors are separated from the normal users). The goal is to have 1 VPN zone (vpn) instead of 2 (vpn and vpn-visitors), if possible.
I hope I can configure the 2 normal (GRT) tunnels and the 2 visitor-VRF tunnels in the same zone: vpn.
But if I read the documentation "All interfaces in a zone must belong to the same Virtual Routing and Forwarding (VRF) instance", I am not sure this will work...
Thanks a lot !
Karien
07-10-2013 02:47 PM
"All interfaces in a zone must belong to the same Virtual Routing and Forwarding (VRF) instance"
All that means is:
If you have 2 VRFs and you have 2 zones, Inside and Outside, you will need to create Inside1 and Outside1 for VRF 1 and Inside2 and Outside2 for VRF 2.
So as you can see, a zone must be dedicated to one VRF.
Remember to rate all of the helpful posts. That's as important as a Thanks. 
Julio Carvajal Segura
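The zone-per-VRF layout described in the answers above, written out against Karien's four tunnels, as an added example (this is not configuration from the original thread or from Cisco documentation). Assumptions: the LAN interfaces GigabitEthernet0/1 (normal users, GRT) and GigabitEthernet0/1.100 (visitors, VRF Visitors) are hypothetical, the class-map inspects only TCP, UDP and ICMP, and the zone names inside-visitors and vpn-visitors are chosen here for illustration. Tunnel1111/1112 stay in the GRT and go into zone vpn; Tunnel1113/1114 are in VRF Visitors and go into their own zone vpn-visitors; the physical WAN interfaces, which only ever carry the encrypted IKE/ESP packets, stay in the GRT zone wan.

```cisco
! --- Security zones: one complete set per VRF (the point made above).
! GRT zones
zone security inside
 description Normal users LAN (GRT)
zone security vpn
 description FlexVPN tunnels to DC1 (GRT): Tunnel1111, Tunnel1112
zone security wan
 description Physical uplinks Gi0/0, Gi0/2 (GRT) - encrypted IKE/ESP only
! VRF Visitors zones
zone security inside-visitors
 description Visitors LAN (VRF Visitors)
zone security vpn-visitors
 description FlexVPN tunnels to nrtcDMZ (VRF Visitors): Tunnel1113, Tunnel1114
!
! --- One inspect policy reused for every zone-pair (assumption: TCP/UDP/ICMP only)
class-map type inspect match-any CM-USER-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSPECT-USER
 class type inspect CM-USER-TRAFFIC
  inspect
 class class-default
  drop log
!
! --- Zone-pairs: GRT side. Stateful inspection from inside to vpn
!     creates the return sessions, so only the initiating direction is paired.
zone-pair security ZP-INSIDE-VPN source inside destination vpn
 service-policy type inspect PM-INSPECT-USER
!
! --- Zone-pairs: VRF Visitors side, same shape, separate zones.
zone-pair security ZP-INSIDEV-VPNV source inside-visitors destination vpn-visitors
 service-policy type inspect PM-INSPECT-USER
!
! --- Deliberately NO zone-pair between any GRT zone and any Visitors zone:
!     ZBFW drops inter-zone traffic that has no zone-pair, which matches the
!     requirement that GRT and VRF Visitors never talk to each other.
!     No zone-pair involving "self" is defined either, so IKE (UDP/500, UDP/4500)
!     and ESP terminating on the router keep the default self-zone behaviour
!     and the tunnels can come up.
!
! --- Interface membership (LAN interfaces are hypothetical)
interface GigabitEthernet0/1
 description Normal users LAN (GRT)
 zone-member security inside
!
interface GigabitEthernet0/1.100
 description Visitors LAN
 encapsulation dot1Q 100
 ip vrf forwarding Visitors
 zone-member security inside-visitors
!
interface GigabitEthernet0/0
 zone-member security wan
interface GigabitEthernet0/2
 zone-member security wan
!
interface Tunnel1111
 zone-member security vpn
interface Tunnel1112
 zone-member security vpn
!
interface Tunnel1113
 zone-member security vpn-visitors
interface Tunnel1114
 zone-member security vpn-visitors
```

To confirm the split on a router, "show zone security" lists the member interfaces per zone and "show zone-pair security" lists which pairs carry a policy; any GRT-to-Visitors pair should be absent, and "show policy-map type inspect zone-pair sessions" should only ever show sessions on the two pairs above.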