cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1031
Views
0
Helpful
3
Replies

ZBFW design with vrf

karien.depyper
Level 1
Level 1

Hello,

I am preparing a zbfw design with 400+ ISR/ASR remote  routers, Flexvpn and 1 vrf.  Each router has a tunnel for visitors and another tunnel for normal users. Config below. In the documentation, I read "All interfaces in a zone must belong to the same Virtual Routing and Forwarding (VRF) instance"

There is no need to communicate between vrf visitor and the GRT, but both use the common wan zone on gigibit 0/0 and gigabit 0/2  to communicate to central.

My question: Can I put all 4 tunnel interfaces below in the same zone :vpn ?

ip vrf Visitors

interface Tunnel1111

description === FlexVPN to nrtc102 (DC1 AVC - primary line) ===

ip unnumbered Loopback1

ip mtu 1380

ip tcp adjust-mss 1340

tunnel source GigabitEthernet0/0

tunnel destination 10.255.117.104

tunnel protection ipsec profile Primary-line

!

interface Tunnel1112

description === FlexVPN to nrtc102 (DC1 AVC - Secondary line) ===

ip unnumbered Loopback2

ip mtu 1380

ip tcp adjust-mss 1340

tunnel source GigabitEthernet0/2

tunnel destination 10.255.117.105

tunnel protection ipsec profile Secondary-line

!

interface Tunnel1113

description === FlexVPN to nrtcDMZ (DC1 - visitors - primary line) ===

ip vrf forwarding Visitors

ip unnumbered Loopback3

ip mtu 1380

ip tcp adjust-mss 1340

tunnel source GigabitEthernet0/0

tunnel destination 10.255.112.104

tunnel protection ipsec profile Primary-line-visitors

!

interface Tunnel1114

description === FlexVPN to nrtcDMZ (DC1 - visitors - Secondary line) ===

ip vrf forwarding Visitors

ip unnumbered Loopback4

ip mtu 1380

ip tcp adjust-mss 1340

tunnel source GigabitEthernet0/2

tunnel destination 10.255.112.105

tunnel protection ipsec profile Secondary-line-visitorsinterface

Many thanks Karien

3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Karien,

Not sure I get the question..

The definition you are looking I guess is this one:

A router can only inspect inter-VRF traffic if traffic must enter or leave a VRF through an interface to cross to a different VRF. If traffic is routed directly to another VRF, there is no physical interface where a firewall policy can inspect traffic, so the router is unable to apply inspection.

Based on that I would say that on each VRF there will need to be a dedicated security zone applied,

I will try to run a lab real quick tomorrow and get back to u,

Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Goal is not to inspect inter-VRF traffic, there is no traffic necessary between the GRT and vrf visitors. (visitors separated from the normal users) . Goal is to have 1 (vpn) instead of 2 (vpn and vpn-visitors) vpn zones  if possible.

I hope i can configure the 2 normal (GRT) tunnels and the 2 visitor-vrf tunnels in the same zone: vpn.

But if I read the documentation "All interfaces in a zone  must belong to the same Virtual Routing and Forwarding (VRF) instance", i am not sure this will work...

Thanks a lot !

Karien

"All interfaces in a zone  must belong to the same Virtual Routing and Forwarding (VRF) instance"

All that means is:

If you have 2 VRFs and u have 2 zones Inside Outside, you will need to create Inside1 and Outside1 for VRF 1 and Inside2 and Outside2 for VRF2.

So as you can see a zone must be dedicated to one VRF,

Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card