Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
642
Views
0
Helpful
3
Replies

GRE over VRF

tachyon05
Level 1
Level 1

‎07-16-2020 01:29 PM

I have an ASA at the edge that connects to an internal layer 3 switch. The switch also connects to a router. The switch, where SVIs are configured, act as the core switch, and is the gateway for guest and other internal VLANs. Guest VLAN needs to be segregated from other VLANs and only gets internet access, and they do so through a VRF between the switch and ASA. Now, there is a requirement for these guest devices to communicate with a vendor over a GRE tunnel while still maintaining the segregation on the LAN. GRE is not supported on this switch, but is supported on the router. How can this GRE be configured?

 
guest devices ---- L3 switch  ---- ASA ---- INTERNET ---- Vendor Network
                                        |                   
                                        |                   
                                    router
Labels:
0 Helpful
3 Replies 3

Francesco Molino
VIP Alumni
VIP Alumni

‎07-16-2020 08:08 PM

Hi

This GRE is to connect to a vendor, so you can route traffic from your guest to this vendor using the GRE.
I would add an interco vlan between SW and router in this Guest VRF, so a new sub interface on the router. Then build your GRE on your router and add a route on your switch into the guest VRF to route traffic to your vendor going through the new interco subnet on your switch and then through the GRE on your router.
This GRE will be sitting on the router in the Guest VRF you'll need to create. The GRE can use any interface as tunnel source to be able to reach vendor remote end devices.

Guest --- L3 SW (VRF Guest)----new interco--- (VRF Guest) Router ---- GRE (VRF guest)

Hope this is clear otherwise let me know and I can give you a config example

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

tachyon05
Level 1
Level 1
In response to Francesco Molino

‎07-16-2020 11:00 PM

Thanks for the reply.  What you describe makes sense but appears to require a physical connection between the router and the ASA.  However, the router is not directly connected to the ASA in my environment.  Router is connected to the switch physically as shown below. 

 

Router interface used to connect to switch

interface GigabitEthernet0/0
ip address 10.12.251.10 255.255.255.252

 

Switch interface used to connect to router

interface GigabitEthernet2/0
no switchport
ip address 10.12.251.9 255.255.255.252

 

The switch has the existing guest VRF configured as shown below, and it works today by allowing guest devices internet access through the ASA while keeping the guest VLAN completely isolated from the rest of the VLANs.

 

ip vrf guest

 

interface Vlan370
description guest for devices
ip vrf forwarding guest
ip dhcp relay information trusted
ip address 172.18.72.1 255.255.255.0
ip access-group GUEST in
end

 

interface Vlan379
description Guest to ASA5505
ip vrf forwarding guest
ip address 172.18.73.2 255.255.255.252
end

 

ASA is configured to send return traffic from the internet back to the switch

route guest 172.18.72.0 255.255.255.0 172.18.73.2

 

Can you elaborate if your suggestion still applies?

 

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to tachyon05

‎07-18-2020 07:20 PM

You don’t require a physical connection just another vlan.
Instead of having a routed interface facing the router, you can go with a trunk and a svi on the switch or add a routed sub-interface facing the router. On router no matter which solution you choose for the switch, it will be a sub interface. On both side, this new subnet will be into your guest vrf.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card