SD WAN - ZBFW routing between zones

jgardner150
Level 4

In my deployment I have a production VPN (VPN1) and a guest VPN (VPN2). I want to allow my guest network to talk to specific devices on my production network for the purposes of wireless screen casting. My preference is to keep the traffic local in each branch office (not route across the WAN and hairpin back). 

 

When I read the zone based firewall documentation I get the understanding that "zones" are tied to VPNs. But I also understand that by default VPNs are designed to not communicate with one another, similar to VRFs. I feel like I am missing something on how this is meant to allow/deny traffic between VPNs/zones without something else needing to be configured for the routing component.

Accepted Solution

ekhabaro
Cisco Employee

You need to create a vSmart policy to leak routes between the VPNs, something like this:

policy
 lists
  vpn-list vpn1-list
   vpn 1
  !
  vpn-list vpn2-list
   vpn 2
  !
  prefix-list 154
   ip-prefix 172.16.154.0/24
  !
  prefix-list 155
   ip-prefix 172.16.155.0/24
  !
 !
 control-policy route-leak
  sequence 1
   match route
    prefix-list 155
    vpn-list    vpn1-list
   !
   action accept
    export-to
     vpn-list vpn2-list
    !
   !
  !
  sequence 11
   match route
    prefix-list 154
    vpn-list    vpn2-list
   !
   action accept
    export-to
     vpn-list vpn1-list
    !
   !
  !
  default-action accept
 !
!
apply-policy
 site-list branch-152
  control-policy route-leak in
 !
!

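The vSmart policy above only makes the two VPNs reachable from each other; the "allow/deny" part of the question is still the zone-based firewall on the edge router. Added example (not part of the accepted answer): a vEdge-style ZBFW policy in which only guest hosts (VPN 2) may initiate sessions to a data-prefix list of screen-casting devices in VPN 1, with everything else between the two zones dropped; the zone, policy and list names and the two /32 host addresses in 172.16.155.0/24 are assumptions.

```cisco
policy
 lists
  ! constructed: the casting receivers on the production LAN
  data-prefix-list casting-devices
   ip-prefix 172.16.155.10/32
   ip-prefix 172.16.155.11/32
  !
 !
 ! a zone is a set of VPNs; one zone per VPN here
 zone guest-zone
  vpn 2
 !
 zone prod-zone
  vpn 1
 !
 ! only the guest -> prod direction gets a zone pair;
 ! with no prod -> guest pair, sessions started from VPN 1 are dropped
 zone-pair guest-to-prod
  source-zone      guest-zone
  destination-zone prod-zone
  zone-policy      guest-to-prod-policy
 !
 zone-based-policy guest-to-prod-policy
  sequence 1
   match
    destination-data-prefix-list casting-devices
   !
   ! inspect is stateful: replies from the casting device are allowed back
   action inspect
   !
  !
  ! any other guest-originated flow toward VPN 1 is denied
  default-action drop
 !
!
```

Because inspect is stateful, the return traffic from the casting device to the guest client is permitted without a second zone pair, so the guest network never gains a way to initiate sessions to anything else in VPN 1.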

5 Replies


OK, that makes sense to me. I wish something like this would be called out in the ZBFW documentation: here


Well... you can always leave feedback on the documentation; see the "Leave feedback" button at the bottom of the page.

 

HTH.

Cheers.

Good recommendation! I just submitted that feedback.

Even in October 2019 a simple explanation of how to route traffic between 2 VPNs is hard to find in official Cisco docs.

This YouTube video covers in less than 6 minutes what you could spend a day searching for.

https://youtu.be/TJZe8DjvPQs