ASR1001 change MAC address of DOT1Q Subinterface?

blazarov86
Level 1

Hello,

I ran into a situation where I need to connect 3 separate VRFs on a single ASR to a single firewall. Within those 3 VRFs are the branch VPN infrastructures of 3 separate tenants (subcompanies within a larger organization). The idea is that those 3 tenants have their own branch infrastructure (DMVPN on the ASR) and their own servers (separate security zones on the single firewall). Normally branches of each tenant talk only to their servers. But of course it turned out that there is a need for inter-tenant communications - both branch<->servers and branch<->branch. And this traffic has to be strictly controlled on the firewall. And here comes the tricky part - if we set up 3 separate transport networks between the firewall and the ASR for each tenant, inter-tenant traffic might become asymmetric from the firewall's point of view. And we all know firewalls don't like this at all and normally drop this traffic.

This is the point where I came up with the brilliant :) idea of bringing up 3 separate DOT1Q subinterfaces on the ASR (on the same physical interface) for each VRF within the same IP subnet - 10.0.0.0/24 - and configuring the firewall with a single interface for the branch zone in the same subnet, like this:

10.0.0.0/24:

10.0.0.1/24 - Firewall - branches zone

10.0.0.101/24 - ASR Tenant 1 (dot1q 102)

10.0.0.102/24 - ASR Tenant 2 (dot1q 103)

10.0.0.103/24 - ASR Tenant 3 (dot1q 104)

Then somehow on the firewall (or on a switch in-between) bridge VLANs102-104 together. Bridging the VLANs is not a problem and is out of the scope of this discussion.

If I accomplish this, traffic to and from all branches will go through the same interface and the firewall will be happy.

The problem here is that by default all subinterfaces inherit the MAC address of the physical interface and it seems that it cannot be changed. Or at least I cannot find how on the ASR1001. Is that true?

Any ideas?

2 Replies

blazarov86
Level 1

Meanwhile I found the solution. The right way to go on ISR1k is BDI. Looks like this:

interface GigabitEthernet0/0/1
 description === INSIDE ===
 no ip address
 negotiation auto
 service instance 1 ethernet
  encapsulation dot1q 102
  bridge-domain 102
 !
 service instance 2 ethernet
  encapsulation dot1q 103
  bridge-domain 103
 !
 service instance 3 ethernet
  encapsulation dot1q 104
  bridge-domain 104
 !
end

interface BDI102
 mac-address 6c41.6ac8.903a
 ip vrf forwarding vrf_tenant1
 ip address 10.0.0.101 255.255.255.0
 encapsulation dot1Q 102
!
interface BDI103
 mac-address 6c41.6ac8.903b
 ip vrf forwarding vrf_tenant2
 ip address 10.0.0.102 255.255.255.0
 encapsulation dot1Q 103
!
interface BDI104
 mac-address 6c41.6ac8.903c
 ip vrf forwarding vrf_tenant3
 ip address 10.0.0.103 255.255.255.0
 encapsulation dot1Q 104
!

The above configuration works stably and suits my needs perfectly fine. It's already in production. BTW there are a few standard DOT1q subinterfaces on the same physical interface as well - no issues there either. So ASR1k proves quite flexible once more.

Hope this helps someone else.
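A sanity check for this BDI layout, added here as an example and not the poster's own code: it parses IOS-XE text for the service instance (EFP) to bridge-domain mapping and the BDI interfaces, then flags a BDI with no bridged VLAN, a dot1Q value that does not match its bridge-domain (an easy copy-paste slip with three near-identical BDIs), a missing mac-address (which would leave the BDI on the physical MAC, the original problem), or a MAC reused across BDIs. The sample config is constructed and assumes BDI numbers equal their bridge-domain IDs.

```python
import re
# Constructed sample in the thread's BDI layout (not the poster's config): BDI103
# repeats "dot1Q 102" and BDI102's MAC, BDI104 has no mac-address and no bridged EFP.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 service instance 1 ethernet
  encapsulation dot1q 102
  bridge-domain 102
 service instance 2 ethernet
  encapsulation dot1q 103
  bridge-domain 103
interface BDI102
 mac-address 6c41.6ac8.903a
 encapsulation dot1Q 102
interface BDI103
 mac-address 6c41.6ac8.903a
 encapsulation dot1Q 102
interface BDI104
"""

def parse_ios(text):
    # Returns ({bridge_domain: vlan}, {bdi_number: {"mac": ..., "encap": ...}})
    domains, bdis, cur, vlan = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"interface BDI(\d+)$", line)):
            cur = bdis.setdefault(int(m.group(1)), {})
        elif line.startswith("interface "):
            cur = None                      # physical port: only its EFPs matter
        elif (m := re.match(r"encapsulation dot1q (\d+)$", line, re.I)):
            vlan = int(m.group(1))          # EFP encap; its bridge-domain follows
            if cur is not None:
                cur["encap"] = vlan         # dot1Q typed on the BDI itself
        elif cur is None and (m := re.match(r"bridge-domain (\d+)$", line)):
            domains[int(m.group(1))] = vlan
        elif cur is not None and (m := re.match(r"mac-address (\S+)$", line)):
            cur["mac"] = m.group(1).lower()
    return domains, bdis

def lint_bdi_config(text):
    # Flags the slips this design is prone to; returns a list of findings
    (domains, bdis), findings, mac_owner = parse_ios(text), [], {}
    for num, bdi in sorted(bdis.items()):
        if num not in domains:
            findings.append(f"BDI{num}: no service instance feeds bridge-domain {num}")
        if bdi.get("encap", num) != num:
            findings.append(f"BDI{num}: dot1Q {bdi['encap']} != bridge-domain {num}")
        if "mac" not in bdi:
            findings.append(f"BDI{num}: no mac-address, inherits the physical MAC")
        elif mac_owner.setdefault(bdi["mac"], num) != num:
            findings.append(f"BDI{num}: mac {bdi['mac']} duplicates BDI{mac_owner[bdi['mac']]}")
    return findings
```

Run `lint_bdi_config(SAMPLE_CONFIG)` to see the four findings; a BDI block with its own MAC and a matching service instance produces none.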

Samuraiaryan
Level 1

Could you please post a diagram of the mentioned case? I know you got the solution and it's working; I suddenly bumped into this post and am trying to figure out what the case was exactly.
