02-18-2015 08:34 AM - edited 03-07-2019 10:43 PM
Hi All,
We are testing a new design for our new Data Center refresh project. In my current LAB I have 1 Cisco 3750e Layer 3 switch, one ASA 5520.
The ASA and the Cisco 3750 connect on a stick. I am using transit VRFs to connect the two together. As my routing protocol I am using EIGRP to establish connection between the two. The reason I have VRFs on the L3 switch is because I want the switch to be the gateway for all workstations, and there are multiple zones so to say.
DMZ network - 172.16.0.0/23
Inside Network - 172.16.2.0/23
F5 Front Porch - 172.16.12.0/23
F5 Back porch (hosts behind the F5) - 172.16.13.0/24
I have attached a little diagram as well
Idea #1 behind all this is to have the DMZ and the Inside networks be able to get to one another by being inspected by the ASA. That works.
#2 is that all hosts behind the F5 can get to DMZ and Inside hosts the same way (being inspected by the ASA). That is also working.
And #3 is that DMZ and Inside hosts can get to the hosts behind the F5. That is NOT working.
As far as the configuration, here is what I have currently:
---- SWITCH ----
Switch1# sh run
Building configuration...
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
switch 1 provision ws-c3750x-48p
system mtu routing 1500
ip routing
!
ip vrf DMZ
description DMZ Users
!
ip vrf F5_Front
description Front-Porch-of-F5
!
ip vrf Inside
description Inside users
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface GigabitEthernet1/0/1
description To ASA
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 450-454
switchport mode trunk
!
interface GigabitEthernet1/0/2
description Uplink to F5
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 120,122
switchport mode trunk
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
description Uplink to Node-Behind-F5
switchport access vlan 122
switchport mode access
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/47
switchport access vlan 162
spanning-tree portfast
!
interface GigabitEthernet1/0/48
switchport access vlan 160
spanning-tree portfast
!
interface Vlan1
no ip address
!
!
interface Vlan120
ip vrf forwarding F5_Front
ip address 172.16.12.1 255.255.255.0
!
interface Vlan160
ip vrf forwarding DMZ
ip address 172.16.0.1 255.255.254.0
!
interface Vlan162
description Inside
ip vrf forwarding Inside
ip address 172.16.2.1 255.255.254.0
!
interface Vlan450
description VRF_DMZ_P2P
ip vrf forwarding DMZ
ip address 172.16.250.1 255.255.255.248
!
interface Vlan451
description VRF_Inside_P2P
ip vrf forwarding Inside
ip address 172.16.250.9 255.255.255.248
!
interface Vlan454
description P2P_F5_Front
ip vrf forwarding F5_Front
ip address 172.16.250.33 255.255.255.248
!
!
router eigrp 99
!
address-family ipv4 vrf DMZ autonomous-system 99
network 172.16.0.0 0.0.1.255
network 172.16.250.0 0.0.0.7
passive-interface default
no passive-interface Vlan450
eigrp router-id 172.16.250.1
exit-address-family
!
address-family ipv4 vrf Inside autonomous-system 99
network 172.16.2.0 0.0.1.255
network 172.16.250.8 0.0.0.7
passive-interface default
no passive-interface Vlan451
eigrp router-id 172.16.250.9
exit-address-family
!
address-family ipv4 vrf F5_Front autonomous-system 99
redistribute static
network 172.16.12.0 0.0.0.255
network 172.16.13.0 0.0.0.255
network 172.16.250.32 0.0.0.7
passive-interface default
no passive-interface Vlan454
eigrp router-id 172.16.250.33
exit-address-family
network 172.16.0.0
eigrp router-id 172.16.0.1
!
!
ip http server
ip http secure-server
!
ip route vrf F5_Front 172.16.13.0 255.255.255.0 172.16.12.3
!
!
!
!
!
line con 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
!
end
Switch1#
Switch1#sh ip route vrf DMZ
Routing Table: DMZ
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 8 subnets, 4 masks
C 172.16.0.0/23 is directly connected, Vlan160
L 172.16.0.1/32 is directly connected, Vlan160
D 172.16.2.0/23 [90/3328] via 172.16.250.2, 00:37:43, Vlan450
D 172.16.12.0/24 [90/3328] via 172.16.250.2, 00:37:42, Vlan450
C 172.16.250.0/29 is directly connected, Vlan450
L 172.16.250.1/32 is directly connected, Vlan450
D 172.16.250.8/29 [90/3072] via 172.16.250.2, 00:37:43, Vlan450
D 172.16.250.32/29 [90/3072] via 172.16.250.2, 00:37:43, Vlan450
Switch1#sh ip route vrf Inside
Routing Table: Inside
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 8 subnets, 4 masks
D 172.16.0.0/23 [90/3328] via 172.16.250.10, 00:37:49, Vlan451
C 172.16.2.0/23 is directly connected, Vlan162
L 172.16.2.1/32 is directly connected, Vlan162
D 172.16.12.0/24 [90/3328] via 172.16.250.10, 00:37:48, Vlan451
D 172.16.250.0/29 [90/3072] via 172.16.250.10, 00:37:49, Vlan451
C 172.16.250.8/29 is directly connected, Vlan451
L 172.16.250.9/32 is directly connected, Vlan451
D 172.16.250.32/29 [90/3072] via 172.16.250.10, 00:37:49, Vlan451
Switch1#sh ip route vrf F5_Front
Routing Table: F5_Front
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 9 subnets, 4 masks
D 172.16.0.0/23 [90/3328] via 172.16.250.34, 00:38:01, Vlan454
D 172.16.2.0/23 [90/3328] via 172.16.250.34, 00:38:01, Vlan454
C 172.16.12.0/24 is directly connected, Vlan120
L 172.16.12.1/32 is directly connected, Vlan120
S 172.16.13.0/24 [1/0] via 172.16.12.3
D 172.16.250.0/29 [90/3072] via 172.16.250.34, 00:38:01, Vlan454
D 172.16.250.8/29 [90/3072] via 172.16.250.34, 00:38:01, Vlan454
C 172.16.250.32/29 is directly connected, Vlan454
L 172.16.250.33/32 is directly connected, Vlan454
Switch1#
Switch1#sh ip eigrp vrf DMZ topology
EIGRP-IPv4 Topology Table for AS(99)/ID(172.16.250.1) VRF(DMZ)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 172.16.250.32/29, 1 successors, FD is 3072
via 172.16.250.2 (3072/2816), Vlan450
P 172.16.250.0/29, 1 successors, FD is 2816
via Connected, Vlan450
P 172.16.2.0/23, 1 successors, FD is 3328
via 172.16.250.2 (3328/3072), Vlan450
P 172.16.250.8/29, 1 successors, FD is 3072
via 172.16.250.2 (3072/2816), Vlan450
P 172.16.0.0/23, 1 successors, FD is 2816
via Connected, Vlan160
P 172.16.12.0/24, 1 successors, FD is 3328
via 172.16.250.2 (3328/3072), Vlan450
Switch1#sh ip eigrp vrf Inside topology
EIGRP-IPv4 Topology Table for AS(99)/ID(172.16.250.9) VRF(Inside)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 172.16.250.32/29, 1 successors, FD is 3072
via 172.16.250.10 (3072/2816), Vlan451
P 172.16.250.0/29, 1 successors, FD is 3072
via 172.16.250.10 (3072/2816), Vlan451
P 172.16.2.0/23, 1 successors, FD is 2816
via Connected, Vlan162
P 172.16.250.8/29, 1 successors, FD is 2816
via Connected, Vlan451
P 172.16.0.0/23, 1 successors, FD is 3328
via 172.16.250.10 (3328/3072), Vlan451
P 172.16.12.0/24, 1 successors, FD is 3328
via 172.16.250.10 (3328/3072), Vlan451
Switch1#
Switch1#sh ip eigrp vrf F5_Front topology
EIGRP-IPv4 Topology Table for AS(99)/ID(172.16.250.33) VRF(F5_Front)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 172.16.250.32/29, 1 successors, FD is 2816
via Connected, Vlan454
P 172.16.250.0/29, 1 successors, FD is 3072
via 172.16.250.34 (3072/2816), Vlan454
P 172.16.2.0/23, 1 successors, FD is 3328
via 172.16.250.34 (3328/3072), Vlan454
P 172.16.250.8/29, 1 successors, FD is 3072
via 172.16.250.34 (3072/2816), Vlan454
P 172.16.0.0/23, 1 successors, FD is 3328
via 172.16.250.34 (3328/3072), Vlan454
P 172.16.12.0/24, 1 successors, FD is 2816
via Connected, Vlan120
Switch1#
Switch1# sh ip eigrp vrf DMZ neighbors
EIGRP-IPv4 Neighbors for AS(99) VRF(DMZ)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.250.2 Vl450 11 00:39:57 1 100 0 93
Switch1#
Switch1# sh ip eigrp vrf Inside neighbors
EIGRP-IPv4 Neighbors for AS(99) VRF(Inside)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.250.10 Vl451 12 00:40:22 1 100 0 92
Switch1#
Switch1# sh ip eigrp vrf F5_Front neighbors
EIGRP-IPv4 Neighbors for AS(99) VRF(F5_Front)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.250.34 Vl454 11 00:40:35 1 100 0 94
Switch1#
---- ASA ----
ciscoasa# sh run
: Saved
:
ASA Version 9.1(2)
!
hostname ciscoasa
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
description N/A
speed 1000
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.450
description DMZ VRF Transit
vlan 450
nameif DMZ_P2P
security-level 80
ip address 172.16.250.2 255.255.255.248
!
interface GigabitEthernet0/0.451
description Inside VRF Transit
vlan 451
nameif Inside_P2P
security-level 100
ip address 172.16.250.10 255.255.255.248
!
interface GigabitEthernet0/0.454
vlan 454
nameif F5_Front
security-level 100
ip address 172.16.250.34 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DMZ
subnet 172.16.0.0 255.255.254.0
description 255.255.254.0
object network Inside
subnet 172.16.2.0 255.255.254.0
description 255.255.254.0
object network F5_Front
subnet 172.16.12.0 255.255.255.0
description Front Porch
object-group icmp-type DM_INLINE_ICMP_4
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
access-list Inside_access_in extended permit tcp host 172.16.2.3 host 172.16.13.10 eq 3389
access-list Inside_access_in extended permit tcp host 172.16.2.3 host 172.16.0.3 eq 3389
access-list Inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp host 172.16.0.3 host 172.16.13.10 eq 3389
access-list DMZ_access_in extended permit ip any any
access-list F5_Front_access_in extended permit tcp host 172.16.13.10 host 172.16.0.3 eq 3389
access-list F5_Front_access_in extended permit ip any any
access-list P2P_Transient_F5_Behind_access_in extended permit icmp any any time-exceeded
access-list P2P_Transient_F5_Behind_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu DMZ_P2P 1500
mtu Inside_P2P 1500
mtu VPN_DMZ_P2P 1500
mtu DD_P2P 1500
mtu F5_Front 1500
mtu MGMT 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 10 burst-size 5
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (F5_Front,Inside_P2P) source static F5_Front F5_Front destination static F5_Front F5_Front
nat (F5_Front,DMZ_P2P) source static F5_Front F5_Front destination static F5_Front F5_Front
access-group DMZ_access_in in interface DMZ_P2P
access-group Inside_access_in in interface Inside_P2P
access-group F5_Front_access_in in interface F5_Front
!
router eigrp 99
no auto-summary
eigrp router-id 172.18.36.3
network 172.16.250.0 255.255.255.248
network 172.16.250.8 255.255.255.248
network 172.16.250.32 255.255.255.248
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map Trace
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:181ea09181ebdcc95538aa0421ed7630
: end
ciscoasa#
ciscoasa# sh eigrp topology
EIGRP-IPv4 Topology Table for AS(99)/ID(172.18.36.3)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 172.16.250.0 255.255.255.248, 1 successors, FD is 2816
via Connected, GigabitEthernet0/0.450
P 172.16.250.8 255.255.255.248, 1 successors, FD is 2816
via Connected, GigabitEthernet0/0.451
P 172.16.250.32 255.255.255.248, 1 successors, FD is 2816
via Connected, GigabitEthernet0/0.454
P 172.16.12.0 255.255.255.0, 1 successors, FD is 3072
via 172.16.250.33 (3072/2816), GigabitEthernet0/0.454
P 172.16.0.0 255.255.254.0, 1 successors, FD is 3072
via 172.16.250.1 (3072/2816), GigabitEthernet0/0.450
P 172.16.2.0 255.255.254.0, 1 successors, FD is 3072
via 172.16.250.9 (3072/2816), GigabitEthernet0/0.451
ciscoasa#
ciscoasa# sh eigrp neighbors
EIGRP-IPv4 neighbors for process 99
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
2 172.16.250.33 Gi0/0.454 11 00:44:10 10 200 0 17
0 172.16.250.9 Gi0/0.451 14 00:44:11 13 200 0 22
1 172.16.250.1 Gi0/0.450 11 00:44:11 14 200 0 27
ciscoasa#
ciscoasa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 99.27.124.1 to network 0.0.0.0
C 1.1.1.0 255.255.252.0 is directly connected, outside
C 172.16.250.0 255.255.255.248 is directly connected, DMZ_P2P
C 172.16.250.8 255.255.255.248 is directly connected, Inside_P2P
C 172.16.250.16 255.255.255.248 is directly connected, VPN_DMZ_P2P
C 172.16.250.24 255.255.255.248 is directly connected, DD_P2P
C 172.16.250.32 255.255.255.248 is directly connected, F5_Front
D 172.16.12.0 255.255.255.0 [90/3072] via 172.16.250.33, 0:44:15, F5_Front
D 172.16.0.0 255.255.254.0 [90/3072] via 172.16.250.1, 0:44:16, DMZ_P2P
D 172.16.2.0 255.255.254.0 [90/3072] via 172.16.250.9, 0:44:16, Inside_P2P
C 172.18.36.0 255.255.255.0 is directly connected, MGMT
S 172.22.36.0 255.255.255.0 [1/0] via 172.18.36.1, MGMT
d* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.1, outside
ciscoasa#
----------- END ---------
When I do a traceroute from DMZ network (workstation 172.16.0.3) to Host behind the F5 172.16.13.10 my traceroute dies at the gateway of the Workstation 172.16.0.1.
I have never attempted this VRF design with EIGRP and a device that is not supporting EIGRP, in my case the F5 load balancer.
All traffic from DMZ and Inside network should be forced to 172.16.12.3 which is the F5 Front side. From there the F5 knows how to handle that traffic.
My packets are not getting out of the gateway so it never reaches the Front of the F5.
What am I missing here? Is this even possible?
Thanks in Advance
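As an added example (not part of the original post and not the thread's solution): a longest-prefix-match lookup over route lines copied from the outputs above, showing where a packet for 172.16.13.10 goes in each table. The `TABLES` layout and function names are this example's own; /32 local routes and other entries that cannot match the tested destinations are left out.

```python
import ipaddress
import re

# Route lines copied from "sh ip route vrf ..." (switch) and "sh route" (ASA)
# in the post above; trimmed to entries relevant to the lookups below.
TABLES = {
    "DMZ": """172.16.0.0/16 is variably subnetted, 8 subnets, 4 masks
C 172.16.0.0/23 is directly connected, Vlan160
D 172.16.2.0/23 [90/3328] via 172.16.250.2, 00:37:43, Vlan450
D 172.16.12.0/24 [90/3328] via 172.16.250.2, 00:37:42, Vlan450
C 172.16.250.0/29 is directly connected, Vlan450
""",
    "F5_Front": """D 172.16.0.0/23 [90/3328] via 172.16.250.34, 00:38:01, Vlan454
D 172.16.2.0/23 [90/3328] via 172.16.250.34, 00:38:01, Vlan454
C 172.16.12.0/24 is directly connected, Vlan120
S 172.16.13.0/24 [1/0] via 172.16.12.3
C 172.16.250.32/29 is directly connected, Vlan454
""",
    "ASA": """C 172.16.250.32 255.255.255.248 is directly connected, F5_Front
D 172.16.12.0 255.255.255.0 [90/3072] via 172.16.250.33, 0:44:15, F5_Front
D 172.16.0.0 255.255.254.0 [90/3072] via 172.16.250.1, 0:44:16, DMZ_P2P
D 172.16.2.0 255.255.254.0 [90/3072] via 172.16.250.9, 0:44:16, Inside_P2P
d* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.1, outside
""",
}

# Route code, then either "a.b.c.d/len" (IOS) or "a.b.c.d mask" (ASA).
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*]+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)"
    r"(?:/(?P<len>\d+)|\s+(?P<mask>\d+\.\d+\.\d+\.\d+))\s+(?P<rest>.*)$"
)


def parse_table(text):
    """Return (network, code, next_hop) tuples; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # e.g. "172.16.0.0/16 is variably subnetted, ..."
        net = ipaddress.ip_network(f"{m['net']}/{m['len'] or m['mask']}")
        hop = re.search(r"via (\d+\.\d+\.\d+\.\d+)", m["rest"])
        routes.append((net, m["code"], hop.group(1) if hop else "connected"))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; None means the table has no route at all."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def trace(dst):
    """Best route for dst in every table, keyed by table name."""
    return {name: lookup(parse_table(t), dst) for name, t in TABLES.items()}


if __name__ == "__main__":
    for name, route in trace("172.16.13.10").items():
        print(f"{name:9} -> {route if route else 'no route'}")
```

For 172.16.13.10 the DMZ table returns no route, which is consistent with the traceroute stopping at 172.16.0.1, and the ASA matches only its default route toward `outside`. Only the F5_Front VRF holds the static route via 172.16.12.3.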
02-18-2015 12:48 PM
Kemal
Just out of interest, when you say it did not work well, what happened and are you seeing the same symptoms now?
I only ask as you have used a bandwidth of 56 in your metric which is very low considering everything is gigabit within your LAN.
Even though you have used subinterfaces on the ASA that is still low.
Jon
02-18-2015 12:56 PM
Jon,
When I said it didn't work I was referring to the following config:
access-list 10 permit 172.16.13.0 0.0.0.255 log
!
route-map STATIC permit 10
match ip address 10
set metric 56 100 255 1 1500
set tag 2
address-family ipv4 vrf F5_Front autonomous-system 1
redistribute static route-map STATIC
The symptoms I was seeing were the same, I was not able to get behind the F5 from DMZ or Inside. I did make some changes now that I think about it to the F5 and the routing on the switch. I wonder if it would work now...
I agree the metric on that should be way higher 1000
02-18-2015 01:01 PM
Ahh okay, thanks for clarifying that.
Jon
02-18-2015 01:11 PM
Kemal
Sorry to keep posting and please feel free to ignore the suggestion but would it not simplify your configuration without the P2P VRFs ie. why can't you just not have SVIs on the 3750 for these vlans and simply use the ASA subinterfaces as the routed interfaces.
You would only need SVIs on the 3750 if you had multiple vlans in the same VRFs but you don't.
Well you do but only because of the P2P VRFs which aren't really needed.
You also wouldn't then need EIGRP at all because everything would be directly connected on the ASA except the 172.16.13.0/24 subnet which you would still need a static route for on the ASA.
You may have a reason so please feel free to ignore.
Jon
02-18-2015 01:24 PM
02-18-2015 02:07 PM
Kemal
If you intend to have multiple vlans using the same VRF on the Nexus switches then no, you aren't overcomplicating it at all.
It was simply from your lab you only really had one vlan per VRF (apart from the P2P VRFs obviously) which is why I couldn't see what you were gaining from the way you had it and having to run EIGRP.
But yes from your description of what you are going to have in production your design makes perfect sense.
Jon
02-18-2015 02:10 PM
Hi Jon,
Good to hear that I am not over-complicating this :)
Thank you again for your help
Kemal