Solved: Hi,Each ASA context/VRF is a

babai1981 · ‎11-22-2014

Hi

Could you please help me understand Multi VRF CE with Content Filtering using Cisco ASA Multiple Context. I am looking for a sample config on how to achieve this.

PE ---> Vrf Lite CE Switch with svi --> Uplink Vlan

|

Multi Context ASA filtering VRFs to Uplink Vlan

Thanks

Reza Sharifi · ‎11-22-2014

Hi,

Each ASA context/VRF is a separate instance. If for example you have 2 vlans and one vlan is in one context and the other vlan is in a different context, these vlans can't talk to each other. Think of each context being a separate ASA. Context provide logical separation.

HTH

View solution in original post

Reza Sharifi · ‎11-22-2014

Hi,

Each ASA context/VRF is a separate instance. If for example you have 2 vlans and one vlan is in one context and the other vlan is in a different context, these vlans can't talk to each other. Think of each context being a separate ASA. Context provide logical separation.

HTH

babai1981 · ‎11-22-2014

Thanks Reza. So how would the switch config look especially the interface connecting to the firewall.

Could you please share a sample config so that I can understand how the switch config is performed.

Reza Sharifi · ‎11-22-2014

Hi,

Is the switch going to have multiple VRFs as well or just the firewall? If so what type of switch is that and do you have the proper image/license for that switch to do VRFs?

if the switch is ready to do VRF than you create an SVI and add it to the proper VRF. Than you create a second and thired and so on SVIs and add them to the proper VRFs. You would need the same thing on the firewall.

Can you explain what you are trying to do?

Also if you can post a diagram of your network it would be very helpful.

HTH

babai1981 · ‎11-22-2014

Hi Reza

Yes the Switch would be the VRF Lite CE. I understand the SVI and adding the VRF but how can I ensure that the inter vlan routing is done by the multi context ASA.

What would the config on switch port going to the asa.

Thanks

Reza Sharifi · ‎11-22-2014

The question is, what is that you are trying to accomplish? If you are planning to put vlan 10 in vrf test10 and vlan20 in vrf test20 than these vlans can't communicate with each other. If you want them to communicate than put both in the same vrf.

The purpose vrf is to separate organizations from each other and provide path isolation. If this is not the goal, you don't need vrfs. If you don't have clear goals, it can get very messy.

HTH

babai1981 · ‎11-22-2014

Hi Reza

Thanks for your response. I am trying to filter the VRFs coming onto the CE Switch (VRF Lite) before it enters the Uplink Vlan. So as an example the PE Router will have multiple vrfs coming to vrf lite ce switch where each vrfs would have an svi created and i want to run ospf instances as well. But i am thinking before it goes beyond I want to control the vrf traffic using a multi context firewall where each vrf would be on a separate context which would then be filtered to the outside interface of the firewall(uplink vlan).

I am just creating a test lab based on the cisco best practice design guide for vrf lite ce only for my understanding.

So I am thinking if I use an access port for every vrf (vlan) and map the the connecting port of the firewall to a context. But then I thought if it finds an SVI for the uplink vlan on the switch it would bypass the firewall rather than going through it. So I was trying to find a way how I can direct it to the firewall interface address from that switch for all traffic for a specific vrf.

Thanks

Multi VRF Lite CE with Multi Context ASA