[c-nsp] VRF-Lite Question

Ray Burkholder ray at oneunified.net
Sun Feb 11 16:34:46 EST 2007 

Can you be more specific.  The answer might have to do with:
  * MPLS labels or it might have to with 
  * PIX Contexts or it might have to with 
  * further use of GRE tunnels or it might have to with 
  * inter-vrf static routes, or.... 
 
I picked up a lot of my inspiration through Cisco's two volume set:  MPLS
and VPN Architectures (mostly in the second volume)


  _____  

From: Shakeel Ahmad [mailto:shakeelahmad at gmail.com] 
Sent: Sunday, February 11, 2007 17:07
To: Ray Burkholder
Cc: [c-nsp]
Subject: Re: [c-nsp] VRF-Lite Question


Thanks, one more question,
 
In VRF-Lite, there's a case when 2 VRF Interfaced need to route traffic on a
single interface outside - how can the outside interface be part of two VRF.
What community should be exported or imported in which VRF. 
 
thanks,
SA

 
On 2/11/07, Ray Burkholder <ray at oneunified.net> wrote: 

I did a sample vrf config here:
http://www.oneunified.net/blog/Cisco/vrflite.article
<http://www.oneunified.net/blog/Cisco/vrflite.article> 

A couple of points:
A) I used GRE tunnels with the end points in the global routing table and
the tunnel content in a separate vrf (keeps routing out of core as you
required) when crossing routed boundaries, say between buildings and such 
where I use routed ports rather than trunked ports
B) Latest PIX's are vrf aware.  You should be able to do a search on Cisco
for these types of configs.  It is also known as  acontext-aware PIX config.


That is vrf's in a nutshell.  If anything is still unclear, I can fill in
the details.

Ray.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
<mailto:cisco-nsp-bounces at puck.nether.net> 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Shakeel Ahmad
> Sent: Sunday, February 11, 2007 10:50
> To: [c-nsp]
> Subject: [c-nsp] VRF-Lite Question 
>
> Hello,
>
> I am in middle of solving a puzzle and needed advice from you
> guyz...thanks in advance...
>
> Diagram: *http://tinyurl.com/37fho6*  <http://tinyurl.com/37fho6*> 
> (A must see or question will be confusing)
>
> a client is following this topology and now wants to enable
> wireless access to all the users in all 3 buildings.
> Requirement is to use the physical 2950's in the building 
> which are connected to 3550's which are connected at
> L3 to the core 4507R. VLANs are not spanned out of one single
> building - major requirement is to terminate the wireless
> users directly on a Virtual/Physical interface on PIX 
> firewall while using the same infrastructure (without adding
> any extra hardware except wireless access points - LinkSys).
> Client do not want wireless users to share the routing table
> on core due to security reasons. 
>
> As PIX is involved GRE is out of question - My immeidate
> suggestion would be VRF-Lite but i am confused here, how will
> PIX act as CE and if we see the VRF path it's of only two
> hops 3550 (L3) -> 4507R (L3). besides 4057R & PIX are located 
> in a seperate building via fiber.
>
> any suggestion or possible solution will be appreciated.
>
> thanks,
> SA
> _______________________________________________
> cisco-nsp mailing list   cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> --
> Scanned for viruses and dangerous content at
> http://www.oneunified.net and is believed to be clean. 
>
>


--
Scanned for viruses and dangerous content at
http://www.oneunified.net and is believed to be clean.





-- 
Scanned for viruses & dangerous content at One  <http://www.oneunified.net>
Unified and is believed to be clean. 


-- 
Scanned for viruses and dangerous content at 
http://www.oneunified.net and is believed to be clean.

More information about the cisco-nsp mailing list