[c-nsp] special routing (vrf?) with Cisco 3825

Stig Johansen stig.johansen at ementor.no
Thu Jul 31 06:59:03 EDT 2008


Hi there,

Here are two different solutions to this (there may be more):
1) Request four different VPNs from the SP and terminate them in four different VRFs on the central CE router. Forward them on four different VLANs/interfaces towards the firewall, which has to have four different interfaces to accept these. This way there will be "absolute" separation all the way up to the firewall.
2) Run policy-based routing (PBR) on the central CE router and forward all incoming packets from the MPLS VPN directly to the firewall. Ordinary routing decisions should only occur on traffic coming *from* the firewall and into the MPLS VPN. Be aware of any limitations concerning PIX/ASA/FWSMs in this configuration. The default ASA (Adaptive Security Algorithm) config doesn't allow routing packets out the same interface they arrived on.

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Horváth Szabolcs
Sent: 31 July 2008 11:36
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] special routing (vrf?) with Cisco 3825

Hello,

We'd like to set up a special routing between remote sites.

The network looks like the following:

   <Site #1 LAN>        <Site #2 LAN>       <Site #3 LAN>
         |                    |                   |
   <  Site #1  >        <  Site #2  >       <  Site #3  >
   < CE router >        < CE router >       < CE router >
         |                    |                   |
         |                    |                   |
    /---------------------------------------------------\
    |                                                   |
    |          Service Provider's MPLS backbone         |
    |                                                   |
    \---------------------------------------------------/
                              |
                              |
                       < Central Site >
                       <   CE router  >
                              |
                       <   Firewall   >
                              |
                       < Central LAN  >


We have 4 sites over an IP VPN. All traffic is routed through the central CE router (the network is configured in "hub & spoke" mode).
Direct traffic between sites is not allowed, only through the central CE router.

In addition, we have to pass any traffic going to or coming from "Site #3" through the "Firewall".

1. So the route from site #1 to site #3 should look like: 

 Site #1 LAN ---> Site #1 CE router ---> SP network ---> Central CE router ---> Firewall ---> Central CE router ---> 
   SP network ---> Site #3 CE router ---> Site #3 LAN

2. The route from site #3 to site #2 should look like:
 
 Site #3 LAN ---> Site #3 CE router ---> SP network ---> Central CE router ---> Firewall ---> Central CE router --->
   SP network ---> Site #2 CE router ---> Site #2 LAN


The Central CE router is Cisco 3825.

Can this idea be achieved with current Cisco technologies?
If yes, what is this technology called? I've read about VRF; it might help, but I'm not sure.
Could you please point out the main steps to configure this?

I have a few years of Cisco experience, mostly with LAN, but I have never ever used complex routing stuff like this.
I just need minimal info to start and I'll try to implement it. As a first step, I'm just curious whether this can be done or whether you know a better solution for this job.

Thanks in advance,
Szabolcs Horvath
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
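As an added example (not part of either message in this thread): a Cisco IOS sketch of both options from Stig's reply, applied to the topology in the original question. Interface names, VLAN tags, the RD and every address are assumptions: the site LANs are taken as 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16, the central LAN as 10.100.0.0/16, the PE as 10.0.0.1 and the firewall's outside address as 192.168.255.2. In option 2 the policy only diverts flows to or from Site #3, which is what the question asks for; the reply's "forward all incoming packets" variant is the same route-map with an ACL of `permit ip any any`.

```cisco
! ---- Option 2: PBR on the central CE (Cisco 3825) ----
! Added example; all names and addresses are assumptions.
interface GigabitEthernet0/0
 description To SP PE (MPLS VPN, hub side) - PBR applies only to packets arriving here
 ip address 10.0.0.2 255.255.255.252
 ip policy route-map VPN-TO-FW
!
interface GigabitEthernet0/1
 description To firewall outside interface - no PBR, normal routing
 ip address 192.168.255.1 255.255.255.252
!
! Only flows to or from Site #3 are diverted; anything else falls through
! the route-map (implicit deny) and is routed normally.
ip access-list extended SITE3-FLOWS
 permit ip any 10.3.0.0 0.0.255.255
 permit ip 10.3.0.0 0.0.255.255 any
!
route-map VPN-TO-FW permit 10
 match ip address SITE3-FLOWS
 set ip next-hop 192.168.255.2
!
! Ordinary routing: sites via the PE, central LAN via the firewall.
! Packets coming back from the firewall on Gi0/1 follow these routes to the PE.
ip route 10.1.0.0 255.255.0.0 10.0.0.1
ip route 10.2.0.0 255.255.0.0 10.0.0.1
ip route 10.3.0.0 255.255.0.0 10.0.0.1
ip route 10.100.0.0 255.255.0.0 192.168.255.2
!
! ---- Firewall side (ASA): the caveat from the reply ----
! Site #1 -> Site #3 packets arrive on "outside" and must leave on "outside".
! By default the ASA drops such hairpinned traffic; allow it explicitly.
same-security-traffic permit intra-interface
route outside 10.1.0.0 255.255.0.0 192.168.255.1
route outside 10.2.0.0 255.255.0.0 192.168.255.1
route outside 10.3.0.0 255.255.0.0 192.168.255.1
!
! ---- Option 1: one VRF per SP VPN on the central CE (VRF-lite) ----
! Assumes the SP hands the four VPNs to the CE as 802.1Q tags 101-104 on Gi0/0
! and the firewall's four interfaces are reached via tags 201-204 on Gi0/1.
! Only VRF SITE3 is shown; SITE1, SITE2 and CENTRAL follow the same pattern.
ip vrf SITE3
 rd 65000:3
!
interface GigabitEthernet0/0.103
 encapsulation dot1Q 103
 ip vrf forwarding SITE3
 ip address 10.0.3.2 255.255.255.252
!
interface GigabitEthernet0/1.203
 encapsulation dot1Q 203
 ip vrf forwarding SITE3
 ip address 192.168.203.1 255.255.255.252
!
! Inside the VRF the only exits are the PE (for Site #3 itself) and the
! firewall (for everything else): Site #3 packets cannot reach another VRF
! except through the firewall, which is the "absolute separation" of the reply.
ip route vrf SITE3 10.3.0.0 255.255.0.0 10.0.3.1
ip route vrf SITE3 0.0.0.0 0.0.0.0 192.168.203.2
```

In option 2 both directions of a Site #3 flow enter on Gi0/0 and are policy-routed, so the firewall sees both directions of each connection; traffic returning from the firewall on Gi0/1 is not policy-routed and follows the routing table back to the PE. On the ASA, `same-security-traffic permit intra-interface` only lifts the hairpin restriction; the access policy on `outside` still applies to the diverted traffic. Option 1 puts every site into its own VRF, so all inter-site traffic crosses the firewall, not just Site #3's. On the 3825, `show ip policy` and `show route-map VPN-TO-FW` (the match counters) confirm the policy is applied and hit, and `show ip route vrf SITE3` checks the per-VRF table for option 1.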