[c-nsp] Multiple VRFs over site-to-site VPN? Possible?

John Kougoulos koug at intracom.gr
Thu Feb 3 05:26:51 EST 2011


I believe that you can use the ASA for the IPsec part and create GRE tunnels 
between the PE and CE (one for each VRF). You would need, though, something 
like an ISR on both ends or switches that support GRE in hardware, so the 
3560/3750 should change.

Regards,
John

On Tue, 1 Feb 2011, Jeff Kell wrote:

> Ran across a new requirement where we would like to extend our campus standard multi-VRF
> "routed building" out to a remote site over the public Internet.
>
> Absent the ideal MPLS or multiple-vlan Metro-E, can you do this site-to-site over a pair
> of ASAs?
>
> Ideally it would be something along the lines of:
>
> VRF A vlan 123-->
> VRF B vlan 456-->(terminating on ---> Site ASA ----> Campus ASA ----> Campus PE (VRF A/B/C)
> VRF C vlan 789-->  3560/3750 CE)
>
> Perhaps in simpler terms, bringing the 3 VRF vlans across the wire onto similar VRF
> vlans on the campus side.
>
> On-campus we just run a dot1Q trunk with a vlan for each VRF from CE to PE.
>
> Can you trunk them into the ASA and do separate tunnels over the public IP endpoints,
> dropping them on separate vlans on the other end?
>
> Without meshing the routing / crossing the streams with respect to the VRFs?
>
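
The layout suggested in the reply above (one GRE tunnel per VRF, with the ASA pair encrypting only the GRE flow), sketched as an added example that is not configuration from either poster. The VLAN numbers come from the question; every address, RD, tunnel key, interface name and ACL/crypto-map name is a constructed assumption.

```cisco
! --- Remote-site CE (ISR-class router); all values below are constructed ---
ip vrf A
 rd 65000:123
ip vrf B
 rd 65000:456
ip vrf C
 rd 65000:789
!
! Tunnel endpoint stays in the global table; only this address crosses the ASAs.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! One dot1Q subinterface per VRF toward the building (456 and 789 follow the same pattern).
interface GigabitEthernet0/1.123
 encapsulation dot1Q 123
 ip vrf forwarding A
 ip address 10.123.0.1 255.255.255.0
!
! One GRE tunnel per VRF. "ip vrf forwarding" must be entered before "ip address".
! Tunnels that share a source/destination pair need distinct tunnel keys.
interface Tunnel123
 ip vrf forwarding A
 ip address 10.255.123.2 255.255.255.252
 ip mtu 1400
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 tunnel key 123
!
interface Tunnel456
 ip vrf forwarding B
 ip address 10.255.45.2 255.255.255.252
 ip mtu 1400
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 tunnel key 456
!
! Per-VRF routing uses only that VRF's tunnel, so the VRFs never share a table.
ip route vrf A 0.0.0.0 0.0.0.0 Tunnel123 10.255.123.1
ip route vrf B 0.0.0.0 0.0.0.0 Tunnel456 10.255.45.1
! Global route to the campus PE loopback via the site ASA inside address.
ip route 192.0.2.2 255.255.255.255 10.0.0.1
!
! --- Site ASA: interesting traffic is only GRE between the two loopbacks ---
access-list S2S-GRE extended permit gre host 192.0.2.1 host 192.0.2.2
crypto map OUTSIDE_MAP 10 match address S2S-GRE
```

The campus PE mirrors the tunnel interfaces with the same keys, and the ASAs never see the per-VRF prefixes, so they cannot route between VRFs.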

