[c-nsp] Multiple VRFs over site-to-site VPN? Possible?
Ge Moua
moua0100 at umn.edu
Thu Feb 3 09:19:06 EST 2011
If there were an ISR on both ends then I'd just do vrf-aware IPSec and plumb
L2TPv3 inside of this to transport the vlan; of course this doesn't
answer the original question of doing this with ASA.
--
Regards,
Ge Moua
Network Design Engineer
University of Minnesota | OIT - NTS
--
On 02/03/2011 04:26 AM, John Kougoulos wrote:
>
> I believe that you can use ASA for the IPsec part and create GRE
> tunnels between the PE and CE (one for each VRF). You would need
> though something like ISR on both ends or switches that support GRE in
> hardware, so 3560/3750 should change.
>
> Regards,
> John
>
> On Tue, 1 Feb 2011, Jeff Kell wrote:
>
>> Ran across a new requirement where we would like to extend our campus
>> standard multi-VRF
>> "routed building" out to a remote site over the public Internet.
>>
>> Absent the ideal MPLS or multiple-vlan Metro-E, can you do this
>> site-to-site over a pair
>> of ASAs?
>>
>> Ideally it would be something along the lines of:
>>
>> VRF A vlan 123-->
>> VRF B vlan 456-->(terminating on ---> Site ASA ----> Campus ASA ----> Campus PE (VRF A/B/C)
>> VRF C vlan 789--> 3560/3750 CE)
>>
>> Perhaps in simpler terms, bringing the 3 VRF vlans across the wire
>> onto similar VRF
>> vlans on the campus side.
>>
>> On-campus we just run a dot1Q trunk with a vlan for each VRF from CE
>> to PE.
>>
>> Can you trunk them into the ASA and do separate tunnels over the
>> public IP endpoints,
>> dropping them on separate vlans on the other end?
>>
>> Without meshing the routing / crossing the streams with respect to
>> the VRFs?
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/