[c-nsp] Multiple VRFs over site-to-site VPN? Possible?

Ge Moua moua0100 at umn.edu
Thu Feb 3 09:19:06 EST 2011


If there were ISRs on both ends then I'd just do vrf-aware IPSec and plumb 
L2TPv3 inside of this to transport the vlan; of course this doesn't 
answer the original question of doing this with ASA.

--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 02/03/2011 04:26 AM, John Kougoulos wrote:
>
> I believe that you can use ASA for the IPsec part and create GRE 
> tunnels between the PE and CE (one for each VRF). You would need 
> though something like ISR on both ends or switches that support GRE in 
> hardware, so 3560/3750 should change.
>
> Regards,
> John
>
> On Tue, 1 Feb 2011, Jeff Kell wrote:
>
>> Ran across a new requirement where we would like to extend our campus 
>> standard multi-VRF
>> "routed building" out to a remote site over the public Internet.
>>
>> Absent the ideal MPLS or multiple-vlan Metro-E, can you do this 
>> site-to-site over a pair
>> of ASAs?
>>
>> Ideally it would be something along the lines of:
>>
>> VRF A vlan 123-->
>> VRF B vlan 456-->(terminating on ---> Site ASA ----> Campus ASA ----> Campus PE (VRF A/B/C)
>> VRF C vlan 789-->  3560/3750 CE)
>>
>> Perhaps in simpler terms, bringing the 3 VRF vlans across the wire 
>> onto similar VRF
>> vlans on the campus side.
>>
>> On-campus we just run a dot1Q trunk with a vlan for each VRF from CE 
>> to PE.
>>
>> Can you trunk them into the ASA and do separate tunnels over the 
>> public IP endpoints,
>> dropping them on separate vlans on the other end?
>>
>> Without meshing the routing / crossing the streams with respect to 
>> the VRFs?
>>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
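
The GRE-per-VRF approach John Kougoulos describes in the quoted reply, sketched as IOS configuration for the site-side ISR. This is an added example, not configuration from any poster in the thread: the RD values, tunnel keys, loopback and tunnel addresses are constructed (documentation and private ranges), and only the VRF names A, B and C come from the original post.

```cisco
! Site-side ISR acting as CE (constructed example).
! The campus PE mirrors this with source/destination and tunnel IPs swapped.
ip vrf A
 rd 65000:1
ip vrf B
 rd 65000:2
ip vrf C
 rd 65000:3
!
! GRE endpoint lives in the global table; it is the only address
! that has to be reachable through the ASA-to-ASA IPsec tunnel.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! One GRE tunnel per VRF. The tunnel interface is placed in the VRF,
! while the GRE transport (source/destination) stays in the global table.
! Distinct tunnel keys let the far end tell apart tunnels that share
! the same source/destination pair.
interface Tunnel1
 description VRF A to campus PE
 ip vrf forwarding A
 ip address 10.255.1.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 tunnel key 1
!
interface Tunnel2
 description VRF B to campus PE
 ip vrf forwarding B
 ip address 10.255.2.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 tunnel key 2
!
interface Tunnel3
 description VRF C to campus PE
 ip vrf forwarding C
 ip address 10.255.3.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 tunnel key 3
```

With this layout the ASAs only need to encrypt GRE between the two loopback addresses; each VRF's routes are exchanged over its own tunnel, so the routing tables are never merged on the path across the Internet.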

