[c-nsp] Multiple VRFs over site-to-site VPN? Possible?

John Kougoulos koug at intracom.gr
Thu Feb 3 10:19:32 EST 2011


Hello,

On Thu, 3 Feb 2011, Ge Moua wrote:

> If there were ISR on both ends then I'd just do vrf-aware IPSec and plumb 
> L2TPv3 inside of this to transport the vlan; of course this doesn't answer 
> the original question of doing this with ASA

>> 
>> I believe that you can use ASA for the IPsec part and create GRE tunnels 
>> between the PE and CE (one for each VRF). You would need though something 
>> like ISR on both ends or switches that support GRE in hardware, so 
>> 3560/3750 should change.
>>

I agree with you, it's just another option. GRE would give the ability to 
use e.g. 65xx as PE and also use e.g. "ip tcp adjust-mss" on the Tunnel 
interface, I don't know how this is handled with L2TPv3.

Of course I've assumed that the CE routes the VLANs on each VRF at the 
remote site...

Regards,
John

