Re: sub-interfaces - VLAN - Multiple contexts.

Similar Messages

• 5540 and sub interfaces

  One of my client has a 5540 security appliance where I have configured DMZ and other few things . Currently it has 4 workable interfaces excluding management interface . 3 of them are used for data connectivity because 1 port is for failover .
  Now with 3 physical interface we have 4 zones using sub interfaces ( vlans ) . Recently there has been a change in network where they have introduced few other types of servers and now there is a request to make more zones
  Avaliable Data interfaces are 3
  Required Zones are 7
  Now this is possible using sub interfaces ( vlan ) but I want to know if this is a recommended solution to use subinterfaces at such large scale and dividing every possible interface . It is a company of 1000 users , other option could be to put an 4GE-SSM card but please let me know if the subinterfaces solution is recommended one for enterprizes ?

  Hello,
  Sub-interfaces will work fine for you, but just keep in mind that it is still a shared physical medium. Therefore, the sum of the aggregate traffic in all of the VLANs cannot exceed the capacity of the single physical interface. I would suggest ramping up the traffic slowly and monitoring for any performance issues, but otherwise you should be fine.
  -Mike

• Include multiple sub-interfaces in Cisco ASA for VPN tunnel

  I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
  Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
  Inside, int0/1 : 10.1.1.0/24
  DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
  Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
  Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
  And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
  So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
  Additional settings:
  Have ACL to allow all sub interfaces to access outsite ( lower security level)
  NAT rules is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLAN coun't access internet. 
  I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.

  I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
  Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
  Inside, int0/1 : 10.1.1.0/24
  DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
  Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
  Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
  And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
  So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
  Additional settings:
  Have ACL to allow all sub interfaces to access outsite ( lower security level)
  NAT rules is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLAN coun't access internet. 
  I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.

• The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?

  Hello
  I think the following topologies are supported for Cisco Routers
  And the Physical interface also can be using as Native VLAN interface right? 
  Topology 1.
   R1 Gi0.1 ------ IEEE802.1Q Tunneling  L2SW ------ Gi0 R2
  R1 - configuration
  interface GigabitEthernet0.1
   encapsulation dot1Q 1 native
   ip address 10.0.0.1 255.255.255.0
  Topology 2.
  R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
  interface GigabitEthernet0
  ip address 10.0.0.1 255.255.255.0
   And is it ok to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF etc?
  R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3 
        Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4  (same VLAN-ID) 
  R1 - configuration
  interface GigabitEthernet0
   ip address 10.0.0.1 255.255.255.0
  interface GigabitEthernet8.20
   encapsulation dot1Q 20
   ip address 20.0.0.1 255.255.255.0
  Any information is very appreciated. but if there is any CCO document please let me know.
  Thank you very much and regards,
  Masanobu Hiyoshi

  Hello,
  The diagram is helpful.
  If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
  Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
  Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
  Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
  My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
  Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
  I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
  Best regards,
  Peter

• Disable BFD in multiple Router Sub interfaces that participates in OSPF

  Hi team,
  Please help me on this. Here is the scenario:
  We are on an enterprise set up and running on 100+ routers.
  We have 200 to 300+ sub interfaces for virtual circuits
  Our protocol is OSPF over MPLS
  One of our provider in LA encountered link flaps on SONET causing our LA router that is directly connected to that link to recalculate multiple times.
  Recalculation of OSPF routes caused disconnection of users in LA VM's.
  We were advised by our provider in LA to disable BFD so minor link flaps will no affect recalculation of routes.
  We are now tasked by our design team to Disable BFD in multiple Router Sub interfaces that participates in OSPF.
  My questions are:
  What is the implication in disabling all BFD in routers' interface and sub interface?
  Will this improve recalculation of OSPF routes in cause of link flaps or it will totally ignore the link flaps?
  Will the routers only recognize a "full down" status of the interface?
  How can we Disable BFD in multiple Router Sub interfaces that participates in OSPF in a faster way? Or do we have to do this one by one?
  Please advise before we present this to the CAB and implementation. Thank you.

  My questions are:
  What is the implication in disabling all BFD in routers' interface and sub interface?
  Answer:  the implication would be eliminating sub-second millisecond convergence.
  BFD detect failure at the link layer very fast , once detected it informs the upper layer protocol about the failure causing it to converge immediately. 
  Will this improve recalculation of OSPF routes in cause of link flaps or it will totally ignore the link flaps?
  Answer: if your Provider experiencing intermittent flaps, then yes it will be advisable to turn BFD off. this however doesn't totally ignore the link flaps, once the upper protocol detect the failure based on the dead interval parameter on OSPF, it will recalculate OSPF routes again.  Keep in mind, if you have redundant or more links to your provider , then I wouldn't recommend disabling BFD , as it should improve Convergence and you shouldn't notice the failure. 
  Will the routers only recognize a "full down" status of the interface?
  Answer: disabling BFD allows the router recognize a full down status once the upper protocol dead interval occurs or full down status of interface. which ever occurs the earliest.
  How can we Disable BFD in multiple Router Sub interfaces that participates in OSPF in a faster way? Or do we have to do this one by one?
  You can disable it one by one. or if you have configuration management software, it allows you to do it for all nodes at a time. but this depends if you have it or not.
  Please consider not to disable BFD if you have multiple OSPF links towards your provider from any branch, as it shouldn't impact your VMs, it should rather improve Convergence at milliseconds which is absolutely not noticeable.
  BR,
  Mohamed 

• Are VPN Clients supported in multiple context mode?

  Hi,
  Recently our company has bought two Cisco ASA 5515-X firewalls for at our datacenter. I am new on configuring a Cisco ASA but sofar things are looking good. I have configured them both with HA (active/active) in multiple context mode. Currently they host two security contexts.
  I want to configure VPN Client functionallity for Remote Access. As far as I know they come with two user licenses. But there is no VPN Client wizard available and I can't find a way to enable it.
  - Is VPN Client supported in Multiple Context mode?
  - What is AnyWhere Essentials vs Premium Peers?
  Boudewijn
  Here is some additional output fromt he current configuration:
  Cisco Adaptive Security Appliance Software Version 9.1(2) <context>
  Device Manager Version 7.1(3)
  Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                               Boot microcode        : CNPx-MC-BOOT-2.00
                               SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020
                               IPSec microcode       : CNPx-MC-IPSEC-MAIN-0024
                               Number of accelerators: 1
  Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
  Licensed features for this platform:
  Maximum Physical Interfaces       : Unlimited      perpetual
  Maximum VLANs                     : 100            perpetual
  Inside Hosts                      : Unlimited      perpetual
  Failover                          : Active/Active  perpetual
  Encryption-DES                    : Enabled        perpetual
  Encryption-3DES-AES               : Enabled        perpetual
  Security Contexts                 : 2              perpetual
  GTP/GPRS                          : Disabled       perpetual
  AnyConnect Premium Peers          : 2              perpetual
  AnyConnect Essentials             : Disabled       perpetual
  Other VPN Peers                   : 250            perpetual
  Total VPN Peers                   : 250            perpetual
  Shared License                    : Disabled       perpetual
  AnyConnect for Mobile             : Disabled       perpetual
  AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  Advanced Endpoint Assessment      : Disabled       perpetual
  UC Phone Proxy Sessions           : 2              perpetual
  Total UC Proxy Sessions           : 2              perpetual
  Botnet Traffic Filter             : Disabled       perpetual
  Intercompany Media Engine         : Disabled       perpetual
  IPS Module                        : Disabled       perpetual
  Cluster                           : Disabled       perpetual
  This platform has an ASA 5515 Security Plus license.

  Hi,
  No form of VPN Client is supported when you are using an ASA in Multiple Context mode.
  The only type of VPN supported in the newer 9.x softwares is L2L VPN / Site to Site VPN
  This might answer the VPN Licensing related question
  http://packetpushers.net/cisco-asa-licensing-explained/
  I never seem to remember it exactly myself even.
  - Jouni

• Configure subinterfaces on a multiple context ASA.

  hello,
  i was just confuse. When do we need to configure subinterfaces on a multiple context ASA.
  thanks

  whenever you need to trunk to a switch and be able to have more than the limit of physical interfaces. For instance an ASA 5510 allows you to have 100 VLAN interfaces.
  Whenever you need to setup more than on DMZ.

• Cable Sub-Interface in VRF - DHCP Intermittent Problem

  I've configured multiple VRF's to support third party access to our cable infrastructure.
  Of the 15 CMTS' I have configured, all of them work fine except for one which happens to be a UBR10K running 12.2.15.BC1b. The other CMTS' (7200's and 7100's) are running fine with an older IOS revision but I need the latest IOS on the 10K to support VLAN sub-interfaces.
  The problem is occasionally, DHCP clients will obtain an IP address/netmask from within the proper VRF subnet, but the client is unreachable from the CMTS.
  If we disable the IP address in question from CNR and have the client renew their IP, service is restored.
  This is a big problem. Even though this only happens occasionally, when you have 8000+ users on a CMTS, 'occasionally' still works out to quite a few problem calls.
  Sub-interfaces set up to use static IP addressing on the client experience no problems.
  Any advice would be appreciated.
  = K

  More information may be require to understand the problem, mean while you can go through link :
  http://www.cisco.com/en/US/netsol/ns341/ns396/ns172/ns126/networking_solutions_design_guide_chapter09186a00800eeee8.html

• Asa 5505 sub interface plus ports

  I have never used 5505 I gave used higher firewalls and all of them can do sub interfaces normally we make sub interfaces and vlans are assigned to them I m trying to config 5505 can someone tell me how I can create sub interfaces ? As I saw few config and it seems that you config vlans like switch ??? Secondly all interfaces have to b part of vlan ? Ie outside which is g0/0 ....can I config it as normall routed port ?

  The 5505 is configured nearly the same a a L3-switch. You configure the Vlan-interfaces and assign these to your switch-ports. The switch ports can be configured as access- or as trunk-ports (if you have a SecPlus license).
  You find more on this topic on the Config-Guide:
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start_5505.html

• How to make ASR9000 bridge domain forward traffic between sub interfaces of same physical interface?

  Hi,
  I regularly use bridge domains to connect sub interfaces on different vlans using this sort of configuration:
  interface GigabitEthernet0/0/0/5.21 l2transport
  description CUSTOMER A WAN
  encapsulation dot1q 21
  rewrite ingress tag pop 1 symmetric
  interface GigabitEthernet0/0/0/10.3122 l2transport
  description CUSTOMER A CORE
  encapsulation dot1q 3122
  rewrite ingress tag pop 1 symmetric
  l2vpn
  bridge group WANLINKS
    bridge-domain CUSTOMERA
     interface GigabitEthernet0/0/0/5.21
     interface GigabitEthernet0/0/0/10.3122
  When I try to use the same method to bridge two sub interfaces on the same physical interface so as to create a L2 VPN no data flows:
  interface GigabitEthernet0/0/0/5.21 l2transport
  description CUSTOMER A WAN
  encapsulation dot1q 21
  rewrite ingress tag pop 1 symmetric
  interface GigabitEthernet0/0/0/5.22 l2transport
  description CUSTOMER A WAN2
  encapsulation dot1q 22
  rewrite ingress tag pop 1 symmetric
  l2vpn
  bridge group WANLINKS
    bridge-domain CUSTOMERA
     interface GigabitEthernet0/0/0/5.21
     interface GigabitEthernet0/0/0/5.22
  If I add a BVI interface to the bridge domain then the CE devices at the remote end of the WAN interface can both ping the BVI IP but they remain unable to ping each other.
  Is this because tag rewrites are not happening since packets don't leave the physical interface?
  How can I work around this and establish a L2 connection between the two subinterfaces?
  Thank you

  a vlan is usually the equivalent of an l3 subnet, so linking 2 vlans together in the same bridge domain, likely needs to come with some sort of routing (eg a BVI interface).
  If these 2 vlans are still in the same subnet, then there is still arp going on, from one host to the other that traverses the bD.
  you will need to verify the state of the AC, the forwarding in the BD and see if something gets dropped somewhere and follow the generic packet troubleshooting guides (see support forums for that also).
  that might give a hint to what the precise issue in your forwarding is.
  regards
  xander

• ASA5540 in multiple-context SNMP/icmp doesn´t work

  Hi there,
       I need some help in order to understante what´s going on with an asa540 configure in multiple-context mode.
       I Have a cacti server on my lan and now I´m try to monitoring the interface with snmp. When I try to get this information returns the error message:
       CISCOASA/CONTEXTA#
       JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
      JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
       If I try to ping returns the same error:
       CISCOASA/CONTEXTA#
       JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp  reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
      Following attached the conf of my asa
    My question is Why I can´t ping or even use snmp ???  
     If anyone could me help with a tip or a document about it ...
     My best regards
     Adriano    

  CISCOASA/CONTEXT# packet-tracer input inside icmp 10.132.0.25 8 0 10.6.72.2
  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 2
  Type: FLOW-LOOKUP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Found no matching flow, creating a new flow
  Phase: 3
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   10.6.72.2       255.255.255.255 identity
  Phase: 4
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   IP_SRV_HSLCACTIP01 255.255.255.255 inside
  Phase: 5
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  Phase: 6
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 9
  Type: FLOW-CREATION
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 453866627, packet dispatched to next module
  Phase: 10
  Type: ROUTE-LOOKUP
  Subtype: output and adjacency
  Result: ALLOW
  Config:
  Additional Information:
  found next-hop 0.0.0.0 using egress ifc identity
  adjacency Active
  next-hop mac address 0000.0000.0000 hits 22196
  Result:
  input-interface: inside
  input-status: up
  input-line-status: up
  output-interface: inside
  output-status: up
  output-line-status: up
  Action: allow
  Route information:
  route inside 10.132.0.0 255.255.252.0 10.6.72.1 1
  route inside IP_SRV_HSLCACTIP01 255.255.255.255 10.6.72.1 1
  CISCOASA/CONTEXT# sh route
  Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
         * - candidate default, U - per-user static route, o - ODR
         P - periodic downloaded static route
  Gateway of last resort is 200.206.50.233 to network 0.0.0.0
  C    200.206.50.232 255.255.255.248 is directly connected, outside
  S    10.132.0.0 255.255.252.0 [1/0] via 10.6.72.1, inside
  S    IP_SRV_HSLCACTIP01 255.255.255.255 [1/0] via 10.6.72.1, inside
  S*   0.0.0.0 0.0.0.0 [1/0] via 200.206.50.233, outside
  Regards,

• Remote Access VPN Support in Multiple Context Mode (9.1(2))?

  Hi Guys,
  I am currently running two Cisco ASA5520 (ASA Version: 9.1(2)) firewalls in Active/Standby failover and was contemplating the option of migrating my remote access VPN to these firewalls. However seeing that the new IOS now support mixed multiple context mode and dynamic routing. Is it safe to ask whether or not Remote Access VPN is now support in this IOS upgrade?
  Multiple Context Mode New Features:
  Site-to-Site VPN in multiple context mode | Site-to-site VPN tunnels are now supported in multiple context mode.
  New resource type for site-to-site VPN tunnels | New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
  Dynamic routing in Security Contexts | EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
  New resource type for routing table entries | A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
  Mixed firewall mode support in multiple context mode | You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent. You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
  Regards,
  Leon

  Hey Leon,
  According to the ASA 9.1 Configuration Guide, Remote Access VPN is not yet supported with version 9.1(2). Only Site-to-Site VPN support in multiple context was introduced with release ASA 9.0(x). This was mentioned in the 9.0(x) release notes.
  Regards,
  Dennis

• Explain about transparent mode, single mode, multiple context mode

  You can explain about the differents of transparent mode, single mode, multiple context mode in ASA 5500? Thank you very much.

  Great question. Hope the below helps:
  Transparent Mode: In this mode, the ASA will filter traffic without requiring L3 on the ASA. This means that in your config you will not put IPs on the interfaces to be used for traffic filtering. Thus, filtering is transparent to the traffic as the traffic isn't directly routed to the firewall. Think of it like you have a server plugged into a switch. In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.
  Single Mode: Default mode of an ASA. The ASA acts as a single firewall and all interfaces are provisioned to be managed through a single firewall configuration.
  Multiple Context Mode: The ASA is split into multiple virtual configurations. With the ASA now virtualized, you provision the physical interfaces on the ASA to the virtual firewall configured. Each context has it's own configuration seperate from the rest of the firewall. Multi-context is meant for enterprises to invest in a single piece of hardware and scale it for use as multiple security devices.
  Hope this helps. Let me know if you have anymore questions!
  -Mike
  http://cs-mars.blogspot.com

• SSLVPN/webvpn in multiple context mode?

  We already know that ASA 9.0 supports site-to-site VPN in multiple context mode. But remote access VPN isn't supported. Obviously, SSL-VPN is a very important feature for most multi-tenant deployment scenarios where each context acts as a border firewall towards the Internet for each tenant. The alternative to terminate all tenant remote-access VPNs in one context means that each tenant would have to be routable from the ASA, which of course isn't a reasonable requirement in most cases.
  So, what I'd like to do is to deploy an ASA cluster, and provide remote access VPNs for each tenant, where the connectivity for each remote access group can be addressed with whatever IP address space, and that goes into it's own VRF in the back-end.
  As far as I can tell, this isn't doable with the ASA, since multiple context mode prohibits the use of remote access VPN, and I can't think of any other work-around than either having individual firewalls running in single context mode for each tenant, or demand that all tenants are interoperable routing-wise and configure a separate ip address pool in a single context mode for each tenant.
  Essentially, there's no good way to implement this with multiple virtual firewalls, using cisco firewalls? Or am I missing something?

  If you set up a pair of single-context ASAs for VPN termination, configure a group policy per customer and use the 'Restrict access to VLAN' feature, you could separate customers' traffic and still just use one FW pair for all customers. This pair would connect to the same switch infrastructure as your multi-context edge firewall and thus allow a consolidated solution.
  Sent from Cisco Technical Support iPad App

• WLC 5508 , AP client dhcp address different from WLAN interface VLAN subnet?

  Hope the title makes sense, here's my situation: I have multiple businesses on 1 WLC 5508, there's a LAG to my core switch with seperate interfaces for each, broken up by vlans.
  My question is: if i have a WLAN setup to use interface "Company A" which is vlan 10 with an ip of 10.0.1.5 which then points to 10.0.1.10 for dhcp.
  Can the WLAN client connecting to the Company A WLAN use an IP in a different IP range?(192.168.1.10?) can the wlc route? from the perspective of the DHCP server where doers the request come from? (10.0.1.5?)
  Can the DHCP server 10.0.10.10 on vlan 10 respond back with and ip on a different subnet to assign to the client to use and still be fully fonctioning? would the default gateway for the client need to be 10.0.1.5?  So the clients ip would be 192.168.1.10 /24 with a gateway of 10.0.1.5 (ip adress fo vlan10 interface on WLC) And if multiple clients on the same subnet wanted to talk to each other woudl the WLC know how to route them to each other without passing through the default gateway?
  Sorry if this is confusing I'm having a bit of a hard time explaining it in works, i can try and draw somethign up if it makes more sense.
  thanks
  Eric

  I think if you want these clients to stick to a WLAN configured on a VLAN that has a different IP addressing you could configure your VLAN with the normal IP addressing then add on the SVI the 2nd IP_Class_default_gateway.
  E.G.
  Vlan 10
  interface vlan 10
  ip address 10.0.10.1 255.255.255.0
  ip address 192.168.1.1 255.255.255.0 secondary
  Clients that receive IP address from 192.168.1.0/24 network will be able to reach 192.168.1.1 and all traffic will pass right.