ZBFW design with vrf

Similar Messages

• Transparent design with router on both sides?

  I am looking to solve a design which has to work in two scenarios. Preferably with an in-line solution.
  1. Transparent design with VRF on both sides:
  FW-VRF (Subnet A)
        |
        | (VLAN 11)      | ACE (Subnet A)
        |
        | (VLAN 12)
        |
  LAN-VRF
        |
        |  (VLAN 13)
        |
  Real servers (Subnet B)
  2. Transparent design in plain bridge mode
  FW-VRF (Subnet A)
        |
        | (VLAN 11)      |
     ACE (Subnet A)
        |
        | (VLAN 12)
        |
  Real servers (Subnet A)
  As mentioned, I am aiming for a single design for both scenarios. A routed design will not pass in the first scenario and a one-arm solution will be inefficient in the second scenario. (both due to existing infrastructure) Is it possible to solve this with a transparent solution in both scenarios? I can't seem to get it to work.
  Thanks in advance for any help!

  I'm gonna expand my question a bit as I can not seem to get a working config in scenario 1. From the ACE I can ping the VRFs on both side of the ACE. I can on the other hand not ping neither the bvi-address of the ACE nor one VRF from the other. Can anyone notice any immediate errors in my config? Thanks in advance for any help!
  Addresses:
  10.3.66.1 - FW_VRF on client side
  10.3.66.6 - LAN_VRF on server side
  10.3.66.7 - BVI if on ACE
  ===Admin===
  resource-class TEST_res
  limit-resource all minimum 10.00 maximum unlimited
  boot system image:c4710ace-mz.A3_2_0.bin
  hostname 4710Appl
  interface gigabitEthernet 1/1
  description Management port
  switchport access vlan 752
  no shutdown
  interface gigabitEthernet 1/2
  description Client side LAN
  switchport trunk allowed vlan 2522
  no shutdown
  interface gigabitEthernet 1/3
  description Server side LAN
  switchport trunk allowed vlan 2524
  no shutdown
  interface gigabitEthernet 1/4
  shutdown
  access-list BPDU ethertype permit bpdu
  access-list ALL line 8 extended permit ip any any
  access-list everyone line 8 extended permit ip any any
  access-list everyone line 16 extended permit icmp any any
  class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  2 match protocol ssh any
  3 match protocol icmp any
  4 match protocol snmp any
  policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
  permit
  interface vlan 752
  description Management VLAN
  ip address 10.7.52.63 255.255.255.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
  ip route 0.0.0.0 0.0.0.0 10.3.66.1
  context TEST_context
  allocate-interface vlan 752
  allocate-interface vlan 2522
  allocate-interface vlan 2524
  member TEST_res
  context TEST_context_routed
  username admin password 5 $1$bale5EiS$bEdquz.bbcW3wRcfeSzbu/  role Admin domain
  default-domain
  username www password 5 $1$bsOdgxav$1uywtkwFEj3QalKaOTrkZ1  role Admin domain de
  fault-domain
  ssh key rsa 1024 force
  ===Application context===
  access-list ALL line 8 extended permit ip any any
  access-list ALL line 16 extended permit icmp any any
  class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  2 match protocol ssh any
  3 match protocol icmp any
  policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
  permit
  interface vlan 752
  ip address 10.7.52.64 255.255.255.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
  interface vlan 2522
  description Client side VLAN
  bridge-group 1
  access-group input ALL
  access-group output ALL
  no shutdown
  interface vlan 2524
  description Server side VLAN
  bridge-group 1
  access-group input ALL
  access-group output ALL
  no shutdown
  interface bvi 1
  ip address 10.3.66.7 255.255.255.240
  no shutdown
  ip route 0.0.0.0 0.0.0.0 10.3.66.1

• Native Multi-VRF-Lite Design with EIGRP Question

  Hello,
  we think about to implement a VRF-Lite design (no MPLS and MBGP) in our campus network (10,000 ports, 20x 6500Sup720, 400x L2-Switches). MPLS is from our point of view oversized for our requirements. We need only a segmentation from different departments. Our IGP is eigrp.
  In the latest IOS-Release for the cat6500 (12.2.18SXD) is finally a VRF-Lite support for EIGRP inside.
  We could test successful a design with different VRFs in our lab, the division workes fine. But we didn't found a way to implement shared service. These are in our case DHCP, DNS, InternerAccess and some others. We thought about a redistribution between our global EIGRP routing table and the EIGRP-vrf tables, but we didn't found a way to do this.
  How can we do this?
  Thanks

  Use a crossover cable to connect a port belonging to the global routing table to a port belonging to a VRF. This way you can leak EIGRP routes from the global routing table into the VRF (through that physical connection). The drawback is that you use 2 ports (that could instead be used for other things...).
  Another way to this, would be to use static routing; use ip route vrf VRF x.x.x.x m.m.m.m n.n.n.n global to allow traffic to go from the VRF into the global routing table.
  Hope that helps...

• Dual-DMVPN Design with Dual Hubs on a single router ??

  Hi All,
  In DMVPN, in Dual-DMVPN Design with Dual Hubs , can a single router perform the role of dual hubs.
  The router has two different internet links. It is intended that when one link goes down, spokes shud connect to the same router onto the other active internet connection. Is this possible ?

  Since no one has answered yet, I'll give you the practical answer.
  You'll have issues with IPSec and static routing. "DMVPN" itself probably wouldn't have an issue, but it would depend on IPSec and routing to work.
  It is easier, by far, to put in a second router. And when you factor in your time to try to make it work (and it may not work), the second router is less expensive.
  Rob

• I have tried everything I know to retrieve the iPhoto Library app.  I detest this new Photo app, which obviously wasn't designed with photographers in mind.  I desperately need help in retrieving the old app and have not been able to do it so far.

  I have tried everything I know to retrieve the iPhoto Library app.  I detest this new Photo app, which obviously wasn't designed with photographers in mind.  I desperately need help in retrieving the old app and have not been able to do it so far.  I have gone to my app folder and tried to update my iPhoto Library.  I have gone to my trash and brought it over to my desktop and still cannot use it.  Please help!

  Try this fix discovered by User photosb189:
  From Finder, hold down the option key on your keyboard and click on the Go menu at the top of the screen
  Select Library from the drop down menu
  Then navigate to Application Support > iLifeAssetManagement > assets
  Right click on the 'sub' folder and choose Compress
  Drag the resulting zip file to your Desktop (as a backup)
  Go to your System Preferences and choose iCloud
  Turn OFF the iCloud Photos option
  Go back to Library > Application Support and DELETE the iLifeAssetManagement folder
  Now, in System Preferences, turn the iCloud Photos option ON
  iPhoto should now be able to launch. Give it enough time to re-download your Photo Stream content. if you are missing any of your My Photo Stream photos (more than 30 days old), unzip the sub folder on your desktop and drag that into iPhoto.

• How to master good design with EJB and JSP?

  I use JSP to calling EJB. But the .jsp file is complex and it's difficult to maintain...I just want to work higher efficent with EJB,JSP and JavaBean. I want to know is there a good design with EJB and JSP? and is there any good material about MVC for EJB,JSP and JavaBean?

  You should read the J2EE blueprint available on this website. Better download the PDF, and print it for yourself so you can read it anytime.

• Designing with CSS in Design View

  Hey guys, I'm working on learning CSS. One problem I'm having
  is that while I'm working on the code, what shows in the design
  view in dreamweaver isn't the same, (not even close), to what it
  looks like in any browser. For example the location of a div will
  be totally different.
  It seems like it would be very hard to design this way. Why
  doesn't dreamweaver attempt to reflect what it looks like in one of
  the browsers. Is this just the way it is when designing with css?
  If so, how the heck do people do it? Do you just have to keep
  previewing the site every time you change the css?
  Using dreamweaver MX
  thanks, mike

  > Using dreamweaver MX
  Sadly, that's the dullest knife in the drawer. Is it DMX6.0
  or 6.1?
  Murray --- ICQ 71997575
  Adobe Community Expert
  (If you *MUST* email me, don't LAUGH when you do so!)
  ==================
  http://www.dreamweavermx-templates.com
  - Template Triage!
  http://www.projectseven.com/go
  - DW FAQs, Tutorials & Resources
  http://www.dwfaq.com - DW FAQs,
  Tutorials & Resources
  http://www.macromedia.com/support/search/
  - Macromedia (MM) Technotes
  ==================
  "southdaytona" <[email protected]> wrote in
  message
  news:f08qoq$bed$[email protected]..
  > Hey guys, I'm working on learning CSS. One problem I'm
  having is that
  > while
  > I'm working on the code, what shows in the design view
  in dreamweaver
  > isn't the
  > same, (not even close), to what it looks like in any
  browser. For
  > example the
  > location of a div will be totally different.
  >
  > It seems like it would be very hard to design this way.
  Why doesn't
  > dreamweaver attempt to reflect what it looks like in one
  of the browsers.
  > Is
  > this just the way it is when designing with css? If so,
  how the heck do
  > people
  > do it? Do you just have to keep previewing the site
  every time you change
  > the
  > css?
  >
  > Using dreamweaver MX
  >
  > thanks, mike
  >

• Looking for a designer with experience working on Motorsport projects

  I am looking for a web designer with specific experience working on Motorsport websites.  The project will be to design a BC site for a racing team which we will implement.  If you believe you are qualified for a project like this please send me details of your portfolio and your rate.  Note I am looking for someone who has actually worked on motorsport website, so will need to see evidence of this experience.  If you do not have this experience please do not apply.  Please PM me if you are qualified.

  Hi Sir/Madam,
  I recently Completed my PG Diploma Graduate in Industrial Automation and System Design from National Institute of Electronics and Information Technology (NIELIT) Calicut with 72.2%.I am good labVIEW Programmer and I am seeking job in labVIEW Sector, please help me where i could get the job in labview Sector.
  Please find the attached resume.
  Thanks & Regards,
  Ravi Kumar
  +91-9000324146
  E-mail: [email protected]
  Attachments:
  resume ravi new formetpdf.pdf ‏65 KB

• Sharing global routing table with vrf for intra-as traffic

  We have a network block of 10.201.0.0/16 which is divided into two subnet 10.201.0.0/18 and 10.201.192.0/18. We are getting a internet feed for each subnet.
  10.201.192.0/18 is in global routing table, and 10.201.0.0/18 is in a vrf-lite green.
  I am thinking doing the following:
  ...........HUB
  VL199/....\VL198
  SPOKE1 SPOKE2
  Hub and spoke are from perspective of vrf green.
  For vrf green in the HUB:
  ip route vrf green 10.201.0.0 255.255 255.192 vlan 199
  ip route vrf green 10.201.64.0 255.255.255.192 vlan198
  SPOKE1
  ip route 0.0.0.0 0.0.0.0 vlan199
  SPOKE2
  ip route 0.0.0.0 0.0.0.0 vlan198
  Suppose we already get the 2 internet feeds to HUB route with vrf green and global routing table. This should get vrf green going.
  But we also have global routing table on the HUB router.
  We would like to have 10.201.0.0/16 communicating with each other, and only keep internet default separated.
  How should we get to 10.201.0.0/18 from global routing table and how should we get to 10.201.192.0/18 from SPOKE[12]?

  In my lab, I have 2 ports configured.
  int gi1/2
  ip vrf forward green
  ip address 10.201.192.253 255.255.255.252
  int gi1/1
  ip address 10.201.192.254 255.255.255.252
  ip route 10.201.0.0 255.255.192.0 gi1/2
  ip route vrf 10.201.192.0 255.255.192.0 gi1/1 10.201.192.254
  This way, from vrf green to global has go through HUB. and vrf greens will also go through greens.
  Is there any other much elegant way for this purpose?

• Will Java UFLs satisfy reports designed with COM UFLs

  cr_xi_java_ufl.pdf notes that "When using Crystal Reports" to design reports that contain user-defined function libraries (UFL), you can use only Java UFLs or only COM UFLs, but not both".
  Is that purely a statement about configuring the Developer to access the UFLs or does it indicate some sort of distinction between COM and Java UFLs.
  In particular can I take a report designed on Microsoft Windows and including a call to a UF that happened to be exposed by a COM UFL and then run it under Crystal Reports Server XI R2 for Linux using JRC and have the function call evaluated by a Java UF of the same signature within a Java UFL?

  Business Objects led me wrong.  Java UFLs DO satisfy reports designed with COM UFLs.
  If I take a report that was designed under Microsoft Windows and I added functions that were there via COM UFLs (certainly I have proved it by typing the UFL name in directly into the formula editor; I presume it will also work if you drag the COM UFL into the formula editor) and I then place that rpt file on my Linux machine and view that report using Crystal Reports Server XI R2 and Tomcat and JRC and I have Java UFLs on that Linux machine that have the same name and arguments as the COM one then the report runs OK and the Java UFLs do their job.
  (Now that is great news)

• I would like to inquire about the design of iphone 5 .. why, iphone 5 is designed with a slightly wider screen ..?

  I would like to inquire about the design of iphone 5 .. why, iphone 5 is designed with a slightly wider screen ..?

  Apple's design team was looking to build an iphone with a screen that had a 16:9 aspect ratio. Call it pressure to keep up with the competition.
  Plus, LTE is so FAST! Time to turn up the speed!

• When I design with Muse and export as HTML Dreamweaver doesn't attach the style sheets. Any answers?

  When I design with Muse and export as HTML Dreamweaver doesn't attach the style sheets when I open the files with Dreamweaver. Essentially when I design with Muse the files don't render the same with Dreamweaver. Is this a bug? Any work arounds?

  Then you will have to install a local server and use live view.  It's not that DW isn't rendering it or isn't attaching it, it's that Muse decided to use server-side processing to include it which is ok for a CMS practice when you are combining stylesheets for better caching, but it really isn't ideal for a single style sheet.  This is a shortcoming of Muse and one of the reasons many professionals don't back the product at the moment.  That and you can't actually buy Muse, so unless you are on a subscription you don't have it.  It's trying to fill a void for those who don't want to invest in the professional design tools like Fireworks or Photoshop or Dreamweaver, but want a cross between them to make designs.  If you have invested in the subscription though and want a better way to make layouts I highly recommend coding it yourself and using Fireworks or Photoshop to do the layout for you.  There is an excellent tutorial on the devnet (3 parts) to show you how its done ( http://www.adobe.com/devnet/dreamweaver/articles/dw_fw_css_pt1.html ).  Once you start using Fireworks or Photoshop you will realize just how limited Muse is in design.

• GRE keepalives with VRF

  GRE keeplives enabled under tunnel interfaces will put the line protocol of tunnel to down... I have tested this in LAB !!!
  why is it so , what is the workaround to use keepalives with VRF ........

  Hello,
  It is caused by the way how the GRE keepalives work. I suggest reading these two documents first:
  http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml
  http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008040a17c.shtml
  In short, a router sending keepalive in essence constructs an IP packet whose source is the remote endpoint and recipient is the router itself. It then encapsulates it using GRE and attaches another IP header to it with the send being itself and destination being the remote end. This packet will be sent to the remote end, there it will be decapsulated and afterwards it will be routed as usual, thereby returning the inner IP packet back to the original sender.
  Obviously, this keepalive mechanism is not integrated with the VRF feature. The keepalive packet may arrive at the remote endpoint but after it is decapsulated the association with the receiving Tunnel interface is obviously lost and the remote endpoint tries to route that packet back using the global routing table, not the VRF in which the tunnel resides. This in turn causes the keepalive packet to never return.
  I am unfortunately not aware of any backup keepalive mechanism for this, apart of running routing protocols over the tunnel with more aggresive hello and dead intervals.
  Best regards,
  Peter

• BGP to OSPF redistribution with VRFs

  I am having a problem with redistribution of routes between BGP and OSPF when using VRFs mapping to VLANs between the PE and CE.
  In this lab I've put together I have R4 and R5 communicating with eachother via BGP with MPLS. If I redistribute the BGP into OSPF and delivering the connection to the CE without VLANs it works fine. If I want to essentially keep the same primary network going into the other side of the BGP but send the VRF over a VLAN to the next router the redistribution doesn't happen.
  In this example I have
  192.168.100.0/24 (R6) --ospf-- (R4) --BGP-- (R5) --ospf-- (R7) 192.168.200.0/24
  Between R4 and R5 is the core network running ospf (R1 - R3).
  Can anyone point me in the right direction why this isn't working? I am obviously missing something here.
  Thanks,
  Mike

  Hi Mike,
  You need to add capability vrf-lite under ospf process of R6 and R7 because they are configured with VRF-lite. This command will disable the check usually done on the PE to avoid routing loops.
  HTH
  Laurent.

• Why not include LiveCycle Designer with Creative Cloud subscription?

  Creative Cloud offers quite a few premier Adobe products - which is great !! So how about Adobe offering LiveCycle Designer with Creative Cloud? It would be awesome ...

  I wish I had enough time to tell you the hell I went through to get a my copy of LC3.
  Long story short: Company purchased CC with CS6 and Acrobat 9 that comes with LC2. Saw a new version of Acrobat X released and LC3. Upgraded to Acrobat X and figured LC3 would come along since we had ALL Adobe applications because of our CC. Installed, noticed my LC2 had been uninstalled due to Acrobat X upgrade... TOOK MANY MANY MANY Custome support call to to find out NO ONE knew anything about LC2 and LC3 being on CC..., ended up with upgrade to LC3 after filing form to receive physical copy. Still angry at the whole thing.
  Not only this, but LC4 is now out and it is not a free upgrade. But this is fine because nothing much changed from LC3.
  So note. LC2 Came with first Creative Cloud due to Acrobat 9, then removed when Acrobat X released. LC2 deleted, no LC3 upgrade.
  Message was edited by: TDRonline: Forgot to mention the downtime we had because we had to wait for our physical copy that took 2 weeks to arrive.