You answered your own question. SVIs (placed in VRFs) to allocated VLANs of the 6500 to FWSM interfaces.
Enjoy.
There is no downside to doing this, "firewall in the cloud" MPLS-lite type deployment.
A common default route can be sent in from the GRT on the 6500.
-joe
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of karim jamali
Sent: Thursday, November 04, 2010 5:34 PM
To: Cisco certification
Subject: OT:VRFs with FWSM
Dear Experts,
I would like to enquire about a scenario I am facing, which is as
follows:
-I have two Core Switches (6509) having FWSM modules and running in VSS Mode
on one side which is connecting in fact the clients.
-I have another two core switches (6509) having FWSM modules/running in VSS
where the servers are connected (applications, etc.).
An internal MPLS cloud will be built and the goal is to be able to keep the
traffic of clients separate (using VRFs) i.e. every client has his own set
of servers/user subnets and those subnets will be put into a VRF. MBGP will
be run in order to share/isolate one customer's routes from another.
Now the question that comes to my mind is that FWSM doesn't support VRFs,
thus I won't be able to terminate the VLANs on the FWSM for security
policies. If I terminate the VLANs on the FWSM how will I be able to achieve
route isolation through VRF? The only solution I could think of is to use
multiple contexts on the FWSM (one per client) and every context outside
interface will be pointing to an SVI which will be in a certain VRF. However
I don't find this to be very practical.
I am not an expert on MPLS/VRFs, but all I need is to be able to do an
isolation of Routes into VRFs and use the security policies of FWSM at the
same time.
Your help will be greatly appreciated.
-- KJ
Blogs and organic groups at http://www.ccie.net
Received on Thu Nov 04 2010 - 18:39:59 ART
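An added example, not part of the original thread: a small audit of the layout discussed above (one FWSM context per client, each context reaching the 6500 through an SVI placed in that client's VRF). The config excerpts, VLAN numbers, and the VRF and context names are constructed, and the rule that contexts do not share VLANs is an assumption of this example.

```python
import re

# Constructed sample excerpts: 6500 SVIs and the FWSM system context.
MSFC_CFG = """\
interface Vlan101
 ip vrf forwarding CLIENT-A
interface Vlan103
"""
FWSM_CFG = """\
context clientA
 allocate-interface vlan101
 allocate-interface vlan201
context clientC
 allocate-interface vlan103
 allocate-interface vlan201
"""

def stanzas(cfg, head, child):
    """Return {head match: [child matches]} for indented config stanzas."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(head, line):
            cur = out.setdefault(m.group(1), [])
        elif not line.startswith(" "):
            cur = None  # some other top-level stanza: stop collecting
        elif cur is not None and (m := re.match(child, line)):
            cur.append(m.group(1))
    return out

def audit(msfc_cfg, fwsm_cfg):
    """List isolation problems in the per-client VRF + FWSM context layout."""
    svis = stanzas(msfc_cfg, r"interface Vlan(\d+)", r"\s+ip vrf forwarding (\S+)")
    ctxs = stanzas(fwsm_cfg, r"context (\S+)", r"\s+allocate-interface vlan(\d+)")
    findings, owner = [], {}
    for ctx, vlans in ctxs.items():
        # VRF of every SVI this context connects to; None means global table.
        vrfs = {(svis[v] or [None])[0] for v in vlans if v in svis}
        if None in vrfs:
            findings.append(f"{ctx}: SVI outside any VRF")
        if len(vrfs - {None}) > 1:
            findings.append(f"{ctx}: spans VRFs {sorted(vrfs - {None})}")
        for v in vlans:
            if v in owner:
                findings.append(f"vlan{v}: shared by {owner[v]} and {ctx}")
            owner.setdefault(v, ctx)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(MSFC_CFG, FWSM_CFG)) or "no findings")
```
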