You've got the concept exactly as it should be.
Server 1 --> VLAN1 --> FWSM Context 1 --> VLAN2 --> Int VLAN2 vrf cust1
Server 2 --> VLAN3 --> FWSM Context 2 --> VLAN4 --> Int VLAN4 vrf cust2
David
--
http://dcp.dcptech.com

> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of karim jamali
> Sent: Thursday, November 04, 2010 5:34 PM
> To: Cisco certification
> Subject: OT:VRFs with FWSM
>
> Dear Experts,
>
> I would like to enquire about a scenario I am facing which is as follows:
> - I have two Core Switches (6509) having FWSM modules and running in VSS Mode on one side which is connecting in fact the clients.
> - I have another two core switches (6509) having FWSM modules/running in VSS where the servers are connected (applications, etc.).
>
> An internal MPLS cloud will be built and the goal is to be able to keep the traffic of clients separate (using VRFs), i.e. every client has his own set of servers/user subnets and those subnets will be put into a VRF. MBGP will be run in order to share/isolate one customer's routes from another.
>
> Now the question that comes to my mind is that FWSM doesn't support VRFs, thus I won't be able to terminate the VLANs on the FWSM for security policies. If I terminate the VLANs on the FWSM how will I be able to achieve route isolation through VRF? The only solution I could think of is to use multiple contexts on the FWSM (one per client) and every context outside interface will be pointing to an SVI which will be in a certain VRF. However I don't find this to be very practical.
>
> I am not an expert on MPLS/VRFs, but all I need is to be able to do an isolation of Routes into VRFs and use the security policies of FWSM at the same time.
>
> Your help will be greatly appreciated.
>
> --
> KJ
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Fri Nov 05 2010 - 00:46:46 ART
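The context-to-VRF layout in the reply above can be checked against a switch configuration. The following is an added example, not part of the original thread: the context names, the sample configuration and the helper names are constructed, and the rule that a server-side (inside) VLAN must have no SVI on the switch is an assumption about the intended design, made so that the only routed path to the servers runs through the firewall context.

```python
import re

# Layout from the reply above: context -> (inside VLAN, outside VLAN, VRF).
# The context names are hypothetical labels.
DESIGN = {"context1": (1, 2, "cust1"), "context2": (3, 4, "cust2")}

# Constructed sample of the switch's SVI configuration (not from the thread).
SAMPLE_CONFIG = """\
interface Vlan2
 ip vrf forwarding cust1
 ip address 10.1.2.1 255.255.255.0
!
interface Vlan3
 ip address 10.2.1.1 255.255.255.0
!
interface Vlan4
 ip address 10.2.2.1 255.255.255.0
!
"""

def parse_svis(config):
    """Return {vlan_id: vrf_name or None} for every 'interface VlanN' stanza."""
    svis, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            svis[current] = None          # no VRF seen yet: global table
        elif not line.startswith(" "):
            current = None                # any other top-level line ends the stanza
        elif current is not None:
            m = re.match(r"\s+(?:ip )?vrf forwarding (\S+)", line)
            if m:
                svis[current] = m.group(1)
    return svis

def audit(design, config):
    """Return findings where the configuration departs from the design."""
    svis, findings, owner = parse_svis(config), [], {}
    for ctx, (inside, outside, vrf) in sorted(design.items()):
        # A VLAN or VRF shared by two contexts breaks per-customer isolation.
        for res in (("vlan", inside), ("vlan", outside), ("vrf", vrf)):
            if res in owner:
                findings.append(f"{ctx}: {res[0]} {res[1]} already used by {owner[res]}")
            owner[res] = ctx
        if inside in svis:
            findings.append(f"{ctx}: inside VLAN {inside} has an SVI, a routed path around the firewall")
        if outside not in svis:
            findings.append(f"{ctx}: outside VLAN {outside} has no SVI")
        elif svis[outside] != vrf:
            findings.append(f"{ctx}: outside VLAN {outside} is in VRF {svis[outside] or 'global'}, expected {vrf}")
    return findings
```

Calling `audit(DESIGN, SAMPLE_CONFIG)` on the constructed sample reports two findings for `context2` and none for `context1`.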