Re: OT:VRFs with FWSM

From: Piotr Matusiak <pitt2k_at_gmail.com>
Date: Fri, 5 Nov 2010 12:01:42 +0100

Hi,

You do not need virtual contexts as long as you're sure there are no
overlapping subnets in different VRFs and you do not need default routing.
There is also a risk that you'll get traffic mixed between VRFs. In that
case I'd use a transparent single context with multiple VLAN groups.
Unfortunately, this is not scalable as there is a limit of 8 groups per
context/physical box.

This is not a best practice though, so it is much better to use security
contexts in this case.

Kind Regards,

--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
2010/11/4 karim jamali <karim.jamali_at_gmail.com>
> Dear Experts,
>
> I would like to enquire about a scenario I am facing, which is as
> follows:
> -I have two Core Switches (6509) having FWSM modules and running in VSS
> Mode on one side, which in fact connects the clients.
> -I have another two core switches (6509) having FWSM modules/running in VSS
> where the servers are connected (applications, etc.).
>
> An internal MPLS cloud will be built and the goal is to be able to keep the
> traffic of clients separate (using VRFs), i.e. every client has his own set
> of servers/user subnets and those subnets will be put into a VRF. MBGP will
> be run in order to share/isolate one customer's routes from another.
>
> Now the question that comes to my mind is that FWSM doesn't support VRFs,
> thus I won't be able to terminate the VLANs on the FWSM for security
> policies. If I terminate the VLANs on the FWSM, how will I be able to
> achieve route isolation through VRF? The only solution I could think of is
> to use multiple contexts on the FWSM (one per client) and every context
> outside interface will be pointing to an SVI which will be in a certain VRF.
> However, I don't find this to be very practical.
>
> I am not an expert on MPLS/VRFs, but all I need is to be able to do an
> isolation of routes into VRFs and use the security policies of FWSM at the
> same time.
>
> Your help will be greatly appreciated.
>
> --
> KJ
>
>
> Blogs and organic groups at http://www.ccie.net
Received on Fri Nov 05 2010 - 12:01:42 ART

This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:55 ART