Method 2 Layer 3 VPN Segregation with Layer 2 FWSM Multiple Context Mode

In Figure 23-7, the router RB/RA represents a MPLS domain for the enterprise WAN campus, and the RC represents another MPLS domain for the inside security domain. This design aims to achieve this dynamic communication using the FWSM in transparent mode. RA and RB are in the MPLS domain (LDP neighbors). OSPF is used in RA, RB, and PFC for next hop reachability. The VRF custB and custA are transported through multiprotocol BGP (VPNv4) from RA to PFC. At the PFC, each VRF is terminated and is mapped to VLANs that are represented in the FWSM context. The FWSM context is in transparent mode.

L20- RD2:1 CustB

Multiple context transparent mode in the FWSM helps in dynamic route learning between the Layer 3 devices in each domain. Each context represents each VRF in the MPLS domain. From the outside VRF of the MPLS domain, a default route is advertised to the inside interface.

The inside interface of the FWSM is connected to a separate VLAN with the same subnet as the outside SVI. This inside VLAN is represented as VLAN 12 and this VLAN is mapped to a separate VRF. The VRF mapped to the inside VLAN is different from the outside VRF. This VRF for the inside interface is called the CustA-IN VRF for the respective customer. The outside security domain is represented as CustA-OUT VRF. An OSPF relationship will exist between the CustA-OUT VRF and the CustA-IN VRF because they are in the same subnet but different VLANs. This allows the route information to be dynamically learned across the two VRFs in separate MPLS domains across FWSMs. This example does not include the scope of using two FWSM modules across two chassis, which will help build redundancy to the design. This design gives the flexibility of having two MPLS domains to communicate across the firewall, with dynamic learning of the routes.


What is PVLAN?

Private VLAN is a VLAN that is used to achieve Layer 2 isolation for hosts in the same subnet. A single VLAN can be split into multiple Layer 2 domains. Port configuration defines the domain segregation in a PVLAN. There are three types of PVLANs ports:

• Isolated: This has complete Layer 2 separation from other ports within the same PVLAN except for the promiscuous port. PVLANs block all traffic to isolated ports except traffic from promiscuous ports.

• Community: The hosts communicate among themselves and with their promiscuous ports. These interfaces are isolated at the Layer 2 domain from all other interfaces in other communities or isolated ports within their PVLAN.

• Promiscuous: Promiscuous ports can communicate with all interfaces, including the community and isolated ports within a PVLAN.

Was this article helpful?

0 0

Post a comment