Hi Ajay do i need to do ospf redstribution on fw context for this to work, also i was have gone thru some document which says that inter vrf communication can be done using ospf route distribution as it does not work well and suggesting to do static routes(http://routing-bits.com/2010/09/13/vrf-lite-route-leaking/)

This example is bit diffrent than what you are looking for.In your case communication between vrfs will be next hop Firewall which will take care of L3 routing .

Ajay, u mean that i dont need ospf redistribution between upper and lower vrf ospf processes

If you have 3 vrf on the same device and you want them to communicate with each other, than what is the purpose of having different vrfs?  Vrfs are used to isolate paths, so the resources don't see each other and don't talk to each other.

On the firewall, when create 2 vrfs, these vrfs will not talk to each other.  You can't do vrf leaking on the firewall. The easiest way to do this is on the 7k with export/import.

HTH

Reza import/export can not be used as i am not using BGP betwen vrfs, i plan to run OSPF, both fw contexts are connected physically to different vrf of nexus and there are layer3 hops in between so do you think it is a route leaking? It looks to me that both contexts are in separate networks.

N7K--VRF1---FW-CONTEXT1-VRF2---N7K-----VRF2---FW-CONTEXT2--VRF3-----N7K

       |

                                                         VRF2                                           VRF3

     VRF1                                             |                                                     |

SERVER1                               SERVER2                                            SERVER3

The only reuirement of your setup I understand is to isolate traffic between zones.Running OPSF how its going to help I am not sure.As Reza said that will totally destroy meaning of having VRFs.

But lets say you want to communicate between two VRFs thats possible with FW in between use static route if reuirement is just to communicate between servers.

Minimum reuiqrement would be to put atleast 2 Vlans for one VRF in your case one Vlan for server and one for FW interface same case woul be for vrf 2 as well. Layer 3 routing between vrf will be taken care by FW.

Ajay the reason why routing needs to be enabled between vrfs is a design which cisco calls a virtualized multi tenant architecture, here is the link to that http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/VMDC/2.1/implementation_guide/implement.html#wp1125564

In this doc you will see that OSPF is used to exchange the routes, but in the doc a fwsm is used while i am looking for ASA contexts

Hi,

OSPF-support in multi-context mode is a brand new feature in the latest ASA software version. So far I have no experience with reliability or scalability in a several dozens context environment, that's why I still use static routes. While it's a pain in the a... to configure, it works quite well, given you don't add or remove new contexts every day and that your network structure allows to use network summarization.

You need a transfer network connected to the outside interface, which could be part of a transfer VRF or the global VRF. The n7k has to know all customer(=VRF) networks (or at least a summarization of them) and all corresponding transfer-networks for each VRF. This way the routing is done by the n7k, while the ASA is responsible for the access restrictions.

Hi

I am creating all VRF on n7k, between 2 VRF i have a firewall context, so one arm of firewall context can be treated as inside to one vrf and other arm connected to other vrf as outside arm, now if i run ospf on the firewall context between these two vrfs then will both the vrfs be able to exchange routes, as i read some articles which are saying that firewall needs to be vrf aware for this to work, but still unclear about that.

Thanks in advance