Cisco Support Community
New Member

Nexus Context?

I have a pair of Nexus 5596s being used at the core of my datacenter network, and I have several 2000 series fabric extenders connected to them using VPCs. What I am trying to do is install a pair of fabric extenders for my segregated PCI environment so the traffic within that environment is isolated to those FEXs; the gateways to all VLANs will be a Checkpoint firewall.

Is there a way to create a routing or security context that isolates this pair of FEXs and their VLANs on the 5596?


Thanks for any help!



Hall of Fame Super Blue

Jeff,

The N5Ks do support VRF-Lite, which allows you to have a separate routing and forwarding table for those VLANs.

That said, if the default gateway is going to be the firewall, then why do you need a different routing context? I.e. just don't create any L3 SVIs for those VLANs on the N5Ks.

Then you cannot route from or to those VLANs without going via the Checkpoint, so you do have isolation.

I should say I don't have direct experience with the Nexus switches, so I may not be understanding your question correctly.
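
A way to check the condition described in the reply above (no L3 SVIs for the PCI VLANs on the N5Ks, and those VLANs carried only on the PCI FEX ports). This is an added example, not part of any post in the thread; the config excerpt is constructed, and the PCI VLAN IDs (100-101) and PCI FEX number (101) are assumptions.

```python
import re

# Constructed NX-OS-style running-config excerpt (not from the thread).
# Assumptions: VLANs 100-101 are the PCI VLANs and FEX 101 is a PCI FEX.
SAMPLE_CONFIG = """\
vlan 100
  name PCI-APP
interface Vlan10
  ip address 10.0.10.1/24
interface Vlan101
  ip address 10.1.101.1/24
interface Ethernet101/1/1
  switchport access vlan 100
interface Ethernet102/1/5
  switchport mode trunk
  switchport trunk allowed vlan 10,100-101
"""

VLAN_LINE = re.compile(
    r"\s+switchport (?:access vlan|trunk allowed vlan(?: add)?) ([\d,\- ]+)$")

def expand_vlans(spec):
    """Expand a VLAN list such as '10,100-101' into {10, 100, 101}."""
    vlans = set()
    for part in spec.split(","):
        if not part.strip():
            continue
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, pci_vlans, pci_port_prefixes):
    """Flag SVIs for PCI VLANs and non-PCI ports that carry PCI VLANs."""
    findings, iface = [], None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            iface = header.group(1)
            svi = re.fullmatch(r"[Vv]lan(\d+)", iface)
            if svi and int(svi.group(1)) in pci_vlans:
                findings.append((iface, "SVI exists for PCI VLAN"))
            continue
        if not line.startswith(" "):
            iface = None  # left the interface block
            continue
        m = VLAN_LINE.match(line)
        if m and iface:
            carried = expand_vlans(m.group(1)) & set(pci_vlans)
            if carried and not iface.startswith(tuple(pci_port_prefixes)):
                findings.append((iface, "carries PCI VLANs %s" % sorted(carried)))
    return findings
```

A trunk with no `switchport trunk allowed vlan` line carries all VLANs by default and is not flagged by this check, so trunks without an explicit list need a separate review.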



New Member

Yea....probably not the best of there a way to create a "virtual data center" to segregate the you mentioned the traffic I can segregate using just L2 VLANs, limiting that traffic to just the "PCI" FEX ports, etc......I guess my real question is: is there any way to keep the traffic on the wire so it is not accessible from the core without some sort of password/etc. to it.

For example, if I telnet in to the core I can monitor any port on any FEX in the datacenter. Can I keep that from happening somehow, maybe with some sort of security context, etc.? I am new to the Nexus gear so I am trying to catch up.

The object was to leverage the 5500/FEX design with somehow carving off and isolating the PCI network so as to be PCI compliant, and not have to use stand-alone switches behind the PCI firewall.

I probably muddied the water even more with all of that.....thanks.

Hall of Fame Super Blue

Jeff,

I see what you mean now.

I think a separate VDC could be what you are looking for, i.e. a virtual switch, but as far as I know only the N7K series supports VDCs.

I believe with VDCs you can set up who can access which ones etc.

But for the N5Ks I don't know of a solution other than to rely on VLANs for isolation.

Perhaps someone with experience of these switches may be able to suggest something.

Sorry I can't be more help.


New Member

Thanks for the feedback!

VIP Super Bronze

For PCI, you don't necessarily need VRF or VDC, because if the VLANs need to talk to the Internet you would have to leak the VRFs together. As long as you can firewall the VLAN interfaces, open specific ports for your applications and log all the activities, you should be fine.

BTW, as Jon also noted, only 7ks support VDCs. All the other models support VRFs, only as long as you have the right license.