So this thread is an old thread and likely not actively monitored any more. I did want to add to the conversation that the "ASA" in the topology that is pictured was likely running "Multi-context" mode, which would allow for the "VRF like" functionality since each context is using its own routing table. In essence, each VRF that was defined in the traditional Cisco switch would have an ASA context as its L3 neighbor.

Example:

ASA-PCI 192.168.0.1/24
ASA-Prod 10.0.0.1/24
Core-VSS PCI VRF 192.168.0.2/24
Core-VSS Prod VRF 10.0.0.2/24

In the above example, the Core-VSS switch likely did not allow for communication between the VRFs by the lack of routes between them. The effect of all of the above is that even though there is shared physical infrastructure in place, there is FULL logical separation of the environments.
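As an added example (not part of the original post and not Cisco tooling): a small Python audit of the separation described above, run over routing tables constructed from the post's addresses. The default routes toward each ASA context, the `VRFS` structure and the `find_leaks` function are assumptions made for illustration.

```python
import ipaddress

# Constructed sample tables. Addresses and names come from the post;
# the default routes toward each ASA context are an assumption.
VRFS = {
    "PCI":  {"connected": ["192.168.0.0/24"], "routes": [("0.0.0.0/0", "192.168.0.1")]},
    "Prod": {"connected": ["10.0.0.0/24"],    "routes": [("0.0.0.0/0", "10.0.0.1")]},
}

def find_leaks(vrfs):
    """Return (vrf, prefix, next_hop, reason) for every route that weakens VRF separation."""
    findings = []
    connected = {name: [ipaddress.ip_network(n) for n in t["connected"]]
                 for name, t in vrfs.items()}
    for name, table in vrfs.items():
        for prefix, next_hop in table["routes"]:
            net = ipaddress.ip_network(prefix)
            hop = ipaddress.ip_address(next_hop)
            # The next hop must sit on a subnet this VRF is attached to,
            # i.e. its own ASA context, never an address in another VRF.
            if not any(hop in n for n in connected[name]):
                findings.append((name, prefix, next_hop, "next hop outside this VRF"))
                continue
            # A default route to the VRF's own context is expected; a specific
            # route covering another VRF's subnet is flagged for review.
            if net.prefixlen == 0:
                continue
            for other, nets in connected.items():
                if other != name and any(net.overlaps(n) for n in nets):
                    findings.append((name, prefix, next_hop,
                                     f"explicit route to {other} subnet"))
    return findings

if __name__ == "__main__":
    print("clean design:", find_leaks(VRFS))
    # Constructed misconfiguration: static routes that cross the VRF boundary.
    leaky = {k: {"connected": v["connected"], "routes": list(v["routes"])}
             for k, v in VRFS.items()}
    leaky["PCI"]["routes"].append(("10.0.0.0/24", "10.0.0.2"))
    leaky["Prod"]["routes"].append(("192.168.0.0/24", "10.0.0.1"))
    for finding in find_leaks(leaky):
        print("finding:", finding)
```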