https://community.cisco.com/t5/network-security/firewall-multiple-vlan-interfaces-6509-fwsm/m-p/1416398#M731570 <P>Hi,</P><P></P><P>i have a setup in which i had msfc svi configured on 6509 which is also configured on fwsm with the same subnet ip address to setup communication between msfc and firewall. its working fine.</P><P></P><P>Now we had requirement of configuring second interface with new subnet on 6509 which should be also present on fwsm with the same new subnet on fwsm.</P><P></P><P>The problem is newly created SVI's remain administratively down on 6509. do i have to use "firewall multiple-vlan-interfaces" command on 6509..to create multiple svi interfaces between msfc and fwsm ? If yes, when i introduce this command, does it hamper the existing traffic going from msfc to fwsm...?</P><P></P><P></P><P>Thanks in advance</P><P></P><P>Hitesh Vinzoda</P> Wed, 13 Mar 2019 00:59:51 GMT Hitesh Vinzoda 2019-03-13T00:59:51Z https://community.cisco.com/t5/network-security/firewall-multiple-vlan-interfaces-6509-fwsm/m-p/1416398#M731570 <P>Hi,</P><P></P><P>i have a setup in which i had msfc svi configured on 6509 which is also configured on fwsm with the same subnet ip address to setup communication between msfc and firewall. its working fine.</P><P></P><P>Now we had requirement of configuring second interface with new subnet on 6509 which should be also present on fwsm with the same new subnet on fwsm.</P><P></P><P>The problem is newly created SVI's remain administratively down on 6509. do i have to use "firewall multiple-vlan-interfaces" command on 6509..to create multiple svi interfaces between msfc and fwsm ? If yes, when i introduce this command, does it hamper the existing traffic going from msfc to fwsm...?</P><P></P><P></P><P>Thanks in advance</P><P></P><P>Hitesh Vinzoda</P> Wed, 13 Mar 2019 00:59:51 GMT https://community.cisco.com/t5/network-security/firewall-multiple-vlan-interfaces-6509-fwsm/m-p/1416398#M731570 Hitesh Vinzoda 2019-03-13T00:59:51Z https://community.cisco.com/t5/network-security/firewall-multiple-vlan-interfaces-6509-fwsm/m-p/1416399#M731580 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>hitesh.vinzoda wrote:</P><P></P><P>Hi,</P><P></P><P>i have a setup in which i had msfc svi configured on 6509 which is also configured on fwsm with the same subnet ip address to setup communication between msfc and firewall. its working fine.</P><P></P><P>Now we had requirement of configuring second interface with new subnet on 6509 which should be also present on fwsm with the same new subnet on fwsm.</P><P></P><P>The problem is newly created SVI's remain administratively down on 6509. do i have to use "firewall multiple-vlan-interfaces" command on 6509..to create multiple svi interfaces between msfc and fwsm ? If yes, when i introduce this command, does it hamper the existing traffic going from msfc to fwsm...?</P><P></P><P></P><P>Thanks in advance</P><P></P><P>Hitesh Vinzoda</P></PRE><P></P><P>Hitesh</P><P></P><P>If you want to have multiple L3 SVIs up/up on the 6509 and have the FWSM use these vlans as well then yes you will need to enable "firewall multiple-vlan-interfaces".</P><P></P><P>You need to be careful when using this command. If you have multiple L3 SVIs for vlans attached to the FWSM you need to make sure that you have not bypassed the firewall eg.</P><P></P><P>2 vlans - vlan 10 &amp; 11</P><P></P><P>both vlans should be firewalled by the FWSM. If you create a L3 SVI for both vlans on the MSFC then traffic will simply be routed by the MSFC between the 2 vlans ie. it will not go via the FWSM. So you need to make sure that by enabling "firewall multiple-vlan-interfaces" and having a 2nd SVI on the MSFC you have actually bypassed the FWSM.</P><P></P><P>It should not hamper the existing traffic other than the above scenario where you may find you have bypassed the FWSM.</P><P></P><P>Jon</P></BODY></HTML> Fri, 22 Jan 2010 09:56:49 GMT https://community.cisco.com/t5/network-security/firewall-multiple-vlan-interfaces-6509-fwsm/m-p/1416399#M731580 Jon Marshall 2010-01-22T09:56:49Z https://community.cisco.com/t5/network-security/firewall-multiple-vlan-interfaces-6509-fwsm/m-p/1416400#M731591 <HTML><HEAD></HEAD><BODY><P>Thanks Jon,</P><P></P><P>In my case, my 2 vlans, vlan 10 belongs to GRT and vlan 11 belongs to vrf. So if they want to get route they will not use msfc rather it will go to firewall and based on policy they will have access to each other.</P><P></P><P>plese advice... on this hypothesis</P><P></P><P></P><P>Regards</P><P></P><P>Hitesh Vinzoda</P></BODY></HTML> Sat, 23 Jan 2010 09:37:14 GMT https://community.cisco.com/t5/network-security/firewall-multiple-vlan-interfaces-6509-fwsm/m-p/1416400#M731591 Hitesh Vinzoda 2010-01-23T09:37:14Z https://community.cisco.com/t5/network-security/firewall-multiple-vlan-interfaces-6509-fwsm/m-p/1416401#M731603 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>hitesh.vinzoda wrote:</P><P></P><P>Thanks Jon,</P><P></P><P>In my case, my 2 vlans, vlan 10 belongs to GRT and vlan 11 belongs to vrf. So if they want to get route they will not use msfc rather it will go to firewall and based on policy they will have access to each other.</P><P></P><P>plese advice... on this hypothesis</P><P></P><P></P><P>Regards</P><P></P><P>Hitesh Vinzoda</P></PRE><P></P><P>Hitesh</P><P></P><P>I have never used this type of setup but what you say makes perfect sense ie. traffic will have to be routed via the FWSM. So you should enable "firewall multiple-vlan-interfaces".</P><P></P><P>Jon</P></BODY></HTML> Sat, 23 Jan 2010 12:56:19 GMT https://community.cisco.com/t5/network-security/firewall-multiple-vlan-interfaces-6509-fwsm/m-p/1416401#M731603 Jon Marshall 2010-01-23T12:56:19Z