topic Re: FWSM and multiple-vlan-interface in Network Security

FWSM and multiple-vlan-interface

anniet — Mon, 11 Mar 2019 14:52:02 GMT

We are using a CAT 6500 with a FWSM. I need to know if, by enabling multiple-vlan-interface on the switch, will that force vlans from one firewall-group to pass thru the FWSM to reach vlans on another firewall-group (all vlans defined in the same mfsc)?

Or will traffic from all of the non-firewall VLANs in the switch be routed through the MSFC without being stopped by the firewall, even if these vlans are defined in different firewall-groups?

Thanks for your input.

Re: FWSM and multiple-vlan-interface

Jon Marshall — Tue, 17 Feb 2009 22:44:00 GMT

Annie

It totally depends on the topology of your network. Have a look at this thread i did a while back which explains exactly what the command does -

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc0a239/0#selected_message')">http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc0a239/0#selected_message

If this doesn't answer your question then please come back with more details.

Jon

Re: FWSM and multiple-vlan-interface

Jon Marshall — Tue, 17 Feb 2009 22:52:18 GMT

Sorry, previous link seems to have got messed up -

Jon

Re: FWSM and multiple-vlan-interface

anniet — Wed, 18 Feb 2009 16:20:32 GMT

Thanks Jon,

I guess that is why I read "some PBR may be required". I have about 5 vlans in the server farm and I want all traffic going to the server farm to be firewalled. We were thinking about grouping the server farm's vlans into a VRF to make sure all traffic goes thru the FWSM. Does that sound good or do you have any other suggestions?

Thanks,

Annie

Re: FWSM and multiple-vlan-interface

Jon Marshall — Wed, 18 Feb 2009 17:53:20 GMT

Annie

You could either

1) use a VRF for the servers as you say

2) create an interface for each server vlan on the FWSM so in effect each server vlan gets it's own DMZ. If you don't want to firewall the traffic from one server vlan to another then you can use

"permit ip any any" between the server vlans.

Each of these server vlans must not have a L3 SVI on the MSFC ie. their default-gateway per vlan is an interface on the FWSM. So the only way to get to them is via the FWSM.

Out of the 2 options i have only deployed option 2 so i can't say what gotcha's there will be with the VRF solution.

Also worth bearing mind. If there is a lot of traffic flowing between these server vlans then the VRF approach may be a better approach because this traffic can be routed via the MSFC rather than have to go through the FWSM and only traffic from non-server vlans would have to go through the FWSM.

Does this make sense ?

Jon

Re: FWSM and multiple-vlan-interface

anniet — Wed, 18 Feb 2009 22:20:18 GMT

Jon,

Thanks for your input. It helped us confirm our thoughts. I actually lied earlier about the 5 vlans in the server farm, we have 24. Ridiculous I know, but that's the network setup I inherited.

No way we are going to define all those interfaces in the FWSM, and like you mentionned, we don't really want to firewall between those vlans, so VRF is how we are going to group them.

Regards,

Annie

Re: FWSM and multiple-vlan-interface

Jon Marshall — Wed, 18 Feb 2009 22:41:37 GMT

Annie

"I actually lied earlier about the 5 vlans in the server farm, we have 24."

Ah well then i agree you should look into VRF. Hope it goes well.

Jon