Solved: Re: Firewall multiple-vlan-interfaces ( 6509 & FWSM)

Hitesh Vinzoda · ‎01-21-2010

Hi,

i have a setup in which i had msfc svi configured on 6509 which is also configured on fwsm with the same subnet ip address to setup communication between msfc and firewall. its working fine.

Now we had requirement of configuring second interface with new subnet on 6509 which should be also present on fwsm with the same new subnet on fwsm.

The problem is newly created SVI's remain administratively down on 6509. do i have to use "firewall multiple-vlan-interfaces" command on 6509..to create multiple svi interfaces between msfc and fwsm ? If yes, when i introduce this command, does it hamper the existing traffic going from msfc to fwsm...?

Thanks in advance

Hitesh Vinzoda

Jon Marshall · ‎01-22-2010

hitesh.vinzoda wrote:

Hi,

i have a setup in which i had msfc svi configured on 6509 which is also configured on fwsm with the same subnet ip address to setup communication between msfc and firewall. its working fine.

Now we had requirement of configuring second interface with new subnet on 6509 which should be also present on fwsm with the same new subnet on fwsm.

The problem is newly created SVI's remain administratively down on 6509. do i have to use "firewall multiple-vlan-interfaces" command on 6509..to create multiple svi interfaces between msfc and fwsm ? If yes, when i introduce this command, does it hamper the existing traffic going from msfc to fwsm...?

Thanks in advance

Hitesh Vinzoda

Hitesh

If you want to have multiple L3 SVIs up/up on the 6509 and have the FWSM use these vlans as well then yes you will need to enable "firewall multiple-vlan-interfaces".

You need to be careful when using this command. If you have multiple L3 SVIs for vlans attached to the FWSM you need to make sure that you have not bypassed the firewall eg.

2 vlans - vlan 10 & 11

both vlans should be firewalled by the FWSM. If you create a L3 SVI for both vlans on the MSFC then traffic will simply be routed by the MSFC between the 2 vlans ie. it will not go via the FWSM. So you need to make sure that by enabling "firewall multiple-vlan-interfaces" and having a 2nd SVI on the MSFC you have actually bypassed the FWSM.

It should not hamper the existing traffic other than the above scenario where you may find you have bypassed the FWSM.

Jon

View solution in original post

Jon Marshall · ‎01-22-2010

hitesh.vinzoda wrote:

Hi,

i have a setup in which i had msfc svi configured on 6509 which is also configured on fwsm with the same subnet ip address to setup communication between msfc and firewall. its working fine.

Now we had requirement of configuring second interface with new subnet on 6509 which should be also present on fwsm with the same new subnet on fwsm.

The problem is newly created SVI's remain administratively down on 6509. do i have to use "firewall multiple-vlan-interfaces" command on 6509..to create multiple svi interfaces between msfc and fwsm ? If yes, when i introduce this command, does it hamper the existing traffic going from msfc to fwsm...?

Thanks in advance

Hitesh Vinzoda

Hitesh

If you want to have multiple L3 SVIs up/up on the 6509 and have the FWSM use these vlans as well then yes you will need to enable "firewall multiple-vlan-interfaces".

You need to be careful when using this command. If you have multiple L3 SVIs for vlans attached to the FWSM you need to make sure that you have not bypassed the firewall eg.

2 vlans - vlan 10 & 11

both vlans should be firewalled by the FWSM. If you create a L3 SVI for both vlans on the MSFC then traffic will simply be routed by the MSFC between the 2 vlans ie. it will not go via the FWSM. So you need to make sure that by enabling "firewall multiple-vlan-interfaces" and having a 2nd SVI on the MSFC you have actually bypassed the FWSM.

It should not hamper the existing traffic other than the above scenario where you may find you have bypassed the FWSM.

Jon

Hitesh Vinzoda · ‎01-23-2010

Thanks Jon,

In my case, my 2 vlans, vlan 10 belongs to GRT and vlan 11 belongs to vrf. So if they want to get route they will not use msfc rather it will go to firewall and based on policy they will have access to each other.

plese advice... on this hypothesis

Regards

Hitesh Vinzoda

Jon Marshall · ‎01-23-2010

hitesh.vinzoda wrote:

Thanks Jon,

In my case, my 2 vlans, vlan 10 belongs to GRT and vlan 11 belongs to vrf. So if they want to get route they will not use msfc rather it will go to firewall and based on policy they will have access to each other.

plese advice... on this hypothesis

Regards

Hitesh Vinzoda

Hitesh

I have never used this type of setup but what you say makes perfect sense ie. traffic will have to be routed via the FWSM. So you should enable "firewall multiple-vlan-interfaces".

Jon