How does FWSM work?

Majid Jalinousi
Level 1

Hi buddies,

There are two FWSM modules in a Cisco 6513 switch, and vlan-groups are assigned to these modules like below:

firewall module 4 vlan-group 10,100,200,300,400
firewall module 5 vlan-group 11,600,800,1000

and then VLANs are assigned to these vlan-groups like below:

firewall vlan-group 10  96,97,901,998
firewall vlan-group 11  98,99,610,699,703,707,708,710,712,713,720,723,733,750,770,799,902,999
firewall vlan-group 100  106,109,117,120-122,140-148,150,151,199
firewall vlan-group 200  208,212,222,229,232,240-248,299
firewall vlan-group 300  301,309,317,325,333,399
firewall vlan-group 400  403,405,410,420,421,433,434,440-450,499
firewall vlan-group 600  601,603-605,607,611,614,615,619-623,625-627,629,630,640,641,644
firewall vlan-group 800  852,853,857,899
firewall vlan-group 1000  1099,3200

When I did 'show ip int br' I saw some of these VLANs were in layer 3 and some were in layer 2.

I read the Cisco 6500 and 7600 series FWSM configuration guide and there are some parts that I didn't understand.

1st. Is it correct that if any of the above VLANs were in layer 3, they would be links between the FWSM module and the MSFC?

2nd. Why do we need some of the above VLANs in layer 2?

3rd. Is it possible for any VLAN not listed above to send traffic to the FWSM? If so, why would we not define them as layer 2 VLANs in vlan-groups like above?

4th. How do we map layer 2 VLANs on the links between the FWSM and the MSFC? You know, how do we define different contexts?

5th. I did 'show ip cef 172.20.1.8' and I saw the next hop for this IP was 10.1.1.2, then I did 'show ip cef 10.1.1.2' and it showed it has been attached to vlan699, after that I did 'sh ip int vlan699' and I saw its IP address is 10.1.1.1. I think 10.1.1.2 is the IP address of the MSFC but I don't know how it is configured on the switch?

6th. If there was a traffic flow diagram that showed me the path that incoming traffic from any VLAN (listed above or not) passes, I would appreciate it.


Thanks in advance,

Accepted Solution

Jon Marshall
Hall of Fame

q1) depends what you mean by "L3 vlans" as vlans aren't L3.

Do you mean there is a L3 vlan interface (SVI) on the MSFC for that vlan ?

If so then if the vlan for that SVI has been assigned to the FWSM then yes that vlan would usually be for a link between the FWSM and the MSFC.

q2) For any vlans you want to firewall you cannot have an SVI on the MSFC, ie. the L3 interface for that vlan must be an interface on the FWSM, otherwise you just route around the firewall.

q3) the vlans listed in the FWSM commands are of the two types listed above.

Any other vlan/IP subnet routed on the MSFC can send traffic to the FWSM to access devices being firewalled. So that could be a vlan on the 6500 or it could be a remote IP subnet etc. These vlans do not need to be assigned to the FWSM.

q4) Not sure I understand. With L3 routed mode on the FWSM (which is the commonest as far as I know) you don't map the vlans to the links, you map the vlans you want firewalled to the FWSM as above.

Contexts are something different ie. they are virtual firewalls on the same physical chassis and interfaces on the FWSM can either be dedicated to a context or can be shared between contexts.

q5) Difficult to say without knowing where you ran the commands etc. 

When the FWSM is in routed mode just think of it as a separate device with a lot of interfaces. One of those interfaces must be used to connect to the 6500.

Or if you are running contexts then think of it as multiple separate devices connecting to the 6500.

It is all virtualised but the principle is the same.

q6) traffic flow is pretty simple eg.

client (vlan 10) -> MSFC -> vlan 11 -> FWSM -> (vlan 12) server

in the above vlan 10 is not firewalled and it has an SVI on the MSFC. The link between the MSFC and the FWSM is vlan 11 and there is an SVI for vlan 11 on the MSFC and the outside interface of the FWSM is in vlan 11 as well.

The server vlan is firewalled, there is no SVI for it on the MSFC only an interface on the FWSM in vlan 12 and you would need to allocate this vlan to the FWSM using the commands you posted in your original configuration.

You can run a dynamic routing protocol between the MSFC and the FWSM but just to keep it simple, there is a static route on the MSFC for the vlan 12 IP subnet with the next hop IP of the outside interface of the FWSM and on the FWSM there is a default route pointing to the vlan 11 SVI IP address on the MSFC.

Traffic from the client is sent with the destination IP of the server, the MSFC does a route lookup and sees this is reachable via the next hop IP of the FWSM outside interface, forwards it to the FWSM which, if access is allowed, forwards it to the server.

Server responds and the FWSM uses its default route to the vlan 11 SVI IP on the MSFC and the MSFC then forwards it to the client.

Note that the client is directly connected to the MSFC but as already said it could be anywhere ie. across the WAN.

Jon


7 Replies


Hi,

Thanks for your great help

If I understood well, the VLANs in a vlan-group without a layer 3 SVI are VLANs that servers reside on,

And if I understood well, users reside in VLANs that don't belong to the FWSM, in general? But we can place users in FWSM VLANs too? For example when we want to kind of secure them.

Another question is, if there was an internet link, how can we connect the internet to our switch? You know, should it connect to a FWSM VLAN or the MSFC? Because in diagrams it connects to the MSFC.

About the traffic path you showed me:
client (vlan 10) -> MSFC -> vlan 11 -> FWSM -> (vlan 12) server

It's needed to define vlan 11 in the MSFC with an IP address and also we should define this VLAN in the FWSM with another IP address? If it's true, what are the commands?


Generally speaking the vlans you firewall do contain servers but you can firewall a client vlan if you want to.

It depends on your requirements.

In terms of the internet link you would usually only connect it to the MSFC directly if you had another firewall protecting your 6500.

So we used the FWSM to firewall internal server vlans in our DC but we had separate firewalls for internet.

With the FWSM per context you can have two setups -

1) the commonest I have seen is the FWSM behind the MSFC ie.

rest of network -> MSFC -> FWSM - firewalled vlans

in the above there may be vlans you don't want to firewall on the MSFC and only the vlans you want to protect are behind the FWSM.

2) the second option is not as commonly used, as far as I am aware -

rest of network -> FWSM -> MSFC -> all vlans routed on MSFC

here to get to any vlans on the 6500 you have to go through the FWSM.

With contexts you can use both options ie. different contexts can use one or the other of the above.

With the traffic flow vlan 11 would need an SVI on the 6500 because it is used for connectivity to the FWSM.

From memory as it has been a while since I used these you don't need to allocate vlan 11 to the FWSM because of the L3 SVI on the 6500 but I may be mistaken. You certainly need to allocate all vlans that have their L3 interfaces on the FWSM (ie. no SVI on the MSFC) to the FWSM using the commands you originally posted.

In terms of commands the SVI on the MSFC is like any other SVI. The interface on the FWSM is like any of the interfaces ie. you assign it to the vlan, give it a name, a security level and an IP address.

Jon
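Putting the accepted answer's traffic flow (client -> MSFC -> vlan 11 -> FWSM -> vlan 12) and the command summary in the reply above into actual configuration, as an added example that is not from the original thread or from Jon's posts. It assumes Jon's example VLANs (11 as the MSFC-to-FWSM link, 12 as the firewalled server VLAN), the FWSM in slot 4, vlan-group 10, the 10.1.1.1/10.1.1.2 link addresses from the original question, a server subnet of 10.1.12.0/24 with a server at 10.1.12.10, and single-context routed mode. The interface names, ACL names and server addresses are made up for illustration.

```cisco
! --- Supervisor / MSFC side (IOS) ---
! Hand VLANs 11 and 12 to the FWSM in slot 4 via a vlan-group.
! The link VLAN (11) is in the group too: the FWSM can only use
! VLANs that have been assigned to it.
firewall vlan-group 10 11,12
firewall module 4 vlan-group 10
!
! VLAN 11 is the only one of the two that gets an SVI: it is the
! MSFC <-> FWSM link. VLAN 12 deliberately has NO SVI on the MSFC,
! otherwise the MSFC would route straight into the server VLAN and
! bypass the firewall.
interface Vlan11
 description MSFC-to-FWSM link (FWSM outside)
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
! The firewalled server subnet is reachable only via the FWSM outside IP.
ip route 10.1.12.0 255.255.255.0 10.1.1.2

! --- FWSM side (single context, routed mode) ---
! Reached from the supervisor with: session slot 4 processor 1
interface Vlan11
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
!
interface Vlan12
 nameif servers
 security-level 100
 ip address 10.1.12.1 255.255.255.0
!
! Everything not directly connected goes back to the MSFC SVI on VLAN 11.
route outside 0.0.0.0 0.0.0.0 10.1.1.1
!
! Inbound: only HTTPS to the one server; log anything else that is dropped.
access-list outside_in extended permit tcp any host 10.1.12.10 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Outbound: the FWSM does not pass high-to-low traffic without an ACL
! (unlike a PIX/ASA), so the server side needs one as well.
access-list servers_out extended permit ip 10.1.12.0 255.255.255.0 any
access-group servers_out in interface servers

! --- Checks ---
! Supervisor: which VLANs the FWSM owns
!   show firewall vlan-group
!   show firewall module
! Supervisor: every FWSM VLAN that also appears here with an IP address
! is an MSFC SVI, i.e. a path around the firewall; only the link VLAN
! (Vlan11) should be listed.
!   show ip interface brief | include Vlan
! FWSM: interfaces, routing table and the live connection table
!   show interface ip brief
!   show route
!   show conn
```

The forwarding decision in the answer is visible in the two routing tables: the MSFC has `10.1.12.0/24 via 10.1.1.2` and the FWSM has `0.0.0.0/0 via 10.1.1.1`, so a packet from a client VLAN crosses VLAN 11 once in each direction. The check that matters for the "route around the firewall" point in q2 is the third one: by default the switch only lets you create one MSFC SVI on a VLAN assigned to the FWSM, and adding more requires the `firewall multiple-vlan-interfaces` command, so finding a second SVI on an FWSM VLAN means someone explicitly opened a bypass.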


Hi,

Thanks again for your answer,

There is one ip address I didn't know what it is.

When I traced a server IP from my host, I saw like below

10.20.4.48(host IP) -> 10.20.4.1(vlan10 IP) -> 172.22.194.57(i doubt what it is) -> 172.20.1.8(server IP)

I don't know what IP address 172.22.194.57 is and how to set it? Because there is an IP 172.22.194.59 that is the IP address of vlan699 (a FWSM VLAN).

As you showed the traffic path to me:
In my mind this should be an IP address set on the FWSM but I don't know how I can do it?

Is it true? If it was OK, then we need to log in to the FWSM and set this up on it, OK?


Hi Jon,

I've been waiting for your confirmation; if it was correct, please confirm it for me.

Thanks

Hello!
Can you help me figure it out please!
tracert does not show next hops. Is it possible to fix this somehow on the FWSM?