How to determine which vlans are placed on FWSM?

superapple · ‎07-10-2012

Hi all,

I have some basic questions on firewall/data center design. I have inherited a pair of 6500s containing FWSM modules. All 50+ VLan interfaces are placed on the FWSM and are doing quite a bit of intervlan traffic for the 200+ machines we have on our access layer switches in those various Vlans. I'm starting to see performance issues which is most likely due to the limitations of the firewall.

To me it's obvious not all of these vlans should be placed on the FWSM and should be moved down to the 6500 msfc, however, what is best practice to determine what networks should be locked up int he fwsm? The obvious ones to move to the msfc are storage, backup, etc. Do you typically only place networks in which the outside internet has access to on the FWSM?

Thanks.

Dinkar Sharma · ‎07-10-2012

Hi Steven,

Yes you need to put critical resources (web-servers, email servers etc.) behind the FWSM. You need to be very careful while designing this. About performance issue on FWSM, make sure FWSM is not oversubscribed with traffic being handled by it.

For more information on Oversubscription please follow the below document.

https://supportforums.cisco.com/docs/DOC-13066

Would recommend to open a TAC case and work on performance related issues.

Regards,

Dinkar

superapple · ‎07-11-2012

What types on network vlans would you place/route ON the FWSM? Our Public IP -> nat internal ips for the load balancer?

Dinkar Sharma · ‎07-11-2012

Hi Steve,

For all those servers which are vulnerable to attacks, mostly from outsdside users.

Regards,

Dinkar