Hello,

I don't mind creating the additional VLANs on the switch and the asymmetric routing. Supposedly, there is a way to ensure failover support with asymmetric routing.

Let's suppose my server VLAN is 90 and I create vlan 290 for the outside interface. These are the two VLANs that will be part of the BVI on the firewall, right? VLAN90 has an SVI on the switch with GLBP configured and is the default gateway . Does VLAN 290 need an SVI on the switch as well?

let consider this example

server vlan90--90 FWSM transparant context1 290 ---MSFC SVI vlan290--

and the default gateway of the server will be VLAN290 SVI

for bvi

for example

FWSM(config)# int vlan 90

FWSM(config-if)# bridge-group 1

FWSM(config-if)# int vlan 290

FWSM(config-if)# bridge-group 1

FWSM(config-if)# int bvi 1

FWSM(config-if)# ip address 10.290.1.2 255.255.255.0

FWSM(config)# route outside 0 0 10.290.1.1

where 10.290.1.1 the vlan 290 SVI ip

***keep in mind if u creat any SVI for vlan 90 u gonna bypass the firewall and the traffic will not go throught but will go dirctly though the MSFC****

good luck

if hlepful Rate

But isn't 10.290.1.1 an invalid IP address?

VLAN 90 is the actual server VLAN. Let's assume that the SVI for VLAN 90 has an IP address of 10.90.1.1. VLAN 290 will be specifically created for the purpose of the bridge-group.

Will VLAN 290 also have an SVI on the MSFC?

let me make more clear

u can configure ur topology one of the two ways

1.

servers vlan90--MSFCvlan90 SVIvlan90 with (hsrp or glbp)--90 context1 FWSM transparant 290--outside connection

or

server vlan 90--90 FWSM context1 290---MSFC SVI 290 u can here make glbp or hsrp for outside---outside

for case ine i describe it to u prvously

the servers will be connected to the inside FWSM vlan

while if u wanna run glbp or hsrp with server vlan u could use the topology two

in this case the server will be connected to vlan 90 and MSFC directly then the msfc will send the traffic to the inside FWSM vlan interface in the case vlan 90 and the FWSM will be connected to the outside not the MSFC!!

which one suit u ?

if u need mmore details let me know

good luck

the IP address i have put for example not must!!

just let me know what is gonna be connected to the outside of the 6500

and do u want the outside link be connected to the FWSM, MSFC or any one of them work for u ?

becuase u have to decide where to put the MSFC and FWSM logicaly not physicaly ok

did get it working

Not yet. Still getting the config ready....

HI

I need a your kind input on the same. My logical NW is attached along with. I would like to run FWSM on Transparent mode with same case Active/Active Load balencing and Failover.

I hav 1 vlan for server, 1 vlan for Useres, 1 Vlan for Management in the network.

(In FWSM routed mode i would prefer to run like this -

Inside is Server Vlan, User Vlan DMZ with same Security Level as inside, Outside will connect to MSFC back and will forward to Flex WAN)

Can i do this in Transparent mode?

In my scenario do i have to run multiple bridge groups?

Can I run this in a single context mode (I would prefer)?

regards

Jacob

hi Jacob

in regard to transparante mode

according to cisco press

With the FWSM configured for transparent mode, it acts as a “bump in the wire.” This

configuration, known as a bridge group, supports only an inside and outside interface,

essentially bridging the networks together, as shown in Figure 3-1. Up to eight bridge

groups are supported on the FWSM, unless it's configured for multiple contexts; then it's

eight bridge groups per context. Any attempt to configure more than eight will result in the

following error message:

ERROR: Maximum number of interfaces already configured.

whihc mean you can use one context but the grouping of vlans and interfaces will be in pairs of two inside and outside only

in ur case u have about three or four

the question here why you prefere to implimit transparant mode

do u have IP addressing issue or routing issue ?

let me know

if you wanna go with routed mode we can discuss it here as well

good luck :)

Hi Marwan,

Thanks for the reply. I was decided to go with routerd mode, which i have did before once.

I was just thinknig to see difference and also for the ongoing maintanance point of view i thought to go for transparent mode. No issue with the ip addressing.

But i would like to know more about the transparent mode only.

i didnt get clarity on this part.

Say i have a vlan Server VLAN 50, ports are configured in vlan 50, ip 192.168.50.x/24. preferd inside of the fwsm. i want to filter / do the firewalling between the user vlan and the server farm. user vlan 10, ports confgured in 10. with 192.168.10.0/24.

How the configuration would be in this case ?

thanks a lot

regards

jacob

based on ur requirment u need one more vlan for firewall outside

let me describe it for u

first off all in transparante mode there will be no ip address in the firewall interfaces

there will be only brigded group ip address for managment called bvi interface this one will be in the same subnet as the outside vlan

ur case could be configured like

servrs vlan50 --inside--fwsm--outside vlan 51--msfc svi vlan 51

now for vlan 50

u will not configure any svi or ip address but vlan 51 will have the ip addressing and subnet exactly as vlan 50

in this case the firewall will bridge between interfaces and vlans only not routing

and the comunication between the serve and users will be through the fwsm and routed by the msfc

the defual gateway of the servers will be vlan 51 svi

thats why transparant mode useful when u need a firewall inbetween of devaces or vlans without changing ip addressing or routing topology

it is L2 device with L3/4 intelegance

good luck

if helpful rate