07-10-2012 02:02 PM - edited 03-11-2019 04:29 PM
Hi all,
I have some basic questions on firewall/data center design. I have inherited a pair of 6500s containing FWSM modules. All 50+ VLAN interfaces are placed on the FWSM and are doing quite a bit of inter-VLAN traffic for the 200+ machines we have on our access layer switches in those various VLANs. I'm starting to see performance issues, which are most likely due to the limitations of the firewall.
To me it's obvious that not all of these VLANs should be placed on the FWSM and that they should be moved down to the 6500 MSFC; however, what is the best practice to determine which networks should be locked up in the FWSM? The obvious ones to move to the MSFC are storage, backup, etc. Do you typically only place networks to which the outside internet has access on the FWSM?
Thanks.
07-10-2012 03:57 PM
Hi Steven,
Yes, you need to put critical resources (web servers, email servers, etc.) behind the FWSM. You need to be very careful while designing this. About the performance issue on the FWSM, make sure the FWSM is not oversubscribed with the traffic being handled by it.
For more information on oversubscription, please see the document below.
https://supportforums.cisco.com/docs/DOC-13066
I would recommend opening a TAC case to work on the performance-related issues.
Regards,
Dinkar
07-11-2012 02:25 PM
What types of network VLANs would you place/route ON the FWSM? Our public IP -> NAT internal IPs for the load balancer?
07-11-2012 02:38 PM
Hi Steve,
For all those servers which are vulnerable to attacks, mostly from outside users.
Regards,
Dinkar
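The split the thread describes, keeping only the externally reachable server VLANs behind the FWSM and letting the MSFC route the rest, is expressed on a Catalyst 6500 by which VLANs are handed to the firewall module through a firewall vlan-group. The fragment below is an added illustration, not configuration from either poster; the slot number, VLAN IDs, names and addresses are assumptions chosen for the example.

```text
! --- Catalyst 6500 supervisor (MSFC side), added example, not the thread's configuration ---
! Only VLANs listed in the vlan-group are delivered to the FWSM; every other VLAN
! with an SVI is routed directly by the MSFC and never touches the firewall.
firewall vlan-group 10 10,20          ! assumed: VLAN 10 = DMZ web, VLAN 20 = mail
firewall module 3 vlan-group 10       ! assumed: FWSM sits in slot 3

! Storage and backup stay on the MSFC as plain routed SVIs (no firewall inspection)
interface Vlan40
 description storage - routed by MSFC (assumed VLAN)
 ip address 10.40.0.1 255.255.255.0
interface Vlan41
 description backup - routed by MSFC (assumed VLAN)
 ip address 10.41.0.1 255.255.255.0

! --- FWSM side, added example ---
! Each VLAN in the vlan-group becomes a firewall interface with its own security level,
! so only the exposed server segments consume FWSM inspection capacity.
interface Vlan10
 nameif dmz-web
 security-level 50
 ip address 192.0.2.1 255.255.255.0      ! documentation range, constructed
interface Vlan20
 nameif mail
 security-level 60
 ip address 198.51.100.1 255.255.255.0   ! documentation range, constructed
```

Moving a VLAN from the FWSM to the MSFC is then a matter of removing it from the vlan-group and giving it an SVI on the supervisor, which is also the point at which that segment loses stateful inspection, so the decision per VLAN should be recorded alongside the reason it does or does not need to sit behind the firewall.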