635 Views, 3 Helpful, 4 Replies

FWSM and multiple-vlan-interface command

tholmes
Level 1

Hello,

I'm due to configure an FWSM in a 6513 running IOS. I guess the example configurations are pretty similar when using an MSFC, but I have a question.

I have 3 inside VLANs. Do I configure 3 VLAN interfaces with IP addresses (as default gateways for the hosts on the 3 VLANs), then configure another separate VLAN for a 'next hop' between the router and the inside interface of the FWSM, putting IP addresses on the FWSM inside and router VLAN?

I tried this in a test setup and it seemed to work, but when I PINGed an external host through the FWSM I couldn't see any packets using DEBUG ICMP TRACE; the PING did stop working when I removed the ACL on the FWSM inside interface.

I had used the FIREWALL MULTIPLE-VLAN-INTERFACE command but having read through all the documentation I now think I'd be best avoiding this command.

I just want to make sure I wasn't bypassing the FW.

Any help appreciated.

Best Regards Tony

1 Accepted Solution

Accepted Solutions

I am a little confused by your description, but it sounds as if you have it set up correctly. It is expected that you would not see the output from the "debug icmp trace" for ICMP packets going *through* the FWSM. The reason for this is that the FWSM "fast switches" the packets once a connection has been established. The debug processes run in the PC complex, which is essentially 3 layers of processing back in the flow. Initial connections as well as traffic *to* the FWSM itself are processed in the PC complex. Hence, this is why you saw the debugs when you pinged the FWSM directly. Removing the ACL was probably the best test to see that everything was working. As long as you only have one SVI, then there is no way possible for packets to be routed in the MSFC. The FWSM is the only thing that can route in the above scenario.

Hope this helps explain matters somewhat.

Scott


4 Replies

irelandsky
Level 1

Hi Tony,

I'm not sure about the test you did, but here are some considerations:

1) You have to create 1 VLAN as internal link for MSFC and FWSM ( you have to assign an IP to FWSM interface and an IP to interface VLAN on MSFC)

2) Have you put the command permit icmp in your configuration? If not, the remote host is not able to reply to your ICMP request.

I hope this helps.

Marco

Hi Marco, thanks for the reply.

Yes mate, PINGs worked fine.

I couldn't see the output from DEBUG ICMP TRACE during the PINGs. I wanted to make sure I was not bypassing the FWSM, so I removed the ACL which allowed PING and the PINGs failed - this was expected.

If I PINGed the inside interface I did get the DEBUG info.

I follow your point No. 1, though; I just think it is a little confusing that you only have one interface (SVI) on the FW yet 3 virtual interfaces (inside, outside, DMZ).

Many thanks

Tony


That does make sense, many thanks Scott. Sometimes it helps just to bounce ideas off someone.

Cheers Tony
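The layout Tony describes (three inside SVIs on the MSFC, one transit VLAN to the FWSM inside interface), Marco's point 1, and Scott's condition that the MSFC holds only one SVI on the firewall VLANs, as an added check that is not part of the thread and not Cisco's code: a small Python audit that parses an MSFC running-config excerpt and reports whether the MSFC could route around the FWSM. The config excerpts, VLAN numbers, IP addresses and module slot are constructed for illustration; `firewall vlan-group`, `firewall module ... vlan-group` and `firewall multiple-vlan-interfaces` are the real IOS commands, but the script only reads text and does not talk to a switch.

```python
"""Audit a Catalyst 6500 MSFC configuration for paths that bypass the FWSM.

Added example, not code from the thread or from Cisco. It checks the property
stated in the accepted answer: with the FWSM routing between its VLANs, the MSFC
may hold an SVI on exactly one of the VLANs handed to the FWSM (the transit VLAN
to the FWSM inside interface), so the FWSM is the only router between firewall
VLANs. It also flags `firewall multiple-vlan-interfaces`, which lifts the
one-SVI guard that IOS enforces by default.
"""
import re
from dataclasses import dataclass, field

# Constructed MSFC running-config excerpt (VLAN numbers, addresses and slot
# are assumptions). VLANs 10/20/30 are the FWSM outside/inside/dmz; the MSFC
# routes for the three inside user VLANs and reaches the FWSM via VLAN 20.
SAFE_CONFIG = """\
firewall vlan-group 1 10,20,30
firewall module 9 vlan-group 1
!
interface Vlan20
 description transit to FWSM inside (FWSM inside = 10.0.0.1)
 ip address 10.0.0.2 255.255.255.0
!
interface Vlan101
 description inside users, default gateway
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan102
 ip address 10.1.2.1 255.255.255.0
!
interface Vlan103
 ip address 10.1.3.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
"""

# Same box with the guard lifted and an SVI added on the outside VLAN:
# the MSFC can now forward 10.1.x.0/24 <-> outside without the FWSM.
RISKY_CONFIG = "firewall multiple-vlan-interfaces\n" + SAFE_CONFIG + """\
!
interface Vlan10
 description outside - should exist only on the FWSM
 ip address 192.0.2.2 255.255.255.0
"""


@dataclass
class MsfcAudit:
    firewall_vlans: set = field(default_factory=set)  # VLANs bound to the FWSM
    svi_vlans: set = field(default_factory=set)       # VLANs with an active MSFC SVI
    multiple_svi_enabled: bool = False


def expand_vlan_list(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_msfc_config(text):
    groups, bound = {}, set()   # vlan-group id -> VLANs; groups bound to a module
    has_ip, shut = set(), set()  # SVIs carrying an address; SVIs that are shut down
    audit = MsfcAudit()
    vlan = None  # SVI block currently being parsed
    for line in text.splitlines():
        if not line.startswith(" "):
            vlan = None  # '!' or any top-level command ends the interface block
        if m := re.match(r"^firewall vlan-group (\d+) (\S+)$", line):
            groups[m[1]] = expand_vlan_list(m[2])
        elif m := re.match(r"^firewall module \d+ vlan-group (\S+)$", line):
            bound.update(m[1].split(","))
        elif line == "firewall multiple-vlan-interfaces":
            audit.multiple_svi_enabled = True
        elif m := re.match(r"^interface Vlan(\d+)$", line, re.I):
            vlan = int(m[1])
        elif vlan is not None:
            if re.match(r"^\s+ip address \S+ \S+$", line):
                has_ip.add(vlan)
            elif line.strip() == "shutdown":
                shut.add(vlan)
    for g in bound:
        audit.firewall_vlans |= groups.get(g, set())
    audit.svi_vlans = has_ip - shut
    return audit


def firewall_svis(audit):
    """Firewall VLANs on which the MSFC also has a live SVI."""
    return audit.firewall_vlans & audit.svi_vlans


def bypass_risks(audit):
    """Findings as strings; an empty list means the FWSM is the only router."""
    risks = []
    svis = sorted(firewall_svis(audit))
    if len(svis) > 1:
        risks.append(f"MSFC has SVIs on firewall VLANs {svis}: it can route "
                     "between them without the FWSM seeing the packets")
    if audit.multiple_svi_enabled:
        risks.append("'firewall multiple-vlan-interfaces' is set: IOS no longer "
                     "enforces a single SVI on the firewall VLANs")
    if not svis:
        risks.append("no SVI on any firewall VLAN: the MSFC has no path to the FWSM")
    return risks


if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        audit = parse_msfc_config(cfg)
        print(name, "firewall SVIs:", sorted(firewall_svis(audit)),
              "risks:", bypass_risks(audit) or "none")
```

The check only covers the MSFC side: the FWSM still needs its own routes back to the inside user VLANs via the MSFC's transit address and an ACL that permits the traffic, and, as the accepted answer explains, `debug icmp trace` on the FWSM will not show fast-switched packets, so the ACL-removal test Tony used remains the simplest way to prove that traffic really crosses the firewall.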