FWSM configuration design in a 6509

rramlal
Level 1

Hi All,

I am a newbie with respect to firewalls and we have a customer that purchased a 6509 with two FWSM modules.

Now, from reading the manuals for configuration of the FWSM, it's very difficult to decide which one of the modes is better to use.

The customer has an external firewall for their internet traffic and DMZ, so the FWSM will only be scanning internal traffic. Their intent is to segment and lock down traffic between the VLANs.

I was thinking to have the MSFC do the routing and have the FWSM work in transparent mode, but do you think this is a good design? Any words of advice based on experience if the routed mode would be better?

1 Reply

fadlouni
Level 1

Hi.

Transparent mode would be the easiest to implement in an existing network as no re-addressing is needed, and since it acts like a bridge, you can also control non-IP based traffic (which routed mode can't).

Routed mode, however, has some more features which don't exist in transparent (like multicast routing, routing protocols, etc.). So if you don't need any routed-mode-only specific feature, stay with transparent.

With transparent you have to be careful how to implement it so as not to cause layer 2 loops.

However, since the cat6k routing features are a lot more advanced than the FWSM, I'd say keep the routing to the MSFC, and let the FWSM just do firewalling. So best to use FWSM in transparent mode.

The FWSM config guide section about the 2 modes explains the difference between both, so I recommend you read it and, based on your requirements, implement what you want:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/fwmode_f.html

Regards,

Fadi.