Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
389
Views
0
Helpful
4
Replies

FWSM prerequisite

y.lo
Level 1
Level 1

‎08-18-2004 12:15 AM - edited ‎03-09-2019 08:29 AM

I read in the FWSM configuration guide 2.2 that there is a prerequisite for the vlan on FWSM to be used. It is to assign vlan to FWSM before assigning them to the MSFC.

I'm going to put a FWSM into a production 6509. As all the vlans are already defined in the MSFC, how can I get it to work if there exists the above prerequisite?

Labels:
0 Helpful
4 Replies 4

nkhawaja
Cisco Employee
Cisco Employee

‎08-18-2004 08:02 PM

Not sure what that means!!

Basically you have to set/add the vlans first in the switch (if using HYBRID) or MSFC (if using NATIVE IOS).

Then you have to bound it to FWSM.

Then you configure FWSM

Thanks

Nadeem

0 Helpful

y.lo
Level 1
Level 1
In response to nkhawaja

‎08-18-2004 08:27 PM

I mean the order of adding vlans to the FWSM and MSFC.

In Firewall Services Module configuration guide 2.2 page 2-3, there are 3 prerequisites and no. 3 is 'Assign vlans to the FWSM before you assign them to the MSFC. vlans that do not satisfy this condition are discarded from the range of vlans that you attempt to assign on the FWSM'.

The vlans are already defined on the MSFC in the production 6509. So how can I satisfy this prerequisite without removing the vlans on MSFC first? Or do I misinterpret this prerequisite?

The production 6509 is running hybrid ios.

There are sample configurations in the manuel.

Console> (enable) set vlan 55-57

Console> (enable) set vlan 70-85

Console> (enable) set vlan 55-57,70-85 firewall-vlan 8

Console> (enable) set firewall multiple-vlan-interfaces enable

Console> (enable) switch console

Router> enable

Password: ******

Router# configure terminal

Router(config)# interface vlan 55

Router(config-if)# ip address 10.1.1.1 255.255.255.0

Router(config-if)# no shut

Router(config-if)# interface vlan 56

Router(config-if)# ip address 10.1.2.1 255.255.255.0

Router(config-if)# no shut

Router(config-if)# end

It first creates vlans on the switch, then assign them to FWSM, and then define those vlans in MSFC.

0 Helpful

e.escalante
Level 1
Level 1
In response to y.lo

‎08-19-2004 11:15 AM

You have to remove the vlans from the MSFC. If not the fwsm will not recognize it at all. So the vlans should be first on the fwsm and then the msfc. Our setup calls for the msfc on the outside, so all my vlans that where using the msfc as dfg, now use the fw as their dfg. This way the only vlan that would appear on the fwsm and the msfc is my svi that connects the fwsm with the msfc.

0 Helpful

nkhawaja
Cisco Employee
Cisco Employee
In response to y.lo

‎08-19-2004 11:52 AM

Hi,

Basically the rule 3 talks about SVI. What it means is that if you have given IP addresses on the MSFC and added the interface vlans, on the MSFC, you have to remove them first. Then you have to bind the VLANs to FWSM (assigning them to FWSM), then you have to define just one vlan (give IP address) as SVI

So yes, if you have these VLANs assigned (as interfaces) you have to remove them

in a nutshell

1- add vlans on the switch

2- assign switch ports to these vlans

3- bind vlans to FWSM (make sure you dont have these vlans defined in MSFC)

Thanks

Nadeem

0 Helpful
Customers Also Viewed These Support Documents