FWSM: svi, vlan 1

stsacas
Level 1

Hello,

I've been used to "traditional" standalone PIX, so I'm a bit confused about the way the FWSM and the MSFC interact with each other.

Two questions :

1) I understand that only one SVI-enabled VLAN can be shared between the MSFC and the FWSM. My question is, for functional routing between FWSM and MSFC, should IPs be assigned to both ends of the VLAN, "as if" they were two physically connected routing devices? Could only one IP for the FWSM interface be configured and then, for example, the MSFC SVI's IP from another VLAN be specified as the default gateway on the FWSM?

2) Could VLAN 1 be assigned to the FWSM? VLAN 1 is the only VLAN which is not 802.1q tagged, and as the MSFC and FWSM communicate with each other via 802.1q, is it still possible? It's not explicitly stated in the official documentation that VLAN 1 could not be mapped to the FWSM, but some posts here claim it couldn't. So what's the final word there?

Thanks in advance!

8 Replies

mschomburg
Level 1

Are you on 1.1 code train or 2.2? There is a good discussion of the SVI/MSFC in the 2.2 configuration guide. If you have not upgraded, 2.2 has some very interesting features that are not available on 1.1, including much better documentation.

Hope that helps.

2.2 here

I've read and read again http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_2/fwsm_cfg/switch.htm

but it doesn't answer my questions. It doesn't even provide any IOS/FWSM code snippets about the SVI interface configuration; it explains just the command "firewall" and the assignment of VLANs to the FWSM (btw I can't find the doc for this command in the IOS command reference).

In my 1) point, I've forgotten to mention that the "double IP" configuration of the shared VLAN definitely works. I want to know if it is a prerequisite, and why (thanks to the L3/L3 capabilities of the switch it shouldn't be necessary to provide an IP on the SVI interface, because all ARP requests are magically resolved as long as we're wired directly to the MSFC-managed switch).

nnw11903
Level 1

Hi,

1) You can have more than 1 SVI shared between MSFC and FWSM.

MSFC(config)#firewall multiple-vlan-interfaces

enables this.

Then, you configure L3 VLAN interfaces on the MSFC.

MSFC(config)#interface VLAN ...

These VLANs must be trunked to the FWSM through a firewall vlan-group assignment.

The IP addresses you assign (normally different IP subnets for different SVIs) on the MSFC can be used as gateway addresses in FWSM contexts (you must assign these VLANs to the FWSM contexts they should belong to).

It depends on your design if you need multiple SVI interfaces.

Hello, I'm aware one could bypass the base limitation of one shared SVI with multiple-vlan-interfaces, but it doesn't answer my 1) question: should both ends of the shared SVI VLAN get an IP address?

Yes, they should, if you do not want to use FWSM transparent mode.

If you do not assign an IP address to the SVI, for what reason should it be configured?

OTOH you can have another L3 routing device in the same VLAN outside the CAT6k that acts as a gateway for the FWSM, of course.

Both FWSM context vlan interface and MSFC L3 VLAN interface located in the same VLAN should have IP addresses assigned from the same subnet.

Different L3 VLAN interface / FWSM context interface pairs should have addresses from different IP subnets.

If you want to build a transfer VLAN between FWSM contexts (for example a shared outside network) and to have the MSFC acting as a gateway, only one SVI is needed.

Hope that helps.

ok thanks for the clarification.

What about vlan 1 and fwsm, so?

sdeal
Level 1

I too had the same questions. Here is how I configured my FWSM

1. I do not use VLAN 1 for anything

2. You create the VLAN SVI with an IP address as normal and set it up as the inside interface of your firewall. That way all inside traffic flows into the firewall.

3. For the outside of the firewall I created a layer 2 VLAN (no IP address) and added that to the firewall vlan-group. I created the outside interface in the firewall, giving it an IP address (I used a 30-bit mask), gave the other IP address to my Internet router, placed a port in that VLAN and plugged my Internet router into that port.

hope this clears it up some.
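Putting nnw11903's answer and sdeal's three steps together, here is a constructed MSFC / FWSM 2.2 configuration (an added example, not posted by anyone in this thread) in which both ends of the shared inside VLAN get an address from one subnet and the outside VLAN is a pure L2 VLAN with no SVI. VLAN numbers, addresses, the module slot and the port are assumptions, and the FWSM 2.2 single-context PIX-style syntax is written from memory rather than taken from the thread; NAT and access-list policy are left out.

```cisco
! ===== MSFC (Catalyst 6500 Native IOS) - constructed example =====
! Only needed if you want a second SVI shared with the FWSM;
! with the default, one shared SVI is allowed.
firewall multiple-vlan-interfaces
!
vlan 10
 name FW-inside
vlan 20
 name FW-outside
!
! Hand VLANs 10 (inside, shared SVI) and 20 (outside, L2 only) to the FWSM
! in slot 3 (slot number assumed).
firewall vlan-group 1 10,20
firewall module 3 vlan-group 1
!
! MSFC side of the shared VLAN: same subnet as the FWSM inside address.
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 no shutdown
!
! VLAN 20 intentionally has no SVI; the Internet router sits on an access
! port in that VLAN and is the FWSM's outside peer (port assumed).
interface GigabitEthernet1/1
 switchport
 switchport access vlan 20
!
! Inside hosts behind the MSFC reach everything else through the FWSM.
ip route 0.0.0.0 0.0.0.0 10.1.10.1

! ===== FWSM 2.2, single-context mode - constructed example =====
nameif vlan10 inside security100
nameif vlan20 outside security0
! FWSM side of the shared VLAN: same /24 as the MSFC SVI above.
ip address inside 10.1.10.1 255.255.255.0
! /30 toward the Internet router (addresses assumed).
ip address outside 192.0.2.1 255.255.255.252
! Default route to the router at the other end of the /30.
route outside 0.0.0.0 0.0.0.0 192.0.2.2 1
! Inside networks beyond the MSFC are reached via the MSFC SVI address,
! which is why both ends of VLAN 10 need an IP in the same subnet.
route inside 10.0.0.0 255.0.0.0 10.1.10.2 1
```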