Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1035
Views
0
Helpful
7
Replies

FWSMs Asymmetric Routing Solution.

a12288
Level 3
Level 3

‎11-07-2005 01:43 PM - edited ‎03-09-2019 12:57 PM

In a full redundant environemnt, i.e. two gateway routers, two cores, two distributions, we would like to put two FWSM on two cores in transparent mode, while the outbound traffic might take left-hand side dist-core-gateway while the inbound response traffic might take right-hand side gateway-core-dist, since they have at least two equal-eigrp-cost routes, how can we configure / deploy FWSMs to fit in this environment, we do not want to loose redundancy and diversity.

Labels:
0 Helpful
7 Replies 7

yongl
Level 1
Level 1

‎11-07-2005 10:07 PM

Hi,

You can configure both FWSMs in failover mode.

Please read the requirement from http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/failover.htm#wp1039197

0 Helpful

a12288
Level 3
Level 3
In response to yongl

‎11-08-2005 07:17 AM

I am not sure it would work in our topology, becuase our network infrastructure is somethig like Figure 15-2, we have two gateway rotuers (all active and run eBGP with our ISPs). It's very likely the outbound traffic would take left-hand gear and while inbound traffic come back through another ISP and take right-hand gear. what would be better design?

0 Helpful

yongl
Level 1
Level 1
In response to a12288

‎11-08-2005 05:13 PM

Hi,

please briefly describe your network topology.

where do you want to locate your transparent FWSM - between core switch and gateway router ?

0 Helpful

a12288
Level 3
Level 3
In response to yongl

‎11-09-2005 01:15 PM

hi, there.

please have a look on the attached .JPG file, and we'd like to deploy two FWSM on two Core- switch (6509) on towards Gatewau- side, thanks.

Preview file
146 KB
0 Helpful

yongl
Level 1
Level 1
In response to a12288

‎11-09-2005 08:37 PM

Hi,

Your current network has 4 IP subnets between core switch and gateway router. You need to redesign your network so that only one IP subnet is available between core switch and gateway router in order to deploy transparent firewall. The transparent firewall is ‘inserted’ into single IP subnet and this design will eliminate asymmetric routing problem.

0 Helpful

a12288
Level 3
Level 3
In response to yongl

‎11-10-2005 07:20 AM

thanks for your reply, it is not a problem to redesign our network, to consolidate into one VLAN between Core- and Gateway-, but back to square one, still, the outbound traffic would take left-hand side while inbound traffic comes back would take right-hand side due to the two equal-cost EIGRP routes, this asymmetric behavior would break the connection, how can I solve this issue? thanks again.

Preview file
153 KB
0 Helpful

yongl
Level 1
Level 1
In response to a12288

‎11-10-2005 08:37 PM

Hi,

You should deploy transparent firewall in failover mode (active/standby). All traffic from core switches to gateway routers (and vice-versa) will pass through the active transparent firewall because firewall is performing ‘bridging’ between gateway vlan & core vlan. Please refer to following example:

FWSM in transparent mode:

- failover with another FWSM

- inside=vlan10, outside=vlan100

gateway1 router

- connect port 2/1 to core1 & assign vlan100

- connection to core2 is not required

- ip add 1.1.1.1/24 (example)

gateway2 router

- connect port 0/2 to core2 & assign vlan100

- connection to core1 is not required

- ip add 1.1.1.2/24 (example)

core1:

- create ‘int vlan 10’ & ip add=1.1.1.3/24

core2:

- create ‘int vlan 10’ & ip add=1.1.1.4/24

0 Helpful
Customers Also Viewed These Support Documents