Traffic move from MSFC to FWSM?

mca.ahsan (Level 1)

Hi

I am planning to deploy the FWSM with all this complexity. Can anyone please tell me whether this type of scenario works or not, meaning will traffic move from the MSFC to the core? Is it right to create another SVI (int2) on the MSFC to move traffic from the MSFC to the core switch?

Gi0/1 (cisco7613) Vlan10 ---- Vlan10 (inside) FWSM (outside) Vlan20 --- Vlan20 (inside) (SVI-int1) MSFC (outside) (SVI-int2) Vlan30 --- Vlan30 Gi0/2 (Core-Switch) ----- Internet --->


Accepted Solution

Giuseppe Larosa (Hall of Fame)

Hello Syed,

Yes, the MSFC and the FWSM can peer on a common broadcast domain (a layer 2 subnet) within the C6500/7600 device.

This can happen in multiple L2 VLANs if the MSFC uses VRFs, and the FWSM can use multiple contexts.

If you are deploying a fully redundant solution with two chassis, each with MSFC/FWSM, you need to provide L2 connectivity between the MSFCs and the FWSMs (in a failover pair) across the two chassis (in addition to a dedicated GE link for the FWSM failover VLAN and maybe another for session state exchange).

When using multiple contexts the FWSM does not support dynamic routing, so if you are using contexts you will need appropriate static routes on each side (MSFC / FWSM) and also to provide the return path from the Internet via the FW.

The use of VRFs would be needed if internal traffic enters on an MSFC SVI, so to avoid bypassing the FWSM VRFs can be deployed.

Your case is simplified, with internal traffic hitting the FWSM logical interface directly, so you don't need VRFs in your setup.

Hope to help

Giuseppe

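As an added worked example (not from the original thread), here is what the static-routing arrangement Giuseppe describes looks like for the routed-mode version of the topology in the question: VLAN 10 inside the FWSM, VLAN 20 as the FWSM/MSFC transit VLAN, and a second SVI on VLAN 30 toward the core switch. The slot number, VLAN-group number, ACL names and all IP addresses (192.168.10.0/24 inside, 192.168.20.0/24 transit, 192.168.30.0/24 toward the core) are assumptions chosen to match the diagram, not values from the thread.

```cisco
! --- Supervisor/MSFC (IOS) in the chassis hosting the FWSM ---
! Hand VLANs 10 (inside) and 20 (outside) to the FWSM in slot 3 (assumed slot).
! The MSFC deliberately has NO SVI on VLAN 10: an inside SVI would let
! hosts route around the firewall, which is the bypass VRFs would otherwise fix.
firewall vlan-group 1 10,20
firewall module 3 vlan-group 1
!
! Gi0/1 is a pure L2 access port in the inside VLAN.
interface GigabitEthernet0/1
 switchport
 switchport access vlan 10
 switchport mode access
!
! SVI-int1: MSFC side of the FWSM outside VLAN.
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
!
! SVI-int2: transit subnet toward the core switch (the physical link
! to the core carries VLAN 30).
interface Vlan30
 ip address 192.168.30.10 255.255.255.0
!
! Static routes only (no dynamic routing across the FWSM):
! the inside subnet is reachable solely via the FWSM outside address,
! everything else goes to the core switch.
ip route 192.168.10.0 255.255.255.0 192.168.20.1
ip route 0.0.0.0 0.0.0.0 192.168.30.20

! --- FWSM, routed mode, single context ---
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address 192.168.20.1 255.255.255.0
!
! Default route points at the MSFC SVI on VLAN 20.
route outside 0.0.0.0 0.0.0.0 192.168.20.254 1
!
! The FWSM passes no traffic until an ACL is applied, even from a
! higher- to a lower-security interface; permit outbound explicitly.
access-list INSIDE_OUT extended permit ip 192.168.10.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside

! --- Core switch ---
! Return path: the inside subnet must be routed back to the MSFC (and so
! through the FWSM); if the core learned it any other way, replies would
! bypass the firewall.
interface Vlan30
 ip address 192.168.30.20 255.255.255.0
ip route 192.168.10.0 255.255.255.0 192.168.30.10
```

On the supervisor, `show firewall vlan-group` confirms which VLANs were handed to the module; the check that matters for security is that no SVI exists on VLAN 10 and that the core's only route to 192.168.10.0/24 is via 192.168.30.10.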

mca.ahsan (Level 1)

Thanks a lot Giuseppe for giving me the helpful information. By the way, I need to deploy the FWSM in transparent mode, and there is no redundancy in my scenario.

I have a doubt whether there is any problem moving traffic from the MSFC to Gi0/2 of the 6500 switch, because on the MSFC we have the switching processor for L3 routing purposes.

So it means that for moving traffic from the MSFC to Gi0/2 we need to create another interface, SVI2, on the MSFC for a new VLAN, suppose VLAN 30, and give it IP address 192.168.30.10, and also assign a new IP address to Gi0/2 of the 6500, e.g. 192.168.30.20.

This is the real scenario: (network diagram attached to the original post; not reproduced here)

Giuseppe Larosa (Hall of Fame)

Hello Syed,

I apologize for my late answer.

A FWSM in transparent mode is a different scenario indeed.

Supposing that Gi0/1 is an L2-only switchport that is a member of VLAN 10, then you have the transparent firewall and a different VLAN on the outside (L2 broadcast domain VLAN 20).

You will have an SVI Vlan20 on the MSFC, on a different VLAN but with the same IP subnet, as in your network diagram.

From there, if you need a new SVI with a different IP subnet it is fine, as you have drawn in your network diagram.

So I think you should be fine following the network diagram.

Note: take into account that if you had the same MSFC on the inside interface of the FWSM, you would need to change the MAC address used by one SVI in order to make the two SVIs talk successfully via the transparent firewall (otherwise they cannot, as they would use the same MAC address).

Another tip is related to STP BPDUs: the transparent FW should block them, otherwise the VLAN mismatch would be evident to the switch logic (it could lead to inconsistent error messages).

However, I should check this second aspect.

Hope to help

Giuseppe
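As an added worked example (not part of Giuseppe's reply), here is the transparent-mode counterpart of the setup he describes, with both of his tips expressed as configuration. VLAN 10 is inside, VLAN 20 is outside, both in the single subnet 192.168.20.0/24 as in the diagram, and the MSFC has its SVI on VLAN 20 plus a second SVI on VLAN 30 toward the core. The ACL names, the management address 192.168.20.1, the MSFC addresses and the locally administered MAC are assumptions. Giuseppe himself flagged the BPDU point as something to verify, so the EtherType ACL below is shown as the way to implement blocking if that is the design you settle on, not as a statement that blocking is always right.

```cisco
! --- FWSM, transparent mode, single context ---
! In transparent mode the two VLANs are bridged; the FWSM only needs one
! management address in the shared subnet.
firewall transparent
!
interface Vlan10
 nameif inside
 security-level 100
!
interface Vlan20
 nameif outside
 security-level 0
!
ip address 192.168.20.1 255.255.255.0
!
! Tip 2 (STP): stop BPDUs crossing between VLAN 10 and VLAN 20, so the
! switch does not see the same spanning-tree instance on two VLANs.
! Everything else at the EtherType level is still allowed through.
access-list NO_BPDU ethertype deny bpdu
access-list NO_BPDU ethertype permit any
access-group NO_BPDU in interface inside
access-group NO_BPDU in interface outside
!
! IP traffic still needs an extended ACL; the FWSM permits nothing
! through it by default, in either mode.
access-list INSIDE_OUT extended permit ip 192.168.20.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside

! --- MSFC (IOS) ---
! VLANs 10 and 20 both belong to the firewall; the MSFC sits only on the
! outside VLAN and shares the inside hosts' subnet through the bridge.
firewall vlan-group 1 10,20
firewall module 3 vlan-group 1
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
!
! Second SVI on a different subnet toward the core, as drawn.
interface Vlan30
 ip address 192.168.30.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.30.20
!
! Tip 1 (only for the case Giuseppe notes, NOT needed in Syed's design):
! if the MSFC also had an SVI on VLAN 10, both SVIs would carry the same
! chassis MAC and could not talk to each other through the bridge.
! Overriding one with a locally administered MAC resolves that.
! interface Vlan10
!  mac-address 0200.0000.0010
```

If you do decide to let BPDUs through instead, drop the `deny bpdu` line (the `permit any` then carries them); the point of the explicit EtherType ACL is that the decision is visible in the config rather than left to the module's default behaviour.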

Hi Giuseppe,

Thanks for clearing up the doubts and for sharing the precious information.

Regards,

Syed Ahsan Kamal

Hi Giuseppe,


I need to clear up two doubts regarding the scenario. Actually, all of our Internet traffic moves in this manner:


7613(Gi0/1)-->6513(Gi0/2)-->ISA server[here we done NATing]-->6513(Gi0/10)-->Internet


1. So, as you mentioned regarding the MSFC, "Take into account that if you had the same MSFC on the inside interface of the FWSM you would need to change the MAC address ...", but here we try to pass traffic from the 7613 (Gi0/1) to the inside interface of the FWSM, so I think there is no need to change the MAC address, as we put the MSFC behind the FWSM.

2. The second one is regarding the blocking of STP BPDUs. As you mentioned, they will be blocked by the FW or a VLAN mismatch will occur; this concept is not very clear to me, so please can you provide any link or some detail regarding this issue.


Regards

Syed
