ask core switch

acer.refay1
Level 1

Hi all,

I am a newbie here. My company has a Cisco 6500 switch with an FWSM module (we call it A) connected to another 6500 (called B) via a port channel. Inside the FWSM, switch A has 2 VLANs and OSPF routing, and it needs to be dismantled because it will be replaced by an appliance firewall, so I will move the VLANs and routing from the FWSM to the 6500 A itself (the switch).

Also, the biggest issue is that the firewall device which replaces the Cisco FWSM has a requirement that the connection from the switch has to be an access port, not a trunk port.

Can anyone give me some guidance or best practice on how to do it?

thanks

6 Replies

Jon Marshall
Hall of Fame

For the 6500 you need to create SVIs ("int vlan <x>") for the vlans currently routed on the FWSM.

You will need downtime.

So create the SVIs on the 6500 and keep them shutdown (this is important).

You can then assign the same IP as is currently used on the FWSM interface for that vlan.

Then remove the vlan from the FWSM, i.e. get rid of the "vlan-group .." commands on the 6500, and then bring up the SVIs on the 6500.

Alternatively you can just assign the new IP to the SVI after you have removed it from the FWSM interface, as it is the ARP cache that is going to be the big delay.

So end devices will now have the wrong entries in their ARP caches, i.e. the default gateway IP will still be pointing to the FWSM MAC address, not the SVI MAC address on the 6500. So you will need to clear their ARP caches or reboot them, or do it after hours and hopefully by the time people get back in the next day the ARP cache entry has timed out.

For your new firewall if you want to firewall multiple vlans it can't be an access port, it has to be a trunk unless you run multiple cables back from separate interfaces on the firewall to the 6500.

Edit - I am assuming the MAC address of the SVI will be different, but it has been a while since I used the FWSM.

Should be an easy thing to check.

Jon
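The migration sequence Jon describes, written out as an added 6500 configuration example (not from the thread or from Cisco documentation). VLAN IDs 10 and 20, the 10.10.x.0/24 addresses, FWSM slot 5, vlan-group 1, OSPF process 1 and area 0, and the FWSM interface name "inside" are all assumed placeholders:

```cisco
! Assumed topology (constructed for this example, not from the thread):
! VLAN 10 = 10.10.10.0/24, VLAN 20 = 10.10.20.0/24, FWSM in slot 5
! mapped via vlan-group 1, OSPF process 1, area 0.
!
! Before the change window: record the FWSM interface MAC address so the
! ARP-cache problem can be confirmed later (FWSM exec, interface name assumed):
!   FWSM# show interface inside | include MAC
!
! Step 1: create the SVIs on the 6500 and keep them shut down, with the
! same IPs the FWSM interfaces use today.
interface Vlan10
 description inside users (previously routed on the FWSM)
 ip address 10.10.10.1 255.255.255.0
 shutdown
!
interface Vlan20
 description servers (previously routed on the FWSM)
 ip address 10.10.20.1 255.255.255.0
 shutdown
!
! Step 2: move the OSPF advertisement of both subnets to the MSFC.
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
 network 10.10.20.0 0.0.0.255 area 0
!
! Step 3 (downtime starts here): detach the VLANs from the FWSM by removing
! the vlan-group mapping on the 6500.
no firewall module 5 vlan-group 1
no firewall vlan-group 1 10,20
!
! Step 4: bring the SVIs up.
interface Vlan10
 no shutdown
!
interface Vlan20
 no shutdown
!
! Step 5 (exec, after the change): compare the SVI MAC with the FWSM MAC
! recorded earlier. If they differ, end hosts keep a stale gateway entry
! until their ARP timers expire, which is the delay Jon refers to.
!   6500# show interfaces vlan 10 | include address
!   6500# show ip arp vlan 10
```

Removing the matching OSPF and interface configuration from the FWSM itself is a separate step on the module and is not shown here.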

Hi jon,

Thanks for the solution. I agree with you, but this new firewall (the engineer guy) tells me to remove the port channel and make the port which connects to them an access port, not a trunk, so what confuses me is how the VLANs inside the 6500 can communicate with the next switch. The solution I am currently thinking about is to make a different VLAN in both switches and set up routing between them.

(The firewall is in transparent mode because it is currently being tested.)

Please advise.

Regards,

acer

Hello,

If I understood correctly, the FWSM has been configured in routed mode and the clients' default gateways are SVIs on the FWSM. Is the new firewall going to be placed between the clients and the MSFC, or is the firewall going to inspect the traffic between the MSFC and outside? Is there only one new firewall, or two?

Masoud

Hi,

Thanks for the answer. Yeah, sorry, I forgot about that; you are right, the FWSM is in routed mode.

Each switch has its own VLAN. The port channel has 2 physical ports, which will be removed, and each physical port will connect to one firewall.

I do not think that you need to remove the port channel. If you remove the port channel and change the trunk port to access, you will lose the redundancy provided by the two 6500s.

The new firewall can be placed either between the MSFC and the access clients, or between the MSFC and the outside of the network.

In both cases (and there might be more options), you need to have a trunk interface between the two switches.

Ask for the new topology before starting to change anything.

Masoud

Jon Marshall
Hall of Fame

One other thing.

If you are going to be running HSRP between the two 6500s, then that should send out gratuitous ARPs, which would update the end devices' ARP cache tables, so you may not have to worry about the incorrect entries in the ARP cache.

Some devices do ignore gratuitous ARPs though.

Jon