Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5183
Views
0
Helpful
5
Replies

Catalyst 6513 with FWSM - Adding new VLAN - Confused!!

packetzen
Level 1
Level 1

‎04-21-2010 08:36 AM - edited ‎03-06-2019 10:43 AM

Hi all,

I inherited a fairly large network.  Dual 6513's with single fwsm's.  When I log into the switch we have 8 vlans configured.  I am really confused on how to get started.  What I think needs to be done is first the vlan is created on the switch.  Then using the firewall vlan group command I would add this new vlan.  Then it will magically show up in the fwsm?

Reading the following article:  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml

It only add's one vlan to the msfc, vlan 20.  And then it configures the rest of the vlans on the fwsm?  This is backwards of the way mine looks to be configured.  Also, all of my vlan's on the msfc are shutdown.  That part is weird to.

From what I read, you can configure it this way but it lists a secuirty disclaimer when doing this.

For security reasons, by default, only one SVI can exist between the MSFC and the FWSM. For example, if you misconfigure the system with multiple SVIs, you can accidentally allow traffic to pass around the FWSM if you assign both the inside and outside VLANs to the MSFC.

This post is probably more confusing that it's worth.  But if someone could give me some insight into adding a vlan into this env that would be great.

Thanks

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎04-21-2010 09:01 AM

Have a read of this thread and then come back if you need further clarification -

FWSM basic configuration

Jon

0 Helpful

packetzen
Level 1
Level 1
In response to Jon Marshall

‎04-21-2010 09:13 AM

Yes, I had read this before and it is very helpful but it also raised a lot of questions for me.  I guess I'm

still trying to understand how my vlans are configured. Particularly since they are shutdown on the catalyst switch.

It looks to me like I am using multiple svi's on the switch that pushes to the fwsm.

firewall multiple-vlan-interfaces
firewall module 10 vlan-group 1
firewall vlan-group 1  2-4,6,7,9-11,13,14,17-20,500-502

I then have these vlane interfaces on the switch, with static routes etc.  Here is an example of one of the vlans listed above:

interface Vlan11
ip address x.x.x.x
no ip redirects
shutdown
standby 71 ip x.x.x.x
standby 71 timers 5 15
standby 71 priority 250
standby 71 preempt

I also have this vlan on the fwsm.  It looks to me like were creating these vlans on the switch, pushing them to the fwsm using the firewall vlan group command.  I think... 

Thanks for the link!

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to packetzen

‎04-21-2010 09:30 AM

Okay, firstly are you running multiple contexts on your FWSM or just one ?

If just one then having multiple SVIs for vlans allocated to the FWSM is not a good idea. The fact that most of the SVIs are shutdown is a good thing although i would question why they are there in the first place.

Of the vlans allocated to the FWSM how many have SVIs that are up/up on the MSFC ?

Jon

0 Helpful

packetzen
Level 1
Level 1
In response to Jon Marshall

‎04-21-2010 10:00 AM

verified mode on fwsm is single context

The only active vlan interface are 5 which is my uplink to the outside world but it is not in the firewall vlan group and one other vlan that is also not in the vlan firewall group.

The only active vlan interface I have that is also in the vlan firewall group is xxx and it has the outside int ip of the fwsm.  So that sounds like I am only running one svi to the fwsm.  Perhaps someone set up those vlan interfaces incorrectly and just shut them down.

If that's the case I then only create the vlan's on the fwsm.  But I have to add the vlan id I create on the fwsm to the firewall vlan group on the switch, correct?

No wonder I was confused.

Thanks!!

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to packetzen

‎04-21-2010 10:06 AM

The only active vlan interface are 5 which is my uplink to the outside world but it is not in the firewall vlan group and one other vlan that is also not in the vlan firewall group.

The only active vlan interface I have that is also in the vlan firewall group is xxx and it has the outside int ip of the fwsm.  So that sounds like I am only running one svi to the fwsm.  Perhaps someone set up those vlan interfaces incorrectly and just shut them down.

Sounds right then. Be aware that as far as i recall the vlan shared between the FWSM and the MSFC does not have to be allocated to the FWSM in the firewall vlan-group command. So can you just doublecheck that you actually only have one vlan with both an active SVI on the MSFC and an interface on the FWSM.

If that's the case I then only create the vlan's on the fwsm.  But I have to add the vlan id I create on the fwsm to the firewall vlan group on the switch, correct?

Yes, any vlans you want to add to the FWSM, other than the shared vlan mentioned above, need to be allocated to the FWSM using the firewall vlan-group command on the switch.

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card