12-21-2007 04:35 AM - edited 03-05-2019 08:07 PM
Hi all,
My company has acquired a Catalyst 6513 with a FWSM module installed on it.
I have been reading a lot of documentation on cisco.com, but still have some problems configuring the FWSM:
The 6513 has 10 SVIs configured, each of them with an IP address. These 10 SVIs are bound to 10 VLANs which I need to secure. These SVIs are used for routing all the inter-VLAN traffic inside the switch. The documentation says it is recommended to use just one SVI for connecting the switch to the FWSM, although you can use more than one using the command "firewall multiple-vlan-interfaces". I don't want to use this command because it seems a much more difficult configuration, since you have to use policy routing after using this command (or that is, at least, what the documentation says).
When I try to "send" to the FWSM more than one VLAN that is configured as an SVI on the switch I get this error message:
"No more than one svi is allowed, command rejected."
If I delete the IP address of those SVIs, then I can "send" those SVIs to the FWSM with no problem at all. But I need the SVIs to have IP addresses configured, since they are needed for routing inter-VLAN traffic.
So, the question is: how can I route all the inter-VLAN traffic using just one SVI on the switch? Should I use the FWSM for inter-VLAN traffic routing??
Thanks in advance.
Regards,
Sergio.
Labels: Other Switching
Accepted Solutions
01-02-2008 03:50 AM
Sergio
Firstly, I have used the "firewall multiple-vlan-interfaces" command before and it does not require policy routing - at least not on version 2.x of the FWSM software.
That aside you do not need that command and even if you did you do not need to use policy-routing.
An example might help.
Let's say you have 10 vlans that are currently on the 6500 switch. So there will be L3 SVIs for them, e.g.
interface vlan 10
ip address 192.168.5.1 255.255.255.0
interface vlan 11
ip address 192.168.6.1 255.255.255.0
etc.
Now if you want to firewall these you need to migrate these interfaces to the FWSM. So, assuming that you are using single mode on your FWSM, you need to do the following:
1) Create a NEW vlan that will be used for communication between the MSFC and the FWSM.
For argument's sake let's call this vlan 100.
On your MSFC
int vlan 100
ip address 192.168.100.1 255.255.255.248
on your FWSM
nameif vlan100 outside security0
ip address outside 192.168.100.2 255.255.255.248
2) for every one of the vlans that you want to firewall you need to (we will use vlan 10 as an example)
i) On the 6500 switch
delete the L3 SVI
6500(config)# no interface vlan 10
Allocate vlan 10 to the FWSM - note the example below assumes that you have created a vlan-group 1 and tied it to the FWSM module
6500(config)# firewall vlan-group 1 10
ii) On the FWSM
nameif vlan10 v10 security50
ip address v10 192.168.5.1 255.255.255.0
I have used v10 as the name but you could use a more meaningful name.
I have chosen security level 50 but again you can use any number up to 100 but not 0.
You then do the same for each of the other vlans.
3) Routing
If you are running in single mode, as we assumed, you have a couple of choices. The 6500 MSFC needs to know how to get to the vlans behind the FWSM. So you can either
1) Run a routing protocol on the FWSM - RIP/OSPF and exchange routes with the MSFC. Depends on what routing protocol you are already using and how confident you feel about doing this.
2) Use static routes. Remember that the outside interface of the FWSM is 192.168.100.2.
So for each of the subnets behind the FWSM you need to add on the 6500 switch (again we will use vlan 10 as example)
ip route 192.168.5.0 255.255.255.0 192.168.100.2
etc... for all vlans.
Once you have done all this you can then control traffic between these vlans and the outside with access-lists.
Caveats
-------
1) I have assumed single mode on the FWSM - if you are running your FWSM in multiple context mode then there are a couple of additional steps needed.
2) None of the above takes into account failover. If you have 2 6500's each with an FWSM then you will need to add ip addresses to some of the above commands. The documentation is good on failover but if you are struggling please come back.
HTH
Jon
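As an added example that is not part of the thread or of any poster's configuration: a small Python helper (hypothetical, not a Cisco tool) that reads a 6500 running-config, lists the VLANs in a firewall vlan-group that still carry a routed SVI on the MSFC (the condition behind Sergio's "No more than one svi is allowed" error, since only the MSFC-to-FWSM transit VLAN may keep one), and emits the per-VLAN switch and FWSM commands from steps 2 and 3 of the answer above. The config text, slot number, VLAN ids and addresses are constructed; the nameif/ip address syntax follows the FWSM 2.x style used in the answer.

```python
"""Hypothetical helper (not a Cisco tool): check a Catalyst 6500 running-config
for VLANs in the FWSM vlan-group that still have a routed SVI on the MSFC, and
emit the per-VLAN migration commands from the procedure above."""
import re
from ipaddress import IPv4Interface

# Constructed sample of the relevant parts of a 6500 running-config.
# Slot number, VLAN ids and addresses are made up for the example.
SWITCH_CONFIG = """\
firewall module 7 vlan-group 1
firewall vlan-group 1 10,11,100
!
interface Vlan10
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan11
 ip address 192.168.6.1 255.255.255.0
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.248
!
interface Vlan200
 ip address 10.0.0.1 255.255.255.0
"""


def parse_vlan_groups(config):
    """Return {group: set(vlan ids)} from 'firewall vlan-group N list' lines.
    The list may mix single ids and ranges, e.g. '2-100' or '10,11,12'."""
    groups = {}
    for m in re.finditer(r"^firewall vlan-group (\d+) (\S+)", config, re.M):
        vlans = set()
        for part in m.group(2).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
        groups.setdefault(int(m.group(1)), set()).update(vlans)
    return groups


def parse_svis(config):
    """Return {vlan id: IPv4Interface} for every SVI that carries an IP address."""
    svis, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)$", line)
        if m:
            current = int(m.group(1))
            continue
        if line.startswith("interface") or line.strip() == "!":
            current = None
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)$", line)
        if m and current is not None:
            svis[current] = IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return svis


def routed_svis_in_group(config, group):
    """VLANs allocated to the FWSM that still have a routed SVI on the MSFC.
    Only one such VLAN (the MSFC-to-FWSM transit VLAN) is permitted; any
    further one produces 'No more than one svi is allowed, command rejected.'"""
    svis = parse_svis(config)
    members = parse_vlan_groups(config).get(group, set())
    return sorted(v for v in members if v in svis)


def migration_commands(config, group, transit_vlan, fwsm_outside_ip):
    """Steps 2 and 3 of the procedure for every conflicting VLAN except the
    transit VLAN: remove the SVI on the switch, recreate the interface on the
    FWSM (2.x nameif syntax, security level 50 as in the answer) and add a
    static route on the MSFC pointing at the FWSM outside address."""
    svis = parse_svis(config)
    switch_cmds, fwsm_cmds = [], []
    for vlan in routed_svis_in_group(config, group):
        if vlan == transit_vlan:
            continue
        iface = svis[vlan]
        switch_cmds.append(f"no interface vlan {vlan}")
        switch_cmds.append(
            f"ip route {iface.network.network_address} {iface.netmask} {fwsm_outside_ip}"
        )
        fwsm_cmds.append(f"nameif vlan{vlan} v{vlan} security50")
        fwsm_cmds.append(f"ip address v{vlan} {iface.ip} {iface.netmask}")
    return switch_cmds, fwsm_cmds


if __name__ == "__main__":
    print("routed SVIs in vlan-group 1:", routed_svis_in_group(SWITCH_CONFIG, 1))
    switch, fwsm = migration_commands(SWITCH_CONFIG, 1, 100, "192.168.100.2")
    print("\n".join(["! MSFC"] + switch + ["! FWSM"] + fwsm))
```

Run against the constructed config it reports VLANs 10, 11 and 100 as routed members of vlan-group 1, and with 100 named as the transit VLAN it produces the "no interface vlan" and "ip route" lines for the MSFC and the "nameif"/"ip address" pairs for the FWSM for VLANs 10 and 11 only. Feeding it a real running-config is a quick way to see which SVI still has to be deleted before the vlan-group command is accepted.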
12-28-2007 07:20 AM
You can use the FWSM for inter-VLAN traffic routing. With the MSFC in the chassis sitting on the outside interface to handle routing of traffic, and multiple VLANs on the inside and DMZ interfaces, any traffic that needs to traverse from one DMZ or inside VLAN to another DMZ must be routed based on configured policy through the FWSM. This would effectively limit total traffic throughput of inter-VLAN traffic to 5Gbps (FWSM throughput).
12-28-2007 10:43 PM
for 6513 Switch
firewall multiple-vlan-interfaces
firewall module 4 vlan-group 1
firewall vlan-group 1 2-100
FWSM CONFIGURATION
FWSM Version 3.1(3)
!
resource acl-partition 12
hostname Shivlu
domain-name shivlu.com
!
interface Vlan17
description LAN Failover Interface
!
interface Vlan18
description STATE Failover Interface
!
interface Vlan42
description MPLS TRAFFIC
!
interface Vlan50
!
interface Vlan51
!
interface Vlan52
!
interface Vlan99
!
interface Vlan100
!
class default
limit-resource All 0
limit-resource IPSec 5
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
ftp mode passive
pager lines 24
failover
failover lan unit secondary
failover lan interface faillink Vlan17
failover link statelink Vlan18
failover interface ip faillink 10.240.248.21 255.255.255.252 standby 10.240.248.22
failover interface ip statelink 10.240.248.25 255.255.255.252 standby 10.240.248.26
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
allocate-interface Vlan100
allocate-interface Vlan99
allocate-acl-partition 0
config-url disk:/admin.cfg
!
context customer1
description This is the context for customer 1
allocate-interface Vlan100
allocate-interface Vlan50
allocate-acl-partition 1
config-url disk:/context1.cfg
!
context customer2
description This is the context for customer 2
allocate-interface Vlan42
allocate-interface Vlan51
allocate-acl-partition 2
config-url disk:/context2.cfg
!
context customer3
description This is the context for customer 3
allocate-interface Vlan100
allocate-interface Vlan52
allocate-acl-partition 3
config-url disk:/context3.cfg
!
prompt hostname context
Cryptochecksum:xxx
: end
regards
shivlu
12-30-2007 09:26 AM
Sergio
How do you want to secure the 10 vlans ie.
1) from each other and outside access
2) from outside access ?
If 1) then you need to delete all the vlan SVIs off the 6500 switch and create them on your FWSM. Each vlan would have an interface on your FWSM. You would then have one extra vlan that connects your MSFC to your FWSM, so you would have a Layer 3 SVI on the MSFC for this one vlan only and an outside interface on your FWSM with an IP address out of that same vlan.
If 2) you just need to have a vlan on the outside of the FWSM and a vlan on the inside, and the inside vlan is the one that is shared with the FWSM.
Perhaps before we go into too much detail you could come back with whether it is 1 or 2 or some combination.
Jon
01-02-2008 03:19 AM
Hi Jon,
Thank you so much for your answer.
What I want to do is securing all of the VLANs from each other and from outside access.
So, do I have to use policy-routing?
Regards,
Sergio.
01-08-2008 03:37 AM
Jon,
Thank you SO MUCH for your detailed reply. It's gonna be extremely helpful to me. Thank you again, sincerely.
I am not sure whether to use single mode or multiple context mode. We have 5 customer networks which need to be secured, and at first I thought maybe it would be easier to administer the firewall using 5 different contexts. But that depends on how difficult it is to configure.
What is your advice? Should we use single or multiple context mode?
I'm beginning the FWSM configuration sometime next week, and I hope that you will be around here in case new doubts and problems arise.
Best Regards Jon.
Sergio.
01-08-2008 04:55 AM
Sergio
No problem with the help.
Firstly vlan-group is used to allocate a set of vlans to the FWSM. So in your 6500 config you will have something like
firewall module 7 vlan-group 1
firewall vlan-group 1 10,11,12
You can use any number, just use the first available. The number that is relevant is the
firewall module 7 <- this number must match the slot in the chassis that FWSM is in.
As for contexts. If I were separating multiple customers I would look to utilise contexts, which allows for complete segregation. It also means a config mistake on one context only affects that customer rather than potentially affecting other customers as well.
However it does depend on what license you have. The base license for the FWSM allows you to run 2 contexts + an admin context. If you need more than this you need to get a context license, which isn't cheap.
So you need to make a cost vs security decision. You can of course segregate customer traffic on the same firewall if you want to, you don't have to use contexts.
Jon
01-08-2008 04:25 AM
Hi again Jon,
I would like to ask you one more question:
What is the vlan-group number used for? And what number should I use? Can I use any number?
Thanks!
Regards,
Sergio.
01-10-2008 11:41 AM
What about the default route on the FWSM?
02-04-2008 02:14 PM
Jon,
This is very good explanation, I really need to ask you a question, what is then the packet flow for instance:
1) A host 192.168.5.20 that wants to communicate with host 192.168.6.20 will first hit the SVI on the FWSM, I'm lost after that!
07-19-2009 10:00 PM
Dear Jon,
You are really cool, thanks a lot for taking time for this clear description, which usually no one does.
I need some kind help on the multiple context mode configuration. I haven't seen many helpful posts describing the multiple context scenario like this.
In my case I need to give a solution for the customer with Active/Active failover. I don't have any additional context license other than the free one. I have one Vlan interface for the Server Farm and some other Vlans for the Users / Dept.
How do I do the multiple context mode in the current scenario for Active/Active failover? I am really confused about this; I need your kind help on the same please.
regards
Jacob
04-07-2011 05:53 AM
Dear All,
I have configured the FWSM in a Cisco WS-C6509E switch. But I am not getting a ping from the FWSM to the switch vlan interface 80 and its standby IP to go outside. Please have a look at the configuration below; I need your kind cooperation. Can you tell me whether I should get a ping from the FWSM to the switch vlan interface, as they are in the same VLAN80 and the same network? The failover configuration is working fine without a trunk between the two switches. But traffic is not being sent from the FWSM to outside.
Switch01_configuration
interface Vlan80
description out-side-MSFC
ip address 202.144.155.61 255.255.255.240
standby 0 ip 202.144.155.60
standby 0 priority 120
standby 0 preempt
Switch02_configuration
interface Vlan80
description out-side-MSFC
ip address 202.144.155.62 255.255.255.240
standby 0 ip 202.144.155.60
Switch01 and switch02 vlan_configuration:
60 DMZ-VLAN active Gi2/16
70 inside-VLAN active Gi2/15
80 MSFC-Out-side active Gi2/13
90 Failover-VLAN active Gi2/17
100 Statefull-VLAN active Gi2/18
FWSM01-configuration:
interface Vlan60
description FESM-DMZ
nameif DMZ
security-level 50
ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
interface Vlan70
nameif inside
security-level 100
ip address 10.10.5.1 255.255.255.0 standby 10.10.5.2
!
interface Vlan80
nameif outside
security-level 0
ip address 202.144.155.52 255.255.255.240 standby 202.144.155.53
!
interface Vlan90
description LAN Failover Interface
!
interface Vlan100
description STATE Failover Interface
failover
failover lan unit secondary
failover lan interface failover Vlan90
failover link state Vlan100
failover interface ip failover 10.5.5.1 255.255.255.0 standby 10.5.5.2
failover interface ip state 10.5.6.1 255.255.255.0 standby 10.5.6.2
FWSM02-Configuration:
failover
failover lan unit secondary
failover lan interface failover vlan90
failover interface ip failover 10.5.5.1 255.255.255.0 standby 10.5.5.2
Looking for your kind cooperation. It would be highly appreciated if you help me.
Thanks and regards...
Erfan
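An added example, not part of the thread or of anyone's posted configuration: a Python helper (hypothetical, not a Cisco tool) that parses the failover stanza of two FWSM units and reports the settings that must agree before the pair will form: failover enabled on both, exactly one unit primary and the other secondary, the same LAN and state interfaces, and identical active/standby failover addresses (both units of a pair carry the same "failover interface ip" lines; the unit role decides which address each one uses). The two snippets are constructed and only resemble the ones posted above.

```python
"""Hypothetical helper (not a Cisco tool): cross-check the failover stanzas
of two FWSM units and list the settings that do not agree."""
import re

# Constructed failover stanzas for the two units of a pair. Addresses and
# VLAN ids are made up for the example; unit B lacks a state link on purpose.
UNIT_A = """\
failover
failover lan unit primary
failover lan interface failover Vlan90
failover link state Vlan100
failover interface ip failover 10.5.5.1 255.255.255.0 standby 10.5.5.2
failover interface ip state 10.5.6.1 255.255.255.0 standby 10.5.6.2
"""

UNIT_B = """\
failover
failover lan unit secondary
failover lan interface failover vlan90
failover interface ip failover 10.5.5.1 255.255.255.0 standby 10.5.5.2
"""


def parse_failover(config):
    """Pull out the failover settings that must agree between the two units.
    Interface names are lower-cased because IOS-style parsers treat 'Vlan90'
    and 'vlan90' as the same interface."""
    f = {"enabled": False, "unit": None, "lan": None, "link": None, "ips": {}}
    for line in config.splitlines():
        line = line.strip()
        if line == "failover":
            f["enabled"] = True
        elif m := re.match(r"failover lan unit (primary|secondary)$", line):
            f["unit"] = m.group(1)
        elif m := re.match(r"failover lan interface (\S+) (\S+)$", line):
            f["lan"] = (m.group(1), m.group(2).lower())
        elif m := re.match(r"failover link (\S+) (\S+)$", line):
            f["link"] = (m.group(1), m.group(2).lower())
        elif m := re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", line):
            f["ips"][m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return f


def check_pair(cfg_a, cfg_b):
    """Return human-readable findings; an empty list means the pair is consistent."""
    a, b = parse_failover(cfg_a), parse_failover(cfg_b)
    findings = []
    if not (a["enabled"] and b["enabled"]):
        findings.append("failover is not enabled on both units")
    if {a["unit"], b["unit"]} != {"primary", "secondary"}:
        findings.append(
            f"unit roles are {a['unit']!r} and {b['unit']!r}; need one primary and one secondary"
        )
    if a["lan"] != b["lan"]:
        findings.append(f"failover LAN interface differs: {a['lan']} vs {b['lan']}")
    if a["link"] != b["link"]:
        findings.append(f"state link differs: {a['link']} vs {b['link']}")
    for name in sorted(set(a["ips"]) | set(b["ips"])):
        if a["ips"].get(name) != b["ips"].get(name):
            findings.append(
                f"failover ip for {name!r} differs: {a['ips'].get(name)} vs {b['ips'].get(name)}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_pair(UNIT_A, UNIT_B) or ["pair is consistent"]:
        print(finding)
```

On the constructed pair it reports two findings: the state link is configured on unit A only, and so is the state-link failover address. Pasting the failover lines of a real primary and secondary into UNIT_A and UNIT_B is a quick way to spot a role or interface mismatch before chasing a forwarding problem.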
12-31-2007 06:49 PM
Do a Cisco web search for VRF-Lite. Use VRF it will make your life much easier. Using policy routing is so 1990's and is apt to misconfiguration.
02-23-2012 01:50 AM
Hi Guys,
This thread has been really helpful. One question though: when a vlan is created and assigned to the firewall vlan group, does it show up in the system context automagically? I recently assigned a new vlan and it does not appear in the fwsm system context.
Regards,
Shiva
