FWSM Design for Internet Data Centre

Unanswered Question
Apr 20th, 2007


I realise this is Enterprise but has anyone experience/thoughts on the following?

The current Cisco Data Centre SRND v2.0 documents, specifically "Firewalling and Load balancing with 6500", mention the fact that, typically, for an Internet Data Centre, the FWSM is placed 'outside' the MSFC, yet the document concentrates on the scenario where FWSM is 'inside' or behind the MSFC.

Does this change how you would go about configuring a FWSM?



Jon Marshall Fri, 04/20/2007 - 03:12

Hi Mark

If you only want to place the FWSM in front of the MSFC then no, not really. You just need to make sure that the routed vlan is not the outside interface.

If you want to have a FWSM in front of the MSFC and also behind you need contexts. We have this setup in our data centre where we have multiple server vlans protected by the FWSM with the MSFC in front and then a separate context for connecting a 3rd party with the MSFC behind.

I would still be wary of using the FWSM as the front door to the internet. I believe it is very good as a datacentre firewall for segregating your server vlans etc. but I would feel nervous using it as the main Internet firewall. The scope for a configuration error, vlan hopping etc. would make me nervous. I would prefer to use a standalone firewall myself.

But it could just be me being old fashioned :-)



