Questions about 6500/FWSM/CSM

Unanswered Question
Jun 28th, 2007

Hi,

I have some questions regarding FWSM and CSM. Thank you in advance for your feedback.

I am using a pair of 6513 with one fwsm and csm in each. I am setting up a dmz environment with these units. fwsm is the second tier firewall (a pair of PIX 525 are in perimeter).

1. Do I have to use MSFC? I am connecting PIXes to the outside VLAN of the FWSM and two inside routers to inside VLAN of the FWSM. FWSM has a DMZ VLAN as well. I don't see any reason to involve MSFC in the picture. Is this correct? Is there any reason in the future that I may need MSFC (i.e. changing from single context to multiple or using load balancing for DMZ servers)?

2. I am going to extend outside and inside VLANs of FWSM between two 6513 switches. Should I do this for DMZ as well? As I do not use gateway redundancy for my DMZ servers and it is a pure firewall configuration of 6513/FWSM, I don't think it is required.

3. My understanding is with extending outside VLAN, if the link between primary PIX and primary 6513 fails or if primary PIX fails over to secondary for any reason, secondary PIX will have a way to get to the outside interface of primary FWSM. Is this correct? If not, then how I can make sure that PIX fail over will be transparent to primary 6513/FWSM which is not connected to secondary PIX?

4. Any difference in spanning-tree configuration between this environment and a regular dual homed server based config?

Thanks,

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jon Marshall Thu, 06/28/2007 - 11:18

Hi

1) No you should be fine if you leave out the MSFC. Certainly you don't want the MSFC between your perimeter pix firewalls and the FWSM's as you could end up routing around the firewalls. You could have the MSFC on the inside of the FSWM's.

Changing to multiple context will not requre that you need the MSFC for the above. It is quite feasible to have a separate context where the MSFC is involved and still have your above setup where you haven't involved the MSFC. You dictate this by how you allocate vlans to the FWSM.

2) You will have to extend the DMZ, or at least you will have to allocate the DMZ vlan on both switches under the "firewall vlan-group .. " command. If you don't allocate the same vlans on each switch to the FWSM your failover will not work properley. If the DMZ servers are physically connecting into the 6500 chassis i would look to dual hone and include the DMZ in failover if you can. Can't see the reason not to use failover between chassis's if you can. (Of course depends on your have 2 NIC's in DMZ servers ).

3)Assuming your 6500's are connected with a layer 2 trunk yes the secondary pix should still be able to get to the outside interface of the FWSM primary.

4) For the FWSM not really. Just make sure you use a dedicated layer 2 trunk/etherchannel for the FWSM between the 2 switches.

Hope this has answered some of your queries

Jon

Actions

This Discussion