11-13-2007 06:48 AM - edited 03-09-2019 07:22 PM
Hi all,
we have 2 * 6500 series core switches with each FWSM installed.
There are some user VLANs (per floor) and lots of servers inside that belong to some other VLANs.
The core switches have been configured with HSRP redundancy (active/passive).
Nowadays i am challenging with FWSM configuration in routed mode.
There is no problem with typical configuration and tests,
i mean assigning VLANs to FWSM and removing IP adresses from MSFC.
But unfortunately whenever i do such a configuration, i naturally lose redundancy between the switches.
In our situation HSRP is a must.
Is there any way to solve this design issue in routed mode with HSRP support.?
Thanks,
Erdem.
Solved! Go to Solution.
11-15-2007 05:00 AM
Hi Erdem,
(correct me if I'm wrong, Jon) - If you delete all SVIs you need of course route all traffic on the FWSM.
What we did was to create a transfer network (VLAN) with a SVI and the outside FWSM interface in it. Now the default gateway on the FWSM is set to the IP address of this SVI. So most of the routing is configured on the switch.
regards,
Juergen
11-15-2007 05:25 AM
Erdem
Juergen is absolutely right. As long as you have a default route on your FWSM pointing to the MSFC then you can leave the statics as is.
So your FWSM has multiple vlans that it is protecting. You then connect the outside interface of your FWSM to the MSFC with L3 SVI and then your default route on the FWSM points to the L3 SVI.
Depending on whether you are running a routing protocol on the FWSM you may need to add static for the subnets behind your FWSM to the 6500 switch.
Jon
11-13-2007 10:46 AM
Hi Erdem
I'm not sure i understand. Are you not running the FWSM modules in active/standby configuration. In which case when you migrate the IP addresses to the FWSM from the MSFC you can apply a failover address to your standby FWSM. You only actually need 2 ip address unlike the 3 for HSRP eg.
vlan 10 on MSFC
HSRP address 192.168.5.1
real on switch 1 192.168.5.2
real on switch 2 192.168.5.3
on FWSM
ip address inside 192.168.5.1 255.255.255.0 standby 192.168.5.2
Obviously for this to work you need to setup failover ie active/standby config first.
Jon
11-13-2007 01:07 PM
Hi Jon,
I have nothing running about FWSM at production environment yet.
I'm doing the tests on the standby core switch.
Currently, core switches have been configured and running with HSRP redundancy (active/passive)
and VLAN configurations are just like you have typed in the above example.
Our major purpose is to control and restrict inter-vlan communication.
Do i have to remove the whole HSRP config. from MSFC or is there a simple way to make the
traffic flow through the firewall with the VLAN config. that is already done.?
As i searched and understood, it is not possible in routed mode, am i right.? :)
Thanks for your support,
Erdem
11-14-2007 07:53 AM
Hi Erdem
Apologies for the delay in replying.
Yes in routed mode you would need to migrate all the HSRP config for the vlans you want to protect from the switch to the FWSM. You would need to delete the L3 SVI's for any vlans you were wanting to protect with the FWSM.
If you used the FWSM in transparent mode you could keep your HSRP config, use 2 vlans per subnet (or you look at bridge groups) and use the FWSM to brdige between the vlans.
Hope this makes sense
Jon
11-15-2007 02:21 AM
Hi Jon,
Thanks for your reply, almost everything is clarified in my mind.
Actually i would like to use transparent mode but as it is known, there is a major limitation about interfaces.
Defining only two interfaces (inside & outside) does not meet our requirements because we can't categorize
the whole local network as "users" and "servers" and then assign each VLAN to one of these interfaces.
That's why i have to use routed mode.
And one more question about static routes:
We have some static routes on the MSFC. Do i also have to migrate these routes to the FWSM
or leave them on the MSFC so that the MSFC will continue to do the routing facility.?
Regards,
Erdem
11-15-2007 05:00 AM
Hi Erdem,
(correct me if I'm wrong, Jon) - If you delete all SVIs you need of course route all traffic on the FWSM.
What we did was to create a transfer network (VLAN) with a SVI and the outside FWSM interface in it. Now the default gateway on the FWSM is set to the IP address of this SVI. So most of the routing is configured on the switch.
regards,
Juergen
11-15-2007 05:25 AM
Erdem
Juergen is absolutely right. As long as you have a default route on your FWSM pointing to the MSFC then you can leave the statics as is.
So your FWSM has multiple vlans that it is protecting. You then connect the outside interface of your FWSM to the MSFC with L3 SVI and then your default route on the FWSM points to the L3 SVI.
Depending on whether you are running a routing protocol on the FWSM you may need to add static for the subnets behind your FWSM to the 6500 switch.
Jon
11-16-2007 01:09 AM
Hi Juergen and Jon,
of course there will be a L3 SVI between FWSM and MSFC,
as a result there is no need to migrate the static routes to FWSM.
Now i have to do a detailed migration plan.
It's almost impossible to migrate all VLANs at the same time, so:
1. configure the FWSMs in active/standby mode.
2. Migrate the test VLANs and do the initial tests.
3. Migrate the IT department VLAN as a cavy for actual tests.:)
Considerations:
1. I have to enter some temporary static routes while the test process goes on,
because some VLANs will be behind the FWSM while the others will be in front.
2. The HSRP will remain in use during the tests.
Do you have any ideas or recommendations besides.?
Thank you very much dear friends,
Regards,
Erdem
11-16-2007 01:58 AM
What we did to have a fallback senario is to just "shutdown" the SVIs and give the FWSM interfaces the MSFC IP.
So you dont have to change anything on the client side. And if a problem comes up with the FWSM you can just "no shut" the SVI. (But know that I think about it, the MAC address would change so the client would need some time to use the new gateway?! We NEVER had problems ;-) )
About the routing: maybe you already tested that but what if you add all the static routes to the networks which later lie behind the FWSM.
At the moment they all have a SVI, right? Which means they are localy connected - and have a static route. If the SVI is shutdown the localy connected routes go down and the static routes you entered get active!?
besides that: I wish you good luck for the migration :-)
best regards,
Juergen
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: