HSRP in 6500 with FWSM module

Unanswered Question
Nov 16th, 2007

Hi All,

Can any one guide me on my following question. I have two 6500 (Sup 720) chassis with FWSM module in each. I need to configure Hot standby mode both in the switch and FWSM module .FWSM will be in multi context mode. In this multi context mode each internal Vlan will have different policies to external network (internet) and Hot standby on switch will be on Vlan based, in this case if I do inter vlan routing in switch means how the different vlan traffic will have different policies at FWSM module when it want to reach internet. To achieve this should I want to do inter vlan routing at FWSM?

regards

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
owillins Thu, 11/22/2007 - 10:32

HSRP and FWSM both are implemented in the interface level so you can configure both things through that you can achive your needs ( ie FWSM does not include any external physical interfaces. Instead, it uses VLAN interfaces. Assigning VLANs to the FWSM is similar to how you assign a VLAN to a switch port; the FWSM includes an internal interface to the Switch Fabric Module and also HSRP applied in the interface level only).

jagan_240 Thu, 11/22/2007 - 20:26

Can you explain this by giving some reference links or by any short meterials

regards.

jarredtaylor Fri, 11/23/2007 - 05:51

With the FWSM/MSFC combination you have two options in terms of connectivity:

1) You can place the FWSM between the MSFC and the rest of the network (e.g. the Internet)

or

2) You can place the MSFC between the FWSM and the rest of the network.

Reading your original post, it sounds like by using contexts each client vlan requires its own policy. To solve that problem I would use option 2 above.

In this configuration the MSFC would have one interface that connected back to the rest of the network and one or more interfaces connecting to the 'outside' of each FWSM context. The switch itself would have VLANS for both the inside and outside of each FWSM context. The point being that the MSFC does not have layer 3 interfaces for the 'inside' segments.

The FWSM 'inside' IP addresses would serve as the default gateway for the clients on each vlan, and each FWSM context would have a default route towards the MSFC (or MSFC HSRP address). Inter-vlan traffic would be routed via the MSFC, but two firewall contexts would have to be traversed. As such the firewall policies would need to include rules for both Internet access as well as vlan to vlan access.

HTH,

Jarred

jagan_240 Sun, 12/16/2007 - 22:00

Hi Jarred,

Thanks for your information. But I don't want to give of FWSM ip address instood of that will possible to give hsrp ip address as gateway for clients.

Regards

Actions

This Discussion