My company has acquired a Catalyst 6513 with an FWSM module installed in it.
I have been reading a lot of documentation on cisco.com, but I still have some problems configuring the FWSM:
The 6513 has 10 SVIs configured, each of them with an IP address. These 10 SVIs are bound to 10 VLANs which I need to secure. These SVIs are used for routing all the inter-VLAN traffic inside the switch. The documentation says it is recommended to use just one SVI for connecting the switch to the FWSM, although you can use more than one using the command "firewall multiple-vlan-interfaces". I don't want to use this command because it seems a much more difficult configuration, since you have to use policy routing after using this command (or at least that is what the documentation says).
When I try to "send" to the FWSM more than one VLAN that are configured as SVIs on the switch I get this error message:
"No more than one svi is allowed, command rejected."
If I delete the IP address of those SVIs, then I can "send" those SVIs to the switch with no problem at all. But I need the SVIs to have IP addresses configured, since they are needed for routing inter-VLAN traffic.
So, the question is: how can I route all the inter-VLAN traffic using just one SVI on the switch? Should I use the FWSM for inter-VLAN traffic routing?
Thanks in advance.
Firstly, I have used the "firewall multiple-vlan-interfaces" command before and it does not require policy routing - at least not on version 2.x of the FWSM software.
That aside you do not need that command and even if you did you do not need to use policy-routing.
An example might help.
Let's say you have 10 vlans that are currently on the 6500 switch. So there will be L3 SVIs for them, e.g.
interface vlan 10
 ip address 192.168.5.1 255.255.255.0
interface vlan 11
 ip address 192.168.6.1 255.255.255.0
Now if you want to firewall these you need to migrate these interfaces to the FWSM. So, assuming that you are using single mode on your FWSM, you need to do the following:
1) Create a NEW vlan that will be used for communication between the MSFC and the FWSM.
For argument's sake, let's call this vlan 100.
On your MSFC
int vlan 100
 ip address 192.168.100.1 255.255.255.248
on your FWSM
nameif vlan100 outside security0
ip address outside 192.168.100.2 255.255.255.248
2) For every one of the vlans that you want to firewall you need to do the following (we will use vlan 10 as an example):
i) On the 6500 switch
delete the L3 SVI
6500(config)# no interface vlan 10
Allocate vlan 10 to the FWSM - note the example below assumes that you have created a vlan-group 1 and tied it to the FWSM module
6500(config)# firewall vlan-group 1 10
ii) On the FWSM
nameif vlan10 v10 security50
ip address v10 192.168.5.1 255.255.255.0
I have used v10 as the name but you could use a more meaningful name.
I have chosen security level 50 but again you can use any number up to 100 but not 0.
You then do the same for each of the other vlans.
If you are running in single mode, as we assumed, you have a couple of choices. The 6500 MSFC needs to know how to get to the vlans behind the FWSM. So you can either:
1) Run a routing protocol on the FWSM - RIP/OSPF and exchange routes with the MSFC. Depends on what routing protocol you are already using and how confident you feel about doing this.
2) Use static routes. Remember that the outside interface of the FWSM is 192.168.100.2.
So for each of the subnets behind the FWSM you need to add on the 6500 switch (again we will use vlan 10 as example)
ip route 192.168.5.0 255.255.255.0 192.168.100.2
etc... for all vlans.
Once you have done all this you can then control traffic between these vlans and the outside with access-lists.
1) I have assumed single mode on the FWSM - if you are running your FWSM in multiple context mode then there are a couple of additional steps needed.
2) None of the above takes into account failover. If you have 2 6500s each with an FWSM then you will need to add ip addresses to some of the above commands. The documentation is good on failover but if you are struggling please come back.
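Putting the steps of the answer above together, here is a complete minimal configuration for two of the ten VLANs (vlan 10 and vlan 11), using the same addresses as the answer. This is an added example and not part of the original post or of Cisco's documentation. It assumes the FWSM sits in slot 5, that vlan-group 1 is used, FWSM 2.x single-mode syntax, and that vlan 100 is the only VLAN in the group that keeps an SVI on the MSFC (which is why the "No more than one svi is allowed" error does not occur). The firewall vlan-group/module commands, the FWSM default route and the access-lists are assumptions filled in where the answer only alludes to them.

```cisco
! ===== 6500 / MSFC (IOS) =====
! The old SVIs for the firewalled VLANs are removed first; any VLAN
! handed to the FWSM other than vlan 100 must NOT have an SVI.
no interface Vlan10
no interface Vlan11
!
! Create the MSFC-to-FWSM transit VLAN (vlan 100, assumed) and its SVI.
vlan 100
 name FWSM-outside
interface Vlan100
 description Link to FWSM outside interface
 ip address 192.168.100.1 255.255.255.248
 no shutdown
!
! Hand vlan 100 plus the protected VLANs to the FWSM in one vlan-group.
! Slot 5 is an assumption; use "show module" to find the FWSM slot.
firewall vlan-group 1 10,11,100
firewall module 5 vlan-group 1
!
! Static routes (option 2 in the answer): reach the firewalled subnets
! via the FWSM outside address 192.168.100.2.
ip route 192.168.5.0 255.255.255.0 192.168.100.2
ip route 192.168.6.0 255.255.255.0 192.168.100.2

! ===== FWSM (2.x syntax, single mode) =====
nameif vlan100 outside security0
nameif vlan10 v10 security50
nameif vlan11 v11 security60
ip address outside 192.168.100.2 255.255.255.248
ip address v10 192.168.5.1 255.255.255.0
ip address v11 192.168.6.1 255.255.255.0
!
! Default route back to the MSFC SVI on vlan 100 so the FWSM can reach
! everything that is not directly connected (assumed, not in the answer).
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
!
! Access-lists control inter-VLAN and outside traffic (the answer's last
! step). Permitting everything here is a placeholder to tighten later.
access-list v10_in permit ip 192.168.5.0 255.255.255.0 any
access-group v10_in in interface v10
access-list v11_in permit ip 192.168.6.0 255.255.255.0 any
access-group v11_in in interface v11
```

On the switch, "show firewall vlan-group" and "show firewall module" confirm which VLANs the FWSM owns; on the FWSM, "show interface" should list outside, v10 and v11 as up. Two caveats the answer does not cover: the example leaves any NAT configuration (identity NAT or static entries that some FWSM releases require before traffic passes) to the reader, and the access-lists above are deliberately wide open so that routing can be verified before the real policy is written.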