FWSM and MSFC with GLBP

Mar 15th, 2008

hello,


SCENARIO: (see attached drawing)

-2x6500
-each having FWSM
-GLBP running on the MSFC for redundancy
-FWSM running on active/standby


QUESTIONS:

-Could GLBP on the MSFC and active/standby on the FWSMs coexist? If they could, how does MSFC2 forward the outbound traffic to FWSM1? (i.e. FWSM2 is in standby mode.)

-Do I need L2 connections between these 2 FWSM VLANs?

-Do I need to run GLBP in this case for the MSFC VLAN 100? I asked this because the FWSM has to see only a single IP to forward traffic back to the rest of the VLANs.

-Anything missing on my connections (cabling)?


thanks a lot.





Jon Marshall Sun, 03/16/2008 - 04:57

Hi


There is no reason why the 2 (GLBP + A/S on FWSM) can't co-exist. They are independent of each other.

The MSFC would forward traffic over your L2 trunk between your 6500 chassis to the active firewall. Which answers your next question - yes, you do need an L2 trunk for the FWSM VLANs, for 2 reasons:


1) For forwarding traffic as described above

2) For failover between the FWSM modules.


You could run GLBP on vlan 100 but you wouldn't get any benefit because the source mac-address will always be the active FWSM and this is the only sender on that vlan so there are no other senders to load balance across both MSFCs.


Nothing missing as far as I can see. Design looks good to me.


HTH


Jon

cfajardo1_2 Sun, 03/16/2008 - 22:49


- DO YOU MEAN TRUNKING ON ALL THE USER VLANS? I DON'T HAVE ANY L2 TRUNK ON MY DIAGRAM. AREN'T WE AVOIDING L2 TRUNKING WHEN USING GLBP?


- ISN'T IT THAT FAILOVER WILL BE TAKEN CHARGE OF BY THE FW TRUNKING SHOWN, WHICH IS THE FAILOVER VLANS?



Jon Marshall Mon, 03/17/2008 - 00:22

No, you don't have to trunk all the user VLANs, apologies if I gave that impression. But you do need to trunk VLAN 100 so that if the MSFC that is acting as the default gateway on the clients is on the other 6500 from the FWSM active gateway, it can still send traffic to the active FWSM.


You do have an L2 trunk on your diagram, unless I am misunderstanding - the one for the FWSM VLANs?


Jon

cfajardo1_2 Mon, 03/17/2008 - 05:02

The trunk on the FWSM is for the failover. I allocated 3 gigabit interfaces.

Jon Marshall Mon, 03/17/2008 - 05:08

You will need to allow VLAN 100, otherwise if the active FWSM is on switch 1 but the active MSFC for a client is on switch 2, then how will traffic get to the active FWSM?

cfajardo1_2 Mon, 03/17/2008 - 05:29

Jon, I will revise the drawing later and repost it on another thread.


thanks
