Will a FWSM work for our topology?

Unanswered Question
Apr 25th, 2008

Hello, we are considering an FWSM but aren't sure how it will integrate into our network. Our core consists of a 6500 divided into approx. 6 VLANs: 1 VLAN for a residential network (further subnetted at the access layer), 4 VLANs for an administrative network, and 1 VLAN for internet access. OSPF is run on most of these SVIs. We want to separate these areas into 3 distinct security zones. Is this possible with transparent mode? Thanks in advance,


rkazmierczak Fri, 04/25/2008 - 11:07

I think that with transparent firewall you can have only 2 interfaces. Why transparent firewall?

If the 3 security zones were separate subnets then it would be easy to do it with routed L3 mode. You could run OSPF on the SM for routing if necessary.

But it all depends on where the boundaries for zones would need to be.

markyrules Fri, 04/25/2008 - 11:26

Yes, that was one of the caveats I read. I wasn't sure if they were referring to 2 phys or SVI interfaces in the documentation. Anyway, if it can be done with routed mode that would be fine; I figured transparent mode would be simpler but I guess not. Would each security zone be considered a "context" or am I confused? :) The terminology is foreign to me, coming from the NetScreen area.

Syed Iftekhar Ahmed Fri, 04/25/2008 - 16:12

After 3.1 code you can have 8 pairs (groups) allowed per context in transparent mode.

Each interface group will have its own IP address, and there is one default route per context. The IP address can be set through “interface BVI” (which is just for management purposes).

The important thing is that there should be no overlapping subnet between groups.

For example you can have N Bridge groups such that

Bridge group1

interfaces: vlans10 & 20


Bridge group2

interfaces: vlans30 & 40


and so on....
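A pre-deployment check for the bridge-group rules described in the post above, as an added example that is not part of the original post and is not Cisco code. The plan format, function name and sample addresses are assumptions made for illustration; the VLAN 1 restriction comes from a later reply in this thread, and the rule that a VLAN belongs to only one group is an assumption.

```python
import ipaddress
from itertools import combinations

MAX_GROUPS_PER_CONTEXT = 8   # "8 pairs (groups) allowed per context", per the post
RESERVED_VLANS = {1}         # VLAN 1 reported unusable on the FWSM later in the thread

def check_bridge_groups(groups):
    """Return a list of problems in a planned transparent-mode layout.

    groups: {bridge-group number: {"vlans": (a, b), "bvi": "ip/prefix"}}
    (hypothetical plan format, not FWSM configuration syntax)
    """
    problems = []
    if len(groups) > MAX_GROUPS_PER_CONTEXT:
        problems.append(
            f"{len(groups)} bridge groups exceeds {MAX_GROUPS_PER_CONTEXT} per context")

    nets, seen_vlans = {}, {}
    for num, g in sorted(groups.items()):
        vlans = g["vlans"]
        if len(vlans) != 2 or vlans[0] == vlans[1]:
            problems.append(f"group {num}: needs exactly two distinct VLAN interfaces")
        for v in vlans:
            if v in RESERVED_VLANS:
                problems.append(f"group {num}: VLAN {v} cannot be used on the FWSM")
            if v in seen_vlans:  # assumption: a VLAN may sit in only one group
                problems.append(
                    f"group {num}: VLAN {v} already used in group {seen_vlans[v]}")
            seen_vlans.setdefault(v, num)
        # The BVI management address determines the group's subnet.
        nets[num] = ipaddress.ip_interface(g["bvi"]).network

    # No subnet may overlap between any two groups.
    for (a, na), (b, nb) in combinations(sorted(nets.items()), 2):
        if na.overlaps(nb):
            problems.append(f"groups {a} and {b}: subnets {na} and {nb} overlap")
    return problems

# Constructed sample plans (VLAN numbers follow the post; addresses are made up).
GOOD_PLAN = {1: {"vlans": (10, 20), "bvi": "10.1.10.2/24"},
             2: {"vlans": (30, 40), "bvi": "10.1.30.2/24"}}
BAD_PLAN = {1: {"vlans": (10, 20), "bvi": "10.1.0.2/16"},
            2: {"vlans": (30, 40), "bvi": "10.1.30.2/24"},
            3: {"vlans": (1, 50), "bvi": "10.2.0.2/24"}}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_bridge_groups(plan) or "OK")
```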


markyrules Wed, 04/30/2008 - 08:00

Thanks for the replies, I now understand the best way to implement the FWSM for our network. It doesn't look like transparent mode will work out but routed mode should work out fine. Our only issue is the use of VLAN1 (our largest administrative network), which from the manuals cannot be used on the FWSM. What I am thinking is keeping that VLAN on the MSFC.


