Will a FWSM work for our topology?

markyrules
Level 1

Hello, we are considering an FWSM but aren't sure how it will integrate into our network... Our core consists of a 6500 divided into approx 6 vlans... 1 Vlan for a residential network, (Further subnetted at the access layer) 4 vlans for an administrative network, and 1 vlan for internet access. OSPF is run on most of these SVIs. We want to separate these areas into 3 distinct security zones... Is this possible with transparent mode? Thanks in advance,

-Mark

4 Replies

rkazmierczak
Level 1

I think that with transparent firewall you can have only 2 interfaces. Why transparent firewall?

If the 3 security zones were separate subnets then it would be easy to do it with routed L3 mode. You could run OSPF on the SM for routing if necessary.

But it all depends on where the boundaries for zones would need to be.

Yes, that was one of the caveats I read... I wasn't sure if they were referring to 2 physical or SVI interfaces in the documentation... Anyway, if it can be done with routed mode that would be fine; I figured transparent mode would be simpler, but I guess not. Would each security zone be considered a "context", or am I confused? :) The terminology is foreign to me, coming from the NetScreen area.

After 3.1 code you can have 8 pairs (groups) allowed per context in transparent mode.

Each interface group will have its own IP address, and there is one default route per context. The IP address can be set through "interface BVI" (which is just for management purposes).

Important thing is that there should be no overlapping subnet between groups.

For example you can have N Bridge groups such that

Bridge group 1

interfaces: VLANs 10 & 20

Subnet: 1.0.0.0

Bridge group 2

interfaces: VLANs 30 & 40

Subnet: 2.0.0.0

and so on....

Syed
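As an added illustration of the bridge-group layout Syed describes (this is not configuration from the thread or from Cisco's documentation), here is what one transparent-mode context with two non-overlapping bridge groups would look like. The VLAN numbers, nameif values, host addresses and the default-route next hop are assumptions; the command syntax assumed is the FWSM 3.1-style transparent mode `bridge-group` / `interface bvi` form.

```cisco
! Added example, not from the thread: one transparent-mode context with
! two bridge groups. VLANs, nameifs, addresses and next hop are assumed.
firewall transparent
!
! Bridge group 1: VLANs 10 and 20 share subnet 1.0.0.0/8
interface Vlan10
 nameif bg1-inside
 security-level 100
 bridge-group 1
interface Vlan20
 nameif bg1-outside
 security-level 0
 bridge-group 1
! BVI address is for management only; the FWSM does not route between groups
interface BVI1
 ip address 1.0.0.2 255.0.0.0
!
! Bridge group 2: VLANs 30 and 40 share subnet 2.0.0.0/8
! (must not overlap with bridge group 1's subnet)
interface Vlan30
 nameif bg2-inside
 security-level 100
 bridge-group 2
interface Vlan40
 nameif bg2-outside
 security-level 0
 bridge-group 2
interface BVI2
 ip address 2.0.0.2 255.0.0.0
!
! Only one default route per context (next hop assumed to be the MSFC on VLAN 20)
route bg1-outside 0.0.0.0 0.0.0.0 1.0.0.1
```

Traffic between the two bridge groups still has to be routed by the MSFC, so each zone boundary that needs inter-subnet routing on the module itself is a reason to prefer routed mode, as the earlier replies note.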

Thanks for the replies, I now understand the best way to implement the FWSM for our network. It doesn't look like transparent mode will work out, but routed mode should work out fine. Our only issue is the use of VLAN 1 (our largest administrative network), which, from the manuals, cannot be used on the FWSM. What I am thinking is keeping that VLAN on the MSFC.

-Mark
