04-25-2008 09:45 AM - edited 03-11-2019 05:36 AM
Hello, we are considering an FWSM but aren't sure how it will integrate into our network... Our core consists of a 6500 divided into approx 6 vlans... 1 Vlan for a residential network, (Further subnetted at the access layer) 4 vlans for an administrative network, and 1 vlan for internet access. OSPF is run on most of these SVIs. We want to separate these areas into 3 distinct security zones... Is this possible with transparent mode? Thanks in advance,
-Mark
04-25-2008 11:07 AM
I think that with transparent firewall you can have only 2 interfaces. Why transparent firewall?
If the 3 security zones were separate subnets then it would be easy to do it with routed L3 mode. You could run OSPF on the SM for routing if necessary.
But it all depends on where the boundaries for zones would need to be.
04-25-2008 11:26 AM
Yes, that was one of the caveats I read.. I wasn't sure if they were referring to 2 phys or SVI interfaces in the documentation.. Anyway if it can be done with routed mode that would be fine, I figured transparent mode would be simpler but I guess not. Would each security zone be considered a "context" or am I confused? :) The terminology is foreign to me, coming from the netscreen area.
04-25-2008 04:12 PM
After 3.1 code you can have 8 pairs (groups) allowed per context in transparent mode.
Each interface group will have its own IP address, and there is one default route per context. The IP address can be set through "interface BVI" (which is just for management purposes).
Important thing is that there should be no overlapping subnet between groups.
For example you can have N Bridge groups such that
Bridge group 1
interfaces: VLANs 10 & 20
Subnet: 1.0.0.0
Bridge group 2
interfaces: VLANs 30 & 40
Subnet: 2.0.0.0
and so on....
Syed
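As an added illustration (not from this thread and not Cisco's own configuration) of the layout Syed describes, here is what one FWSM context with two transparent-mode bridge groups can look like: each group has its own BVI address in a non-overlapping subnet, there is a single default route for the context, and an access list keeps the residential zone from initiating connections into the administrative zone. The VLAN numbers, interface names and addresses are assumed, and the command syntax follows my recollection of the FWSM 3.1 transparent-mode interface configuration; check it against the configuration guide for the release you run.

```text
! Added example, not from the thread: FWSM 3.1-style transparent mode, one context.
! VLAN numbers, interface names and addresses are assumed values.
firewall transparent
!
! Bridge group 1: administrative zone (assumed subnet 10.1.0.0/16)
interface Vlan10
 nameif admin-inside
 bridge-group 1
 security-level 100
!
interface Vlan20
 nameif admin-outside
 bridge-group 1
 security-level 0
!
interface BVI1
 ip address 10.1.0.2 255.255.0.0
!
! Bridge group 2: residential zone (assumed subnet 10.2.0.0/16; must not overlap group 1)
interface Vlan30
 nameif res-inside
 bridge-group 2
 security-level 50
!
interface Vlan40
 nameif res-outside
 bridge-group 2
 security-level 0
!
interface BVI2
 ip address 10.2.0.2 255.255.0.0
!
! One default route per context; used for traffic the FWSM itself originates (management, logging)
route admin-outside 0.0.0.0 0.0.0.0 10.1.0.1
!
! Residential hosts may not open connections into the administrative subnet
access-list RES-IN extended deny ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list RES-IN extended permit ip 10.2.0.0 255.255.0.0 any
access-group RES-IN in interface res-inside
```

Traffic between the two zones leaves one bridge group through its outside VLAN, is routed by the MSFC, and enters the other bridge group, so the inbound access list on the residential inside interface is where the zone boundary is enforced. The BVI addresses are only for management and must sit inside their own group's subnet; if the two subnets overlapped, the FWSM could not tell which bridge group a frame belongs to, which is the constraint Syed points out.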
04-30-2008 08:00 AM
Thanks for the replies, I now understand the best way to implement the FWSM for our network. It doesn't look like transparent mode will work out but routed mode should work out fine. Our only issue is the use of VLAN1 (our largest administrative network) which from the manuals cannot be used on the FWSM.. What I am thinking is keeping that VLAN on the MSFC.
-Mark