Is anydoby can explain the potential risk if I enable "multiple-vlan-interfaces" on 6k for the firewall module. Cisco says "Can result in traffic bypassing the firewall module", but I do not understand.
#firewall multiple-vlan-interfaces enable
This command will enable multiple vlan feature for all firewall modules in the
chassis .Can result in traffic bypassing the firewall module
As soon as you enable this command you can now have more than one L3 SVI for a vlan on the MSFC that is also assigned to the FWSM.
So a very basic example. Note at this time you haven't enabled multiple-vlan-interfaces.
1) You assign 2 vlans to the FWSM, vlan 10 for the outside and vlan 11 for the inside.
2) You create a L3 SVI on the MSFC for vlan 10 so traffic can be routed to the outside of the FWSM.
3) On the FWSM you create an outside interface with an IP out of the vlan 10 subnet.
4) On the FWSM you then create an inside interface with an IP out of vlan 11.
So far so good. To get to any devices on vlan 11 you now have to go to the outside interface of the FWSM in vlan 10.
Now lets say someone then accidentally tries to configure a L3 SVI on the MSFC for vlan 11. The 6500 won't let you.
But say you have enabled "multiple-vlan-interfaces" and then try to create an SVI for vlan 11.
The 6500 will now let you do this. And what have you done. Traffic now coming into vlan 11 will simply be routed on the MSFC because you have a vlan 10 and a vlan 11 L3 interface on the MSFC.
So you have bypassed the firewall. That is why you get a warning.
There are very valid reasons to enable it and we have where we have multiple contexts on our FWSM and it doesn't necessarily mean you will route around the FWSM but you must always be careful and be aware of the path of the traffic.
Hope this makes sense