FWSM & vlan1

cef2lion2 · ‎08-04-2008

Just installed the FWSM in our 6513. Was reading on its configuration. It states under assigning VLANs to the FWSM under VLAN guidelines that you can not use VLAN 1. We do use VLAN 1.

To change away from VLAN 1 would require a lot of changes on our campus edge switches. By default all switch ports were in VLAN 1 when our LAN was first setup.

What is the issue with VLAN 1 and is there nothing I can do other than start the process of moving away from using VLAN 1?

Craig

robertson.michael · ‎08-04-2008

Hi Craig,

Unfortunately, as you noted, it is impossible to push VLAN 1 down to the FWSM.

Aside from redesigning your network to not use VLAN 1, you can try creating another SVI and routing your traffic through the MSFC before being sent down to the FWSM. So, the packet's path might look something like this:

VLAN1---MSFC---VLAN2---FWSM---VLAN100---Internet

With this workaround, you can push VLAN2 and VLAN100 down to the FWSM and still keep your hosts on VLAN1.

Hope that helps.

-Mike

cef2lion2 · ‎08-04-2008

Thanks for the workaround. So what is the issue with VLAN 1?

Craig

robertson.michael · ‎08-04-2008

Hi Craig,

I believe the reason for this is simply the enforcement of a best practice. It is assumed that VLAN1 will be used for management traffic only and not need to be firewalled. It is a best practice to move your production traffic into VLANs other than VLAN1 (though certainly not a requirement as you have seen in your case).

-Mike