FWSM in 6500 Switch

Rupesh Kashyap · ‎03-24-2009

Why we need Vland Group & what is the benefit of assigning VLan in that Group. Please help.

Router(config)# firewall vlan-group 50 55-57

Router(config)# firewall vlan-group 51 70-85

Router(config)# firewall vlan-group 52 100

Router(config)# firewall module 5 vlan-group 50,52

Router(config)# firewall module 8 vlan-group 51,52

Giuseppe Larosa · ‎03-24-2009

Hello Rupesh,

the communication between each FWSM and the C6500 backplane happens by using an internal bundle of 6 GE internal ports

see from one of our devices

sh module

Mod Ports Card Type Model Serial No.

--- ----- -------------------------------------- ------------------ -----------

2 6 Firewall Module WS-SVC-FWM-1 SAD085008DY

sh ethercha sum | beg 271

271 Po271(SU) - Gi2/1(P) Gi2/2(P) Gi2/3(P) Gi2/4(P)

Gi2/5(P) Gi2/6(P)

the vlan-group(s) are the list of vlans allowed on this bundle between C6500 and FWSM.

in your case you have two FWSM modules in the same chassis they share some vlans (vlans 100 of vlan-group 52) and have some different vlans.

if the vlan-group were empty the FWSM would be totally offline.

Hope to help

Giuseppe

Rupesh Kashyap · ‎03-24-2009

Router(config)# firewall vlan-group 50 55-57

IT means, we are filtering the traffice of vlan 55-56-57. We can select one as outside interface and one as inside. Please suggest.

Giuseppe Larosa · ‎03-24-2009

Hello Rupesh,

more basic:

see it as the list of vlans permitted on the internal bundle to the FWSM (like a L2 trunk).

later during FWSM configuration you decide what vlan is the outside and so on.

But the first step is to decide what vlans are permitted on the internal trunk

Hope to help

Giuseppe