I have a 3-tier architecture with access (2960), distribution (6509) and core (6509). HSRP is configured between the 2 distribution switches, and the straight and cross links between the 2 distribution and 2 core switches are /30 routed links. I have around 20 VLANs in the setup and we are using VRF-lite for path isolation.

Now we are adding FWSM in both my distribution switches. Will it require me another set of VLANs? I am a little confused on it.

Which mode is more simple to configure and manage (routed/transparent)?

nishantmj Fri, 05/08/2009 - 02:29

I would suggest routed is more simple to implement. Now the next question is: if you are using VRF-lite then you have to go for contexts in the firewalls, which depends on the licences you have.

sameermunj Fri, 05/08/2009 - 02:36


We have 20 virtual firewall licences. What's the best topology in case of a multi-context scenario? Is it better to have the MSFC behind the FWSM, or the FWSM connected on the outside of the FWSM? In case of the MSFC connected to the outside of the FWSM, then I will have multiple SVIs from the inside of the FWSM. Is it necessary to have multiple SVIs between FWSM and MSFC, or will a single one do?

nishantmj Fri, 05/08/2009 - 03:13

Dear sameer,

Probably I do feel you have deployed VRF-lite without a firewall; correct me if I am wrong. In your case I feel you have a firewall at both distribution and core level. In this case I recommend you connect the outside of the FWSM (dist) to the inside of the MSFC. For VRF-lite you need to have multiple SVIs between FWSM and MSFC.

sameermunj Fri, 05/08/2009 - 04:06


FWSM is in the distribution switch only. HSRP we are configuring in the distribution switches for the user VLANs, and from distribution to core all links are routed links. So I feel the inside of the FWSM will point towards the user VLANs and the outside will connect to the MSFC of the distribution. So for my user VLANs the default gateway would be the FWSM instance, and between FWSM and MSFC I will again extend a /30 for the individual customer, which would be part of the customer VRF which is extended towards my core.

Giuseppe Larosa Fri, 05/08/2009 - 07:25

Hello Sameer,

Nice to hear your project is going on.

To use the FWSM correctly in a VRF-lite scenario, as we have discussed in past threads, you need a context for each customer.

Each FWSM context can be a routed context with one interface (inside) towards customer X's client VLAN(s); the outside interface towards the MSFC has to be in the customer VRF.

However, notice the following fact:


>> customer vrf which is extended towards my core

The better location to place the FWSM would be the core, unless you want to protect some of the customer subnets from other subnets in the same VRF.

Hope to help


nishantmj Fri, 05/08/2009 - 08:25

Probably I got it wrong!! I thought you had two firewalls, one at dist and one at core. In your case I totally agree with Giuseppe. You need to place the FWSM module in the core switch rather than the dist switch.

sameermunj Fri, 05/08/2009 - 21:42


Thanks for your reply. In the actual design which is proposed, we have an IDSM module in both the core switches and FWSM in both distribution switches. Do you feel any change in the same?

Giuseppe Larosa Fri, 05/08/2009 - 23:33

Hello Sameer,

I would install one FWSM and one IDSM in each core switch unless there is an explicit incompatibility.

The data path could be:

MSFC(VRFs) -- multiVLAN - FWSM (multicontext) -- IDSM --- MSFC (GRT) -> internet

The IDSM should bridge traffic between the outside interfaces of the contexts and the MSFC interface in the global routing table (GRT).

Hope to help
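
As an added illustration (not configuration from the original thread or from anyone in it), here is how one customer of the design above could be expressed: a VRF on the core MSFC, one SVI on each side of the FWSM for that customer, and a routed FWSM context whose inside sits in the customer VRF and whose outside sits in the global routing table. All VLAN numbers, VRF names, slot numbers and addresses are constructed placeholders, and the IDSM is left out for brevity.

```cisco
! ===== Catalyst 6500 / core MSFC side (constructed example) =====
! VLAN 110: customer-A transit, MSFC (VRF CUST_A) <-> FWSM context inside
! VLAN 210: customer-A transit, FWSM context outside <-> MSFC (GRT)
firewall multiple-vlan-interfaces
firewall vlan-group 1  110,210
firewall module 3 vlan-group 1      ! FWSM assumed in slot 3
!
ip vrf CUST_A
 rd 65000:10
!
interface Vlan110
 description CUST_A VRF -> FWSM context inside
 ip vrf forwarding CUST_A
 ip address 10.10.110.1 255.255.255.252
!
interface Vlan210
 description FWSM context outside -> MSFC global routing table
 ip address 10.10.210.1 255.255.255.252
!
! Customer A leaves its VRF only through its own firewall context
ip route vrf CUST_A 0.0.0.0 0.0.0.0 10.10.110.2
! Return path in the GRT toward customer A's (constructed) address space
ip route 172.16.10.0 255.255.255.0 10.10.210.2

! ===== FWSM, system context =====
mode multiple
!
context CUST_A
 allocate-interface vlan110
 allocate-interface vlan210
 config-url disk:/CUST_A.cfg

! ===== FWSM, inside context CUST_A (routed mode) =====
interface vlan110
 nameif inside
 security-level 100
 ip address 10.10.110.2 255.255.255.252
!
interface vlan210
 nameif outside
 security-level 0
 ip address 10.10.210.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 10.10.210.1
route inside 172.16.10.0 255.255.255.0 10.10.110.1
! inbound (outside -> inside) traffic is still denied until an
! access-list is applied to the outside interface
```

Each further customer repeats the same pattern with its own VRF, its own pair of VLANs and its own context, which is why the number of contexts, and therefore the licence count, tracks the number of VRFs.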


sameermunj Sat, 05/09/2009 - 00:56


So you mean the distribution FWSM would be shifted to the core and the distribution MSFC would do the routing/gateway (HSRP) for the customer VLANs. From distribution it will go to the FWSM (inside) at the core with multi-context, and the FWSM (outside) will go to the core MSFC with the IDSM in between, which would just do the bridging. The FWSM outside will also have multi-context towards the core MSFC. Which mode do you suggest for the IDSM operation (Promiscuous Mode/Inline Interface Mode/Inline VLAN Pair Mode)?

nishantmj Sat, 05/09/2009 - 01:18

Yes, you are correct. For IDSM I did fail with inline but then succeeded with promiscuous mode. Probably it is easier to implement unless there is a clause saying that it should be inline.


