FWSM question

Unanswered Question
Jun 24th, 2009

I have our FWSM set up with the MSFC on the inside. I have an outside interface (0) and an inside interface (100).

I need to add an additional interface for an internal department. I created a VLAN on the 6513 and presented it to the FWSM. I defined that interface on the FWSM with an IP address and a security level of (80). It's working, but I looked at it and started thinking.

On the additional internal interfaces, using the MSFC-on-the-inside approach, should I be defining them as interfaces with IP addresses on the 6513, or just creating the VLAN on the 6513? Not sure if I'm stating this clearly.

Jon Marshall Wed, 06/24/2009 - 12:35

If the MSFC is reachable via the inside interface of the FWSM then you would generally just add the L2 vlan and the L3 vlan interface to the 6513. In fact you don't even need to assign the new vlan to the FWSM, as the only vlans you would assign to the FWSM are the outside and inside vlan, i.e.

vlan 10 -> (outside) FWSM (inside) vlan 11 -> MSFC - multiple vlans

you would only actually need to assign vlan 10 & 11 to the FWSM. To control traffic to the new vlan from outside you just modify the acl on the outside interface, i.e. the vlan 10 interface.

However this does mean your new vlan will be able to access all other vlans routed off the MSFC without going through the FWSM. But that is why you have the MSFC behind the FWSM.


trevora Thu, 07/02/2009 - 03:27

Many companies have multiple L3 inside vlans. The easiest way to handle this is to create a single point-point L3 vlan for communication to the FWSM as the inside interface and the MSFC handles all the other internal vlans via routing.

What you appear to have configured is 2 different routes into your inside network.

If you need multiple MSFC routed interfaces (vlans) then use VRFs to segment your network.
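The design both replies describe (only the outside and inside VLANs handed to the FWSM, a single point-to-point inside VLAN to the MSFC, the new department VLAN routed on the MSFC, and access from outside controlled solely by the outside ACL) as an added configuration example; it is not the poster's or the repliers' own config. VLANs 10 and 11 come from the thread; VLAN 20, the module slot, the IP addresses and the ACL entry are constructed for illustration.

```cisco
! --- Catalyst 6513 (native IOS, MSFC side) ---
! Only the outside (10) and inside (11) VLANs are presented to the FWSM.
! Slot 3 is an assumption.
firewall vlan-group 1 10,11
firewall module 3 vlan-group 1
!
vlan 10
 name FW-OUTSIDE
vlan 11
 name FW-INSIDE-P2P
! New department VLAN: L2 VLAN plus an SVI on the MSFC only.
! It is deliberately NOT in the firewall vlan-group.
vlan 20
 name DEPT-INTERNAL
!
! Point-to-point link between the MSFC and the FWSM inside interface
interface Vlan11
 ip address 10.1.11.2 255.255.255.252
 no shutdown
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 no shutdown
!
! Anything the MSFC does not route locally goes to the FWSM inside address
ip route 0.0.0.0 0.0.0.0 10.1.11.1
!
! --- FWSM (routed mode) ---
interface Vlan10
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface Vlan11
 nameif inside
 security-level 100
 ip address 10.1.11.1 255.255.255.252
!
! The FWSM must learn that the department VLAN sits behind the MSFC
route inside 10.1.20.0 255.255.255.0 10.1.11.2
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! Outside-to-department access is controlled here, on the outside ACL only
access-list OUTSIDE_IN extended permit tcp any host 10.1.20.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
```

Because VLAN 20 is routed by the MSFC, traffic between it and the other MSFC-routed inside VLANs never crosses the FWSM, which is exactly the trade-off Jon Marshall's reply points out.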
