FWSM: Firewall between vlans

Unanswered Question
Jul 2nd, 2009

Customer has two core 6506 switches, and all VLANS are running HSRP between the core switches.

Customer is adding a FWSM to both core 6506 switches. They plan to 'firewall' traffic between the Voice and Data VLANS on both core switches.

How will I configure this in relation to running HSRP between the core switches?

Please advise.

Thanks

Kureli Sankar Thu, 07/02/2009 - 10:15

HSRP has nothing to do with configuring the FWSM.

In the route statements on the FWSM make sure to use the HSRP IP and not the physical IP.

Does this answer your question?

Jon Marshall Thu, 07/02/2009 - 11:33

Colm

As Kureli says, the 2 are not really related. Bear in mind that if you are firewalling between the voice and data vlans then you won't have L3 SVIs for these vlans on the 6500 switches anymore, so HSRP for these vlans is not relevant.

The L3 interfaces for the voice and data vlans will have to be migrated to the FWSM.

Jon

colmgrier Thu, 07/02/2009 - 15:26

Thanks Jon & Kureli for the feedback.

As the FWSM will only be installed next week, I'm just planning this install. I'm new to FWSMs!!

Still quite confused about replacing HSRP running between the core switches. Can you give me an example of how to configure this for the DATA & Voice VLANs on both FWSMs? There must be full redundancy on both core switches.

Please see below for each core switch & fwsm.

### 6506 CoreA ###

vlan 10
 name DATA
vlan 20
 name Voice
vlan 30
 name WLAN
vlan 100
 name FWSM

firewall vlan-group 1 10,20,100
firewall module 1 vlan-group 1

interface Vlan 30
 description "WLAN"
 ip address 192.168.30.2 255.255.255.0
 no ip redirects
 standby 30 ip 192.168.30.1
 standby 30 priority 105
 standby 30 preempt
 standby 30 authentication C1sc0

interface vlan 100
 description "FWSM"
 ip address 192.168.100.1 255.255.255.252

### FWSM CoreA ###

interface vlan 100
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0

interface vlan 10
 nameif DATA
 security-level 100
 ip address 192.168.10.1 255.255.255.0

interface vlan 20
 nameif VOICE
 security-level 100
 ip address 192.168.20.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

### 6506 CoreB ###

vlan 10
 name DATA
vlan 20
 name Voice
vlan 30
 name WLAN
vlan 100
 name FWSM

firewall vlan-group 1 10,20,100
firewall module 1 vlan-group 1

interface Vlan 30
 description "WLAN"
 ip address 192.168.30.3 255.255.255.0
 no ip redirects
 standby 30 ip 192.168.30.1
 standby 30 preempt
 standby 30 authentication C1sc0

interface vlan 100
 description "FWSM MGMT"
 ip address 192.168.100.5 255.255.255.252

### FWSM CoreB ###

interface vlan 100
 nameif outside
 security-level 0
 ip address 192.168.100.6 255.255.255.252

interface vlan 10
 nameif DATA
 security-level 100
 ip address 192.168.10.1 255.255.255.0

interface vlan 20
 nameif VOICE
 security-level 100
 ip address 192.168.20.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.100.5 1

Kind Regards,

Colm

Kureli Sankar Thu, 07/02/2009 - 17:40

vlan 100 is the SVI (MSFC on the outside)

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/intro_f.html#wp1050361

The config looks pretty good for the first time.

So, this is inter-chassis failover. Let us forget about chassis B FWSM for now and I will let you read the config guide here:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/fail_f.html#wp1142744

You need 1 or 2 vlans pushed down for the failover interface and the failover state interface.

There are two main issues in the config.

1. There is no access-list applied on the interface. To allow any traffic to enter the FWSM, you must attach an inbound access list to an interface; otherwise, the FWSM automatically drops all traffic that enters that interface.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/nwacc_f.html#wp1048418

2. Voice and Data vlans seem to have the same security level, so you need this command in the config to be able to allow traffic between the two vlans.

same-security-traffic permit inter-interface

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/intfce_f.html#wp1059402

Good luck to you.
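As an added example (not from the thread or from Cisco's documentation), a fragment for the CoreA FWSM that addresses the two issues listed above, using the interface names and subnets Colm posted; the protocols permitted (SIP on 5060, RTP 16384-32767) and the object-group names are assumptions for illustration and must be replaced by the customer's real policy.

```text
! Added example, not from the thread. Interface names and subnets are the
! ones posted above; the ports and object-group names are assumptions.
!
! Issue 2: DATA and VOICE are both security-level 100, so traffic between
! them is blocked until inter-interface same-security traffic is enabled.
same-security-traffic permit inter-interface
!
object-group network DATA_NET
 network-object 192.168.10.0 255.255.255.0
object-group network VOICE_NET
 network-object 192.168.20.0 255.255.255.0
!
! Issue 1: without an inbound ACL the FWSM drops everything entering the
! interface. Permit only what is needed between the two vlans, put the
! explicit inter-vlan deny BEFORE the broad permit to "any" (since "any"
! includes the other vlan), and log denies so blocked flows show in syslog.
access-list DATA_IN extended permit tcp object-group DATA_NET object-group VOICE_NET eq 5060
access-list DATA_IN extended permit udp object-group DATA_NET object-group VOICE_NET eq 5060
access-list DATA_IN extended permit udp object-group DATA_NET object-group VOICE_NET range 16384 32767
access-list DATA_IN extended deny ip object-group DATA_NET object-group VOICE_NET log
access-list DATA_IN extended permit ip object-group DATA_NET any
access-list DATA_IN extended deny ip any any log
!
access-list VOICE_IN extended permit tcp object-group VOICE_NET object-group DATA_NET eq 5060
access-list VOICE_IN extended permit udp object-group VOICE_NET object-group DATA_NET eq 5060
access-list VOICE_IN extended permit udp object-group VOICE_NET object-group DATA_NET range 16384 32767
access-list VOICE_IN extended deny ip object-group VOICE_NET object-group DATA_NET log
access-list VOICE_IN extended permit ip object-group VOICE_NET any
access-list VOICE_IN extended deny ip any any log
!
access-group DATA_IN in interface DATA
access-group VOICE_IN in interface VOICE
!
! No ACL is applied on "outside", so sessions initiated from outside towards
! DATA or VOICE stay dropped; return traffic for the permitted flows is
! allowed by the FWSM's stateful inspection.
```

Order matters in the ACLs: the inter-vlan deny must sit above the permit to "any", otherwise the broad permit silently allows the traffic the firewall was installed to control.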
