FWSM with multiple VLANs

Unanswered Question
Jul 6th, 2009


I have two queries: First -

We have an FWSM in 6500 with FW OS 3.2(12). It allows only 1 vlan (SVI) to assign to firewall vlan-group. If I want to assign more than 1 vlan, I need to add this command "firewall multiple-vlan-interfaces". The document says, if I add this command, traffic will bypass FWSM. We have around 40 vlan's to assign for inside interface. Any suggestion for this issue?

Second - I assigned 2 VLAN's to FWSM by enabling multiple-vlan-interfaces, configured inside & outside and added ACL ip any any to both interfaces. Traffic is passing thru both interfaces & packet count is increasing, but ACL hit count remains at zero. Any suggestion why it is happening?

Thanks in advance for your advice.



Jon Marshall Tue, 07/07/2009 - 01:51


"The document says, if I add this command, traffic will bypass FWSM"

Not necessarily. What the document is saying is that there is now a possibility for traffic to route around the FWSM, doesn't mean it's going to happen. A simple example -

you have 2 vlans on your 6500 both with L3 SVI's on the MSFC

int vlan 100

ip address

int vlan 200

ip address

now let's say you want to firewall vlan 200 and have it on the inside of the FWSM so -

MSFC -> vlan 100 <- outside (FWSM) inside -> vlan 200

but if you leave the L3 SVI for vlan 200 on the MSFC then traffic will just be routed straight onto vlan 200 without going through the FWSM. So you have to remove the L3 SVI off the MSFC and assign it to the FWSM ie. you create an inside interface on the FWSM and assign it the ip address of and then you remove the interface off the MSFC ie.

6500(config)# no int vlan 200

Now traffic has to go through the FWSM to get to vlan 200. Note you only remove the L3 SVI for vlan 200 from the MSFC, you still have vlan 200 created in the vlan database.

It sounds from your description as though you want multiple vlans behind the FWSM ie.

outside (FWSM) inside -> MSFC -> 40 vlans routed on MSFC

is this what you want? If so you need to make sure the vlan you use for the outside does not have a L3 SVI on the MSFC or the FWSM will simply be bypassed.

Edit - it may well be you do not need the multiple-vlan-interfaces command for your setup. It may simply be that you need to remove one of the SVI's before you assign them to the FWSM.


aabdullah25 Tue, 07/07/2009 - 03:15

Hi Jon,

Thanks for your detailed explanation. I got your first point, I will test this during off hours or on weekend as it is in production environment.

For the second point regarding adding 40 VLAN's behind FWSM, I have 2 issues with this:

1) The outside VLAN which I am planning to add is connected to PIX Fw which routes all VLAN traffic destined to outside/internet. If I remove L3 SVI interface for this VLAN, can you pls mention which IP I can put as default GW in FWSM, Is it PIX interface IP?

2) As I mentioned 40 VLAN's needs to add for inside interface, which are configured with HSRP between 2 6500 switches for load share, if I remove SVI for all these VLAN's how to configure HSRP?

Also, there will be a DMZ to this FWSM, which is server farm.

Thanks once again.



Jon Marshall Tue, 07/07/2009 - 03:26


2) If you just want to firewall all vlans from the outside then you don't need to remove the L3 SVI's for the 40 vlans.

Can you confirm that this is the topology you want -

internet -> pix -> FWSM -> MSFC -> 40 vlans

is this what you want ie. the 40 vlans are firewalled from the Internet but you do not need to firewall the 40 vlans from each other ? If so then this is what you need to do

1) create a new vlan for the connection between the inside interface of the FWSM and the MSFC.

2) Create a L3 SVI for this new vlan. Let's call this vlan 20.

3) Let's also call the vlan that connects the FWSM on the outside to the pix vlan 30.

4) Remove the L3 SVI for vlan 30 from the MSFC.

5) On the FWSM have the default-gateway point to the inside interface of the pix.

6) You will need to sort out routing on the pix as well. You could run a routing protocol between the FWSM and pix or you could just add static routes on the pix for each of the subnets on the MSFC, the next-hop address being the outside interface of the FWSM.

So you end up with a topology like this

Internet -> pix -> vlan 30 <- FWSM -> vlan 20 <- MSFC -> 40 vlans

The 40 vlans can route between each other without being firewalled.

Your DMZ is just another vlan without a L3 SVI on the MSFC.

For this topology you do not need the "multiple-vlan-interfaces" command and in fact you don't want it.

Key thing for the above to work is you cannot have a L3 SVI for the outside vlan ie. vlan 30, nor for your DMZ vlan. Both of these must be routed off the FWSM.

Hope this makes sense. If the topology i have used is wrong let me know.
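
The rule in the post above (a VLAN handed to the FWSM must not keep a routed L3 SVI on the MSFC, apart from the intended FWSM-to-MSFC link) can be checked against a saved MSFC config. This is an added example, not part of the original thread; the sample config, its slot number and addresses, and all function names are constructed for illustration.

```python
import re

# Constructed MSFC config excerpt; slot number and addresses are made up.
# VLAN 20 = FWSM inside <-> MSFC link, VLAN 30 = outside, VLAN 40 = DMZ.
SAMPLE_MSFC_CONFIG = """\
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1
firewall vlan-group 1 20,30,40
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 no ip address
 shutdown
!
interface Vlan40
 ip address 10.0.40.1 255.255.255.0
!
interface Vlan101
 ip address 10.0.101.2 255.255.255.0
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def fwsm_vlans(config):
    """VLANs handed to the FWSM via 'firewall vlan-group <n> <list>'."""
    specs = re.findall(r"^firewall vlan-group \d+ (\S+)", config, re.M)
    return set().union(*map(expand_vlans, specs))

def active_svis(config):
    """VLAN ids whose MSFC SVI has an IP address and is not shut down."""
    svis = set()
    for m in re.finditer(r"^interface Vlan(\d+)\n((?:[ ].*\n?)*)", config, re.M):
        body = m.group(2)  # the indented lines under this interface
        if re.search(r"^ ip address \d", body, re.M) and not re.search(r"^ shutdown", body, re.M):
            svis.add(int(m.group(1)))
    return svis

def bypass_candidates(config, msfc_link_vlans):
    """FWSM VLANs that still have a routed SVI, minus the intended MSFC link."""
    return sorted((fwsm_vlans(config) & active_svis(config)) - set(msfc_link_vlans))

print(bypass_candidates(SAMPLE_MSFC_CONFIG, msfc_link_vlans=[20]))  # [40]
```

A flagged VLAN is only a candidate: it shows where the MSFC could route around the module, not that traffic is doing so.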


aabdullah25 Wed, 07/08/2009 - 03:16

Hi Jon,

Thanks for the details, I hope this should work fine. I will test this during weekend and update you the status as well as issues, if any.

One more query about the above setup, if I will not firewall between the internal VLAN's and if I apply VACL to VLAN's to communicate between each other/DMZ/Internet, will this be OK, any drawbacks with this? Do you suggest to firewall between VLAN's also?



Jon Marshall Wed, 07/08/2009 - 03:27


"I will not firewall between the internal VLAN's and if I apply VACL to VLAN's to communicate between each other/DMZ/Internet, will this be OK"

You don't need VACL's, you can use standard acl's on the L3 SVI's.

As to whether it is good enough i can't say because it comes down to what level of security you need in your company.

If you need to restrict traffic between these vlans then you may well want to use the FWSM. You may only need to firewall a certain number of the 40 vlans, all of them, or none at all but i can't tell you which ones as only you know that.

Note that if you did decide you wanted to firewall the vlans then a lot of the details i provided would need to change as would the overall topology.

Good luck this weekend and let me know if i can be of further help.


aabdullah25 Wed, 07/08/2009 - 04:38

Hi Jon,

Thanks for your prompt reply. Actually we want to firewall among all VLAN's because we need to restrict access between them as well as to other segments. But, my concern to firewall all VLAN's, by thinking that it might require to remove SVI's for all VLAN's as they are on HSRP.

Half the VLAN's are active on one 6500, second half on standby and vice-versa with second 6500, each chassis with 1 FWSM.

If time permits, you may please advise with the setup to firewall all VLAN's with the above HSRP.



Jon Marshall Thu, 07/09/2009 - 09:56


Apologies for the delay in getting back.

Firstly if you want to firewall all 40 vlans you have 2 topology choices

1) No MSFC involvement

Internet -> pix -> FWSM -> 40 vlans

2) MSFC in front of FWSM

Internet -> pix -> MSFC -> FWSM -> 40 vlans

It really depends on if you have traffic coming from the Internet that should be routed elsewhere ie. not one of the 40 vlans or if you have traffic going out to the Internet that does not come from one of the 40 vlans.

So you'll have to decide which one you need. Obviously option 2 has the MSFC involved so you need to be a bit more careful.

As for the HSRP. Well if you migrate the vlans to be firewalled by the FWSM then you don't need the HSRP for each vlan because you have to remove the L3 SVI for each of the 40 vlans off the MSFC.

I'm assuming you have an FWSM in each 6500. With a basic active/standby scenario all vlans use the same FWSM (the primary) to send their traffic out and to receive traffic. If the primary FWSM fails then the standby FWSM takes over the primary FWSM ip address so the vlans can still send traffic to the same default-gateway and the standby will now receive the traffic.

As you can see firewall failover provides the same default-gateway redundancy as HSRP although it only requires 2 IP's, one for the primary and one for the standby unlike the 3 needed by HSRP ie. 2 physicals + 1 virtual.

If you wanted to spread the load you could look into contexts on the FWSM using an active/active setup but this complicates things considerably so i would recommend at the moment using active/standby and keeping an eye on the load.

Without wishing to complicate things even more bear in mind that with contexts you could actually have many topologies if needed. Contexts are virtual firewalls within the FWSM, so you are not simply limited to one or another topology, but as i say contexts complicate things, and if you want to go above 2 contexts + 1 admin context then you need additional licenses which aren't cheap.


aabdullah25 Fri, 07/10/2009 - 22:55

Hi Jon,

Sorry for the delay in reply and thanx for the details. I tried to deploy FWSM at the weekend, it was partially successful.

The topology was

Internet -> pix -> vlan 30 <- FWSM -> vlan 20 <- MSFC -> inside vlans; vlan 40 as DMZ

I was able to access internet, pix and other outside devices from inside, but DMZ devices were not accessible. I was able to ping from FWSM to inside and DMZ devices, but cannot access DMZ from inside.

The following steps were done:

1) Removed the SVI for vlan 30 (outside) and vlan 40 (dmz)

2) Added new vlan 20 (inside) with SVI

3) Added default route in FWSM with next hop as pix inside

4) In Pix added routes for inside subnets with next hop as FWSM outside

5) In FWSM, added routes for inside subnets with next hop as SVI interface of vlan 20

6) Added default route in MSFC with next hop as vlan 20

7) Added ACL with ip any any to all 3 interfaces of FWSM inward direction

8) Security levels - inside (100), outside (0) and DMZ (60)

Hit count is increasing for inside and DMZ ACL's when I was trying to access anything. I even tried to statically NAT the whole DMZ subnet to the inside, but no use.

Looking forward for your suggestions to the above issue.



Jon Marshall Sat, 07/11/2009 - 03:37


Unfortunately i will be busy most of today so can only offer limited help but here are a few things to check.

What connectivity are you testing with from the inside to the DMZ ? - is it just ping. If so you say you have an acl on the DMZ interface - is that acl allowing ping replies back to the inside, or alternatively do you have ICMP inspection turned on ?

What are you doing with NAT? You say the inside can get out but not to the DMZ and that you tried to statically NAT the whole DMZ subnet to the inside. This isn't needed, you actually need to make sure the inside is Natted as it hits the DMZ although you could also turn off nat-control altogether.

Perhaps you could post the nat configs and when i get a chance i'll have a look.

Good to hear that you got the rest working so good job on that.


aabdullah25 Sat, 07/11/2009 - 05:12

Hi Jon,

Thanks a lot, though you are in busy schedule, you replied to me. I am attaching herewith the FWSM config.

I did static NAT, just to verify whether this solve the issue or not. Nat-control is disabled, icmp inspection allowed. I was trying to access the DMZ devices using ping as well as RDP, but it didn't work. From DMZ everything is allowed, nothing is blocking. You may pls check the config.



aabdullah25 Sun, 07/12/2009 - 02:08

Hi Jon,

Actually I rolled back to original config and right now fwsm is not functional. I added the following route to MSFC when fwsm was working:

ip route vlan61

Vlan61 is the SVI interface between msfc and fwsm.

I checked this show ip route when fwsm was functional, it gives the output like the following:

lists all vlans on msfc as directly connected and at the end

S* [1/0] via vlan61

Hope you saw the fwsm config which i posted before, in which all 3 interfaces are shutdown because i removed firewall vlan-group in msfc.

The strange thing, i can reach inside & dmz devices from fwsm, but not from inside to dmz.



