Solved: FWSM on 6513 core switch

hebaelshahat · ‎10-22-2009

hi All,

there are 100 vlans (layer 3) and 20 Layre2 vlans on the core switch.

i'd like to add them to FWSM without NATing, what can i do? do i use nat 0? and how can i add the layer 2 vlans to FWSM (without having IP address for them)?

Marcus Hunold · ‎10-27-2009

You have to understand that you can have only ONE Layer3 Routing Interface in VLAN network. If you want to use the FWSM you have to shutdown all your Layer3 Vlan interfaces on your switch! So your Switch will only do Layer2 work. HSRP you can't do in this constellation.

You need 2 FWSM. One in the first Chassi and one in the second and than you have to configuring Failover on the FWSM.

I hope I could help you.

View solution in original post

Jagdeep Gambhir · ‎10-22-2009

You need to run it in transparent mode, check this link,

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

Regards,

~JG

Do rate helpful posts

hebaelshahat · ‎10-23-2009

thanks for your reply.

but i have 100 internal interfaces (100 vlans), and transparent mode works only with two interfaces (one interface inside and one interface outside)so i think i can't use the transparent mode in this case.

Panos Kampanakis · ‎10-23-2009

You can have 8 vlan pairs per context. So if you are in multi-context mode then you will need some context.

In general if you don't want layer 3 interface on the FWSM and you have a 100 of them what you want is a bridge. But the FWSM cannot bridge 100vlans at the same time. It can bridge them only in pairs.

PK

hebaelshahat · ‎10-23-2009

i haven't license for using contexts,

i have 100 inside "layer 3" vlans so i cann't use transparent mode. can i nat between the inside interfaces and the outside interface using NAT 0 ?

Marcus Hunold · ‎10-23-2009

1000 total per service module

256 VLANs per security context in routed mode

you will do it in single mode. Only 100 Layer3 vlans will connected to the FWSM.

(you have to delete the Layer3 interfaces on your Coreswitch config)

The Layer2 vlan haven't any gate to other network/vlans because there is no layer 3 routing interface.

At the FWSM you can route without nating there is an option you can use! But if you want to nat you have to do many entrees ;-)

hebaelshahat · ‎10-23-2009

How can i route without nating? can you give me an example?

Marcus Hunold · ‎10-25-2009

Cisco ASDM User Guide:

You can find it on the Window for Nat Rules

Enable traffic through the firewall without address translation-Allows traffic to pass through

the security appliance without address translation

hebaelshahat · ‎10-25-2009

thanks for your reply.

i have another question, can FWSM on Routed mode work with HSRP On 6513 core switch that has 100 vlans (for redundancy) ?

thanks again

Kureli Sankar · ‎10-25-2009

Yes, it absolutely can.

Just make sure to point the route on the FWSM to the standby IP on the switch side.

for example

If 10.10.10.2 and 10.10.10.3 are the physical IPs and 10.10.10.1 is the standby IP then, the route on the FWSM should point to 10.10.10.1

hebaelshahat · ‎10-25-2009

thanks kusankar for your reply but if i enabled multiple SVI for the 100 interfaces (100 VLANs) for HSRP, the traffic may bypass both the inside and outside VLANs to the core switch (MSFC) so, how can i solve this problem?

Kureli Sankar · ‎10-25-2009

You need to do proper routing on the switch side (policy based) otherwise traffic will not hit the FWSM. Like you said, it will route around the firewall.

what is the reason for 100 SVIs between the FWSM and the switch?

Seems like you are looking for some design suggestion. Pls. contact your local Cisco office regarding that.

hebaelshahat · ‎10-26-2009

i'm using 100 vlans because we have in our design 100 layer 3 vlan and we make redundancy between them by using HSRP.

today i made a test, i configured multiple SVI on the core then HSRP worked properly but unfortunately the traffic bypass the FWSM!

so, how can i solve this weird problem?

Marcus Hunold · ‎10-27-2009

You have to understand that you can have only ONE Layer3 Routing Interface in VLAN network. If you want to use the FWSM you have to shutdown all your Layer3 Vlan interfaces on your switch! So your Switch will only do Layer2 work. HSRP you can't do in this constellation.

You need 2 FWSM. One in the first Chassi and one in the second and than you have to configuring Failover on the FWSM.

I hope I could help you.