Firewall multiple-vlan-interfaces ( 6509 & FWSM)

Answered Question
Jan 21st, 2010

Hi,

I have a setup in which I have an MSFC SVI configured on the 6509, which is also configured on the FWSM with the same subnet IP address to set up communication between the MSFC and the firewall. It's working fine.

Now we have a requirement to configure a second interface with a new subnet on the 6509, which should also be present on the FWSM with the same new subnet.

The problem is that the newly created SVIs remain administratively down on the 6509. Do I have to use the "firewall multiple-vlan-interfaces" command on the 6509 to create multiple SVI interfaces between the MSFC and the FWSM? If yes, when I introduce this command, does it hamper the existing traffic going from the MSFC to the FWSM?

Thanks in advance

Hitesh Vinzoda

Correct Answer
Jon Marshall Fri, 01/22/2010 - 01:56
Hitesh

If you want to have multiple L3 SVIs up/up on the 6509 and have the FWSM use these VLANs as well, then yes, you will need to enable "firewall multiple-vlan-interfaces".

You need to be careful when using this command. If you have multiple L3 SVIs for VLANs attached to the FWSM, you need to make sure that you have not bypassed the firewall, e.g.:

2 VLANs - vlan 10 & 11

Both VLANs should be firewalled by the FWSM. If you create an L3 SVI for both VLANs on the MSFC, then traffic will simply be routed by the MSFC between the 2 VLANs, i.e. it will not go via the FWSM. So you need to make sure that by enabling "firewall multiple-vlan-interfaces" and having a 2nd SVI on the MSFC you have actually bypassed the FWSM.

It should not hamper the existing traffic other than in the above scenario, where you may find you have bypassed the FWSM.

Jon

Hitesh Vinzoda Sat, 01/23/2010 - 01:37

Thanks Jon,

In my case, of my 2 VLANs, vlan 10 belongs to the GRT and vlan 11 belongs to a VRF. So if they want to route to each other they will not use the MSFC; rather, the traffic will go to the firewall, and based on policy they will have access to each other.

Please advise on this hypothesis.

Regards

Hitesh Vinzoda

Jon Marshall Sat, 01/23/2010 - 04:56

Hitesh

I have never used this type of setup, but what you say makes perfect sense, i.e. traffic will have to be routed via the FWSM. So you should enable "firewall multiple-vlan-interfaces".

Jon
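To make Jon's bypass warning and Hitesh's GRT/VRF distinction concrete, here is an added Python example (not from the thread, and not a Cisco tool) that parses a constructed MSFC configuration snippet and reports every routing table in which the MSFC holds SVIs on two or more FWSM VLANs, which is exactly the case where inter-VLAN traffic is routed by the MSFC and never reaches the FWSM. It assumes the FWSM VLANs are listed in "firewall vlan-group" lines, that an SVI without "ip vrf forwarding" is in the global table, and that the MSFC does not route directly between different routing tables.

```python
import re
from collections import defaultdict

# Constructed sample MSFC config (not from the thread): vlan 10 in the global
# table, vlan 11 in VRF "INSIDE", vlans 20 and 21 both global; all go to the FWSM.
SAMPLE_CONFIG = """\
firewall vlan-group 1 10,11,20,21
firewall module 1 vlan-group 1
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
interface Vlan11
 ip vrf forwarding INSIDE
 ip address 10.1.11.2 255.255.255.0
interface Vlan20
 ip address 10.1.20.2 255.255.255.0
interface Vlan21
 ip address 10.1.21.2 255.255.255.0
"""

def fwsm_vlans(config):
    """VLANs handed to the FWSM via 'firewall vlan-group' (comma lists only)."""
    vlans = set()
    for m in re.finditer(r"^firewall vlan-group \d+ (\S+)", config, re.M):
        vlans.update(int(v) for v in m.group(1).split(","))
    return vlans

def msfc_svis(config):
    """Map VLAN id -> routing table ('global' or the VRF name) per L3 SVI."""
    svis, vlan, table = {}, None, "global"
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)$", line)
        if m:
            vlan, table = int(m.group(1)), "global"
        elif line.startswith(" ip vrf forwarding "):
            table = line.split()[-1]  # IOS places this before 'ip address'
        elif line.startswith(" ip address ") and vlan is not None:
            svis[vlan] = table
    return svis

def multiple_svis_on_fwsm_vlans(config):
    """True when more than one MSFC SVI sits on an FWSM VLAN; the extra SVIs
    stay down until 'firewall multiple-vlan-interfaces' is configured."""
    return len(set(msfc_svis(config)) & fwsm_vlans(config)) > 1

def bypass_risks(config):
    """Tables where the MSFC has SVIs on 2+ FWSM VLANs: it routes between them itself."""
    fw = fwsm_vlans(config)
    by_table = defaultdict(list)
    for vlan, table in msfc_svis(config).items():
        if vlan in fw:
            by_table[table].append(vlan)
    return {t: sorted(v) for t, v in by_table.items() if len(v) > 1}
```

On the sample, vlan 10 (global) and vlan 11 (VRF INSIDE) are not flagged against each other, matching Hitesh's case, while vlans 10, 20 and 21 share the global table and are reported as MSFC-routed.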
