simple firewall question

Answered Question

Hi! We've a FWSM module in our core sw and I'm new to this. Just want to find out what's the purpose of the bridge-group 1 command on the inside and outside interfaces? + What's the BVI1 for? Is it related to the bridge-group 1 command on the inside and outside command? Can I have different bridge-group number for inside and outside? Thx

interface Vlan100
 nameif outside
 bridge-group 1
 security-level 0

interface BVI1
 ip address 10.10.10.1 255.255.255.0

Correct Answer by Jon Marshall about 7 years 2 months ago

This configuration is for when you run the FWSM in transparent mode. With transparent mode the IP subnet is the same on the outside and the inside. You use 2 VLANs, one for the outside and one for the inside, but as I say they both use the same IP subnet.

You then join (i.e. bridge) the 2 VLANs together with the FWSM. So the bridge group needs to match so the FWSM knows which VLANs to join together. The BVI is the management IP for this transparent firewall.


Jon

Overall Rating: 5 (1 ratings)
Jon Marshall Mon, 02/01/2010 - 09:31
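
An added example, not part of the original thread or any Cisco tooling: a small Python audit of the pairing described in the answer, flagging any bridge-group that does not join exactly two interfaces or has no matching BVI address. The inside interface Vlan101, the rule that BVI<n> belongs to bridge-group <n>, and the function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the asker's snippet plus a hypothetical inside VLAN (Vlan101).
SAMPLE_CONFIG = """\
firewall transparent
interface Vlan100
 nameif outside
 bridge-group 1
 security-level 0
interface Vlan101
 nameif inside
 bridge-group 1
 security-level 100
interface BVI1
 ip address 10.10.10.1 255.255.255.0
"""

def parse_interfaces(config):
    """Map each interface name to the sub-commands this audit cares about."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate pasted configs that lost their indentation
        if m := re.match(r"interface\s+(\S+)$", line):
            current = interfaces.setdefault(m.group(1), {})
        elif current is None:
            continue  # global command before the first interface block
        elif m := re.match(r"(nameif|bridge-group)\s+(\S+)$", line):
            current[m.group(1)] = m.group(2)
        elif m := re.match(r"ip address\s+(\S+)\s+\S+", line):
            current["ip"] = m.group(1)
    return interfaces

def audit_bridge_groups(config):
    """Return a list of findings; an empty list means the pairing is consistent."""
    interfaces = parse_interfaces(config)
    groups = defaultdict(list)
    for name, cmds in interfaces.items():
        if "bridge-group" in cmds:
            groups[cmds["bridge-group"]].append(cmds.get("nameif", name))
    findings = []
    for group, members in sorted(groups.items()):
        if len(members) != 2:  # one outside VLAN and one inside VLAN per group
            findings.append(f"bridge-group {group}: {len(members)} interface(s) "
                            f"({', '.join(members)}), expected an inside/outside pair")
        if "ip" not in interfaces.get(f"BVI{group}", {}):
            findings.append(f"bridge-group {group}: no BVI{group} management IP")
    return findings
```

Giving the inside and outside interfaces different bridge-group numbers shows up as two single-member groups, one of them without a BVI address.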