Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
600
Views
0
Helpful
2
Replies

fwsm basic question

dkblee
Level 1
Level 1

‎02-22-2010 09:01 AM - edited ‎03-11-2019 10:13 AM

hi! I've a few questions to verify with the configuration shown below.

1) i created a context called test-no-vrf(transparent mode) with vlan 240(outside) and 241(inside) created in the 6509 switch and i'm able to access the GUI using ASDM.  If i would to apply firewall rule in my test-no-vrf context (between my live svr's vlan(not vlan240 n 241) with my test vlan of 241), will this impact my live vlan's servers in another live-context? First of all, will i be able to add my live vlan subnet into my test-no-vrf's rules?

2) can i create another group for my test vlan 240 and 241 instead of joining to my live vlan in vlan-group3? What's the different of creating another vlan-group for test vlan 240 and 241 with my current setup below? Does that mean i will not be able to use rules that involve my live vlan/subnets' servers?

3) If i create a context with vrf (routing done within the vrf itself instead of going throug the msfc) + all the new vlans. Can these vlans be use in my live context? or it's localized within the context itself?

Thanks.

Cisco6509 Sw

-----------------------

svclc multiple-vlan-interfaces

svclc module 2 vlan-group 1,2

svclc vlan-group 1  108,202

svclc vlan-group 2  107

svclc vlan-group 3  4,5,7,8,100-102,109,110,200,201,240,241

firewall multiple-vlan-interfaces

firewall module 3 vlan-group 2,3

FWSM Module

----------------------

interface Vlan7
!
interface Vlan8
!
interface Vlan100
!
interface Vlan107
!
interface Vlan109
!
interface Vlan110
!
interface Vlan150
shutdown
!
interface Vlan200
description LAN Failover Interface
!
interface Vlan201
description STATE Failover Interface
!
interface Vlan240
!
interface Vlan241
!

FWSM-Context

------------------------

context test-no-vrf
  allocate-interface Vlan240
  allocate-interface Vlan241
  config-url disk:/test-no-vrf.CFG
!

Labels:
0 Helpful
2 Replies 2

francisco_1
Level 7
Level 7

‎02-22-2010 09:33 AM

The FWSM does not support virtual routing. (VRF). To configure the FWSM for Virtualization, you gonna have create VRF on the MSFC instead and have different vlans on the MSFC in their own VRF. On the FWSM create you multiple Context and allocate the vlans to a context on the FWSM. Traffic between VRFs will transit the FWSM context associated with the local VRF, route through the switch MSFC  and traverse back through the FWSM context associated with the destination VRF.

0 Helpful

dkblee
Level 1
Level 1
In response to francisco_1

‎02-23-2010 09:53 AM

hi! Just to confirm, about the question i asked abou the vlan-group. If i created a new test context with 3 vlans assigned to a new vlan-group, cab i apply rules that include my other live server which is of different vlans from the one i assigned my test context? (eg. allow only http from my other server segments to access the inside of my test context). What's the different of grouping them into one vlan-group and isolating my test context's vlan from my live server vlans? thx.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card