I was going through the FWSM configuration guide and came across a concept of placing the MSFC in front of or behind the FWSM. What I have understood is: if you create a VLAN10 and assign this VLAN10 to the FWSM and then create the SVI for this VLAN10 on the MSFC, then you have placed the MSFC behind the Firewall module, and if you have created the SVI for this VLAN10 on the FWSM instead of the MSFC, then you have placed the MSFC in front of the Firewall module. I wanted to know if this understanding is correct. If not, can you give me the right concept?
Thanks in advance for your answers.
I believe you understood this perfectly.
What the doc. says is correct.
[ In the left-hand example, the MSFC routes between VLANs 201, 301, 302, and 303, and no inside traffic goes through the FWSM unless it is destined for the Internet. In the right-hand example, the FWSM processes and protects all traffic between the inside VLANs 201, 202, and 203.
This would only be possible if the SVIs for these VLANs are on the MSFC; if the SVIs for these VLANs had been on the Firewall, then traffic would have to go through the FWSM.]
[KS] When the MSFC (with layer 3 interfaces on all these VLANs) is on the inside, then all these VLANs 201, 301, 302 and 303 are considered inside VLANs. Traffic between them will not even go to the firewall. Again, like you said, you can create interfaces on the firewall, but still the MSFC will not send the traffic to the FWSM if it knows the destination (directly connected SVI for all the VLANs) unless it is specifically told to do so via a route map, setting the next hop to the FWSM interface address for traffic between VLANs.
If you want to firewall traffic between VLANs 201, 301, 302 and 303, you would have to follow the right-side picture. Think of this as a PIX/ASA with many DMZs configured and the MSFC on the outside, just like any other layer 3 router connected to the ISP and out to the Internet.
Is this clear? If not pls. post your question.
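The two placements KS contrasts, written out as an added configuration sketch that is not from this thread or from Cisco's documentation; the slot number, VLAN numbers and the 10.x/192.0.2.x addresses are assumed. Design A keeps the inside SVIs on the MSFC, so inter-VLAN traffic never touches the FWSM; Design B terminates the inside VLANs on the FWSM, so every inter-VLAN flow is inspected.

```cisco
! ===== Design A: MSFC inside (behind) the FWSM =====
! Supervisor/MSFC (IOS). Only the MSFC<->FWSM link (VLAN 10) and the
! outside VLAN (100) are handed to the FWSM in slot 3 (assumed slot).
firewall vlan-group 1 10,100
firewall module 3 vlan-group 1
! Inside SVIs stay on the MSFC: 201<->301 traffic is routed here and
! never reaches the FWSM.
interface Vlan201
 ip address 10.2.1.1 255.255.255.0
interface Vlan301
 ip address 10.3.1.1 255.255.255.0
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
! Only the default route (Internet-bound traffic) points at the FWSM.
ip route 0.0.0.0 0.0.0.0 10.0.10.2
! FWSM, slot 3: just an inside and an outside interface.
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.0.10.2 255.255.255.0
interface Vlan100
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
route inside 10.0.0.0 255.0.0.0 10.0.10.1
route outside 0.0.0.0 0.0.0.0 192.0.2.1

! ===== Design B: MSFC outside (in front of) the FWSM =====
! All inside VLANs are firewall VLANs; the MSFC keeps only VLAN 100.
firewall vlan-group 2 100,201,202
firewall module 3 vlan-group 2
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
ip route 10.0.0.0 255.0.0.0 192.0.2.2
! FWSM: the inside VLANs terminate here, so 201<->202 is inspected
! and is subject to the access policy between these interfaces.
interface Vlan100
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface Vlan201
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
interface Vlan202
 nameif dmz1
 security-level 50
 ip address 10.2.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1
```

In Design A, a PBR route map on the MSFC SVIs (as KS mentions) would be the only way to force selected inter-VLAN traffic via the FWSM; it is omitted here.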