Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1372
Views
0
Helpful
3
Replies

MSFC placement in FWSM Deployment

Go to solution
sheikh ahmed zubedi
Level 1
Level 1

‎06-08-2010 06:30 AM - edited ‎03-11-2019 10:56 AM

Hello everybody,

I was going through the FWSM configuration guide and came around a concept of placing the MSFC in front or back of the FWSM. What i have understood is if you create a VLAN10 and assign this VLAN10 to the FWSM and then create the SVI for this VLAN10 on the MSFC then you have placed the MSFC behind the Firewall module and if you have create the SVI for this VLAN10 on the FWSM instead of the MSFC then you have placed the MSFC in front of the Firewall module. I wanted to know if this understanding is correct If not can you give me the right concept.

Thanks in advance for you answers

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to sheikh ahmed zubedi

‎06-08-2010 08:05 AM

Sheikh,

I believe you understood this perfectly.

What the doc. says is correct.

[ In the left-hand example, the MSFC routes between VLANs 201, 301, 302, and 303, and no inside traffic goes through the FWSM unless it is destined for the Internet. In the right-hand example, the FWSM processes and protects all traffic between the inside VLANs 201, 202, and 203.

This would only be possible if the SVIs for these vlans is on the MSFC, if the SVIs for these vlans would have been on the Firewall then traffic will ahve to go through the FWSM.]

[KS] When the MSFC (with layer 3 interfaces on all these vlans) is on the inside then all these vlans 201,301,302 and 303 are considered inside vlans.  Traffic between them will not even go to the firewall.  Again, like you said you can create interfaces on the firewall but, still the MSFC will not send the traffic to the FWSM if it knows (directly connected SVI for all the vlans) unless it is specifically told to do so via route map and set-ing the next hop to the FWSM interface address for traffic between vlans.

If you want to firewall traffic between vlans 201, 301, 302 and 303 would have to follow the rigth side picture. Think of this as a PIX/ASA with many DMZs configured and the MSFC on the outside, just like any other layer 3 routers connected to the ISP and out to the internet.

Is this clear? If not pls. post your question.

-KS

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee

‎06-08-2010 06:46 AM

Sheikh,

Not really. It depends on the nameif for vlan10

msfc---vlan10--(inside)FWSM(outside)-vlan20--another_layer3_device---internet  -----> in this case MSFC has int vlan 10 created (SVI)

In this case vlan10 is your inside interface for the FWSM and so the MSFC is behind the FWSM.

If you have


inside hosts----Vlan10----(inside)FWSM-(outside)vlan20---MSFC---internet  ----> in this case the switch has int vlan 20 created (SVI)

Now, the MSFC is on the outside.

-KS

0 Helpful

Go to solution
sheikh ahmed zubedi
Level 1
Level 1
In response to Kureli Sankar

‎06-08-2010 07:48 AM

hi kusankar,

Thanks for you reply. i have one doubt as i was reading chapter one of Cisco's FWSM configuration guide under using the MSFC section

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/intro_f.html

it shows that vlan 201 is considered inside when it is between the FWSM and the MSFC but on the right side of the diagram it shows now that vlan 201 is behind the firewall and it says

In the left-hand example, the MSFC routes between VLANs 201, 301, 302, and 303, and no inside traffic goes through the FWSM unless it is destined for the Internet. In the right-hand example, the FWSM processes and protects all traffic between the inside VLANs 201, 202, and 203.

This would only be possible if the SVIs for these vlans is on the MSFC, if the SVIs for these vlans would have been on the Firewall then traffic will ahve to go through the FWSM.

The document says For multiple context mode, if you place the MSFC behind the FWSM, you should only connect it to a single context. If you connect the MSFC to multiple contexts, the MSFC will route between the contexts, which might not be your intention.

This would mean that the SVIs for the VLANs that have been assigned to the context need to have their SVIs on the MSFC and in this case the MSFC would route between the contexts, if the SVIs for these vlans were on the FWSM then this would have not been possible.

i want understand this concept in relation to other vlan that are assigned to FWSM or MSFC and not just inside and outside vlan

Can you please clarify this point to me.

Once again thanks for answer

0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to sheikh ahmed zubedi

‎06-08-2010 08:05 AM

Sheikh,

I believe you understood this perfectly.

What the doc. says is correct.

[ In the left-hand example, the MSFC routes between VLANs 201, 301, 302, and 303, and no inside traffic goes through the FWSM unless it is destined for the Internet. In the right-hand example, the FWSM processes and protects all traffic between the inside VLANs 201, 202, and 203.

This would only be possible if the SVIs for these vlans is on the MSFC, if the SVIs for these vlans would have been on the Firewall then traffic will ahve to go through the FWSM.]

[KS] When the MSFC (with layer 3 interfaces on all these vlans) is on the inside then all these vlans 201,301,302 and 303 are considered inside vlans.  Traffic between them will not even go to the firewall.  Again, like you said you can create interfaces on the firewall but, still the MSFC will not send the traffic to the FWSM if it knows (directly connected SVI for all the vlans) unless it is specifically told to do so via route map and set-ing the next hop to the FWSM interface address for traffic between vlans.

If you want to firewall traffic between vlans 201, 301, 302 and 303 would have to follow the rigth side picture. Think of this as a PIX/ASA with many DMZs configured and the MSFC on the outside, just like any other layer 3 routers connected to the ISP and out to the internet.

Is this clear? If not pls. post your question.

-KS

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card