How to configure 2 fwsm to get 10 gb throughput

shinde_hanu
Level 1

Hi,

I have 2 fwsm and 2 6509 switches. Both are configured in inter-chassis failover.


Now I have to add 2 fwsm and increase the throughput to 10 gbps. I have 20 vlans and I have to keep 10 vlans on 1st fwsm module and other 10 vlans on 2nd fwsm module.


I had checked all the Cisco documents but no relevant solutions found.

Please guide me how to configure or how to bundle 2 fwsm to get 10 gbps throughput.

Shinde


Kureli Sankar
Cisco Employee

What you can do is configure active/active failover and load balance some contexts in one FWSM and others in the other.

Refer to this document: https://supportforums.cisco.com/docs/DOC-12668#Backplane_Etherchannel

Read about active/active failover here: http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html#wp1052847

-KS

Hi Kusankar,

I have 2 6509 switches and 4 fwsm modules, i.e. in each switch 2 fwsm modules.

Presently I have active/standby failover configuration with one fwsm in each chassis (inter-chassis failover). Now I have added one more fwsm in each chassis. So there are two fwsm in each chassis.

I have to configure two fwsm in one chassis. How do I configure them to increase the throughput to 10 gb?

Shinde

Shinde,

You can only have two FWSMs in a Failover scenario.  You can configure two pairs. Configure act/act and divide the traffic between the two pair.

-KS

Shinde,

You cannot combine the 2 FWSMs to increase the throughput but you can load share traffic based on vlans serviced by each FWSM.

Hope this helps!

- AD

Hi Anil,

Thanks.

Following is the configuration for load balancing.

*********

Switch configuration

*********

firewall module 4 vlan-group 10,20,30
firewall module 8 vlan-group 30,40,50
firewall vlan-group 10  100-103
firewall vlan-group 20  500,501
firewall vlan-group 30  131
firewall vlan-group 40  132,133
firewall vlan-group 40  502,503

*********
fwsm configuration - module 4

*********

interface Vlan131
nameif Management
security-level 80
ip address 192.168.39.1 255.255.255.128 standby 192.168.39.2


interface Vlan100
nameif DMZ2
security-level 80
ip address 192.166.10.1 255.255.255.0 standby 192.168.10.2
!
interface Vlan101
nameif DMZ3
security-level 80
ip address 192.166.11.1 255.255.255.0 standby 192.168.11.2
!
interface Vlan102
nameif DMZ3
security-level 80
ip address 192.166.12.1 255.255.255.0 standby 192.168.12.2
!
interface Vlan103
nameif DMZ4
security-level 80
ip address 192.166.13.1 255.255.255.0 standby 192.168.13.2
!
interface Vlan500
description LAN Failover Interface
!
interface Vlan501
description STATE Failover Interface
!

same-security-traffic permit inter-interface

***********
failover configuration

***********

failover
failover lan unit primary
failover lan interface faillink Vlan500
failover interface-policy 1
failover key cisco
failover link statelink Vlan501
failover interface ip faillink 10.10.1.1 255.255.255.252 standby 10.10.1.2
failover interface ip statelink 10.10.2.1 255.255.255.252 standby 10.10.2.2

@@@@@@@@

*********
fwsm configuration - module 8

*********

interface Vlan131
nameif Management
security-level 80
ip address 192.168.39.3 255.255.255.128 standby 192.168.39.4


interface Vlan132
nameif Internet
security-level 80
ip address 192.166.40.1 255.255.255.0 standby 192.168.40.2
!
interface Vlan133
nameif DMZ
security-level 80
ip address 192.166.41.1 255.255.255.0 standby 192.168.41.2
!
interface Vlan502
description LAN Failover Interface
!
interface Vlan503
description STATE Failover Interface
!

same-security-traffic permit inter-interface

*********
failover configuration

*********

failover
failover lan unit primary
failover lan interface faillink Vlan502
failover interface-policy 1
failover key cisco
failover link statelink Vlan503
failover interface ip faillink 10.10.3.1 255.255.255.252 standby 10.10.3.2
failover interface ip statelink 10.10.4.1 255.255.255.252 standby 10.10.4.2

@@@@@@@@@@@@@

Will this configuration work for load sharing?

How will traffic between vlan 100 and vlan 132 pass?

Regards,

Shinde
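
A quick consistency check for a configuration like the one posted above, as an added example that is not part of the original post: the sample input is an abbreviated copy of lines from that post, and the function names are this example's own. It relies on two facts: a standby address must sit in the same subnet as the active address, and a nameif can be assigned to only one interface.

```python
import ipaddress
import re
from collections import Counter

# Abbreviated copy of lines from the configuration posted above; it is sample
# input for the checks, not a corrected configuration.
SWITCH_CFG = """\
firewall module 4 vlan-group 10,20,30
firewall module 8 vlan-group 30,40,50
firewall vlan-group 10  100-103
firewall vlan-group 20  500,501
firewall vlan-group 30  131
firewall vlan-group 40  132,133
firewall vlan-group 40  502,503
"""
FWSM_CFG = """\
interface Vlan101
nameif DMZ3
ip address 192.166.11.1 255.255.255.0 standby 192.168.11.2
!
interface Vlan102
nameif DMZ3
ip address 192.166.12.1 255.255.255.0 standby 192.168.12.2
"""

def check_vlan_groups(cfg):
    """Return findings for groups defined twice or referenced but never defined."""
    defined = Counter(re.findall(r"^firewall vlan-group (\d+)\s", cfg, re.M))
    findings = [f"vlan-group {g} defined {n} times" for g, n in defined.items() if n > 1]
    for mod, groups in re.findall(r"^firewall module (\d+) vlan-group (\S+)", cfg, re.M):
        for g in groups.split(","):
            if g not in defined:
                findings.append(f"module {mod} references undefined vlan-group {g}")
    return findings

def check_interfaces(cfg):
    """Return findings for reused nameif values and standby IPs outside the active subnet."""
    names = Counter(re.findall(r"^\s*nameif (\S+)", cfg, re.M))
    findings = [f"nameif {n} used on {c} interfaces" for n, c in names.items() if c > 1]
    pat = r"^\s*ip address (\S+) (\S+) standby (\S+)"
    for active, mask, standby in re.findall(pat, cfg, re.M):
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if ipaddress.ip_address(standby) not in net:
            findings.append(f"standby {standby} is outside {net}")
    return findings

if __name__ == "__main__":
    for finding in check_vlan_groups(SWITCH_CFG) + check_interfaces(FWSM_CFG):
        print(finding)
```
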

I am not sure what you mean by load sharing. It seems like you have two pairs of FWSM configured.

You are asking if traffic from vlan 100 can get to vlan 132.

vlan 100----FWSM(4)---[what is in between?]-----FWSM(8)------vlan 132

Do you have Route, Permission and NAT configured? If you have the above configured then the traffic will flow from the source to the destination.

-KS

Answers inline.

Will this configuration work for load sharing?

>Yes as FWSM will handle different vlans traffic so load is distributed across different FWSMs.

How will traffic between vlan 100 and vlan 132 pass?

> You will need to get it routed from MSFC side. So any traffic which needs to go to another vlan behind the 2nd FWSM should be routed to MSFC and MSFC will route it to other FWSM2.

Hi KS / AD

Today I tested 2 FWSM in one chassis and traffic is passing from one vlan of 1st FWSM to another vlan of 2nd FWSM.

Thanks for your valuable support.

Regards,

Shinde
