cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1054
Views
0
Helpful
2
Replies

FWSM on 6509

pbenner
Level 1
Level 1

Good Morning,

I will preface this with the fact that I know that the network needs to be redesigned. This is not my animal, I have just walked into a disaster. Re-design is not possible at this point, but some secutity is needed.

The network is composed of 2 X 6509's that are connected together, as well as cross connected to 2 X 4006's. The 6509's run VLAN2 with 5 secondary addresses on the vlan interface. The 4006's run VLAN3 that also have multiple secondary addresses. I need to be able to secure the traffic that flows between VLAN2 and VLAN3.

The FWSM will not support multiple addresses on the VLAN interface. (multinetting)

I figure that if I run the FWSM in transparent mode I can configure the port to the 4006's as 1 side of the transparent interface and another port in VLAN2 as the other interface.

Thoughts? (Network engineers should know better than to do something like what has been done to this company!!!!)

Thanks,

Phil

2 Replies 2

eugene.beckett
Level 1
Level 1

seems like you could almost do this with vacl's - due to the secondary addressing i believe you are correct and the FWSM may not do what you want

pringlem
Level 1
Level 1

Phil,

Your transparent mode plan seems doable.

Here are a couple of other options using the FWSM in routed mode.

1. Create separate VLANs to correspond with each secondary address, reassign host ports to those VLANs per subnet, and create firewall interfaces for each individual subnet/VLAN. (of course, this could be quite labor intensive on a large network)

-or-

2. Keep routing with the 4006's and 6509's, create new subnets linking each router to a new interface on the FWSM and add routes pointing your next hop to the FWSM.

i.e. VLAN2 -> 6509 -> VLANx -> FWSM <- VLANy <- 4006 <-VLAN3

That way, you only need one IP address on each FWSM interface, and routing will do the rest. The FWSM would need some static routes assigned to point back to the subnets handled by each router.

I hope you find these ideas somewhat useful.

-Mike

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: