6500 FWSM with multi context, trans. mode.

hey there,

i am tring to configure a 6500 fwsm but am having problem with the concept.

i am running in tranparent mode, looking at the cisco files it looks like you need an outside vlan and an inside vlan, the problem is that traffic is not being vlan taged till the current switch (which will have the firewall) yet on the config sample it shows as if there is a vlan outside and inside, in my case there is one vlan outside and many vlans inside, i would like to firewall only traffic on 1 vlan in the inside.

as you can see from the sample you need a vlan outside also.

how can i configure this with a vlan outside if i dont have one in my network?

you may see the sample config from the site:

on the Transparent Mode Sample Configurations part.

there are vlan outside and inside, but in my network the vlans seperation is happenning on the switch itself with the firewall.

can anyone please explain this concept to me?

as i need to firewall only a single vlans on the inside and the rest of the traffic leave on touch.

thanks in advance and i hope i explained my problem well ;)



Re: 6500 FWSM with multi context, trans. mode.


You can make an inside and outside vlan.

Let`s say the vlan to protect is vlan 100. You allocate this vlan to your FWSM. You need to create another vlan, say 200, to act as you outside vlan.

Now, the host to be protected are in vlan 100 configure with a switchport access vlan 100 command on the cat 6500. You need to delete the MSFC(router) L3 interface from vlan 100 but still keep the L2 vlan 100 existing. You create a interface vlan 200 configure it just like your old vlan 100 (same IP). You assign those two vlan to your FWSM, configure the firewall and voila!

Re: 6500 FWSM with multi context, trans. mode.

hey there,

thanks for the answer, i think i see one problem there, if i give an ip address to the vlan 200 per say, i am not any more in transparent mode, but switching to routed mode.

which is not what i am trying to achieve.

may i create the outside vlan with no ip address? as i dont have an ip address currently on the inside vlan.

and use a routing statement to route the traffic?

Once again thanks for the help.


Re: 6500 FWSM with multi context, trans. mode.

You dont give ip adresse to the fwsm, you give it to the sup in your 6500.

L2(100) Vlan - Transparent FWSM - L3(200) Vlan MSFC (IP is here) - other network/vlan

The L2 and L3 vlan can be inside or outside. All those vlan are in the same 6500

Re: 6500 FWSM with multi context, trans. mode.


I got you boss, the coin just fell as they say.

thanks for the help, and now its time for the fun part.....


