Cisco 6513 with FWSM Configuration Example

jfraasch
Level 3

I am trying to post some examples of this type of thing so that people might be able to avoid some of the problems I run into in configuring my stuff.

I have redundant 6513s. Up until now I had not had the FWSM, so I was at a loss as to how to configure them to work in a scenario where I wanted my users/servers to use a virtual address as their default gateway (kinda like HSRP or VRRP).

In my example I have about 12 VLANs that are going to be behind the firewall and two that will not be. One of the ones that will not be is one that is used by special workstations that need to get IRDP packets to discover their default gateway.

A couple of things to keep in mind on configuring this Hot/Standby FWSM:

1) Make sure your svclc vlan-group configurations on each core device match perfectly. You need the same number of VLANs being serviced by the FWSM or the active/passive configuration won't work.

2) Make sure you create the failover and stateful VLANs on each FWSM and then TRUNK them across your core. In my case I trunked them across a four-port port-channel.

3) You need to issue only very minimal configuration commands on the secondary FWSM. The rest of the configuration will be pushed to the standby FWSM from the primary.

All in all pretty cool. I have everything working in the lab. I just have to play around with the access-lists on the FWSM to fine tune access.

Please let me know if you have any questions or suggestions.

On Switch-CoreA:

svclc vlan-group 1 2,10,11,100,110,120,130,140,200,210,220,230,240,300,310
svclc vlan-group 1 320,330,340
firewall module 1 vlan-group 1

On Switch-CoreB:

svclc vlan-group 1 2,10,11,100,110,120,130,140,200,210,220,230,240,300,310
svclc vlan-group 1 320,330,340
firewall module 1 vlan-group 1

On FWSM-CoreA:

failover
failover lan unit primary
failover preempt
failover lan interface faillink Vlan10
failover replication http
failover link statelink Vlan11
failover interface ip faillink 192.168.253.1 255.255.255.252 standby 192.168.253.2
failover interface ip statelink 192.168.253.5 255.255.255.252 standby 192.168.253.6

On FWSM-CoreB:

failover
failover lan unit secondary
failover preempt
failover lan interface faillink Vlan10
failover replication http
failover link statelink Vlan11
failover interface ip faillink 192.168.253.1 255.255.255.252 standby 192.168.253.2
failover interface ip statelink 192.168.253.5 255.255.255.252 standby 192.168.253.6

The standby address in this example gets assigned to the secondary FWSM. In the event of failover, the users will still be able to get to the primary (re: non-standby) address.

The other thing you need to keep in mind is that you need an SVI to interface between the FWSM and the MSFC on the 6513. In my case I have VLAN 2 configured all in the 10.0.2.0/24 subnet on the MSFC and FWSM for both 6513s. Put a default route in the FWSM to point to the MSFC, ping it, and you should be good to go. If you get a bunch of ??????'s then you don't have a route to the MSFC.

Also, don't forget the icmp any any command to allow for easy testing.

James
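An added consistency check for points 1 and 2 above (my own Python, not part of the original post): it parses the svclc vlan-group lines from both cores and the failover lines from both FWSMs and reports any mismatch before you bring the pair up. The extra check that the failover and state VLANs are themselves included in the vlan-group handed to the FWSM is my assumption, not something the post states.

```python
import re
from typing import List, Set

VLAN_GROUP = re.compile(r"^svclc vlan-group (\d+) ([\d,]+)$", re.M)
FW_MODULE = re.compile(r"^firewall module \d+ vlan-group ([\d,]+)$", re.M)
FO_VLAN = re.compile(r"^failover (?:lan interface|link) \w+ Vlan(\d+)$", re.M)
FO_IP = re.compile(r"^failover interface ip \w+ [\d. ]+ standby [\d.]+$", re.M)


def fwsm_vlans(core_cfg: str) -> Set[int]:
    """VLANs the core hands to the FWSM: union of every group the 'firewall module' line references."""
    groups = {}
    for gid, vlans in VLAN_GROUP.findall(core_cfg):
        groups.setdefault(gid, set()).update(int(v) for v in vlans.split(","))
    used: Set[int] = set()
    for ref in FW_MODULE.findall(core_cfg):
        for gid in ref.split(","):
            used |= groups.get(gid, set())
    return used


def check_pair(core_a: str, core_b: str, fwsm_a: str, fwsm_b: str) -> List[str]:
    """Return the list of consistency problems; empty means the pair looks ready for failover."""
    problems = []
    va, vb = fwsm_vlans(core_a), fwsm_vlans(core_b)
    if va != vb:
        problems.append(f"vlan-group mismatch: only on A {sorted(va - vb)}, "
                        f"only on B {sorted(vb - va)}")
    fo_a = {int(v) for v in FO_VLAN.findall(fwsm_a)}
    fo_b = {int(v) for v in FO_VLAN.findall(fwsm_b)}
    if fo_a != fo_b:
        problems.append(f"failover/state VLANs differ: A {sorted(fo_a)}, B {sorted(fo_b)}")
    # Assumption: the failover and state VLANs must be passed to the FWSM on both cores.
    missing = (fo_a | fo_b) - (va & vb)
    if missing:
        problems.append(f"failover VLANs not in the FWSM vlan-group on both cores: {sorted(missing)}")
    if set(FO_IP.findall(fwsm_a)) != set(FO_IP.findall(fwsm_b)):
        problems.append("failover interface ip lines differ between the two FWSMs")
    return problems


# Constructed samples using the post's VLAN list and addresses; CORE_B_BAD drops VLAN 340.
CORE_A = ("svclc vlan-group 1 2,10,11,100,110,120,130,140,200,210,220,230,240,300,310\n"
          "svclc vlan-group 1 320,330,340\nfirewall module 1 vlan-group 1\n")
CORE_B_BAD = CORE_A.replace("320,330,340", "320,330")
FWSM_A = ("failover lan unit primary\nfailover lan interface faillink Vlan10\n"
          "failover link statelink Vlan11\n"
          "failover interface ip faillink 192.168.253.1 255.255.255.252 standby 192.168.253.2\n"
          "failover interface ip statelink 192.168.253.5 255.255.255.252 standby 192.168.253.6\n")
FWSM_B = FWSM_A.replace("unit primary", "unit secondary")
```

Running check_pair(CORE_A, CORE_A, FWSM_A, FWSM_B) returns an empty list, while substituting CORE_B_BAD flags VLAN 340 as present on one core only.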

1 Reply

Kureli Sankar
Cisco Employee

Thanks for posting this.
