I am aware that this question has been asked in several formats before. I have read through some of the previous postings and the documentation as well. However, since I am new to this, I thought it best to submit a new posting.
I have two FWSMs in two 6509 switches. Each SVI on the 6509 uses GLBP for NHRP and load balancing. My goal with the FWSMs is to provide firewalling services as seamlessly as possible between hosts in the different subnets. The 6509s are being used solely as Services Switches, so most or all of the communicating hosts are servers.
I believe that transparent mode using multiple contexts will work best in this scenario. Some contexts may have multiple VLANs (servers performing the same function), so I will need multiple BVIs in each context. (I think up to 8 are allowed.) I would also like to implement Active/Active load balancing and failover between the FWSMs.
Here's what I want to clarify:
1. For every user VLAN, I have to define another VLAN that will be used to bridge traffic between the hosts and the MSFC. Is this accurate? Does this VLAN need an SVI on the switch?
2. The examples in the configuration guide use HSRP. Is there an issue with using GLBP?
Thanks for your help.
Generally, when you configure the FWSM in routed mode with multiple contexts, you can use one outside VLAN that has an SVI on the FWSM; this outside VLAN is called, in this case, a shared outside interface between contexts.
With transparent mode this is NOT applicable.
So in your case you need separate outside VLAN interfaces, assigned to the firewall vlan-group and created on the switch as well.
And in transparent mode the firewall will not be the default gateway, because it will act as a Layer 2 device.
So you need an interface within the same outside-interface VLAN on the context; so for each outside context interface (VLAN), create an SVI and make it the default gateway for the servers belonging to that context.
About GLBP: it is applicable almost anywhere HSRP is applicable.
But with GLBP there is an issue with asymmetric routing (the return path is not the same as the outgoing path). That is the only issue; if it is OK in your case then there is no problem.
Please rate if helpful.
I don't mind creating the additional VLANs on the switch and the asymmetric routing. Supposedly, there is a way to ensure failover support with asymmetric routing.
Let's suppose my server VLAN is 90 and I create VLAN 290 for the outside interface. These are the two VLANs that will be part of the BVI on the firewall, right? VLAN 90 has an SVI on the switch with GLBP configured and is the default gateway. Does VLAN 290 need an SVI on the switch as well?
Let's consider this example:
server vlan90--90 FWSM transparent context1 290---MSFC SVI vlan290--
and the default gateway of the servers will be the VLAN 290 SVI.
FWSM(config)# int vlan 90
FWSM(config-if)# bridge-group 1
FWSM(config-if)# int vlan 290
FWSM(config-if)# bridge-group 1
FWSM(config-if)# int bvi 1
FWSM(config-if)# ip address 10.290.1.2 255.255.255.0
FWSM(config)# route outside 0 0 10.290.1.1
where 10.290.1.1 is the VLAN 290 SVI IP.
***Keep in mind: if you create any SVI for VLAN 90 you are going to bypass the firewall, and the traffic will not go through it but will go directly through the MSFC.***
Rate if helpful.
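The reply above gives four rules that are easy to get wrong on a live pair of 6500s: the outside VLAN (290) carries the SVI that is the servers' default gateway, the inside VLAN (90) must not have an SVI at all (one there gives the MSFC a routed path that never crosses the FWSM), both VLANs must be handed to the module through a firewall vlan-group, and the BVI must sit in the outside VLAN's subnet. The script below, which is an added example and not code from the thread, parses a constructed MSFC config and a constructed transparent context and reports violations of those rules; it also rejects addresses such as 10.290.1.x that are not valid IPv4, which is why the thread's example addresses are flagged. IOS / FWSM 3.x command syntax is assumed, and the configs are constructed for this example.

```python
"""Audit a transparent-mode FWSM VLAN pair against the MSFC config (added example, not from
the thread; IOS / FWSM 3.x syntax assumed). Rules checked: the outside VLAN carries the SVI that is
the servers' gateway, the inside VLAN has NO SVI (it would route around the FWSM), both VLANs are in
a 'firewall vlan-group', the BVI is in the outside VLAN's subnet, and all addresses are valid IPv4."""
import re
from ipaddress import IPv4Address, IPv4Interface, AddressValueError

# Constructed MSFC config containing the mistake the warning above describes: an SVI on VLAN 90.
MSFC_CONFIG = """\
firewall vlan-group 10 90,290
firewall module 3 vlan-group 10
interface Vlan90
 ip address 10.91.1.1 255.255.255.0
interface Vlan290
 ip address 10.90.1.3 255.255.255.0
 glbp 290 ip 10.90.1.1
"""
# Constructed transparent context using the (invalid) addresses from the thread.
FWSM_CONFIG = """\
firewall transparent
interface vlan 90
 nameif inside
 bridge-group 1
interface vlan 290
 nameif outside
 bridge-group 1
interface bvi 1
 ip address 10.290.1.2 255.255.255.0
route outside 0 0 10.290.1.1
"""
ADDR_RE = re.compile(r"^(?:[ \t]*ip address|route \S+ \S+ \S+|[ \t]*(?:glbp|standby) \d+ ip) (\S+)", re.M)


def parse_blocks(config, header_re):
    """Map the header's capture group to its indented body lines (IOS-style config)."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(header_re, line)
        if m:
            current, blocks[m.group(1)] = m.group(1), []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None                      # any other top-level line closes the block
    return blocks


def msfc_svis(config):
    """{vlan: 'addr/mask' or None} for every 'interface VlanN' on the MSFC."""
    return {int(v): next(("/".join(l.split()[2:4]) for l in body if l.startswith("ip address ")), None)
            for v, body in parse_blocks(config, r"^interface Vlan(\d+)$").items()}


def msfc_firewall_vlans(config):
    """VLANs handed to the FWSM via 'firewall vlan-group N <list>' (ranges allowed)."""
    vlans = set()
    for m in re.finditer(r"^firewall vlan-group \d+ (\S+)", config, re.M):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def fwsm_bridge_groups(config):
    """{bridge_group: {'vlans': {vlan: nameif}, 'bvi': 'addr/mask' or None}} from a context."""
    groups = {}
    for vlan, body in parse_blocks(config, r"^interface vlan (\d+)$").items():
        opts = dict(l.split(None, 1) for l in body if " " in l)   # {'nameif': 'inside', 'bridge-group': '1'}
        if "bridge-group" in opts:
            bg = groups.setdefault(int(opts["bridge-group"]), {"vlans": {}, "bvi": None})
            bg["vlans"][int(vlan)] = opts.get("nameif")
    for bvi, body in parse_blocks(config, r"^interface bvi (\d+)$").items():
        opts = dict(l.split(None, 1) for l in body if " " in l)   # {'ip': 'address A M'}
        if "ip" in opts:
            groups.setdefault(int(bvi), {"vlans": {}, "bvi": None})["bvi"] = "/".join(opts["ip"].split()[1:3])
    return groups


def invalid_addresses(config):
    """Addresses that are not valid IPv4 (an octet above 255, for instance)."""
    bad = []
    for addr in ADDR_RE.findall(config):
        try: IPv4Address(addr)
        except AddressValueError: bad.append(addr)
    return bad


def audit(msfc_config, fwsm_config):
    """Return a list of findings; an empty list means the pairing is clean."""
    findings = [f"invalid IPv4 address {a}" for a in invalid_addresses(msfc_config + fwsm_config)]
    svis, fw_vlans = msfc_svis(msfc_config), msfc_firewall_vlans(msfc_config)
    for bg, info in fwsm_bridge_groups(fwsm_config).items():
        for vlan, nameif in info["vlans"].items():
            if vlan not in fw_vlans:
                findings.append(f"vlan {vlan}: not in any 'firewall vlan-group', the FWSM never sees it")
            if nameif == "inside" and vlan in svis:
                findings.append(f"vlan {vlan}: inside VLAN has an SVI on the MSFC, traffic bypasses the FWSM")
            if nameif == "outside" and vlan not in svis:
                findings.append(f"vlan {vlan}: outside VLAN has no SVI, the servers have no default gateway")
            elif nameif == "outside" and info["bvi"] and svis[vlan]:
                try:
                    if IPv4Interface(info["bvi"]).network != IPv4Interface(svis[vlan]).network:
                        findings.append(f"bvi {bg}: {info['bvi']} is not in the outside VLAN {vlan} subnet")
                except ValueError:
                    pass                        # already reported as an invalid address
    return findings


# Corrected pair: VLAN 90 SVI removed, BVI and route moved into the outside VLAN's real subnet.
CLEAN_MSFC_CONFIG = re.sub(r"interface Vlan90\n(?: .*\n)*", "", MSFC_CONFIG)
CLEAN_FWSM_CONFIG = FWSM_CONFIG.replace("10.290.1.", "10.90.1.")
```

Running `audit(MSFC_CONFIG, FWSM_CONFIG)` reports the two impossible addresses and the VLAN 90 SVI; `audit(CLEAN_MSFC_CONFIG, CLEAN_FWSM_CONFIG)` returns nothing. The parser only understands the handful of commands the checks need, so treat it as a pre-change sanity check on a planned pairing, not as a general IOS parser.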
But isn't 10.290.1.1 an invalid IP address?
VLAN 90 is the actual server VLAN. Let's assume that the SVI for VLAN 90 has an IP address of 10.90.1.1. VLAN 290 will be specifically created for the purpose of the bridge-group.
Will VLAN 290 also have an SVI on the MSFC?
Let me make it clearer.
You can configure your topology in one of two ways:
servers vlan90--MSFC vlan90 SVI vlan90 with (HSRP or GLBP)--90 context1 FWSM transparent 290--outside connection
server vlan90--90 FWSM context1 290---MSFC SVI 290 (you can make GLBP or HSRP here for outside)---outside
For case one, I described it to you previously:
the servers will be connected to the inside FWSM VLAN,
while if you want to run GLBP or HSRP on the server VLAN you could use topology two.
In this case the servers will be connected to VLAN 90 and the MSFC directly; then the MSFC will send the traffic to the inside FWSM VLAN interface (in this case VLAN 90), and the FWSM will be connected to the outside, not the MSFC!!
Which one suits you?
If you need more details let me know.
The IP address I put is only an example, not a must!!
Just let me know what is going to be connected to the outside of the 6500,
and do you want the outside link to be connected to the FWSM, the MSFC, or will either one work for you?
Because you have to decide where to put the MSFC and FWSM logically, not physically, OK?
I need your kind input on the same. My logical network diagram is attached. I would like to run the FWSM in Transparent mode with the same case: Active/Active load balancing and failover.
I have 1 VLAN for servers, 1 VLAN for users, and 1 VLAN for management in the network.
(In FWSM routed mode I would prefer to run it like this:
Inside is the Server VLAN, the User VLAN is a DMZ with the same Security Level as inside, and Outside will connect back to the MSFC and forward to the FlexWAN.)
Can i do this in Transparent mode?
In my scenario do i have to run multiple bridge groups?
Can I run this in a single context mode (I would prefer)?
In regard to transparent mode,
according to Cisco Press:
With the FWSM configured for transparent mode, it acts as a "bump in the wire." This configuration, known as a bridge group, supports only an inside and outside interface, essentially bridging the networks together, as shown in Figure 3-1. Up to eight bridge groups are supported on the FWSM, unless it's configured for multiple contexts; then it's eight bridge groups per context. Any attempt to configure more than eight will result in the following error message:
ERROR: Maximum number of interfaces already configured.
Which means you can use one context, but the grouping of VLANs and interfaces will be in pairs of two, inside and outside only.
In your case you have about three or four.
The question here is why you prefer to implement transparent mode:
do you have an IP addressing issue or a routing issue?
Let me know.
If you want to go with routed mode we can discuss it here as well.
good luck :)
Thanks for the reply. I had decided to go with routed mode, which I have done once before.
I was just thinking to see the difference, and also from the ongoing maintenance point of view I thought to go for transparent mode. No issue with the IP addressing.
But i would like to know more about the transparent mode only.
I didn't get clarity on this part.
Say I have a Server VLAN 50, ports are configured in VLAN 50, IP 192.168.50.x/24, preferably inside of the FWSM. I want to filter / do the firewalling between the user VLAN and the server farm. User VLAN 10, ports configured in 10, with 192.168.10.0/24.
How would the configuration be in this case?
Thanks a lot.
Based on your requirement you need one more VLAN for the firewall outside.
Let me describe it for you.
First of all, in transparent mode there will be no IP address on the firewall interfaces;
there will be only a bridge-group IP address for management, called the BVI interface; this one will be in the same subnet as the outside VLAN.
Your case could be configured like:
servers vlan50 --inside--fwsm--outside vlan 51--msfc svi vlan 51
Now for VLAN 50
you will not configure any SVI or IP address, but VLAN 51 will have the IP addressing and subnet exactly as VLAN 50.
In this case the firewall will bridge between interfaces and VLANs only, not routing,
and the communication between the servers and users will be through the FWSM and routed by the MSFC.
The default gateway of the servers will be the VLAN 51 SVI.
That's why transparent mode is useful when you need a firewall in between devices or VLANs without changing the IP addressing or routing topology.
It is an L2 device with L3/4 intelligence.
Rate if helpful.