I just wanted to know, basically, whether a requirement is supported on the FWSM or not.
There is an FWSM 3.1 blade on the 6500. The main intention of purchasing it was to protect traffic to and from the server VLANs. There are about 12-13 servers in total, grouped into 2-3 server VLANs.
What is unique about the customer's requirement is that:
1. There are servers on the same SUBNET that also need to be protected from each other! I am wondering if this is ever possible. Moreover, these servers are not connected to the 6500 directly. They are connected to an access switch, and the access switch connects to the core. So the traffic will never pass to the core at all. Is there a possibility that I can physically segment such servers onto separate switches and put the FWSM in between them? I heard that there is something called bridging VLANs? I am not sure about this.
2. The second unique requirement is that there are vendors who log in to the servers remotely to provide remote application support. These vendors should not be able to access other servers just because they have reachability to one server. I am wondering if this kind of protection can be provided at the network level? At the host level, maybe there is a possibility.
I am very sorry if I am asking any dumb questions. But if it's possible, I would really appreciate any pointers to further directions in this regard.
Thanks a lot
Well, the traffic will come back to the 6500 to communicate within the VLAN. But off the top of my head, I can't think of how to control traffic within the VLAN, except maybe with CSA or some other form of HIPS. I will take a look at a few things to brush up on that. Obviously it would be more secure to create multiple VLANs and secure them with ACLs. You wouldn't impede traffic this way either. Just think over that option and see if it could remain viable.
Regarding the second option, you can control the vendor's access. Just put statements on your firewall/routers to only allow the specific vendors to go to specific IP addresses. This may create more lines in your ACLs, but it is a more secure way of doing business.
Respond back if you need assistance with setup.
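As an added illustration of the "specific vendors to specific IP addresses" statements suggested in the reply above (this is not configuration from any post in the thread), here is what that looks like as an FWSM 3.x style inbound access list. The vendor source address, the interface name "outside", the server address 172.27.3.11 and the use of RDP (TCP 3389) are all assumptions chosen for the example.

```cisco
! Added example, not from the original thread.
! Assumed: vendor A connects from 203.0.113.10, needs RDP only to server1 (172.27.3.11).
object-group network VENDOR-A
 network-object host 203.0.113.10
!
object-group service VENDOR-A-SVC tcp
 port-object eq 3389
!
! Permit exactly the vendor -> server -> service triple, nothing wider.
access-list OUTSIDE-IN extended permit tcp object-group VENDOR-A host 172.27.3.11 object-group VENDOR-A-SVC
!
! Explicit logged deny so attempts to reach other servers show up in syslog
! (the FWSM would deny them implicitly anyway).
access-list OUTSIDE-IN extended deny ip any any log
!
! Bind the list inbound on the interface the vendors arrive through (name assumed).
access-group OUTSIDE-IN in interface outside
```

Verify with `show access-list OUTSIDE-IN` (hit counters per line) after a test login. One caveat a practitioner should keep in mind: an interface ACL like this only governs traffic that actually crosses the FWSM. It restricts which server a vendor can reach from the outside, but a session opened from server1 to server2 inside the same server VLAN never passes through the firewall, so this list alone says nothing about that hop.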
Thanks a lot for your quick reply. With regard to the 6500 getting the traffic, I am keen to know how this will happen when the access switch is connected to the servers and not to the core directly.
With regard to controlling vendor access, let's say for example that a vendor has access to server1 but not to server2, but server1 has access to server2. Now, if the vendor has access to server1, he should not be able to access server2 FROM server1. This is the requirement.
Thanks a lot
You are correct in what you say. If server1 wants to talk to server2 and they are both on the same access switch and in the same VLAN, then the traffic will not go to the 6500 core switch.
You can use the FWSM in routed or transparent mode. Transparent mode is layer 2 and the FWSM bridges between 2 VLANs. However, even this will probably not help you.
If you want to protect servers from each other on the same VLAN then you could look at private VLANs. Private VLANs work by having 3 categories of ports. Here is a link to a doc for this.
Even this might not solve your problem if server1 needs to communicate with server2 on the same VLAN. You could look at VLAN maps/access-lists.
In the end, if none of these support what you need, then the only way to do what you want effectively is to look into moving the servers into their own VLANs and using the FWSM to firewall between them, but readdressing may not be something you can do.
I have used 3750 example docs. I don't know what your access-layer switches are, so you would need to check if they support the features I've listed.
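The VLAN access map mentioned in the reply above is the one option in this thread that filters traffic that never leaves the access switch, so here is an added worked example of one on a Catalyst 3750 (not configuration posted by anyone in the thread). It drops traffic between server1 and server2 while leaving everything else in the VLAN untouched. The addresses 172.27.3.11/.12 and the VLAN number 30 are assumptions for the example.

```cisco
! Added example, not from the original thread.
! Assumed: server1 = 172.27.3.11, server2 = 172.27.3.12, both in VLAN 30 on this switch.
!
! In a VACL the ACL does not permit or deny by itself; "permit" entries select
! the traffic the access-map sequence acts on. Both directions are listed so
! neither host can initiate to the other.
ip access-list extended SRV1-SRV2
 permit ip host 172.27.3.11 host 172.27.3.12
 permit ip host 172.27.3.12 host 172.27.3.11
!
! Sequence 10: traffic matching the ACL is dropped.
vlan access-map SERVERS-VACL 10
 match ip address SRV1-SRV2
 action drop
!
! Sequence 20: no match clause, so all remaining traffic in the VLAN is forwarded.
! Without this, the implicit behaviour would drop everything else.
vlan access-map SERVERS-VACL 20
 action forward
!
! Apply the map to the server VLAN. A VACL is applied to the VLAN, not to a
! port, and is not direction-sensitive.
vlan filter SERVERS-VACL vlan-list 30
```

Check the result with `show vlan access-map SERVERS-VACL` and `show vlan filter`. Two caveats worth remembering: because same-VLAN traffic between two servers on one access switch is switched locally, the filter has to be present on every access switch that carries VLAN 30, not only on the core; and an IP ACL in a VACL does not touch non-IP frames such as ARP, so the hosts will still see each other at layer 2 even though IP between them is dropped.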
Thanks a lot everyone for your wonderful help as always.
In the case of private VLANs, I am left with the only option of deploying the FWSM in routed mode. This is because private VLANs require Layer 3 intervention for communication between the secondary VLANs? Am I right?
One more question on the link given by Jon for configuring private VLANs on the 3750:
It is mentioned that I need to configure a Layer 3 SVI for the primary VLAN if I want inter-VLAN routing. Does it mean routing between a private VLAN and other VLANs? Or does it mean routing between secondary VLANs? In other words, my question is: is a Layer 3 interface required for routing between ports belonging to one single private VLAN, or is Layer 3 required for ports between separate VLANs?
Thanks a lot
Just one more question on this setup. When I connect the servers physically to the access switch and the switch to the 6500, I can create private VLANs on the access switch that will be trunked to the core switch. But should I create the private VLANs on the core switch also? I am supposed to create the same VLANs on the core before I can assign them to the FWSM. Right?
If the servers are connected to the core directly, then it is straightforward. But when the private VLANs are created on the access switch, then how should the 6500 core be configured to act as a passthrough between the servers and the FWSM?
Thanks a lot
Let's say that I configure private VLANs on the access switch (3560) and trunk its link to the core. What exactly do I need to configure on the core 6500 switch to accept private VLAN information from the access switch? Ultimately, only the VLANs in the core can be added to the FWSM. Right? So, I need to configure VLANs on the core too. But do I need to assign ports also to the created VLANs before they can be assigned to the FWSM?
Thanks a lot
As far as I know you will need to create the private VLAN on the core 6500 as well as on the access layer switches.
You then assign the primary VLAN to the FWSM. The FWSM then handles all secondary VLAN traffic. Please note that private VLAN support on the FWSM only started in v3.1, so you will need that.
I don't believe you will have to assign any access ports into the VLAN before allocating it to the FWSM; you don't with normal VLANs, so I can't see why you would with this.
As far as the use of the SVI for the primary VLAN: remember that all your devices in your private VLAN are using the same subnet range, so the SVI will not be used for one community VLAN to talk to another within the same private VLAN. Indeed, if you needed this then you should not place both communities within the same private VLAN.
I have used private VLANs before but not on the FWSM; I'd be interested to know how you get on.
Thanks a lot for your very helpful responses. I will create private VLANs on the core switch as well.
The FWSM blade that I will use runs 3.1 code. So hopefully it should be fine.
I will also be trying to configure private VLANs on a 4948 switch, which has scanty support for private VLANs (no community VLANs). I will certainly let you know the outcome of the test setup tomorrow, where I will be configuring the FWSM with the 3560 and the 4948.
One thing that I overlooked while reading the chapter on "Configuring Private VLANs" is that only one isolated VLAN is supported per private VLAN.
How do I create multiple isolated VLANs? Do I need to create multiple private VLANs? But each private VLAN has its own IP segment. Right? I don't want to modify the existing addressing scheme. This is the crux of the customer requirement.
As a solution to this, can I keep adding community VLANs and just assign each of them to one port instead of two or more? I believe creating community VLANs and assigning them to one port is as good as creating an isolated VLAN. Right?
Thanks a lot
Another thing that I wanted to add is about step-by-step server farm migration.
The customer has a server farm in the 172.27.3.x segment. There is a Layer 3 interface for this VLAN in the 6500. Now, the customer is ready to migrate only two servers behind the FWSM without changing the IP addressing scheme.
Is it possible? To my understanding, unless the Layer 3 interface is removed from the 6500, data will not flow through the FWSM and will always bypass it.
Is there a way such step-by-step server migration can happen without readdressing? Even creating test VLANs looks difficult for this purpose.
Thanks and Regards
You will have to either migrate the entire 172.27.3.x subnet to the FWSM or readdress the servers that you want to place behind the FWSM.
If you leave the SVI on the 6500 then, as you say, you will be routing around the firewall.
Why do you need multiple isolated VLANs? You would want multiple community VLANs so that you can group different sets of servers. But in an isolated VLAN you are only placing servers that cannot talk to anything else other than the promiscuous port, which in your case will be the FWSM interface.
So you just place all the servers that you want isolated into the same isolated VLAN.
Does this make sense?
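The two replies from Jon above (the one on creating the private VLAN on both the core and the access switch and handing the primary VLAN to the FWSM, and this one on putting every mutually-protected server into a single isolated VLAN) fit together into one layout, so here is an added configuration sketch of it. This is not configuration posted in the thread. The VLAN numbers (100 primary, 101 isolated, 102 community), port numbers, the FWSM slot, and the use of 172.27.3.1 as the FWSM address in the customer's existing 172.27.3.x range are all assumptions; the statement that assigning only the primary VLAN is enough for the FWSM to carry the secondary VLAN traffic is Jon's from above and is not something I have verified myself.

```cisco
! Added example, not from the original thread. All numbers are assumed.
!
! ===== 3560 access switch =====
! Private VLANs require VTP transparent mode on this platform.
vtp mode transparent
!
! Secondary VLANs are defined first, then associated with the primary.
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Every server that must be protected from all the others goes into the ONE
! isolated VLAN; isolated hosts can only reach the promiscuous port (the FWSM).
interface FastEthernet0/1
 description server1 - isolated
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface FastEthernet0/2
 description server2 - isolated
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Servers that genuinely need to talk to each other share a community VLAN.
interface FastEthernet0/3
 description app server - community
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface FastEthernet0/4
 description db server - community
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Uplink to the 6500: an ordinary 802.1Q trunk carrying primary and secondary
! VLANs (assumed here; both ends are PVLAN-aware switches).
interface GigabitEthernet0/1
 description uplink to 6500 core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100-102
!
! ===== 6500 core (supervisor) =====
vtp mode transparent
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
interface GigabitEthernet1/1
 description downlink to 3560 access switch
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100-102
!
! No "interface Vlan100" SVI on the MSFC: if one existed, hosts would route
! around the FWSM (as noted above). Only the primary VLAN is given to the FWSM,
! which is in slot 3 here (slot assumed).
firewall vlan-group 10 100
firewall module 3 vlan-group 10
!
! ===== FWSM (3.1, routed mode) =====
! The FWSM interface takes over the gateway address the SVI used to hold.
interface Vlan100
 nameif servers
 security-level 100
 ip address 172.27.3.1 255.255.255.0
```

On the access switch, `show vlan private-vlan` should list 100 with 101 and 102 as its secondaries and the ports above as members; on the 6500, `show firewall vlan-group` should show VLAN 100 in group 10. The isolated hosts keep their 172.27.3.x addresses and still resolve each other's MAC addresses through normal ARP only via the promiscuous port, so any server1-to-server2 traffic has to pass through the FWSM, where it can be permitted or denied by an ACL on the "servers" interface.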
Thanks a lot for your clarification. My understanding was that if 10 servers were to be protected from each other, then I would need 10 isolated VLANs, each associated with 1 server. I never knew that having 1 isolated VLAN and associating the 10 servers with it would still protect the servers from each other.
Thanks a lot for correcting me on it.
On the access / distribution switch where I am going to configure private VLANs, how should I configure the port connected to the core? The core also has the same private VLANs (primary and secondary) configured.
Also, there is another access / distribution switch configured with the same private VLANs (primary and secondary) which is also connected to this access switch.
Should I configure the links to the core and to the other access switch as a normal trunk, a promiscuous trunk or a private VLAN trunk?
I still don't understand the difference between a promiscuous trunk and a private VLAN trunk. Any examples or pointers will be honestly appreciated.
Thanks a lot