New Member

FWSM on 6513 core switch

Hi all,

There are 100 VLANs (Layer 3) and 20 Layer 2 VLANs on the core switch.

I'd like to add them to the FWSM without NATing. What can I do? Do I use nat 0? And how can I add the Layer 2 VLANs to the FWSM (without having an IP address for them)?

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: FWSM on 6513 core switch

You have to understand that you can have only ONE Layer 3 routing interface in a VLAN network. If you want to use the FWSM you have to shut down all your Layer 3 VLAN interfaces on your switch! So your switch will only do Layer 2 work. You can't do HSRP in this constellation.

You need 2 FWSMs: one in the first chassis and one in the second, and then you have to configure failover on the FWSM.

I hope I could help you.

13 REPLIES

Re: FWSM on 6513 core switch

You need to run it in transparent mode; check this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

Regards,

~JG

Do rate helpful posts

New Member

Re: FWSM on 6513 core switch

Thanks for your reply.

But I have 100 internal interfaces (100 VLANs), and transparent mode works only with two interfaces (one inside interface and one outside interface), so I think I can't use transparent mode in this case.

Cisco Employee

Re: FWSM on 6513 core switch

You can have 8 VLAN pairs per context. So if you are in multi-context mode then you will need some contexts.

In general, if you don't want Layer 3 interfaces on the FWSM and you have 100 of them, what you want is a bridge. But the FWSM cannot bridge 100 VLANs at the same time. It can bridge them only in pairs.

PK

New Member

Re: FWSM on 6513 core switch

I don't have a license for using contexts.

I have 100 inside "Layer 3" VLANs, so I can't use transparent mode. Can I NAT between the inside interfaces and the outside interface using NAT 0?

New Member

Re: FWSM on 6513 core switch

1000 total per service module

256 VLANs per security context in routed mode

You will do it in single mode. Only 100 Layer 3 VLANs will be connected to the FWSM.

(You have to delete the Layer 3 interfaces from your core switch config.)

The Layer 2 VLANs don't have any gateway to other networks/VLANs because there is no Layer 3 routing interface.

On the FWSM you can route without NATing; there is an option you can use! But if you want to NAT you have to make many entries ;-)

New Member

Re: FWSM on 6513 core switch

How can I route without NATing? Can you give me an example?

New Member

Re: FWSM on 6513 core switch

Cisco ASDM User Guide:

You can find it in the NAT Rules window:

Enable traffic through the firewall without address translation - Allows traffic to pass through the security appliance without address translation.

New Member

Re: FWSM on 6513 core switch

Thanks for your reply.

I have another question: can the FWSM in routed mode work with HSRP on a 6513 core switch that has 100 VLANs (for redundancy)?

Thanks again

Cisco Employee

Re: FWSM on 6513 core switch

Yes, it absolutely can.

Just make sure to point the route on the FWSM to the standby IP on the switch side.

For example:

If 10.10.10.2 and 10.10.10.3 are the physical IPs and 10.10.10.1 is the standby IP, then the route on the FWSM should point to 10.10.10.1.
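
As an added example (not configuration posted by anyone in this thread), a minimal single-context, routed-mode fragment that ties the points of this thread together: the inside VLANs terminate on the FWSM rather than on MSFC SVIs, NAT exemption (nat 0) passes traffic without translation, and the FWSM's default route points at the HSRP standby address. The addresses 10.10.10.1-3 are from kusankar's example above; the slot number, VLAN numbers, the FWSM's own outside address (10.10.10.4) and the inside subnets are constructed, and FWSM 3.x interface syntax is assumed.

```cisco
! ===== Catalyst 6500 supervisor (MSFC) side =====
! Hand the firewall VLANs to the FWSM (slot 3 is constructed).
firewall vlan-group 1 10,101-110
firewall module 3 vlan-group 1
!
! The inside VLANs (101-110) get NO SVI on the MSFC; if they had one,
! the MSFC would route between them itself and traffic would bypass the FWSM.
! Only the outside VLAN keeps an SVI. The second chassis uses 10.10.10.3;
! both share the HSRP standby address 10.10.10.1 (addresses from the thread).
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 standby 1 ip 10.10.10.1
 standby 1 priority 110
 standby 1 preempt
!
! Return route for the (constructed) inside subnets via the FWSM's outside address.
ip route 192.168.0.0 255.255.0.0 10.10.10.4
!
! ===== FWSM, single context, routed mode (3.x syntax) =====
interface Vlan10
 nameif outside
 security-level 0
 ip address 10.10.10.4 255.255.255.0
!
! One inside interface per Layer 3 VLAN; the subnet is constructed.
! Hosts use 192.168.101.1 as their default gateway instead of an MSFC SVI.
interface Vlan101
 nameif inside101
 security-level 100
 ip address 192.168.101.1 255.255.255.0
!
! All inside VLANs sit at security-level 100, so allow them to reach each other.
same-security-traffic permit inter-interface
!
! Point the default route at the HSRP virtual IP, not at 10.10.10.2 or .3,
! so a supervisor failover does not change the FWSM's next hop.
route outside 0.0.0.0 0.0.0.0 10.10.10.1
!
! "Enable traffic through the firewall without address translation":
! NAT exemption (nat 0 with an ACL), one statement per inside interface.
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 any
nat (inside101) 0 access-list NONAT
```

The same interface/nat pair is repeated for each remaining inside VLAN; the point of leaving the inside SVIs off the MSFC is that there is then no path between inside VLANs except through the FWSM.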

New Member

Re: FWSM on 6513 core switch

Thanks kusankar for your reply, but if I enable multiple SVIs for the 100 interfaces (100 VLANs) for HSRP, the traffic may bypass both the inside and outside VLANs to the core switch (MSFC). So how can I solve this problem?

Cisco Employee

Re: FWSM on 6513 core switch

You need to do proper routing on the switch side (policy based); otherwise traffic will not hit the FWSM. Like you said, it will route around the firewall.

What is the reason for 100 SVIs between the FWSM and the switch?

Seems like you are looking for some design suggestions. Please contact your local Cisco office regarding that.

New Member

Re: FWSM on 6513 core switch

I'm using 100 VLANs because we have 100 Layer 3 VLANs in our design and we provide redundancy between them by using HSRP.

Today I made a test: I configured multiple SVIs on the core, then HSRP worked properly, but unfortunately the traffic bypassed the FWSM!

So, how can I solve this weird problem?
