FWSM vlan interface

Hello, quick question I hope someone can help with.

Is it possible for me to create 2 vlan interfaces on the 6500 and have them both in the same subnet?

For a specific customer requirement I would like to have a vlan interface on the 6500 as default gateway, sat in its own VRF, and then route all traffic inbound and outbound to this vlan through the FWSM interface, preferably in the same subnet. I don't think this will be possible so just looking for confirmation either way.

As I will be running EIGRP between a pair of central 6500's and 2 remote offices it will make things much easier for me to advertise the connected FWSM interfaces into EIGRP for access in/out of all my VRF'd subnets. If I need another subnet for each VRF FWSM next hop then I'll have to redistribute a list of statics which I don't really want to do.

The reason I am not just using the FWSM as gateway is because I need to run HSRP across 3 different devices (another 6500 in a second suite), and failover FWSM will only give me 1 level of redundancy for those gateways.

Hope that makes sense, let me know if you have further questions.

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

FWSM vlan interface

If I understand your question, you'd like inside hosts to send all traffic to the 6500 SVI, a 3-way HSRP virtual IP. The routing table of the VRF where that SVI (and the standby addresses) lives could (and should) then have a default route to the FWSM HA pair's inside address. So far that's all fine and can be done with a single VLAN. Remember the VLAN is a Layer 2 construct and, while usually equated with a Layer 3 routing domain, routing flows can move around among hosts within a given VLAN.

The FWSM pair's outside interface would of course be on a separate VLAN with an outside IP address assigned at Layer 3.

I'm not quite sure what a third 6500 in the HSRP standby group is giving you if you're dependent on one of the two FWSMs for your end to end flows to work.
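
The single-VLAN layout described in the answer above, written out as an added example; it is not configuration posted by anyone in this thread. The VRF name, VLAN IDs, FWSM slot number and every address are constructed placeholders.

```cisco
! Constructed example: VRF name, VLAN IDs, module slot and addresses are placeholders.
! --- Catalyst 6500 (one of the three HSRP members) ---
ip vrf CUST-A
 rd 65000:100
!
! Hand the inside and outside VLANs to the FWSM (slot 4 assumed).
firewall vlan-group 10 100,200
firewall module 4 vlan-group 10
!
vlan 100
 name CUST-A-INSIDE
vlan 200
 name FWSM-OUTSIDE
!
! Host gateway: SVI in the VRF, sharing VLAN 100 and its subnet
! with the FWSM inside interface.
interface Vlan100
 ip vrf forwarding CUST-A
 ip address 10.10.100.2 255.255.255.0
 ! Assumption: suppress ICMP redirects, because the SVI forwards
 ! traffic back out the VLAN it arrived on.
 no ip redirects
 standby 100 ip 10.10.100.1
 standby 100 priority 110
 standby 100 preempt
!
! VRF default route points at the FWSM pair's active inside address.
ip route vrf CUST-A 0.0.0.0 0.0.0.0 10.10.100.4
!
! --- FWSM (active unit; the failover peer takes the standby addresses) ---
interface Vlan100
 nameif inside
 security-level 100
 ip address 10.10.100.4 255.255.255.0 standby 10.10.100.5
interface Vlan200
 nameif outside
 security-level 0
 ip address 192.0.2.4 255.255.255.0 standby 192.0.2.5
route outside 0.0.0.0 0.0.0.0 192.0.2.1
```

VLAN 200 deliberately has no SVI on the 6500 in this example, so the FWSM stays the only Layer 3 path between the inside and outside VLANs.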

3 REPLIES

FWSM vlan interface

Thanks Marvin. You do understand the question, and it occurred to me after writing the above that I could just use a single FWSM inside interface and route in and out of each VRF via that 1 interface (All VRFs belong to a single customer, just required for segregation of internal traffic).

The third 6500 running HSRP will be located in a DC 100km away connected via dual 1Gb circuits (3ms latency), and has its own default route to a pair of ASA 5520's. If both FWSM's go down then the gateway will go live in the second site and traffic will be switched over our SP QinQ tunnel to that gateway. Relevant BGP bits (MED), etc. will also be in place for seamless failover and traffic flow to and from the /23 PI range peered with the same ISP in each location.

Thanks again.

Chris

Hall of Fame Super Silver

FWSM vlan interface

You're welcome.

I figured there must be more to the picture with respect to the 3rd member of the HSRP standby group.

So, yes, we seem to be in agreement that it should work as discussed above.

Once you confirm it operationally, please provide feedback and/or rate and mark the question as answered.
