Re: FWSM with a Trunked interface

gdittman12 · ‎12-11-2009

Hi,

I have a Transparent FWSM with about 13 contexts. All works fine except when trying to Firewall an interface that's trunked (with phone and PC on different VLANs) by changing the native VLAN. Access remains to the phone, but is lost to the host:

VLANs 300 and 350 are outside the FWSM context

VLANs 400 and 450 are inside

Not Firewalled and Works:

interface FastEthernet1/4
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 350
switchport mode trunk
no ip address
power inline auto max 7000
spanning-tree portfast

Firewalled and Works:

interface GigabitEthernet5/8
switchport
switchport access vlan 400
switchport mode access
no ip address
power inline auto max 7000
spanning-tree portfast

Firewalled and doesn't work:

interface FastEthernet1/4
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 450
switchport mode trunk
no ip address
power inline auto max 7000
spanning-tree portfast

Is it possible to firewall a Trunked Interface? I haven't found any information indicating one way or another.

Thanks

Panos Kampanakis · ‎12-11-2009

The FWSM has no concept of trunks.

Each of its interfaces is a vlan.

Whatever the FWSM sees in a vlan it is trunking it "firewalls" it. Meaning a packet, depending what vlan tag it has it is picked by the correct interface.

So, the FWSM cannot do trunks as you know them.

If the pc and phone are in different vlans then both would need to be pushed to FWSM and "firewalled".

PK

gdittman12 · ‎12-14-2009

Thanks for the reply, but I'm still not clear if it's possible to have a use a context with a device connected to a interface that is configured as Trunked. I realize that the FWSM has no concept of Trunks and is connected by a Trunk itself, but the traffic going to the two devices is "switched" going into the Interface. Why can't the action be that the Tagged traffic go to the FWSM and then back to the interface (and then Trunked), as it would if the interface was configured as switched?

You also state: "If the pc and phone are in different vlans then both would need to be pushed to FWSM and "firewalled".", Are you just stating to move to different ports? I'm unclear what your meaning is here.

Thanks

Panos Kampanakis · ‎12-14-2009

Let's say you have a pc that connects to vlan x and a phone that is vlan y.

There is a trunk that passes vlans x,y.

The phone packets have vland id x and the phone vlan id y.

They come into the switch. The switch routes or switches them depending on the setup. If they are destined to the L3 vlanx,y ip address it routes, if they are destined to a vlanx or y mac that is not the switches then it just switches the packet at L2. In any case the packet will need to be picked up by the FWSM if you want it firewalled.

In other words if the FWSM has vlan x and y as interfaces (L3 mode) and if need be the switch has next hop for the traffic sourced from the phone or pc (switch routing scenario) it should forward the packets to the FWSM and that should act accordingly. If was are a L3 and the switch just switches the packets it should just pass them at layer 2 to the FWSM and that should pass them. Trunk or non trunk, the switch reads the tags and does its job for the vlan the packets are coming in on.

PK