I have a transparent FWSM with about 13 contexts. All works fine except when trying to firewall an interface that's trunked (with phone and PC on different VLANs) by changing the native VLAN. Access remains to the phone, but is lost to the host:
VLANs 300 and 350 are outside the FWSM context
VLANs 400 and 450 are inside
Not firewalled and works:

interface FastEthernet1/4
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 350
 switchport mode trunk
 no ip address
 power inline auto max 7000
 spanning-tree portfast

Firewalled and works:

interface GigabitEthernet5/8
 switchport
 switchport access vlan 400
 switchport mode access
 no ip address
 power inline auto max 7000
 spanning-tree portfast

Firewalled and doesn't work:

interface FastEthernet1/4
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 450
 switchport mode trunk
 no ip address
 power inline auto max 7000
 spanning-tree portfast
Is it possible to firewall a trunked interface? I haven't found any information indicating one way or the other.
Thanks for the reply, but I'm still not clear if it's possible to use a context with a device connected to an interface that is configured as a trunk. I realize that the FWSM has no concept of trunks and is connected by a trunk itself, but the traffic going to the two devices is "switched" going into the interface. Why can't the action be that the tagged traffic goes to the FWSM and then back to the interface (and then trunked), as it would if the interface was configured as switched?
You also state: "If the pc and phone are in different vlans then both would need to be pushed to FWSM and 'firewalled'." Are you just saying to move to different ports? I'm unclear what your meaning is here.
Let's say you have a PC that connects to VLAN x and a phone that is in VLAN y.
There is a trunk that passes VLANs x,y.
The PC packets have VLAN ID x and the phone packets VLAN ID y.
They come into the switch. The switch routes or switches them depending on the setup. If they are destined to the L3 VLAN x/y IP address it routes; if they are destined to a VLAN x or y MAC that is not the switch's, then it just switches the packet at L2. In any case the packet will need to be picked up by the FWSM if you want it firewalled.
In other words, if the FWSM has VLANs x and y as interfaces (L3 mode) and, if need be, the switch has a next hop for the traffic sourced from the phone or PC (switch routing scenario), it should forward the packets to the FWSM and that should act accordingly. If it is not at L3 and the switch just switches the packets, it should just pass them at layer 2 to the FWSM and that should pass them. Trunk or no trunk, the switch reads the tags and does its job for the VLAN the packets are coming in on.
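As an added example (not from either poster), this is what "pushing" the VLANs to the FWSM looks like on the Catalyst 6500 supervisor: the VLANs that the question lists (300/350 outside, 400/450 inside) are placed in a firewall VLAN group and that group is bound to the FWSM slot. The module slot (3) and the group number (1) are assumptions, since the thread does not give them; the trunk port is the one from the question.

```cisco
! Supervisor (MSFC) side. A transparent context only sees traffic for
! VLANs that are assigned to the module, so both the outside and the
! inside VLAN of each context must be in a group bound to the FWSM.
firewall vlan-group 1  300,350,400,450
firewall module 3 vlan-group 1
!
! Access trunk to the phone/PC. Untagged frames from the PC are placed
! in the native VLAN (450, the inside VLAN); tagged frames from the phone
! keep their own VLAN. Restrict the trunk to the VLANs actually needed.
interface FastEthernet1/4
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 450
 switchport trunk allowed vlan 400,450
 switchport mode trunk
 no ip address
 power inline auto max 7000
 spanning-tree portfast
!
! Checks: confirm the VLAN group is bound to the module and that the
! module is up before troubleshooting the context itself.
! show firewall vlan-group
! show firewall module 3 state
```

The `show firewall module` output lists the VLANs the FWSM trunk actually carries; if 450 is missing there, untagged PC frames on the new native VLAN never reach the context.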
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...