Im installing a new FWSM and I have a couple of questions. Currently I have several VLANs defined with SVI's on my Cat 6500's and they can all pass traffic to one another. Now I need to segment 3 VLANS (Currently Layer3) from each other and everything else. So from my understanding of this statement "For security reasons, by default, only one SVI can exist between the MSFC and the FWSM. For example, if you misconfigure the system with multiple SVIs, you can accidentally allow traffic to pass around the FWSM if you assign both the inside and outside VLANs to the MSFC."
Does this mean that I would....
1. Have a layer 3 vlan on the Cat6500 that would be the inside interface that is attached to the FWSM (this will route traffic from the segmented VLANS)
2. The 3 interfaces that I want segmented I would convert to layer 2 vlans by removing the current SVI's
3. And I would assign all 4 vlans to my firewall vlan-group on the switch?
1) Not sure about it being the inside interface. Usually the outside interface of the FWSM is on a vlan that the MSFC has a L3 SVI for. So all traffic to any other vlans behind the FWSM are routed by the MSFC to the outside interface of the FWSM.
2) Correct - you remove the SVI's and create interfaces on the FWSM for these vlans.
3) Correct altho if memory serves you don't need to allocate the outside vlan to the FWSM but it doesn't hurt not to as long as this vlan is only used for communication between the MSFC and the FWSM.
Thanks for your reply. Your right about the first part, it would be the outside interface, I was thinking of another scenario here that would require it to be the inside interface. Can you run OSPF on the FWSM? If not would I just use static routes to point the layer3 int on the FWSM for the switch to be able to route traffic?
Yes the FWSM will support OSPF. If you do run OSPF make sure you make the OSPF priority on the FWSM interfaces 0 so they cannot become the DR/BDR as if the 6500 switches failover things are a lot quicker.
Alternatively you can just use statics as you say. How you get these statics into the rest of your network is up to you but usually you simply redistribute them into your IGP.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :