I have some questions regarding FWSM and CSM. Thank you in advance for your feedback.
I am using a pair of 6513 with one fwsm and csm in each. I am setting up a dmz environment with these units. fwsm is the second tier firewall (a pair of PIX 525 are in perimeter).
1. Do I have to use MSFC? I am connecting PIXes to the outside VLAN of the FWSM and two inside routers to inside VLAN of the FWSM. FWSM has a DMZ VLAN as well. I don't see any reason to involve MSFC in the picture. Is this correct? Is there any reason in the future that I may need MSFC (i.e. changing from single context to multiple or using load balancing for DMZ servers)?
2. I am going to extend outside and inside VLANs of FWSM between two 6513 switches. Should I do this for DMZ as well? As I do not use gateway redundancy for my DMZ servers and it is a pure firewall configuration of 6513/FWSM, I don't think it is required.
3. My understanding is with extending outside VLAN, if the link between primary PIX and primary 6513 fails or if primary PIX fails over to secondary for any reason, secondary PIX will have a way to get to the outside interface of primary FWSM. Is this correct? If not, then how I can make sure that PIX fail over will be transparent to primary 6513/FWSM which is not connected to secondary PIX?
4. Any difference in spanning-tree configuration between this environment and a regular dual homed server based config?
1) No you should be fine if you leave out the MSFC. Certainly you don't want the MSFC between your perimeter pix firewalls and the FWSM's as you could end up routing around the firewalls. You could have the MSFC on the inside of the FSWM's.
Changing to multiple context will not requre that you need the MSFC for the above. It is quite feasible to have a separate context where the MSFC is involved and still have your above setup where you haven't involved the MSFC. You dictate this by how you allocate vlans to the FWSM.
2) You will have to extend the DMZ, or at least you will have to allocate the DMZ vlan on both switches under the "firewall vlan-group .. " command. If you don't allocate the same vlans on each switch to the FWSM your failover will not work properley. If the DMZ servers are physically connecting into the 6500 chassis i would look to dual hone and include the DMZ in failover if you can. Can't see the reason not to use failover between chassis's if you can. (Of course depends on your have 2 NIC's in DMZ servers ).
3)Assuming your 6500's are connected with a layer 2 trunk yes the secondary pix should still be able to get to the outside interface of the FWSM primary.
4) For the FWSM not really. Just make sure you use a dedicated layer 2 trunk/etherchannel for the FWSM between the 2 switches.
Hope this has answered some of your queries
Thanks a lot for your response. Actually based on my research in the postings I was hoping to see a feedback from you as your postings are pretty helpful ... Lucky me!
A couple of points/elaboration on items 2 and 4:
2) I am going to have exact switch L2 VLAN and FWSM setup (obviously using different IPs at FWSM) on secondary 6513, so I will have DMZ ports and they will be connected to the DMZ servers (they have dual NICs). Based on your comments, then I do NOT need to span DMZ VLAN. Right? (Note that I do not need to worry about 6500 switch fail over because in case it happens it will be dealt with in the same fashion as FWSM fail over, which is covered the way I am going to do it.)
4) I am going to use a etherchanneled trunk between switches which will carry outside FWSM, inside FWSM, new native VLAN and two VLANs for FWSM fail over and state. I mean do I have to have a dedicated trunk only for FWSM failover as recommended is some documents?
Thanks for your help.
Thanks for the compliment.
Could you elaborate on point 2. The DMZ will be based on the FWSM's , correct ? Not sure what you mean by SPAN the DMZ.
As for the dedicated trunk link. It really depends on how much other traffic ie. non-firewalled traffic you are passing between the 2 6500's. If you are only using the 6500 chassis's to host the FWSM's and a couple of DMZ's then you should be fine. But if the switches also host a number of non-firewalled vlans with servers then you need to be careful that the trunk does not get overloaded otherwise stateful packets for the FWSM, routing updates, keepalives etc. can get lost.
Regarding point 2 I think I was wrong about not extending DMZ VALN. I try to explain it a bit more clear:
My MDZ is based on FWSM. There is no other VLANs with interfaces on MSFC. Servers in this DMZ are dual homed with one link to primary 6513/FWSM and one link to secondary. Let's consider my plan to avoid extending DMZ VLAN. That means my L2 trunk carries only inside and outside FWSM VLANs as well as FWSM fail over and state VLANs (plus a native VLAN).
Now, if I lose primary FWSM, traffic comes from ouside PIX to primary 6500, gets to secondary 6500 via trunk, goes through secondary FWSM and gets to the server. If I lose the whole primary 6513, then outside PIX will fail over, traffic gets to secondary 6500 and FWSM and finally DMZ server.
However, if I lose the connection of a DMZ server to primary switch, FWSM will not fail over (because the other servers in DMZ are alive). Although the disconnected server will still have connectivity to secondary 6500/FWSM DMZ VLAN, it would not help because that FWSM is standby and passing no traffic. For this reason, I probably need to extend the DMZ VLAN and add it to the trunk as well.
Please let me know if my understanding above is correct ...
Thanks a lot
Could you just clear up a point for me.
You are creating the DMZ vlan on both of your 6500 chassis's and allocating it to the FWSM on each respective switch.
So when you talk about not spanning the DMZ you don't mean only having the DMZ on one of the switches, you actually mean not adding the DMZ vlan to the allowed list of vlans on the trunk between the 2 6500's.
Have i understood correctly because it makes a big difference to your above questions ?
Yes, DMZ VLAN exists on both 6500 switches. The question is whether or not to include it in the L2 trunk between the 6500s.
As mentioned before, first I thought I should exclude it but now I believe it should be included ...
Yes i agree you should allow this vlan across your layer 2 etherchannel trunk. If you don't then the failure scenario you described could indeed happen.
I have never set up a redundant pair of FWSM's like this where on each FWSM you have the same vlan but you do not pass the traffic along the trunk. I suspect it could create unforseen problems but without setting it up i'm not sure. However as discussed it would be best to allow all FWSM vlans across the trunk link.