Does FWSM transparent mode in a 6509 support a medium or large enterprise?

fly
Level 2

Someone said FWSM transparent mode in a 6509 can only support small business; it can't support a large or medium enterprise.

We have 3 zones connected by virtual FWSM, and one Internet access.

About 1500 computers.

In this situation, can we only use routed mode on the FWSM?

Thank you!

7 Replies

a.kiprawih
Level 7

Hi,

Putting an FWSM in a Cat6509 does not necessarily mean it is meant for small business.

It very much depends on the design, size or traffic load that needs to pass through the FWSM due to intensive inbound/outbound resource access and so on.

The FWSM (2.x or higher) itself is capable of handling a large volume of traffic or load with its 5-Gbps throughput, 100,000 CPS, and 1M concurrent connections.

Depending on your requirements, you can always add another FWSM module to your Cat6509 (max 4 x FWSMs for 20GB firewall throughput per chassis/switch), or if you have 2 x Cat6509, you can install each unit with an FWSM. Having 1,500 users/clients/hosts doesn't mean the FWSM cannot handle the traffic load. It very much depends on how you want to control the traffic flow, access between segments and what kind of services, applications, bandwidth and expected or maximum connections/sessions.

For an FWSM design that needs to host an Internet segment together with other more secure (higher security level) internal segments, routed mode is more recommended. Routed mode is similar to having a dedicated firewall to segregate secure and insecure segments (inside vs outside/Internet). You can have translation to hide your internal addresses and so on.

More FWSM details can be found at:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_data_sheet0900aecd80281886.html

FWSM design placement:

http://www.cisco.com/en/US/products/sw/cscowork/ps4565/products_user_guide_chapter09186a0080231cb4.html

Rgds,

AK

Hi,

Thank you for your answer!

We don't use the FWSM to access the Internet. We use the FWSM inside the enterprise to connect different departments.

So we don't need NAT; in this situation, I found a document on CCO saying transparent mode is fine.

But we connect two FWSMs in two 6509s, and we are afraid of a loop around the two 6509s; we found that when we misconfigured the FWSM and 6509, it was easy to create a loop in the network.

Thank you!

The FWSM supports routed and transparent mode, but can only run one at any time.

Since you need the FWSM to control internal connectivity and require no address translation, transparent mode is a better way to do it.

We do have experience commissioning 2 x Cat6509 and 2 x Cat6513 running redundancy, with boxes running hybrid and native IOS.

If you use a DOT1Q trunk between them, make sure both boxes are configured properly, especially the spanning tree, plus HSRP for HA.

Rgds,

AK

I think transparent mode is better.

But when we tested it, connecting 3 departments through two FWSMs on two 6509s, each department with two 4506s, using trunks and redundant links and devices, we found CPU utilization on the FWSM and switch was very high.

Someone said transparent mode is not good in a large enterprise environment. But the traffic in the customer network is not high; the connection count is under 8000.

Now we have changed to routed mode on an expert's suggestion, but we must configure many static routes on the MSFC and 4506.

Thank you!

Hi AK,

How many contexts did you configure in your work, and how many department networks are connected by the FWSM? Do you use transparent mode in the 2 x 6509 and 2 x 6513? Does it work well?

Have you met some problems?

Thank you!

Cheers

Tom

2 x Cat6513 (native IOS) with FWSM running in routed mode. We assigned many VLANs behind the FWSM, and use one VLAN as a 'trunk' VLAN connecting the switch/MSFC to the FWSM, with OSPF for routing.

Here, we do not implement any address translation but simply use statics for connectivity:

static (inside,outside) x1.x1.x1.0 x1.x1.x1.0 netmask nn.nn.nn.nn
static (dmz,outside) x2.x2.x2.0 x2.x2.x2.0 netmask nn.nn.nn.nn
static (inside,dmz) x1.x1.x1.0 x1.x1.x1.0 netmask nn.nn.nn.nn

Between the Cat6513s are 4 x dot1q trunk ports. VLANs are divided equally between the boxes (using spanning tree priority + HSRP standby priority).

For the transparent FWSM, 2 x Cat6509 (native IOS) with 2 x dot1q trunk ports between them. All VLANs (user and other VLANs, such as the server VLAN) logically sit behind the FWSM. Routing (or inter-VLAN routing) is handled at the switch/MSFC level. No NAT between any VLANs.

All working fine.

Rgds,

AK
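The routed-mode layout AK describes above (one 'trunk' VLAN to the MSFC running OSPF, identity statics between segments instead of NAT), written out as an added example; this is not configuration from the thread or from Cisco, and the VLAN numbers, addresses, slot number, interface names and the FWSM 3.x-style interface syntax are all assumptions.

```cisco
! --- Catalyst 6500 (MSFC) side, assumed: hand three VLANs to the FWSM in slot 3
firewall vlan-group 10 100,200,300
firewall module 3 vlan-group 10
!
! --- FWSM side, routed mode (FWSM 3.x interface syntax assumed)
! VLAN 100 is the 'trunk' VLAN towards the switch/MSFC
interface Vlan100
 nameif outside
 security-level 0
 ip address 10.10.0.2 255.255.255.0
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
interface Vlan300
 nameif dmz
 security-level 50
 ip address 10.30.0.1 255.255.255.0
!
! OSPF peers with the MSFC over the trunk VLAN and advertises the
! inside/dmz subnets, so no static routes are needed on the MSFC
router ospf 1
 network 10.10.0.0 255.255.255.0 area 0
 network 10.20.0.0 255.255.255.0 area 0
 network 10.30.0.0 255.255.255.0 area 0
!
! Identity statics: same address on both sides, so nothing is translated;
! they only let the FWSM build connections between the interface pairs
static (inside,outside) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
static (dmz,outside) 10.30.0.0 10.30.0.0 netmask 255.255.255.0
static (inside,dmz) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
!
! The FWSM permits no traffic by default, even from a higher to a lower
! security level, so each interface needs an explicit inbound ACL;
! keep these narrow rather than 'permit ip any any' (assumed ports)
access-list INSIDE_IN extended permit tcp 10.20.0.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit tcp 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0 eq 22
access-group INSIDE_IN in interface inside
access-list DMZ_IN extended permit tcp 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0 eq 1433
access-group DMZ_IN in interface dmz
access-list OUTSIDE_IN extended permit tcp any 10.30.0.0 255.255.255.0 eq 443
access-group OUTSIDE_IN in interface outside
```

Because the statics are identity mappings, the internal addresses are visible from the outside interface; this matches AK's internal-only use, but is not the right choice where an Internet-facing segment must hide the inside addressing.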

Thank you!

We just have 3 VLANs behind the FWSM; some said it is not very good to use transparent mode.

It seems it is not a problem.

The customer's traffic and connection count are not very high;

I don't know why.

You gave me some confidence. Thank you!

Tom
