Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Firewall Service Module Cat6k


We are trying to install a Firewall Service Module in a Cat6k with Sup2 and MSFC2. We must do it with CatOS (7.5(1)).

MSFC2 works like an inside router and routes traffic between its connected vlans. Firewall module routes traffic between secure segments (inside-outside, dmz-outside, etc...)

But we don't know how to connect msfc with firewall module. In other words, we need a default route in msfc pointing to inside IP of the firewall.

You can not configure a vlan in msfc if this vlan is a firewall-vlan, so how could we configure one vlan between msfc and firewall modules?

Thanks in advance.


Re: Firewall Service Module Cat6k

I think its possible to configure a firewall-Vlan, you must configure a controlled VLAN (SVI) on the MSFC or you will be unable to configure VLANs on the module. For a complete configuration step take a look at the following URL

Cisco Employee

Re: Firewall Service Module Cat6k

Are you sure you wouldn't connect to the outside interface? If you think of it logically you are going from LAN->router->outside->inside->LAN right?

If that's the case you need to use the outside VLAN and create a route from that network to the inside network's VLAN.

Say your inside VLAN is VLAN 10 and your outside VLAN is VLAN 20.

Your private inside LAN is

(Sorry, this is IOS, not CatOS, but you should see the idea)


firewall module 6 vlan-group 10

firewall vlan-group 10 10,20


interface GigabitEthernet1/2

no ip address


switchport access vlan 10


interface Vlan10

no ip address


interface Vlan20

ip address


ip route

and in the FWSM PIX looks like this:

nameif vlan10 inside security100

nameif vlan20 outside security0

ip address inside

ip address outside

route outside 1

Whenever I need to get to the private LAN I get routed through the network, which is a network that's only used to route the traffic through the MSFC into the FWSM.

New Member

Re: Firewall Service Module Cat6k


at last we have the solution, see above the steps for configuration:

1- Create routable VLAN interfaces in MSFC(interface vlan x) and put it to inactive state by shutdown.

2- Use "set vlan x firewall-vlan mod" to secure vlan x.

3- Makes a reset in the firewall module. (This was the step that we did not kneew)

4- Then, in MSFC, put vlan x to active state by "no shut".

Then, interface vlan 50 comes to up and we have connectivity between MSFC an FWSM.


CreatePlease to create content