New Member

FWSM transparent

The customer's demand: the core has two 6500s with FWSM. The IDF has many 3560s, and every 3560 has two links to each 6500. VLAN 2 is used for network devices, including the interconnect to the WAN router; VLAN 5 is for users; VLAN 6 is for production. The FWSM (transparent) is used for protecting the production subnet, with failover. The configuration is the following:

1) primary 6500:

firewall multiple-vlan-interfaces
firewall vlan-group 1 6,10,16
firewall vlan-module 1 1
inter vlan 2
 ip add 10.209.33.3 255.255.252.0
 standby 16 10.209.33.2
 standby 16 pri 105
 standby 16 pre
inter vlan 16
 ip add 10.209.40.2 255.255.252.0
 standby 16 10.209.40.1
 standby 16 pri 105
 standby 16 pre
inter vlan 6
inter vlan 10
inter range gig 2/21-24
 switch trunk en dot1q
 channel-group 1 mode active
ip route 0 0 10.209.32.1

2) secondary 6500:

firewall multiple-vlan-interfaces
firewall vlan-group 1 6,10,16
firewall vlan-module 1 1
inter vlan 2
 ip add 10.209.33.4 255.255.252.0
 standby 16 10.209.33.2
 standby 16 pri 85
 standby 16 pre
inter vlan 16
 ip add 10.209.40.3 255.255.252.0
 standby 16 10.209.40.1
 standby 16 pri 85
 standby 16 pre
inter vlan 6
inter vlan 10
inter range gig 2/21-24
 switch trunk en dot1q
 channel-group 1 mode active
ip route 0 0 10.209.32.1

3) primary FWSM:

transparent
nameif vlan16 outside security0
nameif vlan6 inside security100
ip add 10.209.40.4 255.255.252.0 second 10.209.40.5
monitor-inter inside
monitor-inter outside
route outside 0 0 10.209.40.1 1
access-list BPDU ethertype permit bpdu
access-group BPDU in interface inside
access-group BPDU in interface outside
failover lan interface faillink vlan 10
failover link statelink vlan 11
failover lan unit primary
failover interface ip faillink 10.209.40.33 255.255.255.252 standby 10.209.40.34
failover interface ip statelink 10.209.40.49 255.255.255.252 standby 10.209.40.50
failover interface-policy 1
failover replication http
failover

4) secondary FWSM:

transparent
failover lan unit secondary
failover lan interface faillink vlan 10
failover interface ip faillink 10.209.40.33 255.255.255.252 standby 10.209.40.34
failover

My question: the log of the FWSM shows the failover is OK. But port-channel 1 and gig 2/21-24 go down automatically. The interfaces gig 2/21-24 of one 6500 show err-disable, and the other 6500 shows notconnect. The log of the 6500 shows channel-misconfig and a duplicate IP address 10.209.40.2 in VLAN 16 on one 6500, and a duplicate IP address 10.209.40.3 in VLAN 16 on the other 6500. When I shutdown port-channel 1 and no shutdown it, port-channel 1 and gig 2/21-24 come up. But after a few minutes, port-channel 1 and gig 2/21-24 go down again automatically. The trunk and port-channel are used for carrying the failover and other VLAN information. If the trunk and port-channel are down, shouldn't failover stop working? Please help me.

And now I tested as follows: if I only allow VLAN 5 through the port-channel 1 trunk, namely not allowing VLANs 6, 16 and 10, the problem is resolved. But now I find many PCs automatically drop their connection to the network (the network connection icon on the desktop displays "Media disconnected"). After a few seconds they automatically reconnect to the network normally. Why?

2 REPLIES
fly
New Member

Re: FWSM transparent

I found some problems related to spanning-tree loops when using the FWSM. One is that you have to configure BPDU pass-through; another is to pay attention to the IOS version and the FWSM version. Some versions of switch software can't support BPDU pass-through.

My version is 12.2.18SXF, FWSM version is 3.1.

12.2.17SXD has some problems.

New Member

Re: FWSM transparent

You should disable "spanning-tree portfast bpduguard default" on the Cat6k when using the BPDU ACL.

This should work.
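To make the two replies concrete, here is an added Python example (not code from the thread, the poster, or Cisco) that does two things a practitioner would do while chasing these symptoms: it audits a transparent-mode FWSM configuration for a BPDU ethertype ACL applied inbound on every named interface (reply 1), and it classifies Catalyst syslog lines of the kind the question describes, namely err-disable, channel-misconfig and duplicate address, so the ones that indicate a Layer-2 loop or a BPDU guard action on the trunk are flagged (reply 2). The config excerpt and the log lines are constructed for this example; the message formats are assumed to follow the IOS mnemonics %PM-4-ERR_DISABLE, %SPANTREE-2-CHNL_MISCFG, %IP-4-DUPADDR and %SPANTREE-2-BLOCK_BPDUGUARD, and the function names are the example's own.

```python
"""Added example for this thread (not the poster's or Cisco's code).

1. bpdu_passthrough_gaps(): does the transparent FWSM pass BPDUs on every
   interface?  Without that, the switches on either side cannot see each
   other's spanning tree and the redundant 6500/3560 links can loop through
   the firewall.
2. triage() / loop_indicators(): which Catalyst syslog lines point at a loop
   or at BPDU guard shutting the trunk instead of STP blocking it?
"""
import re

# Constructed FWSM config excerpt mirroring the thread; abbreviations kept as typed.
FWSM_CONFIG = """\
transparent
nameif vlan16 outside security0
nameif vlan6 inside security100
access-list BPDU ethertype permit bpdu
access-group BPDU in interface inside
access-group BPDU in interface outside
"""

NAMEIF_RX = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security\d+")
BPDU_ACL_RX = re.compile(r"^access-list\s+(\S+)\s+ethertype\s+permit\s+bpdu")
ACCESS_GROUP_RX = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")


def bpdu_passthrough_gaps(config):
    """Return the firewall interfaces with no inbound ethertype ACL permitting BPDUs."""
    interfaces, bpdu_acls, applied = [], set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := NAMEIF_RX.match(line):
            interfaces.append(m.group(1))
        elif m := BPDU_ACL_RX.match(line):
            bpdu_acls.add(m.group(1))
        elif m := ACCESS_GROUP_RX.match(line):
            applied.append((m.group(1), m.group(2)))
    # Resolve after the full pass so the order of ACL definition and binding does not matter.
    covered = {ifname for acl, ifname in applied if acl in bpdu_acls}
    return [i for i in interfaces if i not in covered]


# Constructed syslog lines in the format of the IOS messages the poster describes;
# not captured from a real device.
SAMPLE_LOGS = [
    "%PM-4-ERR_DISABLE: channel-misconfig error detected on Po1, putting Gi2/21 in err-disable state",
    "%SPANTREE-2-CHNL_MISCFG: Detected loop due to etherchannel misconfiguration of Gi2/22",
    "%IP-4-DUPADDR: Duplicate address 10.209.40.2 on Vlan16, sourced by 0000.0c07.ac10",
    "%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet2/23 with BPDU Guard enabled. Disabling port.",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan5, changed state to up",
]

# Each pattern captures the objects the message is about (cause and ports, or address and VLAN).
SYMPTOM_RX = {
    "errdisable": re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on ([^,\s]+), putting (\S+)"),
    "channel_misconfig": re.compile(r"%SPANTREE-2-CHNL_MISCFG: .* of (\S+)"),
    "duplicate_ip": re.compile(r"%IP-4-DUPADDR: Duplicate address (\S+) on ([^,\s]+)"),
    "bpduguard": re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: .* port (\S+) with BPDU Guard"),
}

# Symptoms that mean frames are coming back through the transparent firewall (a loop),
# or that BPDU guard is err-disabling the trunk rather than STP blocking a redundant path.
LOOP_SYMPTOMS = {"channel_misconfig", "duplicate_ip", "bpduguard"}


def triage(lines):
    """Group matching log lines by symptom name; each value lists the captured fields."""
    findings = {}
    for line in lines:
        for name, rx in SYMPTOM_RX.items():
            m = rx.search(line)
            if m:
                findings.setdefault(name, []).append(m.groups())
    return findings


def loop_indicators(findings):
    """Sorted names of the loop-related symptoms present in a triage() result."""
    return sorted(set(findings) & LOOP_SYMPTOMS)


if __name__ == "__main__":
    gaps = bpdu_passthrough_gaps(FWSM_CONFIG)
    print("FWSM interfaces without BPDU pass-through:", gaps or "none")
    found = triage(SAMPLE_LOGS)
    for name, hits in found.items():
        print(f"{name}: {hits}")
    print("loop indicators:", loop_indicators(found))
```

Run against the configuration in the question, the audit reports no gaps, because the BPDU ethertype ACL is bound inbound on both inside and outside; that is why the second reply points at BPDU guard on the Cat6k side rather than at the FWSM ACL. Feeding the script the switch's real log (one line per list entry) shows which of the three loop-related events are present, which is the evidence to gather before deciding whether the trunk is being err-disabled by BPDU guard or by EtherChannel misconfiguration detection.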
