Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
438
Views
0
Helpful
1
Replies

Two FWSMs on the same 7609 chasis sharing the same dmz vlan

javiercastro
Level 1
Level 1

‎10-17-2005 09:08 AM - edited ‎03-09-2019 12:44 PM

I have DHCP/DNS servers in vlan X in a 7609 and I have two FWSMs in that same chasis. Is it possible that both FWSMs could share that vlan X for a DMZ in each FWSM in order to share those DHCP/DNS servers for the clients in both FWSMs??

Labels:
0 Helpful
1 Reply 1

gfullage
Cisco Employee
Cisco Employee

‎10-17-2005 05:17 PM

Yes that's fine, the only issue you'll run into is that you can't configure the same VLAN in two separate vlan-groups on the MSFC side of things.

For example (assuming vlan20 is your DMZ):

SV4-10(config)#firewall vlan-group 2 20,30,35

SV4-10(config)#firewall vlan-group 3 20,40,45

Vlan 20 is already tied to group 2

So you need to create a separate vlan-group just for vlan20, then assign each firewall module to that vlan-group separately as follows:

firewall vlan-group 2 30,35

firewall vlan-group 3 40,45

firewall vlan-group 100 20

firewall module 7 vlan-group 2,100

firewall module 8 vlan-group 3,100

Other than that it should be fine to share the vlan amongst the modules. Just make sure that you PAT or NAT traffic going to vlan 20 from each module to a different IP address, that way the return traffic will know which of the two FWSM's to go back to.

0 Helpful
Customers Also Viewed These Support Documents