[c-nsp] traffic flow in 6500 switch with FWSM and IDSM

Vikas Sharma vikassharmas at gmail.com
Mon Nov 12 03:31:46 EST 2007


Hi,

Can I configure the FWSM as a default gateway for my internal VLANs (similar to
the HSRP configuration on the MSFC for VLANs)? i.e. inside packets will first hit
the FWSM, then the MSFC!

If you have some doc on this, please share if possible.

Regards
Vikas Sharma

On Nov 7, 2007 7:00 PM, Fred Reimer <freimer at ctiusa.com> wrote:

> There are many ways that you can configure the 6500 with a FWSM
> and IDSM.  It depends on what you want to do with it.  You can
> place the MSFC (routing entity) inside or outside of the FWSM.  I
> prefer inside unless there is a really good reason to have it
> outside (such as routing sessions to providers, etc) as you don't
> need to secure it quite as much as when it is on a publicly
> accessible address.  You could also use VRF on the MSFC and have
> one instance on the outside and one on the inside (or a bunch of
> instances and one on each DMZ interface of the FWSM also).  For
> the IDSM you also have an option of in-line mode or not.  You
> want in-line mode if you want IPS functionality, and promiscuous
> mode if you want IDS functionality.  Again, you can place the
> IDSM inside or outside the FWSM, but it really makes sense to
> drop malicious traffic before it even reaches your FW.  Perhaps
> have it look like Internet -- IDSM -- MSFC -- FWSM -- MSFC -
> inside networks.  You really need to talk to, or hire, a security
> specialist.
>
> Fred Reimer, CISSP, CCNP
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas
> Sharma
> Sent: Wednesday, November 07, 2007 3:14 AM
> To: cisco-nsp at puck.nether.net; Oliver Boehmer (oboehmer)
> Subject: [c-nsp] traffic flow in 6500 switch with FWSM and IDSM
>
> Hi,
>
> I have FWSM and IDSM-2 on a 6500 switch. Since I am not a security guy, I am
> not able to visualize how traffic flow will take place in this situation. My
> requirement is to secure internal traffic from external / DMZ traffic and
> inspect malicious traffic. Can someone give me the logical picture of how a
> packet will flow inside the 6500 switch? Whether it will first go to the
> FWSM then to the MSFC, or first to the MSFC then the firewall? I have VLANs
> (SVIs) created on the MSFC and these IPs are the default gateway for my
> internal traffic.
>
> Any help is appreciated...
>
> Regards
> Vikas Sharma
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
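The following configuration sketch is an added example, not something posted in this thread or taken from Cisco documentation; it shows the "MSFC inside the FWSM" layout that Fred describes, with the IDSM-2 in promiscuous (IDS) mode watching the outside VLAN. Slot numbers (FWSM in slot 3, IDSM-2 in slot 2), VLAN numbers and all addresses are assumptions chosen for illustration. In this layout an inside host's default gateway is the MSFC SVI, so the flow is host -> MSFC -> FWSM -> Internet; to have the FWSM itself be the gateway (the question in the top post), the user VLAN would instead be an FWSM interface and the MSFC would sit on the outside, which is the other placement Fred mentions.

```cisco
! ===== Supervisor / MSFC (IOS) =====
! Hand VLAN 10 (firewall outside) and VLAN 20 (firewall inside) to the FWSM.
firewall vlan-group 1 10,20
firewall module 3 vlan-group 1
!
! The MSFC keeps an SVI only on the FWSM's inside VLAN. By default the
! MSFC may have just one SVI among the FWSM VLANs; a second one needs
! "firewall multiple-vlan-interfaces", which is deliberately not set here
! so the MSFC cannot be reached from the outside VLAN.
interface Vlan20
 ip address 10.0.0.2 255.255.255.0
!
! Internal user VLANs terminate on the MSFC, which is their default gateway.
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
!
! Anything that is not an internal prefix is sent to the FWSM inside address.
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! IDSM-2 in promiscuous mode: copy the outside VLAN to the sensor data port
! (IDS only; for IPS the sensor would instead be placed in-line on that VLAN).
monitor session 1 source vlan 10 rx
monitor session 1 destination intrusion-detection-module 2 data-port 1

! ===== FWSM (routed, single context) =====
interface Vlan10
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface Vlan20
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Default route toward the upstream router; internal prefixes live behind the MSFC.
route outside 0.0.0.0 0.0.0.0 192.0.2.1
route inside 10.100.0.0 255.255.0.0 10.0.0.2
!
! Unlike PIX/ASA, the FWSM passes no traffic at all (even high-to-low security)
! until an access list is applied, so outbound permission must be explicit.
access-list inside_in extended permit ip 10.100.0.0 255.255.0.0 any
access-group inside_in in interface inside
```

Return traffic from the outside is admitted only as a reply to an existing connection, and the MSFC is reachable solely through the FWSM's inside interface, which is the reason Fred prefers keeping the routing entity inside.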

