[c-nsp] traffic flow in 6500 switch with FWSM and IDSM
Peter Rathlev
peter at rathlev.dk
Mon Nov 12 03:52:56 EST 2007
On Mon, 2007-11-12 at 14:01 +0530, Vikas Sharma wrote:
> Can I configure FWSM as a default gateway for my internal VLANs (similar to
> HSRP configuration on MSFC for VLANs)? i.e. the inside packet will first hit the FWSM
> and then the MSFC!!!
Yes you can. :-) If you avoid creating the SVI ("interface Vlan"), but
still send the VLAN to the firewall, the MSFC doesn't interfere. Like
this:
! *** 6503-fwsm-rp ***
vlan 100
name fwsm-test
exit
!
interface range GigabitEthernet1/1 - 2
description LAN-facing interfaces
switchport trunk allowed vlan add 100
exit
!
firewall vlan-group 1 100
!
firewall module 2 vlan-group 1
!
! (Maybe "no interface Vlan100" to delete it)
!
! *** fwsm sys context ***
context admin
allocate-interface vlan100
exit
!
! *** fwsm admin context ***
nameif vlan100 fwsmtest security50
! ... etc.
> If you have some doc on this, please share if possible.
It depends on your software version. This is for 3.1:
http://www.tinyurl.dk/2175
(http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/fwsm_cfg.html)
Take a look at the "Configuring the Switch for the Firewall Services
Module" chapter.
Regards,
Peter Rathlev
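A check for the caveat in the answer above (a VLAN handed to the FWSM must not also have an MSFC SVI, otherwise the MSFC can route around the firewall), as an added example that is not part of the original post or of any Cisco tool. It parses a running-config and flags firewall VLANs that still have an "interface VlanN"; the sample config is constructed, and the one VLAN the MSFC legitimately uses to reach the FWSM will be flagged too and has to be excluded by hand.

```python
import re

# Constructed sample (not from the post). VLAN 100 goes to the FWSM with no SVI,
# as advised; VLAN 200 goes to the FWSM but also has an SVI the MSFC can route.
SAMPLE_CONFIG = """\
vlan 100
 name fwsm-test
vlan 200
 name fwsm-bypass
!
interface Vlan200
 ip address 10.200.0.1 255.255.255.0
!
firewall vlan-group 1 100,200
firewall module 2 vlan-group 1
"""

def expand_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '100,200,300-302' into a set of ints."""
    vlans: set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans

def firewall_vlans(config: str) -> set[int]:
    """VLANs in every 'firewall vlan-group' that a 'firewall module' line binds."""
    groups: dict[int, set[int]] = {}
    bound: set[int] = set()
    for line in config.splitlines():
        if m := re.match(r"firewall vlan-group (\d+) (\S+)", line):
            groups.setdefault(int(m[1]), set()).update(expand_vlan_list(m[2]))
        elif m := re.match(r"firewall module \d+ vlan-group (\S+)", line):
            bound.update(expand_vlan_list(m[1]))
    return set().union(*(groups.get(g, set()) for g in bound))

def svi_vlans(config: str) -> set[int]:
    """VLANs for which the MSFC has an 'interface VlanN' SVI."""
    return {int(m[1]) for m in re.finditer(r"^interface Vlan(\d+)", config, re.M)}

def firewall_bypass_vlans(config: str) -> list[int]:
    """Firewall VLANs that also have an SVI, i.e. the MSFC could route them."""
    return sorted(firewall_vlans(config) & svi_vlans(config))

if __name__ == "__main__":
    print("firewall VLANs with an MSFC SVI:", firewall_bypass_vlans(SAMPLE_CONFIG))
```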