[c-nsp] traffic flow in 6500 switch with FWSM and IDSM

Peter Rathlev peter at rathlev.dk
Mon Nov 12 03:52:56 EST 2007


On Mon, 2007-11-12 at 14:01 +0530, Vikas Sharma wrote:
> Can I configure FWSM as a default gateway for my internal vlans (similar to
> HSRP configuration on MSFC for vlans)? i.e inside packet will first hit fwsm
> then MSFC !!!

Yes you can. :-) If you avoid creating the SVI ("interface Vlan"), but
still send the VLAN to the firewall, the MSFC doesn't interfere. Like
this:

! *** 6503-fwsm-rp ***
vlan 100
 name fwsm-test
 exit
!
interface range GigabitEthernet1/1 - 2
 description LAN-facing interfaces
 switchport trunk allowed vlan add 100
 exit
!
firewall vlan-group 1 100
!
firewall module 2 vlan-group 1
!
! (Maybe "no interface Vlan100" to delete it)
!

! *** fwsm sys context ***
context admin
 allocate-interface vlan100
 exit
!

! *** fwsm admin context ***
nameif vlan100 fwsmtest security50
! ... etc.

> If u have some doc on this pls share if possible..

It depends on your software version. This is for 3.1:

http://www.tinyurl.dk/2175
(http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/fwsm_cfg.html)

Take a look at the "Configuring the Switch for the Firewall Services
Module" chapter.

Regards,
Peter Rathlev
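As an added check, not part of Peter's post, here is a small Python script that scans a 6500 running-config for the pitfall the reply describes: a VLAN handed to the FWSM via "firewall vlan-group" that still has an un-shut "interface Vlan" SVI on the MSFC, so the MSFC rather than the firewall can route for it. The config sample and the function names are constructed for this example.

```python
import re

# Constructed sample: VLAN 100 goes to the FWSM in slot 2 but still has a live SVI.
SAMPLE_CONFIG = """\
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
!
interface Vlan200
 shutdown
!
firewall vlan-group 1 100,200-201
firewall module 2 vlan-group 1
"""

def expand_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '100,200-205' into a set of VLAN ids."""
    vlans: set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def find_svi_bypass(config: str) -> dict[int, list[int]]:
    """Map each firewalled VLAN that also has an un-shut SVI to the FWSM slots using it."""
    group_vlans: dict[int, set[int]] = {}    # vlan-group id -> VLANs in that group
    module_groups: dict[int, set[int]] = {}  # FWSM slot -> vlan-group ids assigned
    svi_shut: dict[int, bool] = {}           # SVI vlan id -> True if 'shutdown'
    current = None                           # SVI block currently being parsed
    for line in config.splitlines():
        if m := re.match(r"firewall vlan-group (\d+) (\S+)", line):
            group_vlans.setdefault(int(m[1]), set()).update(expand_vlan_list(m[2]))
        elif m := re.match(r"firewall module (\d+) vlan-group (\S+)", line):
            module_groups.setdefault(int(m[1]), set()).update(expand_vlan_list(m[2]))
        elif m := re.match(r"interface Vlan(\d+)\s*$", line, re.IGNORECASE):
            current = int(m[1])
            svi_shut[current] = False
        elif current is not None and line.strip() == "shutdown":
            svi_shut[current] = True
        elif not line.startswith(" "):
            current = None                   # '!' or another top-level line ends the block
    findings: dict[int, list[int]] = {}
    for slot, groups in sorted(module_groups.items()):
        for vlan in sorted(set().union(*(group_vlans.get(g, set()) for g in groups))):
            if vlan in svi_shut and not svi_shut[vlan]:
                findings.setdefault(vlan, []).append(slot)
    return findings
```

Run it against "show running-config" output saved to a file; any VLAN it reports should either lose its SVI ("no interface VlanN") or be shut down, as the reply suggests.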
