[c-nsp] traffic flow in 6500 switch with FWSM and MPLS VPN

Vikas Sharma vikassharmas at gmail.com
Thu Nov 15 06:19:54 EST 2007


Hi,

On the same line I have a few more doubts. Please help me to solve this.

I have 5 VLANs, namely data, voice, video and CCTV. A packet coming out of the
access switch will go to the SVI and then come to the FWSM, as a firewall-group has
been configured. Now I want to integrate this LAN into my MPLS cloud. I have
created two VRFs (one for voice/data and video, and another for CCTV) and am
importing and exporting to all remote sites.
My question is how does the FWSM behave when the default gateway is on an MSFC SVI (I
have created dot1q interfaces on the SVI and assigned vrf forwarding to the
respective interfaces). Since on the SVI I have configured vrf forwarding, will the
FWSM understand the firewall-group in this case?

Any help is greatly appreciated.

Regards
Vikas Sharma

On 11/12/07, Vikas Sharma <vikassharmas at gmail.com> wrote:
>
> Hi,
>
> Can I configure the FWSM as a default gateway for my internal VLANs (similar
> to the HSRP configuration on the MSFC for VLANs)? i.e. an inside packet will first hit
> the FWSM, then the MSFC !!!
>
> If you have some doc on this, please share it if possible.
>
> Regards
> Vikas Sharma
>
>
>  On Nov 7, 2007 7:00 PM, Fred Reimer <freimer at ctiusa.com> wrote:
>
> > There are many ways that you can configure the 6500 with a FWSM
> > and IDSM.  It depends on what you want to do with it.  You can
> > place the MSFC (routing entity) inside or outside of the FWSM.  I
> > prefer inside unless there is a really good reason to have it
> > outside (such as routing sessions to providers, etc) as you don't
> > need to secure it quite as much as when it is on a publicly
> > accessible address.  You could also use VRF on the MSFC and have
> > one instance on the outside and one on the inside (or a bunch of
> > instances and one on each DMZ interface of the FWSM also).  For
> > the IDSM you also have an option of in-line mode or not.  You
> > want in-line mode if you want IPS functionality, and promiscuous
> > mode if you want IDS functionality.  Again, you can place the
> > IDSM inside or outside the FWSM, but it really makes sense to
> > drop malicious traffic before it even reaches your FW.  Perhaps
> > have it look like Internet -- IDSM -- MSFC -- FWSM -- MSFC --
> > inside networks.  You really need to talk to, or hire, a security
> > specialist.
> >
> > Fred Reimer, CISSP, CCNP
> > Senior Network Engineer
> > Coleman Technologies, Inc.
> > 954-298-1697
> >
> >
> >
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto: cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas
> > Sharma
> > Sent: Wednesday, November 07, 2007 3:14 AM
> > To: cisco-nsp at puck.nether.net; Oliver Boehmer (oboehmer)
> > Subject: [c-nsp] traffic flow in 6500 switch with FWSM and IDSM
> >
> > Hi,
> >
> > I have an FWSM and IDSM-2 on a 6500 switch. Since I am not a security
> > guy I am not able to visualize how traffic flow will take place in this
> > situation. My requirement is to secure internal traffic from external / DMZ
> > traffic and inspect malicious traffic. Can someone give me the logical
> > picture of how a packet will flow inside the 6500 switch? Whether it will
> > first go to the FWSM then to the MSFC, or first to the MSFC then the
> > firewall? I have VLANs (SVIs) created on the MSFC and these IPs are the
> > default gateway for my internal traffic.
> >
> > Any help is appreciated...
> >
> > Regards
> > Vikas Sharma
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
>
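The "MSFC inside the FWSM, with one VRF instance on each side" layout from the quoted reply, written out as a constructed 6500 configuration; this is an added example, not configuration from the thread. Slot number, VLAN numbers, addresses and VRF names are assumptions, the IDSM is left out, and the FWSM side assumes 3.x-style interface syntax; the point it shows is that the FWSM is attached by VLAN (firewall vlan-group) and never sees the MSFC's vrf forwarding.

```text
! ===== MSFC side: constructed example, slot and all numbers are assumptions =====
! Only the two VLANs that touch the FWSM (100 outside, 200 inside) go to the module;
! the LAN VLANs stay ordinary SVIs routed by the INSIDE vrf, behind the firewall.
firewall multiple-vlan-interfaces
firewall vlan-group 1 100,200
firewall module 4 vlan-group 1
!
! Two routing instances on one MSFC: OUTSIDE toward the provider, INSIDE toward
! the LAN. Only INSIDE is imported/exported into the MPLS VPN.
ip vrf OUTSIDE
 rd 65000:1
ip vrf INSIDE
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
!
interface Vlan100
 description FWSM outside; this SVI is the firewall's upstream hop
 ip vrf forwarding OUTSIDE
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan200
 description FWSM inside; this SVI is the firewall's downstream hop
 ip vrf forwarding INSIDE
 ip address 10.0.200.1 255.255.255.0
!
interface Vlan10
 description data hosts; default gateway for the VLAN, on the protected side
 ip vrf forwarding INSIDE
 ip address 10.0.10.1 255.255.255.0
!
! Anything INSIDE does not know goes through the firewall, never around it.
ip route vrf INSIDE 0.0.0.0 0.0.0.0 10.0.200.2
ip route vrf OUTSIDE 10.0.0.0 255.0.0.0 192.0.2.2
ip route vrf OUTSIDE 0.0.0.0 0.0.0.0 <PROVIDER-NEXT-HOP>
!
! ===== FWSM side (routed mode, 3.x-style syntax): constructed example =====
! The FWSM only sees VLAN 100 and VLAN 200; "ip vrf forwarding" on the MSFC is invisible here.
interface Vlan100
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.0.200.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.0.2.1
route inside 10.0.0.0 255.0.0.0 10.0.200.1
```

If a LAN VLAN were also placed in the firewall vlan-group and given an SVI in the INSIDE vrf, hosts would have a routed path that bypasses the FWSM, so the vlan-group membership is what to check when verifying this design.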

