[c-nsp] traffic flow in 6500 switch with FWSM and MPLS VPN
Fred Reimer
freimer at ctiusa.com
Thu Nov 15 13:49:29 EST 2007
Yes, it works fine. You would need to configure the option on
the SUP to allow multiple SVIs to be configured when they are
assigned/trunked to the firewall. See here:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/switch_f.html
Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697
> -----Original Message-----
> From: Vikas Sharma [mailto:vikassharmas at gmail.com]
> Sent: Thursday, November 15, 2007 6:20 AM
> To: Fred Reimer; cisco-nsp at puck.nether.net; Oliver Boehmer
> (oboehmer)
> Subject: Re: [c-nsp] traffic flow in 6500 switch with FWSM
> and MPLS VPN
>
> Hi,
>
> On the same line, I have a few more doubts. Please help me to
> solve this.
>
> I have 5 VLANs, namely data, voice, video and CCTV. A packet
> coming out of the access switch will go to the SVI and then come to
> the FWSM, as a firewall group has been configured. Now I want to
> integrate this LAN into my MPLS cloud. I have created two VRFs
> (one for voice/data and video, and another for CCTV) and am
> importing and exporting to all remote sites.
> My question is: how does the FWSM behave when the default gateway is
> on the MSFC SVI (I have created dot1q interfaces on the SVI and
> assigned VRF forwarding to the respective interfaces)? Since on
> the SVI I have configured VRF forwarding, will the FWSM understand
> the firewall group in this case?
>
> Any help is greatly appreciated.
>
> Regards
> Vikas Sharma
>
> On 11/12/07, Vikas Sharma <vikassharmas at gmail.com> wrote:
>
> Hi,
>
> Can I configure the FWSM as the default gateway for my
> internal VLANs (similar to the HSRP configuration on the MSFC for
> VLANs)? i.e. an inside packet will first hit the FWSM, then the MSFC!
>
> If you have some doc on this, please share if possible.
>
> Regards
>
> Vikas Sharma
>
>
>
> On Nov 7, 2007 7:00 PM, Fred Reimer
> <freimer at ctiusa.com> wrote:
>
>
> There are many ways that you can configure the 6500 with a FWSM and
> IDSM. It depends on what you want to do with it. You can place the
> MSFC (routing entity) inside or outside of the FWSM. I prefer inside
> unless there is a really good reason to have it outside (such as
> routing sessions to providers, etc.), as you don't need to secure it
> quite as much as when it is on a publicly accessible address. You
> could also use VRF on the MSFC and have one instance on the outside
> and one on the inside (or a bunch of instances and one on each DMZ
> interface of the FWSM also). For the IDSM you also have an option of
> in-line mode or not. You want in-line mode if you want IPS
> functionality, and promiscuous mode if you want IDS functionality.
> Again, you can place the IDSM inside or outside the FWSM, but it
> really makes sense to drop malicious traffic before it even reaches
> your FW. Perhaps have it look like Internet -- IDSM -- MSFC -- FWSM
> -- MSFC -- inside networks. You really need to talk to, or hire, a
> security specialist.
>
> Fred Reimer, CISSP, CCNP
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
>
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas Sharma
> Sent: Wednesday, November 07, 2007 3:14 AM
> To: cisco-nsp at puck.nether.net; Oliver Boehmer (oboehmer)
> Subject: [c-nsp] traffic flow in 6500 switch with FWSM and IDSM
>
> Hi,
>
> I have an FWSM and IDSM-2 on a 6500 switch. Since I am not a security
> guy, I am not able to visualize how traffic flow will take place in
> this situation. My requirement is to secure internal traffic from
> external/DMZ traffic and inspect malicious traffic. Can someone give
> me the logical picture of how a packet will flow inside the 6500
> switch? Whether it will first go to the FWSM then to the MSFC, or
> first to the MSFC then the firewall? I have VLANs (SVIs) created on
> the MSFC and these IPs are the default gateway for my internal
> traffic.
>
> Any help is appreciated...
>
> Regards
> Vikas Sharma
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3080 bytes
Desc: not available
Url : https://puck.nether.net/pipermail/cisco-nsp/attachments/20071115/d7c26868/attachment.bin
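An added configuration example, not part of the thread above, showing the Sup720/MSFC side of what Fred's two replies describe: the firewall vlan-group that hands VLANs to the FWSM, the `firewall multiple-vlan-interfaces` option that permits more than one MSFC SVI on firewall VLANs, and one SVI per VRF facing the FWSM so each VRF can be carried into the MPLS cloud. The slot number, VLAN numbers, VRF names, route distinguishers and addresses are all assumed for illustration; the layout chosen is the "MSFC outside the FWSM" one from the Nov 7 mail, with the FWSM inside interfaces as the hosts' default gateways.

```ios
! Added example, not from the thread. Assumptions: FWSM in slot 4; host VLANs
! 10 (data), 20 (voice), 30 (video), 40 (CCTV) are FWSM inside interfaces;
! VLANs 110 and 140 are FWSM outside interfaces toward the MSFC, one per VRF.
! All slot, VLAN, VRF and address values are hypothetical.
!
! Hand the VLANs to the FWSM. Every VLAN the FWSM terminates must be in the group.
firewall vlan-group 1 10,20,30,40,110,140
firewall module 4 vlan-group 1
!
! By default the MSFC allows only ONE SVI on VLANs that belong to a firewall
! vlan-group, so routing cannot bypass the FWSM. Two VRFs need two SVIs
! (Vlan110 and Vlan140), so the option Fred refers to must be enabled first;
! without it the second SVI is refused.
firewall multiple-vlan-interfaces
!
! VRFs exported into the MPLS cloud (RDs and route targets assumed).
ip vrf DATA-VOICE-VIDEO
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf CCTV
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
!
! MSFC SVIs: one per VRF, each on an FWSM *outside* VLAN. No MSFC SVI is
! created on VLANs 10-40; one there would give hosts a route around the FWSM.
interface Vlan110
 description to FWSM outside, data/voice/video
 ip vrf forwarding DATA-VOICE-VIDEO
 ip address 10.110.0.1 255.255.255.0
!
interface Vlan140
 description to FWSM outside, CCTV
 ip vrf forwarding CCTV
 ip address 10.140.0.1 255.255.255.0
!
! Per-VRF static routes back through the FWSM to the host subnets (FWSM outside
! addresses 10.110.0.2 / 10.140.0.2 assumed). On the FWSM the mirror image is a
! default route per side pointing at 10.110.0.1 / 10.140.0.1.
ip route vrf DATA-VOICE-VIDEO 10.10.0.0 255.255.255.0 10.110.0.2
ip route vrf DATA-VOICE-VIDEO 10.20.0.0 255.255.255.0 10.110.0.2
ip route vrf DATA-VOICE-VIDEO 10.30.0.0 255.255.255.0 10.110.0.2
ip route vrf CCTV 10.40.0.0 255.255.255.0 10.140.0.2
!
! Checks after applying:
!   show firewall vlan-group    -> VLANs 10,20,30,40,110,140 listed in group 1
!   show firewall module        -> module 4 bound to vlan-group 1
!   show ip vrf interfaces      -> Vlan110 in DATA-VOICE-VIDEO, Vlan140 in CCTV
```

Two points worth keeping in mind with this layout. First, the VRF is an MSFC-local routing construct: the FWSM only sees VLAN interfaces and the next-hop address on each, so putting an SVI into a VRF changes nothing on the FWSM side; the firewall group question reduces to whether the MSFC will let you create the extra SVIs, which is what `firewall multiple-vlan-interfaces` controls. Second, the same requirement applies to Fred's preferred "MSFC inside" layout: as soon as more than one MSFC SVI lands on firewall-group VLANs, that option is needed, whatever side of the FWSM the SVIs sit on.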