[c-nsp] traffic flow in 6500 switch with FWSM and MPLS VPN
Vikas Sharma
vikassharmas at gmail.com
Fri Nov 16 01:58:08 EST 2007
Hi Fred,
The link shows me the option of configuring multiple SVIs, but my question is:
if I assign these VLANs to a VRF created on the 6509, will the FWSM understand this?
I can do this conf on the switch for fwsm -
firewall vlan-group 50 55-57
firewall module 8 vlan-group 50
but my SVIs have to be in a VRF for MPLS forwarding. Does the FWSM support this
kind of VRF functionality?
Regards
Vikas Sharma
On 11/16/07, Fred Reimer <freimer at ctiusa.com> wrote:
>
> Yes, it works fine. You would need to configure the option on
> the SUP to allow multiple SVI's to be configured when they are
> assigned/trunked to the firewall. See here:
>
> http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/switch_f.html
>
>
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
>
>
>
> > -----Original Message-----
> > From: Vikas Sharma [mailto:vikassharmas at gmail.com]
> > Sent: Thursday, November 15, 2007 6:20 AM
> > To: Fred Reimer; cisco-nsp at puck.nether.net; Oliver Boehmer
> > (oboehmer)
> > Subject: Re: [c-nsp] traffic flow in 6500 switch with FWSM
> > and MPLS VPN
> >
> > Hi,
> >
> > On the same line, I have a few more doubts. Please help me to
> > solve this.
> >
> > I have 5 VLANs, namely data, voice, video and CCTV. A packet
> > coming out of the access switch will go to the SVI and then come to the
> > FWSM, as the firewall group has been configured. Now I want to
> > integrate this LAN into my MPLS cloud. I have created two VRFs
> > (one for voice/data and video, and another for CCTV) and am
> > importing and exporting to all remote sites.
> > My question is: how does the FWSM behave when the default gateway is
> > on an MSFC SVI (I have created dot1q interfaces on the SVI and
> > assigned VRF forwarding to the respective interfaces)? Since on the
> > SVI I have configured VRF forwarding, will the FWSM understand
> > the firewall group in this case?
> >
> > Any help is greatly appreciated.
> >
> > Regards
> > Vikas Sharma
> >
> > On 11/12/07, Vikas Sharma <vikassharmas at gmail.com> wrote:
> >
> > Hi,
> >
> > Can I configure the FWSM as a default gateway for my
> > internal VLANs (similar to an HSRP configuration on the MSFC for
> > VLANs)? I.e., an inside packet will first hit the FWSM, then the MSFC!
> >
> > If you have some doc on this, please share if possible.
> >
> > Regards
> >
> > Vikas Sharma
> >
> >
> >
> > On Nov 7, 2007 7:00 PM, Fred Reimer
> > <freimer at ctiusa.com> wrote:
> >
> >
> > There are many ways that you can configure the 6500 with a FWSM
> > and IDSM. It depends on what you want to do with it. You can
> > place the MSFC (routing entity) inside or outside of the FWSM. I
> > prefer inside unless there is a really good reason to have it
> > outside (such as routing sessions to providers, etc.), as you don't
> > need to secure it quite as much as when it is on a publicly
> > accessible address. You could also use VRF on the MSFC and have
> > one instance on the outside and one on the inside (or a bunch of
> > instances and one on each DMZ interface of the FWSM also). For
> > the IDSM you also have an option of in-line mode or not. You
> > want in-line mode if you want IPS functionality, and promiscuous
> > mode if you want IDS functionality. Again, you can place the
> > IDSM inside or outside the FWSM, but it really makes sense to
> > drop malicious traffic before it even reaches your FW. Perhaps
> > have it look like Internet -- IDSM -- MSFC -- FWSM -- MSFC --
> > inside networks. You really need to talk to, or hire, a security
> > specialist.
> >
> > Fred Reimer, CISSP, CCNP
> > Senior Network Engineer
> > Coleman Technologies, Inc.
> > 954-298-1697
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net]
> > On Behalf Of Vikas Sharma
> > Sent: Wednesday, November 07, 2007 3:14 AM
> > To: cisco-nsp at puck.nether.net; Oliver Boehmer (oboehmer)
> > Subject: [c-nsp] traffic flow in 6500 switch with FWSM and IDSM
> >
> > Hi,
> >
> > I have an FWSM and IDSM-2 on a 6500 switch. Since I am not a security
> > guy, I am not able to visualize how traffic flow will take place in this
> > situation. My requirement is to secure internal traffic from
> > external / DMZ traffic and inspect malicious traffic. Can someone give me
> > the logical picture of how a packet will flow inside the 6500 switch?
> > Will it first go to the FWSM and then to the MSFC, or first to the MSFC
> > and then the firewall? I have VLANs (SVIs) created on the MSFC, and
> > these IPs are the default gateway for my internal traffic.
> >
> > Any help is appreciated.
> >
> > Regards
> > Vikas Sharma
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
> >
>
>
>
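An added configuration sketch (not from the thread, and not a reply by any participant) showing how the switch side of this design fits together: the FWSM is handed VLANs through a vlan-group, while VRF membership is purely an MSFC SVI property. VLAN numbers 55-57, slot 8, the VRF names, RDs and addresses are assumptions for illustration.

```cisco
! --- Added example, not from the original thread. VLANs 55-57, slot 8,
! --- VRF names, route distinguishers and addresses are assumptions.
!
! The two VRFs the MSFC routes in (MPLS VPN side).
ip vrf VOICE-DATA
 rd 65000:10
 route-target export 65000:10
 route-target import 65000:10
ip vrf CCTV
 rd 65000:20
 route-target export 65000:20
 route-target import 65000:20
!
! Hand the firewall VLANs to the FWSM in slot 8 (the two commands from the
! post) and allow more than one MSFC SVI on VLANs trunked to the module.
firewall multiple-vlan-interfaces
firewall vlan-group 50 55-57
firewall module 8 vlan-group 50
!
! MSFC SVIs: the FWSM only sees VLAN interfaces; "ip vrf forwarding" lives
! on the MSFC and is invisible to the firewall module.
interface Vlan55
 description voice/data VRF side of the FWSM
 ip vrf forwarding VOICE-DATA
 ip address 10.55.0.1 255.255.255.0
!
interface Vlan56
 description video VRF side of the FWSM
 ip vrf forwarding VOICE-DATA
 ip address 10.56.0.1 255.255.255.0
!
interface Vlan57
 description CCTV VRF side of the FWSM
 ip vrf forwarding CCTV
 ip address 10.57.0.1 255.255.255.0
!
! Checks: confirm the VLANs reached the module and the SVIs sit in VRFs.
! show firewall vlan-group
! show firewall module 8 state
! show ip vrf interfaces
```

Keeping the CCTV SVI in its own VRF means traffic between the CCTV and voice/data segments still has to cross the FWSM rather than being routed directly on the MSFC.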