[c-nsp] traffic flow in 6500 switch with FWSM and MPLS VPN

Fred Reimer freimer at ctiusa.com
Fri Nov 16 10:07:34 EST 2007


That's correct.  The FWSM is just a (fast) PIX on a blade that is
connected to the switch with a hidden 6-port Etherchannel.  You
configure the VLANs on this hidden trunk (po272) with the
firewall commands on the SUP.  As far as routing and any other
traffic, consider it as a totally separate device.  You can have
multiple VLANs in different VRFs trunked to the FWSM, which will
just see them as different VLANs.  The FWSM has no concept of
VRF; it just sees the VLANs as separate interfaces.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697



> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ramcharan, Vijay A
> Sent: Friday, November 16, 2007 9:20 AM
> To: Peter Rathlev; cisco-nsp
> Subject: Re: [c-nsp] traffic flow in 6500 switch with FWSM and MPLS VPN
> 
> Vikas, I've found it immensely helpful to think of the FWSM as a
> separate device (as in PIX) that is just connected to the switch by
> means of the associated VLANs rather than physical cables. In my early
> experience with the FWSM I had trouble separating the FWSM from the
> switch when thinking of traffic flow.
>
> Whatever layer 3 config you have on the switch as such, won't be
> associated with the FWSM and will work if you consider the FWSM as just
> another next hop. There are probably scenarios where this may not hold
> true but I have not run into one of those as yet.
> 
> Vijay Ramcharan
> 
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
> Sent: Friday, November 16, 2007 5:56 AM
> To: cisco-nsp
> Subject: Re: [c-nsp] traffic flow in 6500 switch with FWSM and MPLS VPN
> 
> On Fri, 2007-11-16 at 12:28 +0530, Vikas Sharma wrote:
> > The link shows me the option of configuring multiple SVIs but my
> > question is if I assigned these vlans to VRF created on 6509, will
> > fwsm understand this?
>
> I don't know if it depends on HW/Supervisor/IOS, but yes, you can put
> your local SVIs in VRFs. We have a setup with a Cat6506E with Sup32
> running IOS 12.2(18)SXF6 with VRF-enabled SVIs in firewall vlan-groups.
>
> Technically I don't think the FWSM cares whether the interface is
> VRF-enabled or not. It just sees some ethernet traffic on some VLANs. But
> test it first. :-)
> 
> Regards,
> Peter Rathlev
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
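
Added example, not part of the thread or of any poster's configuration: since the FWSM sees only VLANs, the VRF separation discussed above lives entirely in the supervisor config. This Python script parses a constructed supervisor config excerpt and reports which VRFs have VLANs trunked to the same FWSM; the slot number, VLAN IDs and VRF names are assumptions.

```python
import re
from collections import defaultdict

# Constructed supervisor config excerpt; slot, VLAN IDs and VRF names are assumptions.
SAMPLE_CONFIG = """\
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1,2
firewall vlan-group 1 10,20
firewall vlan-group 2 30-31
interface Vlan10
 ip vrf forwarding CUST-A
interface Vlan20
 ip vrf forwarding CUST-B
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
"""

def expand(spec):
    """Expand an IOS number list such as '10,20,30-32' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def fwsm_vrf_map(config):
    """Return {slot: {vlan: vrf}}; vrf is 'global' for a non-VRF SVI, None if no SVI."""
    groups, modules, svi_vrf, current = {}, defaultdict(set), {}, None
    for line in config.splitlines():
        if m := re.match(r"firewall vlan-group (\d+) (\S+)", line):
            groups[int(m[1])] = expand(m[2])
        elif m := re.match(r"firewall module (\d+) vlan-group (\S+)", line):
            modules[int(m[1])] |= expand(m[2])
        elif m := re.match(r"interface Vlan(\d+)", line):
            current = int(m[1])
            svi_vrf[current] = "global"
        elif (m := re.match(r"\s+(?:ip )?vrf forwarding (\S+)", line)) and current is not None:
            svi_vrf[current] = m[1]
        elif not line.startswith(" "):
            current = None  # left the interface block
    return {slot: {v: svi_vrf.get(v) for g in gs for v in sorted(groups.get(g, ()))}
            for slot, gs in modules.items()}

def vrfs_meeting_on_module(config):
    """List, per FWSM slot, the routing contexts whose VLANs land on that module."""
    return {slot: sorted({vrf for vrf in vlans.values() if vrf})
            for slot, vlans in fwsm_vrf_map(config).items()}

if __name__ == "__main__":
    print(vrfs_meeting_on_module(SAMPLE_CONFIG))
```

A slot that lists more than one VRF is a place where separation depends on the FWSM's own interface policy rather than on the switch's VRF configuration.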