RE: FWSM

From: Fred Reimer <freimer_at_ctiusa.com>
Date: Mon, 6 Apr 2009 12:36:37 -0400

That is not complete. You will need both firewall module and svclc
module statements. You define vlan-group 1 but don't assign it to the
firewall module. The ACE module can use both firewall vlan-groups and
svclc vlan-groups, but the FWSM can only use firewall vlan-groups. If
FWSM is in slot 1 and ACE is in slot 2, do this:

vlan 10
 name FWSM-outside
vlan 11
 name FWSM-failover
vlan 310
 name FWSM-DMZ-ACE-outside
vlan 311
 name ACE-inside
vlan 312
 name ACE-FT

# for outside interface, failover
firewall vlan-group 1 10,11
# for shared VLANs with ACE
firewall vlan-group 2 310
# for ACE only VLANs
svclc vlan-group 3 311,312
# assign them
firewall module 1 vlan-group 1,2
svclc module 2 vlan-group 2,3

You only need the multiple-vlan-interfaces command if you are going to
be assigning multiple Layer-3 (interface Vlanxxx) interfaces on the SUP.
Unless you are using VRFs, this is unlikely, as it would allow the SUP
to route around the FWSM or ACE, which you obviously would not want.

Fred Reimer, CCIE 23812, CISSP 107125
Senior Systems Architect
Coleman Technologies, Inc.
3250 W. Commercial Blvd., Suite 360
Oakland Park, FL 33309
Office: 407-481-8600 x1307
eFAX: 407-284-6681
Cell: 954-298-1697
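A small coherence check for the Sup-side rules Fred lays out above (every firewall vlan-group must be assigned to a firewall module, every VLAN in a group must exist in the vlan database, and a firewall module may only take firewall vlan-groups). This is an added example, not code from the thread; the sample input is constructed from Nitin's snippet further down, which defines `firewall vlan-group 1` but never assigns it to a module.

```python
import re

# Constructed sample based on Nitin's reply in this thread: the firewall
# vlan-group is defined but no "firewall module N vlan-group" line uses it.
SAMPLE_CONFIG = """
vlan 310
 name ACE-CLIENT-DIC-ACE-A
vlan 311
 name ACE-SERVER-DIC-ACE-A1
vlan 312
 name ACE-FT
firewall vlan-group 1 310
svclc vlan-group 100 310-312
svclc module 3 vlan-group 100
"""

def expand(spec):
    """Expand a Cisco list like '310-312,999' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse(config):
    """Collect vlan database entries, vlan-groups and module assignments."""
    defined, groups, modules = set(), {"firewall": {}, "svclc": {}}, {"firewall": {}, "svclc": {}}
    for raw in config.splitlines():
        line = raw.strip().lower()
        if m := re.match(r"vlan (\d+)$", line):
            defined.add(int(m.group(1)))
        elif m := re.match(r"(firewall|svclc) vlan-group (\d+) (\S+)$", line):
            groups[m.group(1)][int(m.group(2))] = expand(m.group(3))
        elif m := re.match(r"(firewall|svclc) module (\d+) vlan-group (\S+)$", line):
            modules[m.group(1)][int(m.group(2))] = expand(m.group(3))
    return defined, groups, modules

def check(config):
    """Return human-readable findings; an empty list means the config is coherent."""
    defined, groups, modules = parse(config)
    findings = []
    for kind in ("firewall", "svclc"):
        assigned = set().union(*modules[kind].values())
        for gid, vlans in groups[kind].items():
            if gid not in assigned:
                findings.append(f"{kind} vlan-group {gid} is never assigned to a {kind} module")
            for v in sorted(vlans - defined):
                findings.append(f"vlan {v} in {kind} vlan-group {gid} is not in the vlan database")
    # FWSM can only use firewall vlan-groups; ACE (svclc) may use either kind.
    for slot, gids in modules["firewall"].items():
        for gid in sorted(gids - set(groups["firewall"])):
            findings.append(f"firewall module {slot} uses vlan-group {gid}, which is not a firewall vlan-group")
    for slot, gids in modules["svclc"].items():
        for gid in sorted(gids - set(groups["svclc"]) - set(groups["firewall"])):
            findings.append(f"svclc module {slot} uses undefined vlan-group {gid}")
    return findings
```

Running `check(SAMPLE_CONFIG)` reports the unassigned group; running it on Fred's full block above returns nothing. A VLAN that passes this check can still show "Available but not assigned from Supervisor" if it is not forwarding on the module trunk, which is what `show firewall module N state` below is for.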

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Nitin Venugopal
Sent: Monday, April 06, 2009 12:23 PM
To: Tomi Amao
Cc: m.a.cairns_at_gmail.com; ccielab_at_groupstudy.com
Subject: Re: FWSM

Hi,

Explained in easy steps, hope it helps

Step 1 - Create Vlan MSFC

Vlan 310
name ACE-CLIENT-DIC-ACE-A

vlan 311
NAME ACE-SERVER-DIC-ACE-A1

vlan 398
NAME ACE-FT-VLAN-1
VLAN 399
NAME ACE-FT-VLAN-2
-------------------STEP 2- (MSFC)---------------------------------
FWSM adding Vlan on the FWSM context
Firewall vlan-group 1 310
-------
Step 3

Allowing ACE vlan specific traffic to be directed towards ACE

svclc multiple-vlan-interfaces
svclc module 3 vlan-group 100

svclc vlan-group 100 310-312

-------------------STEP 4 (FWSM)-------------------------------

SVI on the ACTIVE Context of the FWSM

ACE Client Side VLAN configuration on FWSM
int vlan 310
nameif AceA
description ACE Context A- Client Side VLAN
ip address x.x.x.x 255.255.255.0 standby x.x.x.x
security-level 50
no shut

access-list acl-AceA extended permit ip any any
access-list acl-AceB extended permit ip any any

access-group acl-AceA in interface AceA

route AceA x.x.x.x x.x.x.x x.x.x.

STEP-6 (Routing for ACE on the MSFC)-----------------------
ip route x.x.x.x (server ip range behind ace) mask X.X.X.X (FWSM outside interface)

Regds
Nitin

On Mon, Apr 6, 2009 at 11:29 AM, Tomi Amao <tomiground_at_hotmail.com> wrote:

> Hi,
>
>
>
> How do you force traffic to flow through the FWSM and then through the ACE
> module before hitting the application servers behind the ACE module?
> Thanks.
>
> Regards,
>
> Tomi
>
>
>
>
> > Date: Fri, 3 Apr 2009 10:00:10 -0400
> > Subject: Re: FWSM
> > From: m.a.cairns_at_gmail.com
> > To: mousawi.ali_at_gmail.com
> > CC: r.steeneken_at_gmail.com; ccielab_at_groupstudy.com
> >
> > Ali,
> >
> > Ali,
> >
> > VLAN 999 is not being trunked to the FWSM by the switch. Have you
> > configured anything on the switch to use vlan 999? An access port in
> > up/up status? Configured the VLAN and forwarded on a trunk?
> >
> > Check the following command (just like checking a trunk between
> > switches):
> >
> > Switch#sh firewall module 1 state
> > Firewall module 1:
> >
> > Switchport: Enabled
> > Administrative Mode: trunk
> > Operational Mode: trunk
> > Administrative Trunking Encapsulation: dot1q
> > Operational Trunking Encapsulation: dot1q
> > Negotiation of Trunking: Off
> > Access Mode VLAN: 1 (default)
> > Trunking Native Mode VLAN: 1 (default)
> > Trunking VLANs Enabled: 4-50,122,342-344,400-699,997,998
> > Pruning VLANs Enabled: 2-1001
> > Vlans allowed on trunk: 4-50,122,342-344,400-699,997-998
> > Vlans allowed and active in management domain: 4-26,28-30,32,36,39,122,342-344,401-405,410-411,415-416,418,500,600-609,997-998
> > Vlans in spanning tree forwarding state and not pruned: 4-26,28-30,32,36,39,122,342-344,401-405,410-411,415-416,418,500,600-609,997-998
> > Switch#
> >
> > Mark
> > #17755, Security
> >
> > On Fri, Apr 3, 2009 at 2:07 AM, Ali El Moussaoui <mousawi.ali_at_gmail.com> wrote:
> >
> > > firewall module 1 vlan-group 1
> > > firewall vlan-group 1 999-1001,1010,1017,1018,1020,2000
> > >
> > > The vlan I added was 999 and it is in the vlan database. (sh vlan br)
> > >
> > > Ali
> > >
> > > On Fri, Apr 3, 2009 at 7:13 AM, Robert Steeneken <r.steeneken_at_gmail.com> wrote:
> > >
> > > > Did you put the firewall vlan group to the FWSM module?
> > > >
> > > > firewall module X vlan-group X,X,X
> > > >
> > > > On Thu, Apr 2, 2009 at 5:21 PM, Ali El Moussaoui <mousawi.ali_at_gmail.com> wrote:
> > > >
> > > >> Hello Guys,
> > > >>
> > > >> I am new to this FWSM and when I configure a new vlan under the "xyz"
> > > >> context I see the following under sh int:
> > > >> "Available but not assigned from Supervisor"
> > > >>
> > > >> I added the vlan to the firewall vlan-group and allocated the vlan for
> > > >> the "xyz" context.
> > > >>
> > > >> What am I missing?
> > > >> Ali
> > > >>
> > > >>
Received on Mon Apr 06 2009 - 12:36:37 ART