Guys
I would like to accomplish the following packet flow, [ 6509 > FWSM > Cisco
ACE Module > Server ]. What should my configuration be in order to have
VLAN 410 shared between module 4 (ACE LB) and module 1 (FWSM)? This is a
live environment and I have never done a configuration of this sort with
this many VLANs. I am concerned about the impact to other clients (VLANs) on
this 6509.
I require VLAN 410 to reside on both the FWSM and Cisco ACE LB; my current
configuration is as follows:
ndcbbnpendc0101#show run | i svc
svclc multiple-vlan-interfaces
svclc module 4 vlan-group 110
svclc vlan-group 110 9,14,72,110,115,185,189,210,211,221,223-225,281,305,356
svclc vlan-group 110 385,387
ndcbbnpendc0101#show run | i firewall
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1
firewall vlan-group 1 3,10-13,15,17,20-22,30,34,79-81,84,90-94,98-103,105-108
firewall vlan-group 1 122,123,150,186-188,192,200-203,205,207,209,226,229,238
firewall vlan-group 1 239,250-256,282-288,298-304,306-312,314,316-321,323,328
firewall vlan-group 1 330,331,350,400,401,408,410,415,417-421,423-426,428-435
firewall vlan-group 1 441,450-452,499-502,505,506,510-517,519,523,524,532,537
firewall vlan-group 1 540,599-620,631,633,725,909,1192,1209,2077,2079
firewall vlan-group 1 2100-2102
Cisco documentation states the following:

Figure 5. VLANs Shared Between Cisco Catalyst 6500 Series MSFC, Cisco
Firewall Services Module, and Cisco ACE Module

VLAN Names            Common names for Data Center VLANs   VLAN ID
Internet Facing VLAN  FWSM outside                         VLAN 10
DMZ VLAN              FWSM inside                          VLAN 20
DMZ VLAN              Cisco ACE client VLAN                VLAN 20
Private VLAN          Cisco ACE server VLAN                VLAN 30
In this example, intuitively, VLANs 10 and 20 need to be allocated to the
FWSM and VLANs 20 and 30 allocated to the Cisco ACE module. Due to the VLAN
group constraint, an additional VLAN group must be allocated for the shared
VLAN between the FWSM and Cisco ACE modules.
svclc multiple-vlan-interfaces
firewall module 1 vlan-group 3
firewall module 1 vlan-group 5
svclc module 2 vlan-group 5
svclc module 2 vlan-group 7
firewall vlan-group 3 10
firewall vlan-group 5 20
svclc vlan-group 7 30
Notice either firewall or svclc commands can be used to define a VLAN
group. However, the firewall command must be used to allocate VLAN groups
to a FWSM, and the svclc command must be used to allocate VLAN groups to a
Cisco ACE module. Once VLANs have been allocated to the module, the process
of virtualization and resource allocation can begin.
Each Cisco ACE module has a single virtual partition, created by default,
which is known as the Admin virtual partition. This partition is a member
of the default resource class. The default resource class has no defined
minimal resources, and is permitted to use any available resources. All
VLANs allocated to the module are accessible in the Admin virtual
partition. These default settings allow the Admin virtual partition to be
used when operating the Cisco ACE module in a traditional single-use and
single-purpose design.
In a virtualized configuration the Admin virtual partition is used to
create new virtual partitions and dedicate client and server VLAN traffic
to the appropriate virtual partitions (Figure 6). This way you can deploy
the Cisco ACE module in a single-use design and then add new virtual
partitions as needed.
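An added check (my own Python, not from the poster or from Cisco) that applies the Cisco pattern quoted above to the poster's config: it parses the vlan-group and module lines, adds a proposed change that moves VLAN 410 into its own group given to both module 1 and module 4, and reports which VLANs each module can see and whether any VLAN is left in two groups. It assumes VLAN group 2 is unused on this chassis and that `no firewall vlan-group 1 410` removes only VLAN 410 from group 1; both are assumptions, not taken from the post.

```python
import re
from collections import defaultdict

# Constructed excerpt of the poster's "show run" (wrapped lines joined).
CURRENT = """
svclc module 4 vlan-group 110
svclc vlan-group 110 9,14,72,110,115,185,189,210,211,221,223-225,281,305,356
firewall module 1 vlan-group 1
firewall vlan-group 1 330,331,350,400,401,408,410,415,417-421,423-426,428-435
"""

# Proposed change per the Cisco pattern: VLAN 410 moves from group 1 to a new group 2 (assumed unused) given to both modules.
PROPOSED = """
no firewall vlan-group 1 410
firewall vlan-group 2 410
firewall module 1 vlan-group 2
svclc module 4 vlan-group 2
"""

def expand(spec):
    """'9,14,223-225' -> {9, 14, 223, 224, 225}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse(config):
    """Return ({group: vlans}, {(command, module): groups}) from IOS-style lines."""
    groups, modules = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        m = re.match(r"(no )?(firewall|svclc) vlan-group (\d+) (\S+)$", line)
        if m:
            neg, _, grp, spec = m.groups()
            vlans, g = expand(spec), int(grp)
            groups[g] = groups[g] - vlans if neg else groups[g] | vlans
            continue
        m = re.match(r"(no )?(firewall|svclc) module (\d+) vlan-group (\d+)$", line)
        if m:
            neg, cmd, mod, grp = m.groups()
            action = modules[(cmd, int(mod))].discard if neg else modules[(cmd, int(mod))].add
            action(int(grp))
    return groups, modules

def vlan_view(config):
    """Which VLANs each module can see, plus any VLAN wrongly placed in two groups."""
    groups, modules = parse(config)
    seen = {m: set().union(*(groups[g] for g in gs)) for m, gs in modules.items()}
    clashes = {v for a in groups for b in groups if a < b for v in groups[a] & groups[b]}
    return seen, clashes
```

Expect a brief interruption on VLAN 410 while it moves between groups, so enter the four proposed lines together in a maintenance window and re-run the check on the real `show run` output afterwards.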
Received on Fri Aug 10 2012 - 11:41:42 ART