configuring SVI between FWSM and MSFC?

I'm trying to configure the link between the MSFC and FWSM in a 6509. Using CatOS on the Sup3, I've created a number of VLANs and allocated them to the firewall, e.g.:

set vlan 320

set vlan 7-17

set vlan 7-17,320 firewall-vlan 8

VLAN 320 is to be the SVI.

On the FWSM I've configured:

nameif vlan320 outside security50

ip address outside 10.1.1.92 255.255.255.240

On the router module, I've configured:

int vlan320

ip address 10.1.1.82 255.255.255.240

no shut

The Sup3 and FWSM say vlan320 is up. The MSFC says vlan320 is down/down. Furthermore, in the examples in the Cisco documentation, a 'show int vlan320' lists "Hardware is EtherSVI". On my router module it describes vlan320 as "Cat6k RP virtual ethernet".

Any suggestions on why the SVI isn't working?

Reply to
dexx

Try placing a 6500 port into VLAN 320 and enable the port.

The MSFC will show a VLAN interface as down/down until there is at least one active port in the VLAN.

Reply to
Merv

Putting a physical port in the VLAN would be a normal practice. But this isn't a normal VLAN. It's an SVI link between two hardware modules. As such, the modules themselves should make it up/up. The main question I have is how to make this VLAN of type EtherSVI?

Reply to
dexx

Did you configure the MSFC (IOS) with the following commands:

firewall vlan-group firewall_group vlan_range

firewall module module_number vlan-group firewall_group

Reply to
Merv

Thanks again, Merv, for the reply. We are running Hybrid mode: CatOS on the Sup and IOS on the MSFC. Therefore the MSFC doesn't have a "firewall ..." command. I've used the equivalent commands in CatOS to assign the VLANs.

Reply to
dexx

What are the IOS version and CatOS version in use?

Reply to
Merv

Does interface VLAN 1 show as EtherSVI?

If so, and if you want VLAN 320 to also be EtherSVI, then I think you will need to configure the IOS command on the MSFC:

firewall multiple-vlan-interfaces

If the command does not take, you may need to upgrade the IOS version on the MSFC.

see Cisco doc:

formatting link

Reply to
Merv

We are running CatOS 8.4(5) on the Sup and IOS 12.2(17d)SBX10 on the MSFC. VLAN 1 exists on the Sup, but we have no vlan1 configured on the router. When I issue "set firewall multiple-vlan-interfaces enable" on the Sup, vlan320 on the MSFC goes from down/down to up/up. However, it's still of type "RP virtual ethernet". Giving IP addresses to vlan320 on the MSFC and the FWSM takes, but they can't ping each other. It's almost as if the vlan320 on the router is not the same vlan320 as on the firewall.

As a quick test, I created an "int vlan1" on the MSFC. This came up showing as type "RP virtual ethernet" rather than EtherSVI. There are only 3 VLANs currently configured on the router. None of them are of type EtherSVI.

Reply to
dexx

I am wondering whether only certain IOS streams support the FWSM.

I would suggest that you open a Cisco TAC case to find out.

Also, for the longer term you may wish to consider migrating to native mode IOS for the switch in question; it will simplify the configuration.

Reply to
Merv

Thanks again, Merv. I finally found what was missing. When assigning a VLAN to the FWSM module, you normally use the CatOS command "set vlan ## firewall-module #". However, if the VLAN is to be used as a link between FWSM and MSFC, you need to add an undocumented argument to the command, i.e. "set vlan ## firewall-module # msfc-fwsm-interface".

Reply to
dexx
