configuring SVI between FWSM and MSFC?

Discussion in 'Cisco' started by dexx, Nov 2, 2005.

  1. dexx

    dexx Guest

    I'm trying to configure the link between the MSFC and FWSM in a 6509.
    Using CatOS on the Sup3 I've created a number of VLANs and allocated
    them to the firewall, e.g.

    set vlan 320
    set vlan 7-17
    set vlan 7-17,320 firewall-vlan 8

    vlan 320 is to be the SVI

    On the FWSM I've configured:
    nameif vlan320 outside security50
    ip address outside 10.1.1.92 255.255.255.240

    On the router module, I've configured:
    int vlan320
    ip address 10.1.1.82 255.255.255.240
    no shut

    The Sup3 and FWSM say vlan320 is up. The MSFC says vlan320 is
    down/down.
    Furthermore, in the examples in the Cisco documentation, a 'show int
    vlan320' lists "Hardware is EtherSVI". On my router module it describes
    vlan320 as "Cat6k RP virtual ethernet".

    Any suggestions on why the SVI isn't working?
     
    dexx, Nov 2, 2005
    #1

  2. dexx

    Merv Guest

    Try placing a 6500 port into vlan 320 and enable the port.

    The MSFC will show a vlan interface as down/down until there is at least
    one active port in the VLAN.
     
    Merv, Nov 2, 2005
    #2

  3. dexx

    dexx Guest

    Putting a physical port in the vlan would be a normal practice. But
    this isn't a normal vlan. It's an SVI link between two hardware modules.
    As such, the modules themselves should make it up/up. The main
    question I have is how to make this vlan of type EtherSVI?
     
    dexx, Nov 4, 2005
    #3
  4. dexx

    Merv Guest

    Did you configure the MSFC (IOS) with the following commands:

    firewall vlan-group firewall_group vlan_range

    firewall module module_number vlan-group firewall_group
     
    Merv, Nov 4, 2005
    #4
  5. dexx

    dexx Guest

    Thanks again Merv for the reply. We are running Hybrid mode; CatOS on
    the Sup and IOS on the MSFC.
    Therefore the MSFC doesn't have a "firewall ..." command. I've used the
    equivalent commands in CatOS to assign the vlans.
     
    dexx, Nov 7, 2005
    #5
  6. dexx

    Merv Guest

    What is the IOS version and CatOS version in use?
     
    Merv, Nov 7, 2005
    #6
  8. dexx

    dexx Guest

    We are running CatOS 8.4(5) on the Sup and IOS 12.2(17d)SBX10 on the
    MSFC.
    Vlan 1 exists on the Sup. But we have no vlan1 configured on the
    router.
    When I issue "set firewall multiple-vlan-interfaces enable" on the Sup,
    vlan320 on the MSFC goes from down/down to up/up. However it's still of
    type "RP virtual ethernet". Giving IP addresses to vlan320 on the MSFC
    and the FWSM takes, but they can't ping each other. It's almost as if
    the vlan320 on the router is not the same vlan320 as on the firewall.

    As a quick test, I created an "int vlan1" on the MSFC. This came up
    showing as type "RP virtual ethernet" rather than EtherSVI. There are
    only 3 vlans currently configured on the router. None of them are of
    type EtherSVI.
     
    dexx, Nov 8, 2005
    #8
  9. dexx

    dexx Guest

    Thanks again Merv. I finally found what was missing. When assigning a
    vlan to the FWSM module, you normally use the CatOS command "set vlan
    ## firewall-module #". However, if the vlan is to be used as a link
    between FWSM and MSFC, you need to add an undocumented argument to the
    command, i.e. "set vlan ## firewall-module # msfc-fwsm-interface".
     
    dexx, Nov 9, 2005
    #9