Configuring SVI between FWSM and MSFC?

Discussion in 'Cisco' started by dexx, Nov 2, 2005.

    dexx Guest

    I'm trying to configure the link between the MSFC and FWSM in a 6509.
    Using CatOS on the Sup3 I've created a number of VLANs and allocated
    them to the firewall, e.g.

    set vlan 320
    set vlan 7-17
    set vlan 7-17,320 firewall-vlan 8

    vlan 320 is to be the SVI

    On the FWSM I've configured:
    nameif vlan320 outside security50
    ip address outside

    On the router module, I've configured:
    int vlan320
    ip address
    no shut

    The Sup3 and FWSM say vlan320 is up. The MSFC says vlan320 is
    Furthermore, in the examples in the Cisco documentation, a 'show int
    vlan320' lists "Hardware is EtherSVI". On my router module it describes
    vlan320 as "Cat6k RP virtual ethernet".

    Any suggestions on why the SVI isn't working?
    dexx, Nov 2, 2005

    Merv

    Try placing a 6500 port into vlan 320 and enable the port.

    The MSFC will show a vlan interface as down/down until there is at least
    one active port in the VLAN.
    Merv, Nov 2, 2005

    dexx Guest

    Putting a physical port in the vlan would be a normal practice. But
    this isn't a normal vlan. It's an SVI link between two hardware modules.
    As such, the modules themselves should make it up/up. The main
    question I have is how to make this vlan of type EtherSVI?
    dexx, Nov 4, 2005

    Merv

    Did you configure the MSFC (IOS) with the following commands:

    firewall vlan-group firewall_group vlan_range

    firewall module module_number vlan-group firewall_group
    Merv, Nov 4, 2005

    dexx Guest

    Thanks again Merv for the reply. We are running Hybrid mode; CATOS on
    the Sup and IOS on the MSFC.
    Therefore the MSFC doesn't have a "firewall ..." command. I've used the
    equivalent commands in CATOS to assign the vlans.
    dexx, Nov 7, 2005

    Merv

    What is the IOS version and CATOS version in use?
    Merv, Nov 7, 2005

    Merv

    Merv, Nov 7, 2005

    dexx

    We are running CATOS 8.4(5) on the Sup and IOS 12.2(17d)SBX10 on the
    Vlan 1 exists on the Sup. But we have no vlan1 configured on the
    When I issue "set firewall multiple-vlan-interfaces enable" on the sup,
    vlan320 on the MSFC goes from down/down to up/up. However it's still of
    type "RP ethernet". Giving IP addresses to vlan320 on the msfc and the
    fwsm takes, but they can't ping each other. It's almost as if the vlan320
    on the router is not the same vlan320 as on the firewall.

    As a quick test, I created an "int vlan1" on the msfc. This came up
    showing as type "RP virtual ethernet" rather than ethersvi. There are
    only 3 vlans configured on the router. None of them are of type ethersvi.
    dexx, Nov 8, 2005

    dexx Guest

    Thanks again Merv. I finally found what was missing. When assigning a
    vlan to the fwsm module, you normally use the CatOS command "set vlan
    ## firewall-module #". However, if the vlan is to be used as a link
    between FWSM and MSFC, you need to add an undocumented argument to the
    command, i.e. "set vlan ## firewall-module # msfc-fwsm-interface".
    dexx, Nov 9, 2005
