GroupStudy.com GroupStudy.com - A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
RE: 6500 firewall module [7:95519] posted 12/27/2004
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]


The FWSM can speak full OSPF with your DMZ router and the MSFC, no problem 
here. You can however have more than one MSFC  FWSM connection if you 
use "firewall multiple-vlan-interfaces". This enables some neat designs, 
for instance you can carve out VRFs on your MSFC, and have an "Internet" 
VRF talking BGP "on top" of the MSFC, a "Private" VRF talking OSPF with a 
bunch of routers hooked in a DMZ off the FWSM, and so on...

Have fun, go wild :)

JF



At 27/12/2004, DW wrote:

>JF/Greg,
>
>Thanks for your input. I have one quick question for you though. I
>understand that a single VLAN connects the MSFC and the FWSM so I'm
>assuming an OSPF adjacency can be formed over that VLAN connecting the
>two devices. Would there be any problems with a router (primary DMVPN
>hub) on a outside(DMZ) FWSM interface and a router on an inside MSFC
>interface passing routing protocol (OSPF) reachability information
>between each other. If anything went down at the primary site that
>prevented connectivity to an internal subnet, I want the remote sites to
>use the backup DMVPN hub located at different site (which has a backdoor
>to the subnets at the primary). I know that the FWSM supports OSPF and I
>don't think this would be a problem, but I don't have experience with
>the FWSM and understand it has some limitations.
>
>Thanks,
>dave
>
>
>From: Jean-Francois Vaillancourt [mailto:hans@xxxxxxx]
>Sent: Thursday, December 23, 2004 9:05 PM
>To: DaveW; cisco@xxxxxxxxxxxxxx
>Subject: Re: 6500 firewall module [7:95519]
>
>I have recently installed several of them beasties, and they can be
>quite
>deceptive. Just enough like a PIX that you get confident and then some
>difference or nonfeature bites you. Quite a bit more buggy than PIXes,
>too.
>
>The FWSM is better than a standalone PIX if you need 4.7 Gbps, lots of
>interfaces, and/or many security contexts. But, you lose IDS, VPN (and
>the
>VPN module is Alien Technology incarnate), the features typically lag
>behing those of a PIX. I like the FWSM quite a bit, but would strongy
>advise you to research their limitations thoroughly before investing
>time &
>money. You should be able to arrange some play time in the lab with your
>
>local Cisco office and see if it fits your needs.
>
>Cheers,
>
>JF #11874
>
>At 22/12/2004, DaveW wrote:
> >Does anyone have any experiences they can share with the Cisco Firewall
> >Services Module for the 6500? I'm thinking about using the firewall
>module in
> >place of  two PIX 535s needed for gigabit throughput. Originally I was
> >planning on placing the two 535s in front of a 6509. Any pros/cons on
>the
> >firewall module in place of a PIX?
> >
> >Dave




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=95581&t=95519
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html