Cisco Firewall :: 6513 Switch - Multicast Inside A Single VLAN In FWSM
Dec 6, 2009
I am trying to make the multicast working between few hosts inside a single vlan. Host are running mysql cluster and Multicast is used to send master/slave status information to the IP 228.10.10.10 on port 45566.The vlan is defined in FWSM and the host are connected via the core-switch(6513). (hosts-->core-sws--->fwsm)I have tried searching the documentation, but couldn't find specific info to enable multicast between hosts residing in same vlan. FWSM is running code 3.1(4). since the hosts are residing in the same vlan, I am thinking of applying the <multicast-routing> just for that SVI in FWSM.
View 6 Replies
ADVERTISEMENT
Nov 7, 2012
My corporate internal network is currently fire walled by an FWSM module on a 6513 switch. We have each security zone (we have eight) assigned to a FWSM context and have ACLs set up between the contexts and the enterprise LAN/WAN. Is it possible to support fire walling between these zones within a single security context? The reason I am asking is that we would like to purchase a second FWSM for use as a standby, but do not want to cough up the ~ $12K for the context license. We will ultimately be transitioning to ASAs for internal security, so do not want to spend more than we need to.
View 3 Replies
View Related
Sep 3, 2012
I am working on Multicast scenario, There is one 6513E switch one 2960 switch. Two VRF's are configured in core switch (6513) IPTV-SRV and Villa-VRF IPTV-SRV vrf has IPTV server and Villa-VRF has IPTV i.e. client.
V LAN 30 is mapped to IPTV-SRV vrf with subnet address 192.168.30.0/24
V LAN 12 is mapped to Villa-VRF with sub net address 192.168.12.0/24
I did the following configuration for VRF but its not working . i am not an expert in multicast design but seems i did most of the configs.
ip vrf IPTV-SRV
rd 30:1
mdt default 232.1.1.1
route-target export 30:1
route-target import 10:1
[code]...
View 3 Replies
View Related
Feb 5, 2013
I need your opinion regarding moving of IDSM -2 and FWSM Module from 7613 to 6513 chassis.Currently these two modules are in 7613 and we are not using either of them now we have to configure them in 6513 chassis. As you can see from the figure that traffic of all 3 core router i.e 7613 go to 6513 - to proxy ISA 2004 - 6513 - to Internet.
There are also some network attached with 6513 and we want to move both of modules to 6513 so that NetworkA/B/C/D/E which are attached to 6513 can also be configured for FWSM and IDSM -2.
I have a query regarding this migration:Do we need license for these two modules again for 6513 chassis?
View 2 Replies
View Related
Apr 18, 2013
As I am planning to deploy FWSM Module in 6513 chassis and need your valuable comments regarding the strategy that I create for this deployment.Initially (Without FWSM Deployment) all internal traffic moves in this manner.
7613(G9/5) --> 6513(G10/4) --> ISA (Internal Int.) [NATing] (ISA External Int.) -->
6513(G9/45){This is L2 port in VLAN 164} --> VLAN 164(SVI Int,IP:192.168.40.20) -->
(G9/44){This is L2 port in VLAN 164}--> ASR 1002 -->Router -->Internet.
As you can see from the Image that I am planning to deploy FWSM in transparent mode in between VLAN 164(SVI Int,IP:192.168.40.20) -[FWSM here]->(G9/44){This is L2 port in VLAN 120}By putting Inside interface of FWSM in VLAN 164 and create a new VLAN on 6513 i.e VLAN 120 and put G9/44 in it.know will this configuration will work regarding the passing of traffic through FWSM ? what improvement I have to made in this design. You can check the attached diagram.
View 3 Replies
View Related
Apr 24, 2012
Today i received FWSM from cisco (RMA), I need to configure it as standby unit for existing FWSM active/standby setup.
IOS on RMAed FWSM is 2.3.4 and cisco VSS supports FWSM IOS 4.0.4 and later.My issue is, I cannot access FWSM (IOS 2.3.4) via session command from cisco 6513 but could successfully consoled it without any problem. I have reloaded it twice and also tried to disable and enable power on it.
VSS#sh module switch 2
Switch Number: 2 Role: Virtual Switch Standby
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
2 6 Firewall Module WS-SVC-FWM-1 -----------
[code]....
why I cannot access FWSM through session command ?Whether this is because of older IOS ? If yes then how to upgrade its IOS ?Is it possible to upgrade IOS via FWSM console ? if yes, Do i need to test on different slot ?
View 2 Replies
View Related
Oct 29, 2012
We have a customer who has 4 x 'WS-SVC-FWM-1' modules installed within 2 x 6513 chassis. The FWSMs are all running version 3.1(16) with failover group 1 and 2 enabled.After a few recent planned and un-planned power outages the FWSMs have come up without a full configuration. Is this a common fault? If so it there any kind of workaround that can be implemented?
View 5 Replies
View Related
Aug 12, 2012
We have 6509 VSS with FWSM Module and we have created two context on it, one is INTERNALL CONTEXT othe is EXTERNALL Context? We have spanned various VLANS in switches and FWSM context level. All VLAN Gateways are configured in context level.
Activity description : We had planned migration of these devices into a new Datacenter, it was a planned activity. During migration of devices from one Dc to a new DC we broke the VSS and kept the primary running and removed the secondary switch and migrated this secondary to new DC and powered this device ON in the new DC and checked all the config was very much fine but this device was OFF network as secondary was brought to new DC just to limit the downtime during the primary switch movement.
During the activity ( Primary switch movement )We powered off the Primary switch and mean time before shifting into new Data center We had brought up secondary switch which was already existing in the DC was put live in the network and it was working fine without any issues.
Later we had moved Primary into new data center and tried to put into VSS with the secondary , during this period the secondary device into went into RECOVERY MODE and primary device was not responding and devices went off network and immediatly we removed the VSL link and brought up primary into production network without secondary online in the network ( Without VSS just stand alone switch ) network started working, but bringing up the primary we found that some of the VLANS in the FWSM was deleted and some VLAN had misconfiguration ( example : say original VLAN ip 10.200.112.1 has become 10.300.13.1 ) also some of the access list as well as SVI was deleted making configuration mismatch.
Wanted to know while syncronization b/n primary and secondary switch in VSS if we pull out VSL link would create this type of issues.
View 1 Replies
View Related
May 22, 2012
i have fwsm in cat6500, i have one firewall vlan group which is in firewall module 1 vlan group 10. I need tocreate another vlan group and add to firewall module 1 vlan group 10, 20. i need to have zero downtime.
View 2 Replies
View Related
Jan 29, 2012
Is it possible for me to create 2 vlan interfaces on the 6500 and have them both in the same subnet?
For a specific customer requirement I would like to have a vlan interface on the 6500 as default gateway, sat in it's own vrf, and then route all traffic inbound and outbound to this vlan through the FWSM interface, preferably in the same subnet. I don't think this will be possible so just looking for confirmation either way.
As I will be running EIGRP between a pair of central 6500's and 2 remote offices it will make things much easier for me advertise the connected FWSM interfaces in to EIGRP for access in/out of all my VRF'd subnets. If I need another subnet for each VRF FWSM next hop then I'll have to reditribute a list of statics which I don't really want to do.
The reason I am not just using the FWSM as gateway is because I need to run HSRP across 3 different devices (another 6500 in a second suite), and failover FWSM will only give me 1 level of redundancy for those gateways.
View 3 Replies
View Related
Mar 12, 2012
I would like to know if it is possible to assign a 3rd IP address to my end user vlan. Basically the 45xx acts as my end user gateway and has been confirgured as below
interface VlanXX
description Main Vlan
ip address 2.X.X.X 255.255.255.0 secondary
ip address 1.X.X.X 255.255.252.0
[Code].....
Here, due to IP address exhaustion in my end-user network, i want to add one more subnet X.X.X.X/22 to my network and assign one IP more from this range to the above vlan to act as the gateway IP.
View 1 Replies
View Related
Nov 11, 2011
I have FWSM v4.0 installed on Cisco 7609 router and when I want to configure FWSM services on it, VLAN traffic is not passing through the FWSM or not Reaching upto fwsm
View 1 Replies
View Related
Aug 8, 2012
i have been facing strange issue on FWSM (6509 switch). we have created a vlan inteface for server farm on fwsm and its stop responding automatically and we need to give shut/ no shut command under that interface to back into normal .
View 11 Replies
View Related
Dec 20, 2007
My company has acquired a Catalyst 6513 with a FWSM module installed on it. I have been reading lot of documentation on [URL], but still have some problems configuring the FWSM:
The 6513 has 10 SVIs configured, each of them with an IP address. These 10 SVIs are binded to 10 VLANs which I need to secure. These SVIs are used for routing all the Inter-VLAN traffic inside the switch. The documentation says it is recommended to use just one SVIs for connecting the switch to the FWSM, although you can use more than one using the command "firewall multiple-vlan-interfaces". I don't want to use this command because it seems a pretty more difficult configuration, since you have to use policy routing after using this command (or that is, at least, what documentation says).
When I try to "send" to the FWSM more than one VLAN that are configured as SVIs on the switch I get this error message:
"No more than one svi is allowed, command rejected."
If I delete the IP address of those SVIs, then I can to "send" those SVIs to the switch with no problem at all. But I need the SVIs to have IP address configured, since they are needed for routing Inter-V LAN traffic.
So, the question is: how can I route all the inter-VLAN traffic using just one SVI on the switch? Should I use the FWSM for inter-VLAN traffic routing?
View 15 Replies
View Related
Aug 1, 2007
I am running a network comprising of Catalyst 6513's with SUP7203B's. at present we have 800 VLAN's as we make use of a VLAN per access layer switch model.
I know have a problem that as soon as I enable multicast routing my SUP720's CPU runs at 100% and the system goes into a slowdown.where I can find information on the scalability of Multicast?
View 15 Replies
View Related
Mar 21, 2011
This issue is a bit confounding for me, but hopefully simple for one of you. I have two sites, one in Alaska and one in California, connected via 10mb QinQ service from an ISP in Alaska. The ISP is utilizing Verizon from Seattle south who is delivering the circuit on a DS3 here in California. The ISP gear on site here is a Tasman. The Tasman is directly connected to a Cisco 3845 G0/1 with a routing sub interface. In Alaska, the ISP is directly connected to a 6513 which in turn is connected to a 7206 with a routing sub interface. I cannot seem to get the 7206 and 3845 to come up as neighbors.
The 7206 receives the 3845's Hello and the 7206 shows the 3845 as a neighbor until the hold time expires. It does not see updates from the 3845 since the 3845 never sees a Hello from the 7206 and comes up as a neighbor to send an update. The 3845 does see EIGRP updates from the 7206, but no Hello. Pinging 224.0.0.10 from the 7206 does not get a response from the 3845, but it does get a response from many other sites/neighbors, including another site here in California with a nearly identical setup (same provider and gear). I am ableto ping between the devices' routing interfaces. Being QinQ, I don't believe the ISP could possibly be the issue (the circuit is clean and stable) as they don't filter any of our packets. There are no ACLs applied to these interfaces. The 3845 does have other EIGRP neighbors from sites over a TLAN around here in SoCal.
Why the Hellos may not be reaching the 3845? I have verified they're being sent from the 7206.
View 6 Replies
View Related
Aug 15, 2011
I am having FWSM in active /standby mode deployed on two different cat 6k chassis. Unable to access the fwsm module from switch using ' session module mod_no processor 1 ", it throws error " % telnet connections not permitted from this terminal" Running Version 3.2.6 on fwsm, Cat 6k is running 12.2.33.SXH1,
switch#session slot 3 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
% telnet connections not permitted from this terminal
---------------------------------------------------------------------------
have allowed telnet on line vty, configuration on Line vty is simple allowing all transport protocols
line vty 0 4
exec-timeout 5 0
transport input all
transport output all
line vty 5 15
exec-timeout 5 0
transport input all
transport output all
View 3 Replies
View Related
Jun 17, 2012
It is my understanding that the FWSM for the 6500 series switches uses a 6 port Etherchannel on the backplane to communicate with the 6500 series switch.Can you shutdown vlan1 on the switch and still communicate with the FWSM? I was under the impression that you could not (although I am looking at a config with it shutdown)
View 1 Replies
View Related
Mar 6, 2011
We have a client wanting us to support multicast across our network(They have multiple tails in single vrf, connected to our P/PE's(All 7200's)
(Customer is running there own RP)
As we are only providing multicast support to a single customer, On our P/PE routers is it still necessary to enable multicast routing globally, MP-BGP Loop Interfaces and tag-switching/mpls interfaces? (I'm guessing it would be as the client has tails terminating on multiple P/PE's?)
i.e.
Loop0 is MP-BGP loop
Router-PE1(config)#ip multicast-routingRouter-PE1(config)#interface Loopback0Router-PE1(config-if)#ip address 10.0.0.2 255.255.255.255Router-PE1(config-if)# [ code].....
Or, is it sufficient to enable it only within the vrf, and all Interfaces in that vrf?
Router-PE1(config)#ip multicast-routing vrf NetworkARouter-PE1(config)#ip vrf NetworkARouter-PE1(config-vrf)#rd 100:1Router-PE1(config-vrf)#route- [ code]...
Also, is the MDT default IP an address that we (client+provider) agree on?
View 3 Replies
View Related
Apr 23, 2012
I am connecting the inside interface to an upstream switch and therefore will need to assign a static IP address to the inside address as I did below:
#sho int ip brief
Vlan1 123.123.123.123 YES manual up up
I will also use this to manage the ASA. I am having a problem with the network configuration of the inside interface as I can't ping the gateway and/or the in IP of the inside interface.Do I need to add any routes?
View 3 Replies
View Related
Apr 6, 2011
I have a pair of 5505's in transparent mode and connected them to C2960S. The inside interface (which is VLAN5 on the switchport) keeps dropping, going in to error state. There is no log reference in the switch and the interface shows as UP. The standby ASA has no problem, both interfaces on the switch is up. As soon as I failover the units over, the active node inside interfaces drops.
View 2 Replies
View Related
Jan 10, 2012
Between our hosting and a customer we have an extended vlan, traveling on a fiber, between two cisco 3560 switches.The thing is, that we want to create one or more vlans inside that extended vlan, in some way if possible?
View 3 Replies
View Related
Apr 22, 2013
Actually I am new to this ASR , in my environment my 6513 is connected ASR , I want to know how can we access and configure VLAN on Gigabit interface which is connected to 6513.
View 9 Replies
View Related
Nov 8, 2011
Currently we have a 6513 core (running IOS and doing limited routing) with VLAN Trunking to about a dozen 3560 edge switches, with various VLANs going to each of the edge switches. All works well. We are downsizing and replacing the 6513 core with a 3750G stack. We have the stack up and running in the lab, and want to slowly (as we move floors) migrate all of the edge switching to the 3750 stack.
The plan is to connect the 3750 stack to the 6513, then slowly migrate the edge switches to the stack (from the 6513). I would like to put in place 4 x 1GB trunk links between the 6513 and the 3750 stack before I start moving edge switches to ensure adequate bandwidth. Once all of the edge switches are on the new 3750 stack, I will start to decommission the 6513.
What is the best way to configure the links between the cores (old 6513 and new 3750 stack)? I can easily get the edge switches configured to the 3750, but am worried about the core links. I really want to avoid having to perform an all-at-once cutover of the cores. Another question is when do I try and migrate the VTP server role from the 6513 to the 3750 stack? I could simply make everything transparent, and ditch server-based VTP, as we rarely change or creat VLANs.
View 3 Replies
View Related
May 10, 2013
I want to use Multicast TV VLAN with my SG300-10 to join Multicast Groups in different Data VLAN's. It's working fine, but the problem is that it isn't possible to add all the Multicast Groups to the Multicast VLAN because each TV channel use other groups. For me it's only to handle if I can use wildcards to add a specific range of multicast traffic to the Multicast TV VLAN. Is that possible with that Switch?
View 1 Replies
View Related
Oct 28, 2012
I'm trying to configure multicast between 2 VLANs on a Cisco 886VA running IOS 15.2 (3) T1 (advanced security). While I can set the global "ip multicast-routing" I cannot "ip pim sparse-mode" on my interfaces - ip pim is actually unknown and also doesn't appear in the interface's ip subcommand list when using "?".
The feature navigator says pim is supported on my platform and IOS version.
My config looks like this:
interface FastEthernet3
switchport access vlan 103
no ip address
[Code].....
View 2 Replies
View Related
Dec 12, 2012
is it possible to multicast between 2 different SSID's that are associated to 2 different VLAN's?
View 2 Replies
View Related
Feb 20, 2012
We have 2 6513 switches with SUP720/PFC3A and various POE modules and a 6748-GE-TX facing our servers. Additionally, we have a 4Gbps portchannel trunk interconnecting the switches. We have approximately 300 Nortel IP 1140e phones in use between the two switches.For the purpose of call recording, we've attempted to mirror the voice vlan using various approaches and have been met with limited success. We mirrored the VLAN using tx, rx, and both. When using both we appear to get duplicate packets at the destination interface.We seem to lose packets completely going in one direction or another for a given call. Packets are lost before they get to the destination interface?
View 2 Replies
View Related
Oct 31, 2012
I need to create a DMZ Vlan. Core switch is a 6509. FW is an ASA5520. Need to create a VLAN for DMZ purposes for outside facing servers. NAT is used on ASA.
View 7 Replies
View Related
Aug 22, 2011
I would like to push route for admin services (Vlan20) to bypass the firewall via an other connection (CSI to CSE). So my first choice was to create a route-map in (CSI) but I don't know how to do it. On my Firewall ASA, I don't have any Context License, that is why I would like to do it like this.
I have included some part of my initial configuration CSI and CSE and diagram.
CSI configuration (Switch L3 3750) {
interface GigabitEthernet1/0/1
description To ASA
no switchport
[Code]....
View 1 Replies
View Related
Oct 29, 2012
we have a chassis 6513-E and a module WS-X6748-GE-TX, I'd like to know if could I put this module in any slot, since the documentation from Cisco says that any slot from a chassis 6500-E Series can support this module. And then in the documentation of WS-X6748-GE-TX says that this module is not compatible in the slots 1-8 of the 6513 chassis, only from 9th to 13th slots, in those slots from the 6513-E we already have 4x WS-X6748-GE-TX, and we'd like to know if could we put the module in the rest of the slots. The 6513, and 6513-E is kind of confusing.
View 4 Replies
View Related
Apr 28, 2012
We have Communication Media Module (WS-SVC-CMM) mounted on 6513 switch. It went down twice and we brought it up by applying "power enable module".
View 4 Replies
View Related
Mar 20, 2013
Need your expert input in sorting out the below problem.I have a cisco 6513 switch which is going into SP mode after a reboot whci i have done during BCP activity in my organization.Below are the log for your reference.
Code...
View 1 Replies
View Related
