Cisco Security :: Mini Data Center Design Of 6500 With FWSM
Mar 2, 2012
I have some doubts about the best solution for the design of a mini data center. In the data center there is a 6500 with an FWSM module installed, and there are some VLANs created, all of them in the FWSM module. For example, a back end server communicating with a server in the front end must always pass through the firewall. My question is, does all this traffic passing through the firewall degrade the speed of communication? What is the best practice: only pass the communications with the WAN through the firewall, and set up the VLAN communication between front end and back end only on the 6500?
Apr 8, 2013
I have a Cisco 6500 with FWSM and ACE modules in one central DC. We also have four different data centers (hub and spoke), and in the central DC FWSM we have configured four contexts, one for each DC. Each DC's servers are in a different VLAN and IP subnet. Now we have to configure the ACE module for load balancing among those servers in different subnets. What will be the design and configuration for this solution, e.g. a routed or one-arm mode design?
Scenario Example:
1. App Server01
IP:192.168.11.5/24
GW: 192.168.11.1 in FWSM
FWSM Context: DC1
Physical Location:DC1
VLAN:11
[code].....
Now the customer requirement is that we have to load balance, using the ACE, between these App Servers, which are in different contexts in the FWSM, and one server is not in the FWSM. How do we configure, design or place the ACE and FWSM for the above scenario?
Feb 26, 2012
What is the list of requirements for setting up a data center for either a university or a government?
Mar 9, 2007
How to configure the FWSM module in a Cisco 6500 core switch?
Jul 2, 2011
We are in the middle of deploying WiSM2s on our network; from a design point of view I am confused about where to position the WiSM2s. We have 2 DCs, and from a best practice architecture view the WLC should not be placed on the Data Center segment, but it seems that is the only option I have.
The DCs host 6509s; I am planning to host 1 WiSM in each DC, and all clients will be on a separate subnet. Do you foresee any issues with this deployment or any security issues? Authentication follows the Cisco recommendations: clients are authenticated against AD through ACS, so it is fairly secure.
Feb 22, 2012
How to trace firewalls and load balancers placed in a data center.
Oct 21, 2011
We have had this issue for a long time in our enterprise. I don't work all the time in networking. I did a CCNA a while ago. We used to have a network manager who set everything up, but he left the company. Basically we have this issue that if you connect to the Cisco L2TP Remote Access VPN you can't access any resources at our Data Center, and the same happens if you connect directly to the LAN.
Apr 4, 2011
We are planning to purchase an ASA 5505 for a VPN solution for one of our offices. The office has 50-60 users at peak load who would be connecting over the S2S VPN to the datacenter.
From a hardware standpoint, can the ASA 5505 handle this load? The licence is for unlimited inside hosts, but what is the actual limit on this platform?
Jan 11, 2012
Any recommendations for a top of rack switch for within our data centre? Dual power is a requirement, but bandwidth and throughput will not be huge, as such I have been looking at the WS-C3560X-48T-L and the Nexus 3048.
Nov 4, 2012
We will be moving to a new data center in the very near future, and with that our WAN IP addresses will be changing. Any best course of action for changing the IP addresses throughout the firewall configuration? Would it be possible/suggested to export the running-config, make the necessary changes, then import the config? I am familiar with the ASA 5510 only so far as changes are required. It is not something I work with on a regular basis.
Oct 11, 2012
We have a backup data center where I am now planning to provide backup internet service (in the case where there is an internet outage or power outage at the main server room). I have a pair of Cisco ASA 5540s, one of which I need to move to the backup data center (BDC). Presently I have an ADSL router at the disaster server room with a static public IP from the ISP.
Currently, I am publishing all my internal resources through the ASA. Now my question: if I move the standby ASA to the disaster server room, how can I publish the same internal resources through the standby ASA and make the standby active during the downtime of the main server room?
Apr 17, 2012
Is it possible to run HSRP on two routers (not L3 switches) connected to an L2 switch? If so, do the two routers need a back to back connection?
I know that if we use two L3 switches (instead of routers) and connect them to a LAN switch, then we need a back to back connection between the L3 switches.
Also, can we use HSRP with VSS on a 6500?
design
1800 router 1800 ROuter
| |
| |
|---------- L2 switch-------------------------------|
If the above design is acceptable, how do the routers know which one is active and which one is standby? If we need a direct connection between the two routers, they have to be on a separate subnet, and routers don't forward broadcasts, so how will HSRP work on routers?
L3 switch --------------------------l3 switch
| |
| |
|---------------L2 switch---------------|
Aug 14, 2011
We have a pair of 6500s with Sup720 running 12.2(33)SXI3. Each has an ACE-20 (s/w A2(2.0)) and FWSM (s/w v3.2(15)). We have reached a limit on the number of rules we can configure on the FWSM, and have determined that we shall upgrade to 4.1(5), with ASDM to 6.2(2)F. A question has been raised regarding the s/w on the ACE-20 modules. Do we need to upgrade them as well?
Feb 3, 2012
I have had a strange issue with a pair of FWSMs in two 6500s; it seems there was a failover, but both modules have been reset.
CAT1
Feb 03 17:08:46.525: %SNMP-5-MODULETRAP: Module 8 [Down] Trap Feb 03 17:08:46.522: SP: The PC in slot 8 is shutting down. Please wait ...Feb 03 17:09:01.525: SP: shutdown_pc_process:No response from module 8 Feb 03 17:09:11.382: %C6KPWR-SP-4-DISABLED: power to module in slot 8 set off (Reset) Feb 03 17:10:56.093: %DIAG-SP-6-RUN_MINIMUM: Module 8: Running Minimal Diagnostics...Feb 03 17:10:59.796: %SVCLC-5-FWVTPMODE: VTP
[Code]...
Dec 20, 2012
We run a 6500 with an FWSM with multiple security contexts as well as cascading contexts with a "shared VLAN". There is a problem with regards to Linux machines and our shared network.
For example, we have three Linux machines in production, each in three separate VLANs. For me to communicate with these boxes from one VLAN to another I must first ping the server. If I do not ping the server it will not bring up a connection like SSH or HTTP, etc. Below is the error I get from the FWSM that hosts the Linux server, but like I said, once I ping the server the error goes away. We only have this problem with Linux machines, and it is a problem for all three of them. Is the FWSM having issues understanding something with all three Linux boxes? Below is the error I get at first, when I try to SSH from one VLAN to another VLAN with the Linux machine.
6 Dec 21 2012 16:33:54 106015 10.255.12.109 22 10.255.1.30 63000
Deny TCP (no connection) from 10.255.12.109/22 to 10.255.1.30/63000 flags SYN ACK on interface inside.
Below is what happens when I initiate a ping to the Linux Server and then ssh again. Notice it builds the connection with no problem after the ping. During the ping it builds the dynamic translation, and then when I ssh it builds the TCP connection. Do you know why this could be?
6 Dec 21 2012 16:35:08 305009 10.255.12.109 10.255.12.109
[Code]....
Oct 8, 2012
Lucien is a customer support engineer at the Cisco Technical Assistance Center. He currently works in the data center switching team supporting customers on the Cisco Nexus 5000 and 2000. He was previously a technical leader within the network management team. Lucien holds a bachelor's degree in general engineering and a master's degree in computer science from Ecole des Mines d'Ales. He also holds the following certifications: CCIE #19945 in Routing and Switching, CCDP, DCNIS, and VCP #66183
Feb 21, 2013
I have a problem to solve in our data center, see attached drawing. HW: our core switches consist of two stacked C3750s with IP routing. What I want to do is probably simple, but I haven't been able to figure out the best method.
VLAN10 and VLAN20 should not be able to communicate with each other (ACLs?). VLAN10 will have its own default route/firewall. Both VLAN10 and VLAN20 should be able to send server backups to a server in VLAN30. All 3 VLANs come in on a trunk from a pair of stacked C2960-S. I need it to be able to scale if we have 50 VLANs, for instance, hopefully without long complicated ACLs. I've been considering VRFs and PBR but can't decide what's the simplest solution to this problem. I have never done this before, so I would prefer to start off on the right foot.
Aug 29, 2012
There is a 6500 switch with an FWSM. We have extended 2 VLANs from the ISP into the FWSM. Also there are at least 10 other VLANs for our internal network. We would like, say, half of the internal VLANs to go out via the 1st ISP VLAN and the remaining half via the 2nd ISP VLAN. Is there a way we can do this in the FWSM?
Oct 23, 2012
Firstly, is this the right forum to post threads about FWSMs? We have 2 FWSMs in two separate 6500 switches. There are a number of contexts on each FWSM. I want to fail a context over from one FWSM to the other 6500 and FWSM. Can you tell me how I can do that? Do I need to do it in the admin context, and do I need to do it on the admin context of each 6500?
Jan 3, 2013
We are thinking of introducing ASAs into our setup instead of using the FWSM for our firewalls with our 6500. Currently we use multiple contexts with the FWSM, as we provide hosting services for multiple clients and want them behind their own firewall. My question is how we can make this happen with an ASA, since with the FWSM we use the backplane of the 6500 and SVIs for all interfaces between them. For example, if we have 20 clients, what will be the ideal setup for us to use with an ASA? If we can in fact use multiple contexts, how can we? Is there a way we can maybe bundle all the ports in the ASA into the 6500 as a layer two trunk port and continue to use SVIs to manage all the clients?
Dec 3, 2012
I have just joined a networks team and will be working on two FWSMs, version 4.0(8), in two 6500 routers. Now the FWSMs seem to be virtualised with multiple contexts. The server team want a new context set up for a group of servers behind a VLAN. [code]
This context just seems to have two VLANs and a BVI interface. What is the function of this context, and why do we have 2 admin contexts?
Also, another important question is on which 6500 do I create the new context? Is the admin context active on one 6500 just like the other contexts, and will it sync across, or do I have to create the new context on both 6500s?
Jan 29, 2012
Is it possible for me to create 2 VLAN interfaces on the 6500 and have them both in the same subnet?
For a specific customer requirement I would like to have a VLAN interface on the 6500 as the default gateway, sat in its own VRF, and then route all traffic inbound and outbound to this VLAN through the FWSM interface, preferably in the same subnet. I don't think this will be possible, so I am just looking for confirmation either way.
As I will be running EIGRP between a pair of central 6500s and 2 remote offices, it will make things much easier for me to advertise the connected FWSM interfaces into EIGRP for access in/out of all my VRF'd subnets. If I need another subnet for each VRF FWSM next hop, then I'll have to redistribute a list of statics, which I don't really want to do.
The reason I am not just using the FWSM as the gateway is because I need to run HSRP across 3 different devices (another 6500 in a second suite), and failover FWSM will only give me 1 level of redundancy for those gateways.
Feb 24, 2011
I need to remove an FWSM from a production 6509. This FWSM is a standby. What's the best way to remove it without powering down the switch or impacting anything?
Jan 19, 2011
I had a problem with an FWSM in a 6500 because the FWSM primary changed to standby and then went back to active.
Mar 26, 2012
I'm having problems getting FTP to work through two FWSM virtual contexts which are connected via a VRF. All this is configured on a 6500 switch with the FWSM running 3.1(4).
CLIENT-----CONTEXT_1-------VRF------CONTEXT_2--------FTP_SERVER
At the moment we can make the control connection but when we issue commands the connection times out.
Looking at the logs we can see the initial connection made to the server on port 21 from the client, this is also seen on the second firewall context (nearest the FTP server). The data channel is then seen on the first context, made using high src & dst port numbers and initiated from the client, successfully passing the ACL/Inspection, then on the second context we see the connection being denied by the incoming ACL on the second contexts interface connected to the VRF instance.
The rules are identical on the contexts and have been made by copying and pasting the rule using CSM; we are using the predefined service group 'FTP-Group', which contains both TCP 20 and 21. FTP inspection is at the default on both contexts.
We have tested with Win XP (capable of Active FTP only) and Firefox 3.6.12, which are the connections we are seeing in the logs trying to do Passive FTP.
Is this a problem with the contexts randomizing sequence numbers or TCP Normalization? Or do we just have a problem with the Inspection engine on one of the contexts (I would have expected to see this on both contexts if it was a bug)?
Jun 28, 2011
I am just designing a solution where an FWSM consists of 2 contexts initially and has a shared outside interface pointing to the 6500 switch. There are 3 subnets connected to each of the FWSM contexts. So if anyone wants to access these 6 subnets, then a route would be needed pointing to the interface VLAN of the shared interface on the switch. But that would not be enough to access the subnets; I am sure we have to define static NATs to point them to the right context where these subnets reside.
The FWSM is running version 3.x code. So say 1.1.1.0 (shared), 10.10.0.0 (inside1), 10.20.0.0 (inside2) and 10.30.0.0 (inside3) reside in Context 1, and 1.1.1.0 (shared), 20.10.0.0 (dmz1), 20.20.0.0 (dmz2) and 20.30.0.0 (dmz3) reside in Context 2. In each of the contexts we would have to make three static NATs (identity NATs, so the inside addresses are presented unchanged on the shared interface):
static (inside1,shared) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
static (inside2,shared) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
static (inside3,shared) 10.30.0.0 10.30.0.0 netmask 255.255.255.0
The same would go for Context 2 as well:
static (dmz1,shared) 20.10.0.0 20.10.0.0 netmask 255.255.255.0
static (dmz2,shared) 20.20.0.0 20.20.0.0 netmask 255.255.255.0
static (dmz3,shared) 20.30.0.0 20.30.0.0 netmask 255.255.255.0
By creating these NAT statements, would the outside users be able to access the subnets residing in the context?
Mar 20, 2011
I have a customer that has an FWSM on a 6500. I want to create a read only account for them, I believe with user privilege level 3. When I log into the firewall it prompts me for a password straight away.
Is there a way that I can create a login so that when it prompts me for a password, I can have a password set up to put into that prompt to get a certain level of access, instead of the standard level 15 access?
Aug 24, 2011
I'm looking at upgrading the FWSM modules in our 6500s. They're the WS-SVC-FWM-1 modules.
We're running on version 3.2(12) at the moment and I'm looking to jump up to 4. Any recommendations around whether I should go to 4.1(6) or 4.0(16)? There aren't any features in particular that I would need in 4.1, but I want a good stable base to sit on for 12 months until I look at this exercise all over again.
Mar 10, 2011
What is the support for WCCP on an FWSM running 4.0(7) like, if there is any at all?
I've read that the earliest PIX release that supports WCCP was 7.2(1), but I'm not sure how FWSM 4.0(7) aligns with the PIX versions. The only docs I can find referencing WCCP on a 6500 with FWSM are in the 6500 12.2 IOS guide.
May 10, 2012
I have two 6500s in VSS mode, and one FWSM module in each 6500. I want to configure these modules as Active/Standby. How do I start; should I follow this (not in VSS mode): url..
May 15, 2013
I have a Dell Studio PC with a Dell Wireless 1397 WLAN Mini-Card. The OS is Windows 7 with SP1, on an Intel Core 2 Duo T5800 2.00 GHz.
In general I have no problems with my WiFi with simple browsing and most of my routine activities online. But any time I stream video (like YouTube) or music, or download a large file, my WiFi spontaneously turns off. I need to either restart the computer or put the computer to sleep and wake it up for the WiFi to work again.
I have the latest drivers for the wireless card. I scanned the forums and didn't see this problem reported elsewhere. I realize this is an old computer, so I may have to install an external wireless adaptor, but I wanted to ask around before doing so.
Mar 12, 2013
The network gods recently updated our 6500, and upon reboot the FWSM booted to the CF:1 maintenance partition, which caused an immediate outage. On the router, I ran the following command to set the default FWSM boot partition to the configuration partition: Router#boot device module 4 cf:5. However, it appears the "show boot device" command has been replaced with "show bootvar", which doesn't show me which partition the router will boot the FWSM to. Is there a command I can run from the router that will actually confirm the boot partition for the FWSM if the router reloads?