
Assigning Interfaces

For the FWSM to communicate with other devices on the network, a connection must be made from the logical interfaces of the FWSM to VLANs assigned to the host-chassis.

Referring to Figure 6-3, notice that the FWSM is logically connected to VLANs. This is accomplished through the following process.

Step 1 Determine in which slot the FWSM is installed with the show module command:

host-chassis# show module

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  48 port 10/100 mb RJ-45 ethernet       WS-X6248-RJ-45     SAD03150942
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAD080705DC
  9    6  Firewall Module                        WS-SVC-FWM-1       SAD0707015S

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  00d0.c0c8.3080 to 00d0.c0c8.30af   1.0   4.2(0.24)VAI 8.5(0.46)RFW Ok
  5  000d.6536.1390 to 000d.6536.1393   3.0   7.7(1)       12.2(18)SXF9 Ok
  9  0002.7ee4.f640 to 0002.7ee4.f647   1.1   7.2(1)       3.2(1)       Ok

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAD0808084G  1.1    Ok
  5  MSFC3 Daughterboard         WS-SUP720          SAD0807060G  2.0    Ok

Mod  Online Diag Status
---- -------------------
  1  Pass
  5  Pass
  9  Pass

The output of the show module command shows that the FWSM is installed in slot 9.


Step 2 Create VLANs on the host-chassis, using the vlan command in configuration mode:

host-chassis(config)# vlan 10-20

This vlan command creates VLANs 10 to 20.

If you are using VLAN Trunking Protocol (VTP), VLANs can be added only to devices that are “servers” or operating in “transparent” mode. Use the show vtp status command to determine which mode the host-chassis is in:

host-chassis# show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 16
VTP Operating Mode              : Transparent
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xB4 0xCB 0x9F 0x39 0x03 0x38 0x6C 0xCE
Configuration last modified by 127.0.0.51 at 0-0-00 00:00:00

If necessary, use the vtp mode command in configuration mode to change the behavior.

Step 3 Associate the newly created VLANs with a VLAN group.

VLAN groups are used to organize the distribution of VLANs across single or multiple FWSMs, and a maximum of 16 groups is allowed. A VLAN is unique to a firewall group, and a group or multiple groups can be associated with a single FWSM or multiple FWSMs. A group number is any numeric value from 1 to 65535, and the VLAN range includes VLANs 2 to 1001 and 1006 to 4094:

host-chassis(config)# firewall vlan-group vlan_range

For example, the following command assigns VLANs 10 through 20 to vlan-group 9:

Step 4 Assign the VLAN group(s) to a specific FWSM:

host-chassis(config)# firewall module slot_number vlan-group group_or_group_range

In the following case, the FWSM is installed in slot 9 (see Step 1) and the VLAN group associated to it is vlan-group 9:

host-chassis(config)# firewall module 9 vlan-group 9

The vlan-group number does not have to match the slot number; using the same value just makes it easier, from an administrative view, to correlate the VLAN group with the FWSM.

Step 5 Verify the configuration with the show firewall vlan-group and the show firewall module commands:

host-chassis# show firewall vlan-group

Display vlan-groups created by both ACE module and FWSM

Group    Created by      vlans
-----    ----------      -----
    9          FWSM      10-20

host-chassis# show firewall module
Module Vlan-groups
------ -----------
  09   9

From the output of the previous commands, VLANs 10 to 20 are assigned to group 9, and group 9 is assigned to module 9.
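The Step 5 check can be scripted. The following is an added example, not code from the book or from Cisco: it parses the two show command outputs and tests them against the limits given in Step 3 (at most 16 groups, group numbers 1 to 65535, VLANs 2 to 1001 and 1006 to 4094, each VLAN in only one group). The function names are hypothetical, and the sample output is constructed from the Step 5 listing.

```python
import re

MAX_GROUPS = 16                                   # limits stated in Step 3
VALID_VLANS = set(range(2, 1002)) | set(range(1006, 4095))

def expand(spec):
    """Expand a list such as '10-20,30' into a set of integers."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_vlan_groups(text):
    """Rows of 'show firewall vlan-group' -> {group: set of VLANs}."""
    rows = re.findall(r"^[ \t]*(\d+)[ \t]+\S+[ \t]+([\d,-]+)[ \t]*$", text, re.M)
    return {int(g): expand(v) for g, v in rows}

def parse_modules(text):
    """Rows of 'show firewall module' -> {slot: set of group numbers}."""
    rows = re.findall(r"^[ \t]*(\d+)[ \t]+([\d,-]+)[ \t]*$", text, re.M)
    return {int(m): expand(g) for m, g in rows}

def audit(groups, modules):
    """Return a list of findings; empty means the assignment is consistent."""
    findings, owner = [], {}
    if len(groups) > MAX_GROUPS:
        findings.append(f"{len(groups)} groups defined, maximum is {MAX_GROUPS}")
    for g, vlans in sorted(groups.items()):
        if not 1 <= g <= 65535:
            findings.append(f"group {g} outside 1-65535")
        bad = sorted(vlans - VALID_VLANS)
        if bad:
            findings.append(f"group {g} has invalid VLANs {bad}")
        for v in sorted(vlans):
            if v in owner:                        # a VLAN belongs to one group only
                findings.append(f"VLAN {v} in groups {owner[v]} and {g}")
            owner.setdefault(v, g)
    assigned = set().union(*modules.values())
    for g in sorted(set(groups) - assigned):
        findings.append(f"group {g} not assigned to any module")
    for g in sorted(assigned - set(groups)):
        findings.append(f"module references undefined group {g}")
    return findings

# Sample output constructed from the Step 5 listing on this page.
VLAN_GROUP_OUT = "Group Created by vlans\n----- ---------- -----\n    9 FWSM 10-20\n"
MODULE_OUT = "Module Vlan-groups\n------ -----------\n  09   9\n"

if __name__ == "__main__":
    print(audit(parse_vlan_groups(VLAN_GROUP_OUT), parse_modules(MODULE_OUT)))
```

An empty list means every group is valid and bound to a module; any finding points to a VLAN that may not be reaching the FWSM as intended.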

To assign VLAN interfaces to the FWSM, see Chapter 7, “Configuring the FWSM.” The host-chassis provides a great deal of flexibility in how the FWSM communicates with the outside world. As you consider how to implement the FWSM in your network, be sure to take advantage of the routing and switching capabilities of the host-chassis.