Establishing a neighbor relationship between routers on the inside and outside of the transparent firewall, as shown in Figure 3-3, eliminates the need to run a dynamic routing protocol on the FWSM itself. Because the FWSM doesn't support a dynamic IGP routing protocol in multiple-context mode, this is a great solution. Running the IGP across the firewall also allows it to quickly determine whether the path through the FWSM is operational. By taking advantage of multi-VPN routing/forwarding (VRF) instances or MPLS, the 6500 or 7600 Multilayer Switch Feature Card (MSFC) can support the routing processes, minimizing the need for additional routers.

NOTE Use VRF-lite to create routing instances on the inside and outside.

Figure 3-3 Transparent Mode IGP Support

[Figure: within the host chassis, VRF Outside attaches to the outside VLAN (switch), the FWSM bridges its outside and inside interfaces, and VRF Inside attaches to the inside VLAN (switch).]

NOTE Intermediate System to Intermediate System (IS-IS) and Cisco Discovery Protocol (CDP) are not supported with transparent firewalls.
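The design in Figure 3-3, sketched as configuration. This is an added example, not taken from the original text: the FWSM slot, VLAN numbers, VRF names, addresses, MAC address, and OSPF process IDs are all assumed values, and OSPF is chosen here as the IGP.

```cisco
! ---- Catalyst 6500/7600 supervisor (MSFC) ----
! Assumed: FWSM in slot 4, VLAN 10 = outside, VLAN 20 = inside,
! both VLANs carry the same bridged subnet 10.1.1.0/24.
vlan 10,20
! Needed to have more than one SVI on VLANs handed to the FWSM
firewall multiple-vlan-interfaces
firewall vlan-group 1 10,20
firewall module 4 vlan-group 1
!
! VRF-lite: one routing instance per side of the firewall
ip vrf OUTSIDE
 rd 65000:10
ip vrf INSIDE
 rd 65000:20
!
interface Vlan10
 ip vrf forwarding OUTSIDE
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface Vlan20
 ip vrf forwarding INSIDE
 ip address 10.1.1.2 255.255.255.0
 ! SVIs on one chassis share a MAC by default; a distinct (constructed)
 ! value keeps the bridging FWSM from seeing one MAC on both sides
 mac-address 0000.0c00.0020
 no shutdown
!
router ospf 10 vrf OUTSIDE
 network 10.1.1.0 0.0.0.255 area 0
router ospf 20 vrf INSIDE
 network 10.1.1.0 0.0.0.255 area 0
!
! ---- FWSM, transparent mode ----
! Permit only OSPF (IP protocol 89) between the two known neighbors and to
! the OSPF multicast groups; data-traffic entries are omitted here.
access-list OUTSIDE_IN extended permit ospf host 10.1.1.1 host 224.0.0.5
access-list OUTSIDE_IN extended permit ospf host 10.1.1.1 host 224.0.0.6
access-list OUTSIDE_IN extended permit ospf host 10.1.1.1 host 10.1.1.2
access-group OUTSIDE_IN in interface outside
access-list INSIDE_IN extended permit ospf host 10.1.1.2 host 224.0.0.5
access-list INSIDE_IN extended permit ospf host 10.1.1.2 host 224.0.0.6
access-list INSIDE_IN extended permit ospf host 10.1.1.2 host 10.1.1.1
access-group INSIDE_IN in interface inside
```

The adjacency can be checked from the supervisor with `show ip ospf neighbor`; if it never leaves INIT or EXSTART, the FWSM access lists are the first place to look.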

If you need to support traffic types other than IP (for example, IPX), or to allow multicast through the FWSM with minimal configuration, transparent mode is an easy solution. Other options could include Policy-Based Routing (PBR), generic routing encapsulation (GRE), Multi-Topology Routing (MTR), and so on; however, these might require additional hardware and make the network configuration more difficult to manage.
