1-10
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 1 Introduction to the Firewall Services Module
How the Firewall Services Module Works
Using the MSFC
The switch includes a switching processor (the supervisor) and a router (the MSFC). Although you need
the MSFC as part of your system, you do not have to use it. If you choose to do so, you can assign one
or more VLAN interfaces to the MSFC (if your switch software version supports multiple SVIs; see
Table 1-1 on page 1-2). In single context mode, you can place the MSFC in front of the firewall or
behind the firewall (see Figure 1-2).
The location of the MSFC depends entirely on the VLANs that you assign to it. For example, the MSFC
is behind the firewall in the example shown on the left side of Figure 1-2 because you assigned
VLAN 201 to the inside interface of the FWSM. The MSFC is in front of the firewall in the example
shown on the right side of Figure 1-2 because you assigned VLAN 200 to the outside interface of the
FWSM.
In the left-hand example, the MSFC routes between VLANs 201, 301, 302, and 303, and no inside traffic
goes through the FWSM unless it is destined for the Internet. In the right-hand example, the FWSM
processes and protects all traffic between the inside VLANs 201, 202, and 203.
Figure 1-2 MSFC Placement
FWSM
Switch
MSFC Behind the FWSM MSFC In Front of the FWSM
MSFC
VLAN 200
VLAN 201
VLAN 302
VLAN 303VLAN 301
DMZ
Internet
Inside HR
FWSM
MSFC
VLAN 200
VLAN 100
VLAN 201
VLAN 202
VLAN 203
DMZ
Internet
Inside HR
Switch
104657
To Next Page
Loading...
Need help?
General