Cisco Cisco Catalyst 6500 Cisco 7600 Router Anomaly Guard Module White Paper

All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information.
White Paper 
FWSM Cluster Deployment Across Two VSS Domains 
Executive Summary 
Interconnected Virtual Switching Systems (VSSs) are commonly deployed in the distribution layer 
of many networks.  Cisco supports the deployment of Firewall Services Modules (FWSMs) within 
the same Catalyst 6500 or within the same VSS, to maintain network security (for more information, 
refer to the white paper entitled “FWSM4.0(4): Virtual Switching System (VSS) Integration”).
However, two alternate configurations were proposed, which required validation before being 
supported: 
● Deployment of FWSM clusters across two different VSSs
● Deployment of FWSM clusters inside a Catalyst 6500 connected to each VSS
The Cisco Enhanced Customer Aligned Testing Services (ECATS) team conducted the 
verification/validation of these FWSM cluster deployment options, in a very specific VSS 
environment.  The validation included some FWSM and VSS features, as well as a combination of 
these FWSM cluster modes: active/active, active/standby, routed and transparent mode, and 
multiple contexts. 
This white paper describes these two FWSM cluster deployment options, and presents the ECATS 
recommendations.  It provides high-level guidance on how to properly configure your network to 
deploy VSS with the FWSM.  Links to additional information about these products are provided in 
appropriate sections. 
To understand this document, you should have at least basic working knowledge of Cisco VSS and 
FWSM. 
Introduction 
VSS is a Cisco technology that binds together two Catalyst 6500 switches to form one virtual switch 
entity.  Once the virtual entity is formed, only one of the two supervisors is active at a time.  The 
other remains in standby mode.  The virtual entity is perceived as one Catalyst 6500 switch by any 
device connected to it, or in communication with it. 
For more information on VSS, please refer to the “Configuring Virtual Switching Systems” chapter 
of the Catalyst 6500 Release 12.2SXH and Later Software Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html
 
The FWSM cluster refers to two peered FWSMs, with one being active and the other standby, for 
any given security context. 
For more information on FWSM, please refer to the Catalyst 6500 Series Switch and Cisco 7600 
Series Router Firewall Services Module Configuration Guide, 4.0:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/fwsm_cfg.html