
Yusuf Bhaiji

"Network Security Technologies and Solutions"

If the Router/MSFC performs inter-VLAN routing between the VLANs, the
firewall does not see that traffic.
Figure 6-22. Router Placement in Single Context
For example, on the left side of Figure 6-22, the router is placed behind the firewall and routes packets among
VLANs 10, 20, 30, and 101. Inter-VLAN traffic does not go through the FWSM unless it is destined for the
Internet, so traffic flowing among the VLANs (inter-VLAN) is not protected. On the right side of Figure 6-22,
the router is placed in front of the firewall, and the switch is configured to push traffic from VLANs 10, 20,
and 30 to the FWSM, thereby protecting all traffic among these VLANs (inter-VLAN) as well as traffic going to
the Internet.
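The placement rule above can be checked against a switch configuration. The following is an added example, not taken from the book: it parses the `firewall vlan-group`, `firewall module` and `interface Vlan` lines of a config and lists the VLAN pairs that the MSFC routes directly, which is traffic the FWSM never inspects. The two sample configs are constructed to mirror the left and right sides of Figure 6-22; the module slot (3), the outside VLAN (100) and all IP addresses are assumptions.

```python
import re
from itertools import combinations

def expand(spec):
    """Expand a VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(config):
    """Return (VLANs handed to the FWSM, VLAN pairs the MSFC routes directly)."""
    groups, attached, routed, svi = {}, set(), set(), None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"firewall vlan-group (\d+) ([\d,-]+)$", line):
            groups.setdefault(int(m[1]), set()).update(expand(m[2]))
        elif m := re.match(r"firewall module \d+ vlan-group ([\d,-]+)$", line):
            attached |= expand(m[1])
        elif line.startswith("interface "):
            m = re.match(r"interface Vlan(\d+)$", line)
            svi = int(m[1]) if m else None
        elif svi is not None and line.startswith("ip address "):
            routed.add(svi)  # MSFC owns a layer 3 interface in this VLAN
    fw_vlans = set().union(*(groups.get(g, set()) for g in attached))
    # Two VLANs that both have an SVI are routed by the MSFC, bypassing the FWSM.
    return fw_vlans, list(combinations(sorted(routed), 2))

# Constructed configs: slot 3, outside VLAN 100 and all addresses are made up.
ROUTER_BEHIND = """\
firewall vlan-group 1 100,101
firewall module 3 vlan-group 1
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
interface Vlan101
 ip address 10.0.101.1 255.255.255.0
"""
ROUTER_IN_FRONT = """\
firewall vlan-group 1 10,20,30,100
firewall module 3 vlan-group 1
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
"""

if __name__ == "__main__":
    print(audit(ROUTER_BEHIND), audit(ROUTER_IN_FRONT), sep="\n")
```

With the router behind the firewall, every pair among VLANs 10, 20, 30 and 101 is reported as routed without inspection; with the router in front, the list is empty because the only layer 3 path between those VLANs is the FWSM.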
In Multiple Context Mode
In multiple context mode, the recommended placement for the router is in front of all the contexts, where it
routes traffic between the Internet and the switched networks, as shown in Figure 6-23. Placing the router
behind the FWSM results in routing among the multiple contexts, which defeats the purpose of multiple contexts
and segment isolation.
Figure 6-23. Router Placement in Multiple Context
Configuring the FWSM
After the logical network flow and topology are determined, it is time to configure the switch, the Router/MSFC,
and the FWSM.

