
6509 with Firewall Service Module (FWSM)

Status
Not open for further replies.

MJewell

MIS
Jul 5, 2001
143
US
Has anyone purchased one of these yet? We were planning on installing ours but were told there was a bug in the internal code that prevented DHCP from passing from one subnet to another on the protected VLANs...

Our network is: Internet
|
6509/MSFC2 (Dual Sup)
|
5 Internal VLANS

Now, I was told that if I configured the FWSM to be between the Internet and the MSFC2s then I wouldn't have any problems; however, if I installed it between the MSFC and the VLANs I would get better functionality and easier configurability, but it would prevent DHCP from passing between the VLANs... Now keep in mind I can't just remove the VLANs, as I have over 2000 active network jacks in my building (educational institution).

Any suggestions anyone?

-Mike
 
This is a FAQ about this matter by RouterGod. I believe the ip helper-address could be used in your case also.

How do clients find a DHCP server on another subnet?
faq557-988

Let’s look at how DHCP works to begin with. When a client workstation initializes and the TCP/IP stack is loaded, code is initiated to locate an IP address.

An IP packet is sent out. It’s a “normal” IP packet with the following parameters:

protocol type: UDP

source address: 0.0.0.0 (because it’s not known)

destination address: 255.255.255.255 (broadcast!)

source port: 68 (BOOTPc/DHCP)

destination port: 67 (BOOTPc/DHCP)

Being that the packet is sent to an all-subnets-broadcast, it won’t normally be forwarded by a router. This means if you don’t have a DHCP server on the local subnet, then the request will be lost.

To solve this problem, routers can set up an “ip helper-address,” used to intercept and forward certain types of broadcasts on to a specific device on a separate subnet that knows how to handle the requests.

The IP helper will forward UDP broadcast packets of the following types:

* Trivial File Transfer Protocol (TFTP)

* Domain Name Service (DNS)

* Network Time Service

* NetBIOS Name Server

* NetBIOS Datagram Server

* BootPC and DHCP

* TACACS requests

With an IP helper-address in place, the router forwards packets on to the designated server. When this occurs, the encapsulated packet can be identified as originating from the network segment where the router was. Responses sent back are again intercepted by the router and passed to the workstation just as if the transaction were happening locally.

On the DHCP server, separate subnet records need to be set up. Within each subnet, a range of addresses to allocate is specified. Again, the DHCP server will learn the appropriate subnet to allocate from based on the IP address of the router forwarding the packets.

The specific setup of the DHCP server will depend on what software/platform you are running. If you’re running a Unix version of DHCPD (DHCP Daemon), then you can type “man dhcpd.conf” to view the manual pages for the configuration file of the DHCP server.
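The relay behaviour the FAQ describes can be seen in a small model. The following Python is an added example, not part of RouterGod's FAQ or any Cisco code: it builds a DHCPDISCOVER as the client would send it (source 0.0.0.0:68, destination 255.255.255.255:67), shows that a router leaves that broadcast alone unless a helper is configured, stamps the relay interface's address into giaddr and forwards it as unicast to the helper address, and then shows the server picking a scope from giaddr. The addresses (10.1.0.1 as the MSFC VLAN interface, 10.0.0.5 as the DHCP server, the pool networks) and the MAC address are constructed for the example.

```python
import struct
import ipaddress

# RFC 2131 fixed-format DHCP header: 240 bytes including the magic cookie.
# Fields: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
#         chaddr (16), sname (64), file (128), magic cookie (4)
DHCP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s4s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST = 1
OPT_MSG_TYPE, OPT_END = 53, 255
DHCPDISCOVER = 1


def build_discover(mac, xid=0x3903F326):
    """Construct the client's DHCPDISCOVER payload (constructed sample, not a capture)."""
    zero4 = b"\x00" * 4
    header = DHCP_HDR.pack(
        BOOTREQUEST, 1, 6, 0,            # op, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                  # xid, secs, flags (broadcast bit set)
        zero4, zero4, zero4, zero4,      # ciaddr, yiaddr, siaddr, giaddr = 0.0.0.0
        mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128, MAGIC_COOKIE)
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return header + options


def parse_fields(payload):
    """Return the header fields a relay and a server care about."""
    f = DHCP_HDR.unpack_from(payload)
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": str(ipaddress.IPv4Address(f[10]))}


def relay_broadcast(dst_ip, dst_port, payload, relay_ip, helper_ip):
    """Model what 'ip helper-address' does on a router interface.

    Returns (new_src, new_dst, new_payload) for a forwarded packet, or None when
    the packet is not a BOOTP/DHCP broadcast the helper would touch (a plain
    broadcast is never routed, so without a helper the request dies here).
    """
    if dst_ip != "255.255.255.255" or dst_port != 67:
        return None
    f = list(DHCP_HDR.unpack_from(payload))
    if f[0] != BOOTREQUEST:
        return None
    if f[10] == b"\x00" * 4:             # first relay hop stamps its own address
        f[10] = ipaddress.IPv4Address(relay_ip).packed
    f[3] += 1                            # hops counter, as a relay agent does
    new_payload = DHCP_HDR.pack(*f) + payload[DHCP_HDR.size:]
    # Forwarded as unicast from the relay interface to the helper address.
    return relay_ip, helper_ip, new_payload


def select_pool(payload, pools, local_pool):
    """Server side: choose the scope whose network contains giaddr.

    giaddr of 0.0.0.0 means the request arrived on the server's own subnet.
    """
    giaddr = ipaddress.IPv4Address(parse_fields(payload)["giaddr"])
    if giaddr == ipaddress.IPv4Address("0.0.0.0"):
        return local_pool
    for name, network in pools.items():
        if giaddr in ipaddress.IPv4Network(network):
            return name
    return None


if __name__ == "__main__":
    # Constructed scenario: client on VLAN 10, MSFC SVI 10.1.0.1, DHCP server 10.0.0.5.
    discover = build_discover(b"\x00\x11\x22\x33\x44\x55")
    pools = {"vlan10": "10.1.0.0/24", "vlan20": "10.2.0.0/24"}
    print("no helper:", relay_broadcast("255.255.255.255", 67, discover, "10.1.0.1", None))
    src, dst, relayed = relay_broadcast("255.255.255.255", 67, discover, "10.1.0.1", "10.0.0.5")
    print("relayed", src, "->", dst, parse_fields(relayed))
    print("server allocates from:", select_pool(relayed, pools, "server-lan"))
```

On IOS the same thing is one line of `ip helper-address` under the VLAN interface on the MSFC, which is what the original poster already runs; the model above only makes visible why the server can tell VLANs apart (giaddr) and why a firewall in the path must be willing to pass this traffic.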

No... This is an actual problem with the firewall: it is missing the code to actually pass the DHCP requests through the VLANs. Cisco said they were going to try to get it either into the next bug release as a bug fix, or into the next full revision as a feature addition.

I already use ip helper on my MSFC for DHCP...

-Mike
 
We purchased one back in December and I still haven't deployed it. I was faced with similar limitations with it and had to rethink how it should sit in the network. Like yourself, it would be easy to situate the FWSM between the outside and the 6509 like a traditional firewall, but we already have one of those. It would be very nice to deploy it so it would function as a firewall between VLANs as well as the outside. *Wrong answer sound* Apparently Cisco designed this device with a certain set of customers in mind and I wasn't one of them. :|

My problem was that we have secondary Layer 3 interfaces associated with most of our VLANs on the MSFC, but the FWSM doesn't support secondary interfaces. Anyway, instead of redesigning our campus network I will deploy it and still gain much of the functionality it was purchased for. By luck alone I don't have to forward DHCP through it.

BTW Did they release a patched version for you fixing that problem?
 
Do you have a DHCP server on each VLAN?

No, they haven't released an updated OS for it yet... It's still sitting packed in its box under my desk....

-Mike
 