Cisco Catalyst 6500 Series Configuration Manual page 36

How the Firewall Services Module Works
Using the MSFC
The switch includes a switching processor (the supervisor) and a router (the MSFC). Although you need
the MSFC as part of your system, you do not have to use it. If you choose to do so, you can assign one
or more VLAN interfaces to the MSFC (if your switch software version supports multiple SVIs; see
Table 1-1 on page
behind the firewall (see
The location of the MSFC depends entirely on the VLANs that you assign to it. For example, the MSFC
is behind the firewall in the example shown on the left side of
VLAN 201 to the inside interface of the FWSM. The MSFC is in front of the firewall in the example
shown on the right side of
FWSM.
In the left-hand example, the MSFC routes between VLANs 201, 301, 302, and 303, and no inside traffic
goes through the FWSM unless it is destined for the Internet. In the right-hand example, the FWSM
processes and protects all traffic between the inside VLANs 201, 202, and 203.
Figure 1-2
Inside
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
1-10
1-2). In single context mode, you can place the MSFC in front of the firewall or
Figure
Figure 1-2
MSFC Placement
MSFC Behind the FWSM
Internet
Switch
VLAN 200
FWSM
VLAN 201
MSFC
VLAN 301 VLAN 303
VLAN 302
DMZ
Chapter 1
1-2).
because you assigned VLAN 200 to the outside interface of the
MSFC In Front of the FWSM
Switch
VLAN 201
HR
Inside
Introduction to the Firewall Services Module
Figure 1-2 because you assigned
Internet
VLAN 100
MSFC
VLAN 200
FWSM
VLAN 203
HR
VLAN 202
DMZ
OL-6392-01