Cisco FWSM Q & A

What is the minimum version of code that I need to run in order to support my FWSM, Intrusion Detection system Module 2 (IDSM2), and VPN Service Module (VPNSM)?

The appropriate version of code depends on the type of Supervisor Module in your Catalyst 6500 or Cisco 7600 chassis, as well as the type of software you run (Cat OS or Cisco IOS). See this table for specific code versions for your module and Multilayer Switch Feature Card (MSFC).

Table columns (minimum code version per supervisor and switch software): Sup1 (with MSFC) - Cisco IOS / Cat OS; Sup2 (with MSFC) - Cisco IOS / Cat OS; a third supervisor column - Cisco IOS / Cat OS. The table body did not survive extraction.

Note: N/S - Not Supported

Does FWSM support SNMPv3?


How many VLANs does the FWSM support?

FWSM version 1.1 supports 100 VLANs and FWSM version 2.1 supports 250 VLANs.

Does the FWSM support the access−list compiled command?

Since the FWSM automatically compiles access lists into hardware after 10 seconds of inactivity at the CLI, there is no need for turbo access lists. FWSM version 2.1 offers the additional functionality of being able to nominate when the access lists are compiled.
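As an added illustration (not configuration from the original page), the following FWSM 2.1 session shows the two compilation modes described above: the default, in which the module compiles the rule set on its own after the CLI goes idle, and manual commit, in which the administrator chooses the moment. The access-list name, addresses and interface name are constructed, and the `access-list mode` / `access-list commit` syntax is assumed to match the 2.1 release notes.

```cisco
! Default behaviour: edits are compiled into hardware automatically
! about 10 seconds after the last access-list command is entered.
access-list mode auto-commit

! Manual mode: stage several edits, then push them as one unit so the
! hardware never carries a half-applied rule set during a large change.
access-list mode manual-commit
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list outside_in deny ip any any
access-group outside_in in interface outside
! Nothing above is enforced in hardware until this command is issued.
access-list commit

! Verify that the compiled rule set matches the running configuration.
show access-list outside_in
```

Manual commit is the safer choice when a change spans many lines: in auto-commit mode a pause longer than the idle timer while you type will compile a partial list, and the resulting window of unintended permits or denies is easy to miss.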

Does the FWSM support the IOS Open Shortest Path First (OSPF) auto−cost reference−bandwidth command?

No. The FWSM is not aware of the physical ports connected to it. OSPF cost must be configured manually for each interface with the ospf cost command.
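Because the module cannot derive cost from link speed, the cost has to be set per interface by hand, as in this added example (not from the original page). The interface names, network and cost values are constructed; the `routing interface` syntax is the FWSM 2.x form, and 3.x and later set `ospf cost` directly under the `interface` block instead.

```cisco
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 10.2.2.0 255.255.255.0 area 0

! Set the cost explicitly; FWSM cannot infer it from the switch port
! behind the VLAN. Lower cost = preferred path.
routing interface inside
 ospf cost 10
routing interface outside
 ospf cost 100

! Confirm the costs the FWSM actually advertises.
show ospf interface inside
show ospf interface outside
```

Check the advertised cost on the neighbouring router too: a mismatch between what the FWSM announces and what the rest of the area assumes for that link is a common cause of traffic taking an unexpected path around the firewall.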

Can I run Open Shortest Path First (OSPF) protocol in a topology where two different interfaces of the FWSM connect to the same network?

Yes. This functionality is supported in versions 2.1 and later.

Can I terminate VPN connections on my FWSM?

VPN functionality is not supported on the FWSM. Termination of VPN connections is the responsibility of the switch and/or the VPN Services Module.

Are there any limitations in the implementation of multicast in FWSM?

Yes. The FWSM does not accept a group address in the 232.0.0.0/8 range, because that block is reserved for Source-Specific Multicast (SSM).

Does FWSM support multiple shared interfaces?

The FWSM does not support multiple shared interfaces; instead, a single VLAN can be shared across multiple contexts. Refer to Sharing Resources and Interfaces Between Contexts for more information.

Why am I unable to ping my FWSM on a directly connected interface?

By default, each interface denies Internet Control Message Protocol (ICMP). Use the icmp command to allow this traffic to the interface.
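The following added example (not from the original page) shows a minimal `icmp` policy for an interface named `inside`: it allows echo requests only from a constructed management host, lets replies and unreachables back in so that ping and path-MTU discovery from the module itself keep working, and leaves everything else denied. Addresses and the interface name are assumptions.

```cisco
! Permit ping to the inside interface from the management station only.
icmp permit host 10.1.1.50 echo inside

! Allow answers to the FWSM's own pings and PMTUD feedback to reach it.
icmp permit any echo-reply inside
icmp permit any unreachable inside

! Everything else to the interface stays blocked (explicit for clarity;
! this is also the default on the FWSM).
icmp deny any inside

! Verify the policy and test from the permitted host.
show icmp
```

Note that these rules govern ICMP addressed to the interface itself, not ICMP passing through the module; transit ICMP is still controlled by the access lists applied to the interfaces.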

Can I configure failover between two FWSMs that run different versions of code?

No. Failover requires that both FWSMs run the same version of code. A mechanism within the failover feature verifies the peer version and prevents failover if the versions of code are different. For this reason, you must upgrade both FWSMs at the same time.

Can I configure failover between two FWSMs in different chassis?

Yes. But the FWSMs must be connected by Layer 2 on all interfaces. In other words, all interfaces must be able to exchange Layer 2 broadcast packets [Address Resolution Protocol (ARP), and so forth] with each other. Failover protocol packets cannot be routed at Layer 3.

I have set up failover between two FWSMs, but they are not syncing. What could be the problem?

Ensure that your configuration meets these requirements for successful failover.

  • Both FWSMs must run the same version of code.
  • Both FWSMs must have the same number of VLANs.
  • A Layer 2 connection must exist between all VLANs on the FWSMs. If the FWSMs exist in different chassis with a trunk configured between them, verify that all VLANs exist and are allowed on the trunk.
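As an added example that is not part of the original page, here is a two-chassis failover setup that satisfies the three requirements above, followed by the commands used to verify each one. Module slot, VLAN numbers, addresses and the trunk port are constructed; the failover commands use the FWSM 2.x syntax and are assumed to be identical on both modules except for `failover lan unit`.

```cisco
!=== Supervisor (both chassis): hand the same VLAN set to the FWSM ===
! Data VLANs 10,20 plus failover VLAN 100 and state VLAN 101.
firewall vlan-group 1 10,20,100,101
firewall module 3 vlan-group 1

! Inter-chassis trunk must carry every one of those VLANs (requirement 3).
interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,100,101
 switchport mode trunk

!=== FWSM, primary unit (secondary uses "failover lan unit secondary") ===
failover lan unit primary
failover lan interface faillink vlan 100
failover interface ip faillink 192.168.100.1 255.255.255.0 standby 192.168.100.2
failover link statelink vlan 101
failover interface ip statelink 192.168.101.1 255.255.255.0 standby 192.168.101.2
failover

!=== Verification, one line per requirement ===
show version                 ! same software version on both FWSMs
show vlan                    ! same VLAN list presented to both FWSMs
show interfaces trunk        ! on the supervisor: VLANs 10,20,100,101 allowed
show failover                ! state should be Active / Standby Ready
```

If `show failover` reports the peer as failed or the versions as mismatched, work through the list in order: a version mismatch is refused outright, a VLAN missing on one module leaves that interface unmonitored, and a VLAN pruned from the trunk silently breaks the ARP exchange that failover depends on.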

