https://community.cisco.com/t5/network-security/multi-context-fwsm-dhcp-relay-problem/m-p/962835#M954379 <P>I have two FWSM's, one each in redundantly connected 6500's. The FWSM's are in multi-context routed mode, and active/active failover.</P><P></P><P>I have 3 contexts, Admin, students, labs. Each context shares interface vlan925 as the connection to the core for routing. The problem I have is that contexts students and labs each have 20+ interfaces I'm treating as "outside" interfaces, but I want to be able to relay DHCP requests to DHCP servers on the inside which is interface vlan925(the shared interface). This is not allowed because it's a shared interface. I cannot use the firewall as the DHCP server according to other requirements. How can I pass DHCP requests?</P><P></P><P>I had originally thought to give each context it's own SVI for the inside interface to allow routing to the core, but that doesn't seem to be allowed either.</P><P></P><P>Core1(config)#firewall vlan-group 1 900,925</P><P>Found svi for vlan 900</P><P>Found svi for vlan 925</P><P>No more than one svi is allowed, command rejected.</P><P></P><P></P><P> </P><P></P> Mon, 11 Mar 2019 12:10:53 GMT NotMeHere 2019-03-11T12:10:53Z https://community.cisco.com/t5/network-security/multi-context-fwsm-dhcp-relay-problem/m-p/962835#M954379 <P>I have two FWSM's, one each in redundantly connected 6500's. The FWSM's are in multi-context routed mode, and active/active failover.</P><P></P><P>I have 3 contexts, Admin, students, labs. Each context shares interface vlan925 as the connection to the core for routing. The problem I have is that contexts students and labs each have 20+ interfaces I'm treating as "outside" interfaces, but I want to be able to relay DHCP requests to DHCP servers on the inside which is interface vlan925(the shared interface). This is not allowed because it's a shared interface. I cannot use the firewall as the DHCP server according to other requirements. How can I pass DHCP requests?</P><P></P><P>I had originally thought to give each context it's own SVI for the inside interface to allow routing to the core, but that doesn't seem to be allowed either.</P><P></P><P>Core1(config)#firewall vlan-group 1 900,925</P><P>Found svi for vlan 900</P><P>Found svi for vlan 925</P><P>No more than one svi is allowed, command rejected.</P><P></P><P></P><P> </P><P></P> Mon, 11 Mar 2019 12:10:53 GMT https://community.cisco.com/t5/network-security/multi-context-fwsm-dhcp-relay-problem/m-p/962835#M954379 NotMeHere 2019-03-11T12:10:53Z https://community.cisco.com/t5/network-security/multi-context-fwsm-dhcp-relay-problem/m-p/962836#M954380 <HTML><HEAD></HEAD><BODY><P>Hi Paul</P><P></P><P>By default the FWSM will only allow on vlan with an SVI ie. L3 vlan interface, to be allocated to the firewall module. This is a precautionary measure because if you have multiple vlans that have SVI's on the MSFC you could, if you are not careful route "around" the FWSM from one vlan to another thus defeating the purpose of the FWSM.</P><P></P><P>However if you enter this command on the 6500 switch </P><P></P><P>6500(config)# firewall multiple-vlan-interfaces</P><P></P><P>this will then allow you to assign more than one SVI. As ling as you are careful with your vlan layout it won't be a problem.</P><P></P><P>HTH</P><P></P><P>Jon</P></BODY></HTML> Fri, 29 Feb 2008 17:50:32 GMT https://community.cisco.com/t5/network-security/multi-context-fwsm-dhcp-relay-problem/m-p/962836#M954380 Jon Marshall 2008-02-29T17:50:32Z https://community.cisco.com/t5/network-security/multi-context-fwsm-dhcp-relay-problem/m-p/962837#M954381 <HTML><HEAD></HEAD><BODY><P>Thanks, I think this will fix my problem.</P></BODY></HTML> Fri, 29 Feb 2008 19:34:32 GMT https://community.cisco.com/t5/network-security/multi-context-fwsm-dhcp-relay-problem/m-p/962837#M954381 NotMeHere 2008-02-29T19:34:32Z https://community.cisco.com/t5/network-security/multi-context-fwsm-dhcp-relay-problem/m-p/962838#M954382 <HTML><HEAD></HEAD><BODY><P>I believe you will still have a problem relaying DHCP from the 20+ VLAN onto the SVI.</P><P></P><P>I had hit this problem before. Instead you need to split all the routes back to the core router into seperate Border Vlans.</P><P></P><P>Hope this help.</P><P></P><P>Regards</P><P>John </P><P></P><P> </P><P></P></BODY></HTML> Sat, 01 Mar 2008 20:43:51 GMT https://community.cisco.com/t5/network-security/multi-context-fwsm-dhcp-relay-problem/m-p/962838#M954382 john.mcmanus 2008-03-01T20:43:51Z https://community.cisco.com/t5/network-security/multi-context-fwsm-dhcp-relay-problem/m-p/962839#M954383 <HTML><HEAD></HEAD><BODY><P>What I should have said was, I assume you are using the Firewall to perform DHCP forwarding?</P><P></P><P>John</P></BODY></HTML> Sat, 01 Mar 2008 21:15:38 GMT https://community.cisco.com/t5/network-security/multi-context-fwsm-dhcp-relay-problem/m-p/962839#M954383 john.mcmanus 2008-03-01T21:15:38Z