12-04-2012 02:21 AM - edited 03-11-2019 05:31 PM
Hi Folks,
Sorry for the stupid question that will follow, but I have just joined a networks team and will be working on two FWSMs (version 4.0(8)) in two 6500 routers. Now the FWSMs seem to be virtualised with multiple contexts. The server team want a new context set up for a group of servers behind a VLAN.
I presume I do this in the admin context first, something like this:
interface Vlan10
interface Vlan110
context New-Context
  allocate-interface Vlan10
  allocate-interface Vlan110
  config-url disk:/New-Context
  join-failover-group 1
Then I head into the context itself and start configuring it? However, when I am in the current admin context and do a changeto context admin, it seems to bring me to a new admin context:
admin# changeto context admin
admin/admin# sh run
admin/admin# sh running-config
This context just seems to have two VLANs and a BVI interface. Can anyone tell me the function of this context and why we have 2 admin contexts?
Also another important question is on which 6500 do I create the new context? Is the admin context active on one 6500 just like other contexts and will sync across, or do I have to create the new context on both 6500s?
Sorry for these questions, I am sure they are basic, but I have basically been landed on this new team and need to get a good understanding of this.
Thanks,
12-04-2012 02:46 AM
Hi,
Never seen a BVI interface on FWSM. I guess it's configured as a Transparent firewall. All of ours are in Routed mode, so I'm afraid I'm not the best person to comment on configuring the device. I will try to give some general information related to what you asked.
Admin Context
New Vlan interfaces, New Contexts
I guess you have an Active/Standby setup of the FWSMs?
You should only need to configure the new Context on the Active unit. Trying to configure something on the Standby unit should generate a warning message on the CLI that any configurations you issue after that won't be replicated to the other unit (since you are attempting to configure the Standby unit).
Naturally on the C6500 side you will have to configure the "same things" on both devices manually. I can't give any specific advice as I'm not 100% sure on what kind of setup you have.
If you've just started with the FWSM I suggest asking advice from co-workers mainly. Also going through existing configurations by yourself will eventually give you insight into how things work. Personally I kind of had to learn most of the things by myself, but never really risked configuring something I didn't understand.
Hope this helps a bit. Please rate if it was helpful and ask more if needed.
- Jouni
12-04-2012 03:21 AM
Hi JouniForss,
Thanks for the brilliant detailed answer. I think you have hit the nail on the head with most things.
Spot on, it seems our system context is called admin, which is causing me confusion, and this is where I add contexts. Clears this up nicely.
Yes, it does seem we are in transparent/bridged mode. Not sure of the difference between transparent and routed mode?
Again you are right, I need to config the 6500 first. So VLAN 10 already exists, and then I create a VLAN 110, the FWSM VLAN, then I add them as follows:
svclc vlan-group ? 101,102,103,110
firewall vlan-group ? 1,2,3,10
Yes, again you are right, then I go to the system context and create the context in here like you have shown. I found out the system context is actually live on one of the 6500s, as I tried to do a conf t on the system context of the other 6500 and got the warning CLI message.
Just wondering more on the Active/Standby setting. This seems to be what we have. We have a group 1 and a group 2, and one FWSM seems to handle group 1 and the other seems to handle group 2. So are our FWSMs actually Active/Active?
Or what command do I use to show this and to make sure failover is working and contexts are syncing?
Thanks.
12-04-2012 04:58 AM
Hi,
I suggest reading through a Cisco document about FWSM configuration called "Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI". There are probably several versions. You should also be able to find a Command Reference for the same FWSM software to get detailed information about any command and its uses.
Easiest way to get the documents is just to Google for them. You can then download them in PDF format from the Cisco site.
To be honest I have never had to configure ASA or FWSM as bridged, so I'm not gonna say anything about that matter from either the FWSM or the C6500 side.
It would seem that you have Active/Active failover.
To check Failover configurations, use the following commands
Here's a link to the Configuration Guide and Command Reference for FWSM 4.0
Configuration Guide: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/fwsm_cfg.html
Command Reference: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/fwsm_ref.html
Please rate the answers if you have found the information helpful.
- Jouni
12-04-2012 06:49 AM
Thanks JouniForss,
Yes, it seems we have active/active failover; the system context is a member of group 1, so it is active on one 6500. So I need to configure my new context on this 6500. We have preempt 300 configured under each failover group. What exactly does this mean?
admin# sh running-config failover
failover
failover lan unit primary
failover lan interface FLINK Vlan901
failover link SLINK Vlan902
failover interface ip FLINK 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip SLINK 192.168.2.1 255.255.255.252 standby 192.168.2.2
failover group 1
  preempt 300
failover group 2
  secondary
  preempt 300
admin#
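As an added example (not from the thread, and not Cisco code), a small Python audit that ties together the two pieces above: it checks that every VLAN a context allocates in the system context is also declared there and handed to the module by a firewall/svclc vlan-group on the 6500 side, and reads "failover lan unit" and "failover group" to tell on which unit that context is active. The sample configs, the vlan-group numbers 50/51 and Vlan120 are constructed.

```python
import re
# Constructed samples (not from the thread): group numbers 50/51 stand in for the
# post's "?", and Vlan120 is allocated but neither declared nor trunked.
IOS_CFG = "firewall vlan-group 50 1,2,3,10\nsvclc vlan-group 51 101,102,103,110\n"
SYSTEM_CFG = """failover lan unit primary
failover group 2
  secondary
interface Vlan10
context New-Context
  allocate-interface Vlan10
  allocate-interface Vlan120
  join-failover-group 2
"""

def vlans_from_groups(ios_cfg):
    """Expand 'firewall|svclc vlan-group <n> <list>' into the set of VLAN ids."""
    vlans = set()
    for m in re.finditer(r"^(?:firewall|svclc) vlan-group \d+ (\S+)", ios_cfg, re.M):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_system(sys_cfg):
    """Return (this unit's role, {group: preferred unit}, declared VLANs, contexts)."""
    unit, groups, ifaces, ctxs, cur = None, {1: "primary"}, set(), {}, None
    for w in (l.split() for l in sys_cfg.splitlines() if l.strip()):
        if w[:3] == ["failover", "lan", "unit"]:
            unit = w[3]
        elif w[:2] == ["failover", "group"]:  # a group is primary unless told otherwise
            cur, groups[int(w[2])] = ("group", int(w[2])), "primary"
        elif w[0] == "interface" and w[1].startswith("Vlan"):
            ifaces.add(int(w[1][4:]))
        elif w[0] == "context":  # contexts land in group 1 unless they join another
            cur, ctxs[w[1]] = ("ctx", w[1]), {"vlans": set(), "group": 1}
        elif cur and cur[0] == "group" and w[0] == "secondary":
            groups[cur[1]] = "secondary"
        elif cur and cur[0] == "ctx" and w[0] == "allocate-interface":
            ctxs[cur[1]]["vlans"].add(int(w[1][4:]))
        elif cur and cur[0] == "ctx" and w[0] == "join-failover-group":
            ctxs[cur[1]]["group"] = int(w[1])
    return unit, groups, ifaces, ctxs

def audit(ios_cfg, sys_cfg):
    """Per context: VLANs missing on either side, and whether it is active on this unit
    (active_here assumes failover is healthy and preempt has taken effect)."""
    trunked, (unit, groups, ifaces, ctxs) = vlans_from_groups(ios_cfg), parse_system(sys_cfg)
    return {name: {"not_declared": sorted(c["vlans"] - ifaces),
                   "not_trunked": sorted(c["vlans"] - trunked),
                   "active_here": groups.get(c["group"], "primary") == unit}
            for name, c in ctxs.items()}
```

Run it against the output of "show running-config" from the system context and the 6500's vlan-group lines; a context that reports active_here False is the one to configure on the other 6500.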
12-04-2012 09:02 AM
Hi,
The "preempt" works in the same kind of way as the router HSRP preempt.
An example situation might be the following.
In other words, "preempt" (and the related timer) defines that the Context will return as Active to the original FWSM device after it has been up for the configured timer value. (Unless I am mistaken.)
- Jouni
12-06-2012 08:20 AM
Thanks Again JouniForss,
Last questions, I promise. When I do a write mem on the system context or any context, I take it I just need to do it on the router that's active and not hop over and do it on the standby 6500 as well? Presume it syncs across and saves.
Also I am confused about this BVI line:
interface BVI10
ip address 192.168.0.251 255.255.255.0 standby 192.168.0.250
This line also exists on the standby context. I am confused as to where IP address 192.168.0.250 actually lives if you get me?
I thought the standby router would be like this:
interface BVI10
ip address 192.168.0.250 255.255.255.0 standby 192.168.0.251
Similar in design to HSRP.
12-06-2012 08:46 AM
Hi,
Provided the Failover is working and up, you only need to issue "write mem" on the Active unit/context.
Think there is also a command called "write standby" which copies the whole configuration to the standby unit. The command "write mem" saves the changes you have made to both units and usually should be enough.
Notice the following things while saving configurations:
If you for example just make a new Context with a new Vlan interface and only save configurations under the Context, and the FWSM happens to reboot, the System Context configurations will be missing from the FWSM. (In other words the Context won't be there when the FWSM has booted and would have to be configured again, even though you might have saved its configuration under the actual New-Context.)
In a Failover pair the units have identical configurations. Usually the only difference between the units can be found in the "failover" configuration line which defines the primary/secondary unit.
The IP address configurations simply mean that the first IP address belongs to the Active unit and the standby IP address to the Standby unit.
Take this situation for example
Don't worry about asking more questions. Will try to answer them if I can.
- Jouni