07-24-2008 04:52 PM - last edited on 03-25-2019 05:40 PM by ciscomoderator
I am really confused about when to use single context or when to run multiple contexts on the FWSM.
We are experimenting with MPLS and I have multiple VRFs. We would like to apply policy between different VRFs on the FWSM.
Looks like this can be done with a single context. But it also raises the question of when multiple contexts will be useful.
07-24-2008 09:45 PM
Multiple security contexts are useful:
- For a Managed Security Service Provider selling firewall services to many customers. You can have individual virtual FWs for each customer which function independently, with security policies based on each customer's requirements.
- When you have multiple departments and you want to have one FW per department, with different security policies/config for each department.
07-24-2008 09:47 PM
Interesting question.
Let's consider your case as an example.
Let's say you have multiple customers and, as in your case, you have VRFs.
So one of your customers needs the firewall to be in transparent mode (L2) and another customer needs it to be L3, and each one has different security policy requirements.
So in that case the best way to deal with it is deploying the firewall with multiple contexts.
It will work exactly like you have multiple firewalls, each with its own interfaces and policies,
and also with different IP addressing,
while this separation is all virtual.
So let's say VRF 1 has a static route to the internet through the IP address of FWSM context 1,
and VRF 2 has a static route to the internet through the IP address of FWSM context 2.
So briefly, it is virtual separation of your firewall.
You can run one context in L2 mode, the other one in layer three mode.
Also with FWSM multiple contexts and the MSFC,
you can make a customer connect to your MSFC then the FWSM, while another context is connected directly to the other customer:
customer---FWSM context1---MSFC--internet
customer2---MSFC--FWSM context2--internet
Thanks
Rate If helpful
07-25-2008 10:35 AM
Sounds like you can run both transparent and routed mode contexts concurrently on the same FWSM, using 3.1?
I couldn't find the white paper for this.
Thanks, Kevin
07-26-2008 01:32 AM
I think I have put this concept mistakenly!
The firewall should operate in one mode because the firewall mode is selected at the global firewall level, not at the context level; that's why.
However, as I mentioned above, with FWSM and a multiple-context design you can achieve a lot more flexibility when you have more than one customer,
in addition to the flexibility of the FWSM placement,
before the MSFC or after the MSFC.
Also, if you have any load-balancing module you can achieve more flexibility with multiple contexts, because you might have application servers which need load balancing, so you put context 1 behind the load-balancer module,
and at the same time you have database servers that only communicate with the applications, not with users directly; in this case you don't need load balancing for those database servers,
so in context 2 there will be no communication between the firewall and the load balancer.
At the same time the communication between the application server and the database server will be between contexts through the MSFC, which is more secure.
Without multiple contexts you can't achieve this.
I mentioned this because it is another example in addition to those I mentioned earlier;
this applies to data center design.
Thank you
Rate if helpful
07-26-2008 02:08 AM
Hi,
With the introduction of FWSM 3.1, mixed-mode operation is also supported. This allows the capability to have both transparent and routed contexts operate simultaneously on the same FWSM.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/fwmode_f.html#wp1220586
07-26-2008 02:14 AM
Cool.
Then I sounded rushed on this topic.
All the things I mentioned are OK, but the modes thing disappointed me this time.
But I remember I read about mixed mode somewhere before.
07-27-2008 01:22 PM
Hello, very good.... this is what I was wanting to verify, thank you.
I am to configure one routed mode context and one transparent mode context on the same 6509 FWSM, which has v3.1.
There will be two VLANs per context.
Each context's pair of VLANs will be used to connect to adjoining equipment.
Any other suggestions would be appreciated.
Thanks again
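Putting together the two designs discussed in this thread (the per-customer VRF routing toward separate contexts described in the second reply, and the mixed routed-plus-transparent layout on FWSM 3.1 that Kevin plans above), here is an added configuration sketch. It is not from any post in this thread and not Cisco's documentation; the module slot, VLAN numbers, VRF and context names, and every address and prefix are constructed assumptions chosen only to make the pieces line up.

```text
! ===== Catalyst 6509 MSFC: hand VLANs to the FWSM and route each VRF =====
! (constructed example: slot 3, VLAN/VRF numbers and addresses are assumptions)
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1
firewall vlan-group 1 10,20,21,30,31
!
interface Vlan20
 ip vrf forwarding CUST1
 ip address 10.20.0.254 255.255.255.0
!
interface Vlan30
 ip vrf forwarding CUST2
 ip address 10.30.0.254 255.255.255.0
!
! CUST1's network sits behind the routed context's outside address
ip route vrf CUST1 192.168.1.0 255.255.255.0 10.20.0.1
! CUST2's router is on the far side of the transparent context (bridged, same subnet)
ip route vrf CUST2 192.168.2.0 255.255.255.0 10.30.0.2

! ===== FWSM system execution space: carve the module into contexts =====
mode multiple
admin-context admin
!
context admin
 allocate-interface vlan10
 config-url disk:/admin.cfg
!
context CUST1
 allocate-interface vlan20
 allocate-interface vlan21
 config-url disk:/cust1.cfg
!
context CUST2
 allocate-interface vlan30
 allocate-interface vlan31
 config-url disk:/cust2.cfg

! ===== Context CUST1 (routed): its own addressing, routing and policy =====
interface vlan20
 nameif outside
 security-level 0
 ip address 10.20.0.1 255.255.255.0
interface vlan21
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.20.0.254
access-list INBOUND extended permit tcp any host 192.168.1.10 eq 443
access-list INBOUND extended deny ip any any log
access-group INBOUND in interface outside

! ===== Context CUST2 (transparent): per-context mode is what 3.1 mixed mode adds =====
firewall transparent
interface vlan30
 nameif outside
 security-level 0
interface vlan31
 nameif inside
 security-level 100
ip address 10.30.0.1 255.255.255.0
access-list INBOUND extended permit tcp any 192.168.2.0 255.255.255.0 eq 80
access-list INBOUND extended deny ip any any log
access-group INBOUND in interface outside
```

Two points worth checking in a design like this. First, the MSFC's VRFs keep the customers' routing tables apart while the contexts keep their firewall policy apart; each context has its own ACLs with an explicit logged deny, so a change for one customer cannot loosen the other's policy. Second, note the difference in the VRF next hops: for the routed context the next hop is the context's own outside address, whereas for the transparent context the next hop is the customer's router seen through the bridge, and the context only needs the management address in that bridged subnet. Per-context `firewall transparent` requires the 3.1 mixed-mode support cited earlier in the thread; on 2.3 the mode is global.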
07-27-2008 06:32 PM
Thank you for all the responses. I am running 2.3(4) on the FWSM, but after reading all the posts, I am going to upgrade it to 3.1 and lab test the multiple context.