fwsm with multiple context and multiple SVI????

kamlesh yadav
Level 1

I am a novice to the FWSM technology.

We have an FWSM which has multiple contexts configured for the different businesses at one site.

On the other site we have an FWSM which is configured with multiple SVIs for the different businesses.

What is the difference between these two types? What are the advantages and disadvantages?

Could you also help me out with the architecture of the FWSM in layman's language?

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

I personally started at my current job when all of the FWSMs in our network were already installed, so I never got to be part of implementing them from the very start into the production environment. At the moment I am actually migrating environments out of those same FWSMs into new ASA firewalls at our datacenters.

Now, looking at your setups, I understood that you have 2 setups:

  • One site which separates each customer to their own Security Context
  • One site which has each customer connect to the same FWSM with its own Vlan interface but no separate Security Contexts are involved

The obvious difference with the 2 setups is that in the first one each customer is separated into its own virtual firewall, which in my opinion is the better solution, both from a customer security standpoint and for keeping the customer environment easy to configure and manage. Naturally, for the WAN connection you will be spending 1 public IP address per Security Context as opposed to perhaps using only 1 public IP in the second setup. Though naturally even in that case I would probably use 1 public IP address for each customer.

In the second setup all the customers are connected to the same firewall, and naturally if the configurations aren't done properly you are potentially creating a security risk for the customers when they have a connection to each other. Also, when each customer is connected to the same firewall there is a small chance that you run into problems with network address space overlapping between customers, while in Multiple Context Mode this wouldn't be a problem. You might possibly also cause a problem for all the customers when configuring a single firewall to which all of them are connected. A possible misconfiguration can cause a network outage for all the connected customers, while the same mistake on a Multiple Context Mode FWSM would only affect the single customer.

I don't know if there is much to say about the architecture of the FWSM (from my part at least).

Configuration-wise, the FWSM is connected to the actual core device with a 6Gbps Etherchannel. This internal interface between the FWSM and the C6500/7600 carries the Vlans to and from the FWSM module. There are, to my knowledge, 3 processors on the FWSM that handle different tasks related to the FWSM operation.

Here is a good document on these forums about the FWSM architecture:

https://supportforums.cisco.com/docs/DOC-12713

Here's also a link to a page with the Configuration Guides and Command References of the FWSMs. They contain a lot of information on different configuration tasks and how the FWSM operates:

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html

Hope the information has been helpful.

- Jouni
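To make the two setups Jouni describes concrete, here is an illustrative FWSM configuration sketch added to this thread; it is not from the original posts or from Cisco documentation. Customer names, VLAN numbers and addresses are made up, and it assumes the standard FWSM multiple-context commands (mode multiple, context, allocate-interface, config-url) next to a plain single-context setup with one VLAN interface per customer.

```text
! Setup 1: Multiple Context Mode, configured in the system execution space.
! Each customer gets its own virtual firewall; the system context only
! decides which VLANs each context is allowed to use.
mode multiple
!
context custA
  allocate-interface vlan100
  allocate-interface vlan110
  config-url disk:/custA.cfg
!
context custB
  allocate-interface vlan200
  allocate-interface vlan210
  config-url disk:/custB.cfg
!
! custA.cfg and custB.cfg may both use 10.1.1.0/24 on their inside VLAN,
! because each context keeps its own interfaces, routing table and rule
! base. A bad change in custA.cfg cannot break custB.
!
! Setup 2: single context, one VLAN interface per customer (assumed values).
! All customers share one routing table and one rule base, so address
! spaces must not overlap and isolation has to be written explicitly.
interface Vlan100
  nameif outside
  security-level 0
  ip address 203.0.113.1 255.255.255.0
interface Vlan110
  nameif custA
  security-level 50
  ip address 10.1.1.1 255.255.255.0
interface Vlan210
  nameif custB
  security-level 50
  ip address 10.1.2.1 255.255.255.0
!
! The deny lines must come before the broad permit, otherwise a later
! rule change can open customer-to-customer traffic through the shared
! rule base. The same mistake affects every customer on this firewall.
access-list custA_in extended deny ip any 10.1.2.0 255.255.255.0
access-list custA_in extended permit ip 10.1.1.0 255.255.255.0 any
access-group custA_in in interface custA
access-list custB_in extended deny ip any 10.1.1.0 255.255.255.0
access-list custB_in extended permit ip 10.1.2.0 255.255.255.0 any
access-group custB_in in interface custB
```

In the first setup the per-customer isolation comes from the context boundary itself; in the second it exists only as long as every future ACL edit preserves the deny-before-permit ordering for every customer interface.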


2 Replies

Thanks Jouni for sharing such valuable knowledge.

It's really helpful for me. Thank you so much.
