03-14-2006 08:10 AM - edited 03-09-2019 02:15 PM
Hello,
We are considering implementing contexts to control access for a number of agencies' traffic we manage. I have some questions about contexts I haven't been able to find clear answers to:
1) In a failover FWSM setup, if one primary context goes down but not the others, does it failover to the secondary module context?
2) Does the context licensing for the secondary FWSM need to be a duplicate of the primary? i.e. do you need 2 separate licenses for say, 20 contexts?
3) If the module is in single context mode and you convert it to multiple context, what happens to the running config? Are its rulesets, interfaces converted to the admin context? If not, what is the easiest way to move the single context config into a 'working' context that we can then pull rules, interfaces, etc. out of for new context conversions as they are needed?
Thanks for your help!
03-14-2006 08:34 AM
1.)
Question: In a failover FWSM setup, if one primary context goes down but not the others, does it failover to the secondary module context?
Answer: Yes and no. It depends on the trigger: failover will occur depending on how many interfaces have failed. But remember you are using virtual interfaces (VLANs); they usually never go down.
Failover Triggers
The module can fail if one of the following events occurs:
The module has a hardware failure or a power failure.
The module has a software failure.
Too many monitored interfaces fail.
Because the FWSM can have a large number of interfaces, it cannot monitor every interface. Rather, you configure the FWSM to monitor a subset of interfaces. The FWSM fails over when a certain number of monitored interfaces fails; you configure the failure threshold to be an absolute value or a percentage of the total number of monitored interfaces.
See the "Failover Monitoring" section for more information about when a module or interface is considered to be failed.
Reference Using Failover (Version 2.3):
2.)
Question: Does the context licensing for the secondary FWSM need to be a duplicate of the primary? i.e. do you need 2 separate licenses for say, 20 contexts?
Answer: YES, you need 2 licence packs for 20 contexts.
3.)
Question: If the module is in single context mode and you convert it to multiple context, what happens to the running config? Are its rulesets, interfaces converted to the admin context? If not, what is the easiest way to move the single context config into a 'working' context that we can then pull rules, interfaces, etc. out of for new context conversions as they are needed?
Answer: When you convert from single mode to multiple mode, the FWSM converts the running configuration into two files: a new startup.cfg (in Flash) that comprises the system configuration, and admin.cfg (in the disk partition) that comprises the admin context. The original running configuration is saved as old_running.cfg (in disk). The original startup configuration is not saved. The FWSM automatically adds an entry for the admin context to the system configuration with the name "admin."
Note: The admin context is just to access and manage the FWSM, not to use as a virtual firewall (PIX)!
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/index.htm
Sincerely,
Patrick
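The answer above explains that the FWSM only watches a configured subset of interfaces and fails over once the number of failed monitored interfaces reaches a threshold given either as an absolute count or as a percentage of the monitored set. The following is an added illustration of that decision rule, written for this page; it is not code from the thread, from Cisco, or from the FWSM itself. The policy string form (`"2"` or `"50%"`) is my assumption modelled on the count-or-percentage description in the answer, and the rounding of a percentage to a whole number of interfaces is my choice, not documented FWSM behaviour. The interface states are constructed sample data.

```python
"""Simulate the FWSM failover trigger described in the thread.

Assumptions (not from the page): a policy string is either an integer
count such as "2" or a percentage such as "50%"; a percentage threshold
is rounded up to a whole number of interfaces, never below 1.
"""
from dataclasses import dataclass


@dataclass
class FailoverDecision:
    monitored: int        # number of monitored interfaces that exist
    failed: int           # how many of those are down
    threshold: int        # failed count that triggers failover
    failover: bool        # True when failed >= threshold


def parse_interface_policy(policy: str) -> tuple[str, int]:
    """Return ("count", n) or ("percent", n) from a policy string."""
    text = policy.strip()
    if text.endswith("%"):
        pct = int(text[:-1])
        if not 1 <= pct <= 100:
            raise ValueError("percentage must be between 1 and 100")
        return ("percent", pct)
    count = int(text)
    if count < 1:
        raise ValueError("interface count must be at least 1")
    return ("count", count)


def failure_threshold(policy: str, monitored_count: int) -> int:
    """Translate the policy into an absolute number of failed interfaces."""
    kind, value = parse_interface_policy(policy)
    if kind == "count":
        return value
    # ceil(monitored_count * value / 100) using integer arithmetic;
    # rounding direction is an assumption made for this example.
    return max(1, -((-monitored_count * value) // 100))


def evaluate_failover(interfaces: dict[str, bool],
                      monitored: set[str],
                      policy: str) -> FailoverDecision:
    """Decide whether the module should fail over.

    interfaces maps interface name -> True (up) / False (down).
    Only interfaces in the monitored set are considered, which is the
    point the answer makes: an unmonitored interface can go down without
    triggering failover.
    """
    watched = [name for name in monitored if name in interfaces]
    failed = sum(1 for name in watched if not interfaces[name])
    threshold = failure_threshold(policy, len(watched))
    return FailoverDecision(len(watched), failed, threshold,
                            failed >= threshold)


# Constructed sample: five VLAN interfaces, three of them down.
SAMPLE_INTERFACES = {
    "vlan10": True,
    "vlan20": False,
    "vlan30": False,
    "vlan40": True,
    "vlan50": False,
}


def demo() -> dict[str, bool]:
    """Run a few scenarios and return policy -> failover decision."""
    four = {"vlan10", "vlan20", "vlan30", "vlan40"}
    only_up = {"vlan10", "vlan40"}
    return {
        "count 1, four monitored": evaluate_failover(SAMPLE_INTERFACES, four, "1").failover,
        "50%, four monitored": evaluate_failover(SAMPLE_INTERFACES, four, "50%").failover,
        "count 3, four monitored": evaluate_failover(SAMPLE_INTERFACES, four, "3").failover,
        # vlan20/30/50 are down but not monitored, so no failover
        "count 1, unmonitored failures": evaluate_failover(SAMPLE_INTERFACES, only_up, "1").failover,
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {'FAILOVER' if result else 'no failover'}")
```

The last scenario is the one worth checking in a real deployment: if the interfaces that matter to a context are not in the monitored subset, their failure is invisible to the failover logic, so the monitored set should be chosen per context rather than left at whatever default the module picks.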
03-14-2006 09:08 AM
Thank you Patrick, that is most helpful. One last question about the conversion: so according to the docs the old single context config is saved to a file and you can then load that saved config into a new context within the new multi-context space, thus restoring the original config, but now the FWSM has the capability to use multiple contexts.