How do I enable 8 pairs of interfaces per context

Answered Question
Mar 15th, 2007

I have my FWSM working in transparent mode with 3 contexts (one admin, and 2 additional contexts). I am trying to configure 8 pairs of interfaces in one of my contexts (according to the documentation it is possible), but when I tried to enter more than 2 vlan interfaces in the context, I get this message: ERROR: Context interface limit of 2 reached on 'vlan4'


How can I configure the 8 pairs of interfaces in one context?


thanks!

Jon Marshall Thu, 03/15/2007 - 11:19

Hi Vicente


My understanding was that with the FWSM in transparent mode each context can only support 2 vlans because it is in effect bridging between the 2.


Could you point me at the docs where it says you can use more than 2 vlans in the same context?


Jon

vicente.madrigal Thu, 03/15/2007 - 11:50

Hi Jon,


Here is the doc: http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080577c38.html#wp1220151


This is what it says regarding bridge groups:


"Bridge Groups

If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can configure up to eight pairs of interfaces, called bridge groups. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the FWSM, and traffic must exit the FWSM before it is routed by an external router back to another bridge group in the FWSM. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a system log server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context. "


Thanks!




Jon Marshall Thu, 03/15/2007 - 12:09

Vicente


Well, you live and learn, I guess that's what Netpro is all about!


I have an FWSM in our lab at work so I might try this next week. One thing that struck me from the config was the following:


"You can only assign two interfaces to a bridge group. You cannot assign the same interface to more than one bridge group"


Are you definitely using separate vlan interface pairs per bridge group?


I will look at this in our lab as soon as I can.


Jon

vicente.madrigal Thu, 03/15/2007 - 12:25

Jon,


I was trying to create more than one bridge group per context yesterday but I was not able to configure more than 2 interfaces in the context, so I am guessing how can you enable up to eight bridge groups in a context if you are not able to configure more than 2 interfaces per context. If you could try it at your lab please let me know the results, I will keep looking for the way to configure more than one bridge group per context.


regards

Correct Answer
Jon Marshall Fri, 03/16/2007 - 01:33

Hi Vicente


Apologies for the delay, I had to upgrade our FWSM to version 3.1 before I could test. Specific version of software is 3.1(2).


It works fine for me, so here are the steps I followed.


1) Created vlans 700-708 on the 6500.

2) Allocated these vlans to the FWSM on the switch, i.e. "firewall vlan-group 7 700-708"

3) Logged on to the FWSM in sys execution space.

4) Created a new context "trs" & allocated vlans 700-708 to that context.

5) Changed to the trs context. Made the context transparent: "firewall transparent".

6) Did a sh run and the vlan interfaces from vlan700 -> vlan708 were there.

7) Assigned vlan700,701 to bridge-group 1, vlan702,703 to bridge-group 2, etc.


It all worked fine.


Is this how you have set it up?


What version of the 3.1 software are you using - I can download the exact one to test if need be.


HTH


Jon
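
Added example, not part of the original thread: a Python check that reads a transparent-mode context configuration and flags violations of the bridge-group limits quoted in this discussion (up to eight bridge groups, exactly two interfaces each, no interface in more than one group). The sample configuration is constructed, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

MAX_BRIDGE_GROUPS = 8   # "up to eight pairs of interfaces" (doc quoted in the thread)
IFACES_PER_GROUP = 2    # "You can only assign two interfaces to a bridge group"

# Constructed sample of a transparent-mode context, not taken from a real device.
SAMPLE_CONFIG = """\
firewall transparent
interface vlan700
 bridge-group 1
interface vlan701
 bridge-group 1
interface vlan702
 bridge-group 2
"""

def parse_bridge_groups(config):
    """Map bridge-group number -> list of interfaces, in config order."""
    groups = defaultdict(list)
    current = None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)\s*$", line, re.I)
        if m:
            current = m.group(1).lower()
            continue
        if line and not line[0].isspace():
            current = None  # any other top-level line ends the interface stanza
            continue
        m = re.match(r"\s+bridge-group\s+(\d+)\s*$", line)
        if m and current:
            groups[int(m.group(1))].append(current)
    return dict(groups)

def check_bridge_groups(config):
    """Return a list of violations of the limits quoted in the thread."""
    groups = parse_bridge_groups(config)
    problems = []
    if len(groups) > MAX_BRIDGE_GROUPS:
        problems.append(f"{len(groups)} bridge groups, limit is {MAX_BRIDGE_GROUPS}")
    seen = {}  # interface -> bridge group it was last seen in
    for num, ifaces in sorted(groups.items()):
        if len(ifaces) != IFACES_PER_GROUP:
            problems.append(f"bridge-group {num} has {len(ifaces)} interface(s): {ifaces}")
        for iface in ifaces:
            if iface in seen and seen[iface] != num:
                problems.append(f"{iface} is in bridge-groups {seen[iface]} and {num}")
            seen[iface] = num
    return problems
```

Run `check_bridge_groups()` on the text of a context's running configuration; an empty list means every bridge group is a complete, non-overlapping pair.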


vicente.madrigal Fri, 03/16/2007 - 10:42

Hi Jon,


I didn't have a chance to come back to our laboratory yesterday. I will try your steps today as soon as possible. I think the main issue here is the software version I am using in my FWSM. I am going to upgrade to the 3.1 version and I will let you know how it goes.


HTH


Vicente

Jon Marshall Wed, 03/21/2007 - 00:55

Vicente


How did you get on?


Jon

vicente.madrigal Thu, 03/22/2007 - 08:57

Hi Jon,


I was able to go to the lab yesterday and tried your steps. It worked fine; the problem was the software version I was using on the FWSM:


context SIIC
  allocate-interface Vlan107 int107
  allocate-interface Vlan108 int108
  allocate-interface Vlan109 int109
  allocate-interface Vlan7 int7
  allocate-interface Vlan8 int8
  allocate-interface Vlan9 int9
  config-url disk:/SIIC.cfg


With the new version I was able to allocate more than 2 interfaces in the context.


I will do some more tests to see if it works fine filtering traffic.


Vicente

markturner Mon, 08/08/2011 - 04:36

Hi,

I have a question related to this: is it possible with the base number of contexts (Admin plus two other) to have three contexts each with 8 pairs of bridge group interfaces? Or would it be necessary to order additional context licenses?


Thanks


Mark
