FWSM transparent Mode, multiple pairs per context

Unanswered Question
Jun 11th, 2007

We are configuring an FWSM in transparent mode and would like to use multiple pairs of VLANs per context. We have a couple of questions:

1. How does monitor-interface work in Transparent mode and what does it monitor? Is it looking at layer 2 or layer 3?

2. For each inside/outside pair, we need to configure a bridge group. Is it necessary to have an IP address on each BVI interface or only one per context?

3. Is there any drawback to having multiple vlan pairs per context versus having each pair in its own context?

TIA

ebreniz Tue, 06/19/2007 - 03:04

In transparent mode, the FWSM acts like a "bump in the wire," or a "stealth firewall," and is not a router hop. The FWSM connects the same network on its inside and outside interfaces, but each interface must be on a different VLAN. No dynamic routing protocols or NAT are required. However, like routed mode, transparent mode also requires ACLs to allow any traffic through aside from ARP packets. Transparent mode can allow certain types of traffic in an ACL that are blocked by routed mode, including unsupported routing protocols and multicast traffic. Transparent mode can also optionally use EtherType ACLs to allow non-IP traffic. Transparent mode only supports two interfaces, an inside interface and an outside interface.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/fwmode.html

lowen Thu, 06/21/2007 - 05:40

One IP address per context is fine, although you may find one per BVI/VLAN pair facilitates some basic troubleshooting (e.g. using ping to populate the ARP cache to determine if a host is "behind" the correct interface and thus in the correct VLAN, and similar reachability issues).

One potential drawback (depending on the total number of bvis or contexts, and the complexity of your configuration) of multiple vlan pairs per context is this: the fwsm is, by default, subdivided into 12 partitions, and each partition receives an equal share of limited resources (e.g. "slots" for ACEs). Contexts are somewhat arbitrarily assigned to partitions. Having multiple vlan pairs per context may increase the likelihood that a particular context/partition will exhaust its available resources. You have some control over number of partitions, assignment of resources to partitions, and assignment of contexts to partitions, but it adds management complexity.

Of course, one plus to multiple vlan pairs per context is fewer contexts need to be licensed for a given number of vlan pairs.
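As an added example that is not part of the original thread, the following sketches what lowen's suggestion (one BVI address per VLAN pair inside a single transparent context) looks like using the bridge-group syntax introduced with FWSM 3.1. Everything in it is constructed: the context name, VLAN numbers, interface names, security levels and addresses are placeholders, and the software version on the asker's chassis is assumed to support multiple bridge groups per context (the 2.2 document quoted above does not).

```text
! --- constructed example: one transparent context, two inside/outside VLAN pairs ---
! Bridge group 1: VLAN 101 (inside) <-> VLAN 201 (outside), management address 10.1.1.1
interface vlan 101
 nameif inside-a
 bridge-group 1
 security-level 100
interface vlan 201
 nameif outside-a
 bridge-group 1
 security-level 0
interface bvi 1
 ip address 10.1.1.1 255.255.255.0
!
! Bridge group 2: VLAN 102 (inside) <-> VLAN 202 (outside), management address 10.2.2.1
interface vlan 102
 nameif inside-b
 bridge-group 2
 security-level 100
interface vlan 202
 nameif outside-b
 bridge-group 2
 security-level 0
interface bvi 2
 ip address 10.2.2.1 255.255.255.0
!
! ACLs are still required for any non-ARP traffic to pass (see the quoted doc text above).
! Each bridge group needs its own permitted traffic on its own interfaces.
access-list pair-a extended permit tcp any any eq 443
access-group pair-a in interface outside-a
!
! Troubleshooting check lowen describes: ping a host from the BVI that should be on
! its segment, then look at which interface the ARP entry was learned on.
! ping 10.2.2.50
! show arp
```

The BVI addresses carry no routing role in transparent mode; their value here is that each bridge group can source its own ping, so a host that answers but shows up in `show arp` on the wrong interface name is immediately visible as being in the wrong VLAN. Keep in mind lowen's resource caveat: every ACE added for a second pair draws from the same partition as the first, so the more pairs share a context, the closer that context sits to its ACE limit.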
