Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
677
Views
0
Helpful
2
Replies

FWSM transparent Mode, multiple pairs per context

bs6825
Level 1
Level 1

‎06-11-2007 01:51 PM - edited ‎03-11-2019 03:28 AM

We are configuring an FWSM in transparent mode and would like to use multiple pais of vlans per context. We have a couple questions:

1. How does monitor-interface work in Transparent mode and what does it monitor? Is it looking at layer 2 or layer 3?

2. For each inside/outside pair, we need to configure a bridge group. Is it necessary to have an IP address on each BVI interface or only one per context?

3. Is there any drawback to having multiple vlan pairs per context versus having each pair in its own context?

TIA

Labels:
0 Helpful
2 Replies 2

ebreniz
Level 6
Level 6

‎06-19-2007 03:04 AM

Transparent mode, the FWSM acts like a "bump in the wire," or a "stealth firewall," and is not a router hop. The FWSM connects the same network on its inside and outside interfaces, but each interface must be on a different VLAN. No dynamic routing protocols or NAT are required. However, like routed mode, transparent mode also requires ACLs to allow any traffic through aside from ARP packets. Transparent mode can allow certain types of traffic in an ACL that are blocked by routed mode, including unsupported routing protocols and multicast traffic. Transparent mode can also optionally use EtherType ACLs to allow non-IP traffic. Transparent mode only supports two interfaces, an inside interface and an outside interface.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/fwmode.html

0 Helpful

lowen
Level 1
Level 1

‎06-21-2007 05:40 AM

One ip address per context is fine, although you may find one per bvi/vlan pair facilitates some basic troubleshooting (e.g using ping to populate the arp cache to determine if a host is "behind" the correct interface and thus in the correct vlan, and similar reachability issues).

One potential drawback (depending on the total number of bvis or contexts, and the complexity of your configuration) of multiple vlan pairs per context is this: the fwsm is, by default, subdivided into 12 partitions, and each partition receives an equal share of limited resources (e.g. "slots" for ACEs). Contexts are somewhat arbitrarily assigned to partitions. Having multiple vlan pairs per context may increase the likelihood that a particular context/partition will exhaust its available resources. You have some control over number of partitions, assignment of resources to partitions, and assignment of contexts to partitions, but it adds management complexity.

Of course, one plus to multiple vlan pairs per context is fewer contexts need to be licensed for a given number of vlan pairs.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card