multiple fwsm context on same vlan

Unanswered Question
Sep 5th, 2007

Hi,

I've noticed that, for some reason, you cannot assign the same vlan onto multiple contexts within the FWSM.

Is there a way to go around this limitation? Does anybody know if this will be addressed?

Regards,

Stephane

Jon Marshall Wed, 09/05/2007 - 06:47

Hi Stephane

You should be able to, as the FWSM supports the concept of a shared vlan between contexts. On our production FWSMs we have a vlan for the outside interfaces that is shared between contexts, so each outside interface has an IP address out of the same subnet.

Jon

stephg Wed, 09/05/2007 - 08:03

Hi Jon,

I thought that multiple contexts within the same FWSM share the same MAC address. Is this correct?

Jon Marshall Wed, 09/05/2007 - 09:27

Hi

Taken from our production FWSM:

Admin context
=============
Interface vlan241 "outside", is up, line protocol is up
MAC address 0015.624a.4780, MTU 1500
IP address 10.181.107.132, subnet mask 255.255.255.128

ebus context
============
Interface vlan241 "outside", is up, line protocol is up
MAC address 0015.624a.4780, MTU 1500
IP address 10.181.107.134, subnet mask 255.255.255.128

So yes, they do share the same MAC address, but remember that these are purely virtual interfaces. How the FWSM decides which context to send the traffic to is all to do with the classifier, and indeed when you share a vlan you do have to be aware of how the FWSM classifier works or it can be quite confusing :-)

Jon

stephg Tue, 09/11/2007 - 09:55

Hi,

But using the classifier, you had to create a static NAT to get it working. On top of it I would need to cascade contexts, which I think does not work.

Why doesn't the FWSM know its own IPs, so that you have to NAT to get it working?

Wouldn't static routes work?

Jon Marshall Tue, 09/11/2007 - 23:14

Stephane

Not sure I follow. Your original question was about not being able to share a vlan across contexts, and I pointed out that you can.

As far as statics are concerned, yes, you need to set up static translations because the classifier first looks at the vlan interface the packet comes in on, but as the vlan is shared it then needs a translation to work out which context to use.

Could you explain what you mean regarding static routes?

Jon
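The classifier behaviour Jon describes, as an added illustration that is not part of the thread and not FWSM code: a simplified Python model in which a packet on a VLAN owned by one context goes straight to that context, while a packet on a shared VLAN is delivered only if its destination matches exactly one context's static translation (or that context's own interface IP). The two interface IPs on vlan 241 come from Jon's output; VLAN 300 and the mapped addresses .140 and .141 are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Context:
    """One security context: its VLAN interfaces and the global addresses its statics expose."""
    name: str
    vlans: dict = field(default_factory=dict)   # vlan id -> interface IPv4Address
    statics: set = field(default_factory=set)   # mapped (global) addresses from static NAT


def classify(contexts, vlan, dst_ip):
    """Return the name of the context a packet belongs to, or None if the
    classifier cannot decide (no matching translation, or an ambiguous match)."""
    dst = IPv4Address(dst_ip)
    owners = [c for c in contexts if vlan in c.vlans]
    if not owners:
        return None                      # VLAN not allocated to any context
    if len(owners) == 1:
        return owners[0].name            # unique interface: VLAN alone decides
    # Shared VLAN: the MAC is the same for every context, so the destination
    # address has to be matched against each context's statics / interface IP.
    hits = [c for c in owners if dst == c.vlans[vlan] or dst in c.statics]
    if len(hits) == 1:
        return hits[0].name
    return None                          # untranslated or ambiguous: dropped


def build_sample_contexts():
    """Constructed sample mirroring the thread: admin and ebus share vlan 241,
    ebus also owns an (assumed) inside vlan 300."""
    admin = Context("admin",
                    vlans={241: IPv4Address("10.181.107.132")},
                    statics={IPv4Address("10.181.107.140")})   # constructed static
    ebus = Context("ebus",
                   vlans={241: IPv4Address("10.181.107.134"),
                          300: IPv4Address("192.168.1.1")},   # constructed VLAN
                   statics={IPv4Address("10.181.107.141")})    # constructed static
    return [admin, ebus]


CONTEXTS = build_sample_contexts()

if __name__ == "__main__":
    for vlan, dst in [(300, "192.168.1.10"), (241, "10.181.107.140"),
                      (241, "10.181.107.141"), (241, "10.181.107.150")]:
        print(f"vlan {vlan} -> {dst}: {classify(CONTEXTS, vlan, dst)}")
```

The last case shows Jon's point: on the shared VLAN, a destination with no static in any context cannot be classified, which is why the statics are required even though each context knows its own interface IP.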
