Implementing FWSM with multiple context and failover

Sep 6th, 2007

I will shortly be implementing a FWSM solution, consisting of 2x FWSMs and 2x 6500 Chassis. Each chassis will have a FWSM installed, and ideally I'd like to run active/active with 2 contexts (+ admin context) and failover. I have the standard license.

I want to achieve the following:

Context A:

Active on FWSM A - Function is main flow of Traffic from inside to outside (internet traffic from inside network)

Context B:

Active on FWSM B - Function is to host multiple DMZ interfaces for servers. Inside hosts will also need to communicate with these servers (inside being the same IP ranges using Context A for their internet traffic).

I would also need to configure failover between the contexts, and outside and inside VLANs for both contexts will be the same (same IP range).

When using multiple context mode, all of the configuration examples I have seen so far have the MSFC outside the FWSM, having the MSFC face the internet.

This is not the way I would like to implement the solution; I'd much rather have the FWSM facing the internet.

Is this indeed the case when running multi-context, that the MSFC must be 'outside' in this scenario?

Thanks for any assistance.....

Jon Marshall Thu, 09/06/2007 - 09:03

Hi Chris

Not sure if you are asking how to do the config or if your question is purely about the position of the MSFC.

Anyway, in answer to your question about the MSFC: no, it does not have to be in front of the FWSM. In fact, when using multiple context you can have some contexts with the MSFC in front and some with the MSFC behind.

To configure with the MSFC behind, just make sure that the VLAN on the outside of the FWSM towards the internet does not have an SVI for it on the MSFC, i.e. don't configure a layer 3 interface for that VLAN on the 6500, just create it on the FWSM.
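
One way to audit the point made in the answer above, as an added example that is not part of the original thread: the script reads a Catalyst 6500 running-config, collects the VLANs handed to the FWSM, and reports any outside VLAN that still has a layer 3 SVI on the MSFC. The sample config, VLAN numbers, slot number and group number are constructed assumptions.

```python
import re

# Constructed sample running-config (not from the thread). Assumed values:
# VLAN 100 = FWSM outside, VLAN 200 = inside, FWSM in slot 3, vlan-group 1.
SAMPLE_CONFIG = """\
firewall module 3 vlan-group 1
firewall vlan-group 1 100,200-201
!
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan200
 ip address 10.0.0.1 255.255.255.0
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '100,200-201' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def firewall_vlans(config):
    """VLANs assigned to the FWSM by 'firewall vlan-group <n> <list>' lines."""
    vlans = set()
    for m in re.finditer(r"^firewall vlan-group \d+ (\S+)", config, re.M):
        vlans |= expand_vlans(m.group(1))
    return vlans

def svis_with_ip(config):
    """VLAN ids that have an SVI (interface VlanN) carrying an ip address."""
    found, current = set(), None
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)\s*$", line)
        if m:
            current = int(m.group(1))
        elif not line.startswith(" "):
            current = None  # left the interface stanza
        elif current is not None and re.match(r"\s+ip address \S+", line):
            found.add(current)
    return found

def svi_on_outside_vlans(config, outside_vlans):
    """Outside VLANs that belong to the FWSM yet still have an SVI on the MSFC."""
    return sorted(firewall_vlans(config) & svis_with_ip(config) & set(outside_vlans))

if __name__ == "__main__":
    print(svi_on_outside_vlans(SAMPLE_CONFIG, outside_vlans=[100]))
```

An empty result means the outside VLAN exists only on the FWSM, which is the layout the answer describes for placing the MSFC behind the firewall.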



chrisbw Thu, 09/06/2007 - 13:16

Hi Jon,

Thanks for the response, that's what I was hoping for.

You have a few very useful posts in various threads on here, keep up the good work!


