Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
573
Views
5
Helpful
3
Replies

Implementing FWSM with multiple context and failover

chrisbw
Level 1
Level 1

‎09-06-2007 07:16 AM - edited ‎03-11-2019 04:07 AM

I will shortly be implementing a FWSM solution, consisting of 2x FWSMs and 2x 6500 Chassis. Each chassis will have a FWSM installed, and ideally I'd like to run active/active with 2 contexts (+ admin context) and failover. I have the standard license.

I want to acheive the following:

Context A:

Active on FWSM A - Function is main flow of Traffic from inside to outside (internet traffic from inside network)

Context B:

Active on FWSM B - Function is to host multiple DMZ interfaces for servers. Inside hosts will also need to communicate with these servers (inside being the same IP ranges using Context A for their internet traffic).

I would also require to configue failover between the contexts, and outside and inside VLANs for both contexts will be the same (same IP range).

When using multiple context mode, all of the configuration examples I have seen so far have the MSFC outside the FWSM, having the MSFC face the internet.

This is not the way I would like to implement the solution, I'd much rather have the FWSM facing the internet.

Is this indeed the case when running multi-context, that the MSFC must be 'outside' in this scenario?

Thanks for any assistance.....

Labels:
0 Helpful
3 Replies 3

Jon Marshall
Hall of Fame
Hall of Fame

‎09-06-2007 09:03 AM

Hi Chris

Not sure if you are asking how to do the config or if your question is purely about the position of the MSFC.

Anyway in answer to your question about the MSFC, no it does not have to be in front of the FWSM. In fact when using multiple context you can have some contexts with MSFC in front and some with MSFC behind.

To configure with MSFC behind just make sure that the vlan on the outside of the FWSM towards the internet does not have an SVI for it on the MSFC ie. don't configure a layer 3 interface for that vlan on the 6500, just create it on the FWSM.

HTH

Jon

chrisbw
Level 1
Level 1
In response to Jon Marshall

‎09-06-2007 01:16 PM

Hi Jon,

Thanks for the response, thats what I was hoping for.

You have a few very useful posts in various threads on here, keep up the good work!

Chris.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to chrisbw

‎09-06-2007 11:05 PM

Chris

Only a few !! :)

Glad to help and thanks for the rating.

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card