Hi all,

I have a FWSM in a 7609 that is currently up and running in a single context, supporting our Internet access and customer circuits. We have a need to stand up a second context for our daughter company. I would like to know if there are any things I need to watch out for, other than the obvious (backup current config, etc)? FWSM is running 3.2 (3) code and we only have the 2 context basic license.

Any advice or pointers would be very appreciated.

TIA - Jim

Hi Jim

Things to be aware of

1) You have 3 contexts available to you. The admin context and then the 2 other contexts. Haven't done it on v3.x but when I switched to multiple context mode on v2.x it moved my existing firewall config into the admin context which you probably don't want.

2) When you switch to multiple context you get what's called the "system execution space". So when you log onto the firewall "sess slot x proc 1" you are in system execution space (SEP for short).

3) To allocate a vlan to the firewall you still have to add to the "firewall vlan-group ..." in the 6500 switch config but there is now an additional step where you then have to add it to the context in the SEP before you can assign it in your context.

4) You cannot run a dynamic routing protocol in multi context mode so if you are currently running one be prepared to add a lot of statics.

5) Failover is configured in SEP.

6) To change to a context from SEP -

ch con

7) To change back to SEP -

ch sys

8) Shared interfaces. If you decide that you are going to use the same vlan on the outside for both contexts this is fine but you need to read up on the FWSM classifier - if you have a look in the relevant configuration guides there is a good explanation of how the classifier works.

For your info here is the output from the SEP on one of our lab FWSM's.

SZ-JFH-F00-DTE-FW1# sh run
: Saved

FWSM Version 2.3(2)
resource acl-partition 12
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SZ-JFH-F00-DTE-FW1
ftp mode passive
pager lines 24
logging buffer-size 4096
class default
  limit-resource All 0
  limit-resource IPSec 5
  limit-resource Mac-addresses 65535
  limit-resource PDM 5
  limit-resource SSH 5
  limit-resource Telnet 5

failover lan unit primary
failover lan interface fover vlan 200
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover link statefover vlan 201
failover interface ip fover standby
failover interface ip statefover standby
arp timeout 14400

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
terminal width 511
admin-context admin-ct
context admin-ct
  allocate-interface vlan5
  allocate-interface vlan501
  config-url disk:/admin-ct.cfg

context test-ct
  description Shared Middleware Infrastructure (SMI) Test
  allocate-interface vlan62
  allocate-interface vlan64-vlan65
  allocate-interface vlan69
  allocate-interface vlan92-vlan93
  allocate-interface vlan95
  config-url disk:/test-ct.cfg

context dev-ct
  description Shared Middleware Infrastructure (SMI) Development
  allocate-interface vlan52
  allocate-interface vlan54-vlan55
  allocate-interface vlan59
  allocate-interface vlan82-vlan83
  allocate-interface vlan85
  allocate-interface vlan120-vlan121
  allocate-interface vlan123
  allocate-interface vlan125
  allocate-interface vlan134-vlan135
  config-url disk:/dev-ct.cfg

: end


Note: SEP is not an official abbreviation - I just used it because I'm a lazy and pretty bad typist :-)

HTH, any more questions just shout
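Points 3 and 8 above are the two places where the bookkeeping goes wrong in practice: a VLAN that is allocated to a context in the system execution space but was never added to the switch's "firewall vlan-group", and a VLAN that ends up allocated to more than one context (a shared interface, so the classifier rules apply). The following Python script is an added example, not code from the thread or from Cisco, that parses the context / allocate-interface blocks of a SEP "show run" together with the 6500 "firewall vlan-group" lines and reports both conditions before the cutover. The FWSM lines are taken from the lab output quoted in the reply; the switch-side lines and the second "shared outside" sample are constructed for illustration and do not describe any real device. The script only checks allocation consistency; it does not model the classifier itself.

```python
"""Pre-cutover check for FWSM multi-context VLAN allocation (added example).

Reports:
  * VLANs an allocate-interface line hands to a context although the switch
    never passes them to the FWSM via 'firewall vlan-group' (point 3 above)
  * VLANs allocated to more than one context, i.e. shared interfaces that
    need the classifier to be understood before use (point 8 above)
"""
import re
from collections import defaultdict

# SEP 'show run' fragment: the context blocks from the lab FWSM quoted above.
SEP_SHOW_RUN = """\
admin-context admin-ct
context admin-ct
  allocate-interface vlan5
  allocate-interface vlan501
  config-url disk:/admin-ct.cfg
context test-ct
  description Shared Middleware Infrastructure (SMI) Test
  allocate-interface vlan62
  allocate-interface vlan64-vlan65
  allocate-interface vlan69
  allocate-interface vlan92-vlan93
  allocate-interface vlan95
  config-url disk:/test-ct.cfg
context dev-ct
  description Shared Middleware Infrastructure (SMI) Development
  allocate-interface vlan52
  allocate-interface vlan54-vlan55
  allocate-interface vlan59
  allocate-interface vlan82-vlan83
  allocate-interface vlan85
  config-url disk:/dev-ct.cfg
"""

# Constructed 6500 switch-side snippet (hypothetical; VLAN 85 deliberately
# left out of group 2 so the check has something to find).
SWITCH_CONFIG = """\
firewall vlan-group 1 5,501,62,64,65,69,92,93,95
firewall vlan-group 2 52,54,55,59,82,83
firewall module 9 vlan-group 1,2
"""

# Constructed sample of two contexts sharing VLAN 10 on the outside.
SEP_SHARED_OUTSIDE = """\
context cust-a
  allocate-interface vlan10
  allocate-interface vlan20
  config-url disk:/cust-a.cfg
context cust-b
  allocate-interface vlan10
  allocate-interface vlan30
  config-url disk:/cust-b.cfg
"""
SWITCH_SHARED = "firewall vlan-group 3 10,20,30\n"


def expand_vlans(spec):
    """Expand 'vlan64-vlan65' / 'vlan5' (FWSM form) or '64-65' / '5' (switch form)."""
    nums = [int(n) for n in re.findall(r"\d+", spec)]
    if len(nums) == 1:
        return [nums[0]]
    if len(nums) == 2:
        return list(range(nums[0], nums[1] + 1))
    raise ValueError(f"unrecognised VLAN spec: {spec!r}")


def parse_sep_contexts(text):
    """Return {context_name: set_of_vlans} from the system execution space config."""
    contexts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^context\s+(\S+)$", line)   # 'admin-context ...' does not match
        if m:
            current = m.group(1)
            contexts[current] = set()
            continue
        m = re.match(r"^allocate-interface\s+(\S+)", line)
        if m and current is not None:
            contexts[current].update(expand_vlans(m.group(1)))
    return contexts


def parse_switch_vlan_groups(text):
    """Return the set of VLANs the switch hands to the FWSM via 'firewall vlan-group'."""
    vlans = set()
    for line in text.splitlines():
        m = re.match(r"^\s*firewall vlan-group\s+\d+\s+(\S+)", line)
        if m:
            for part in m.group(1).split(","):
                vlans.update(expand_vlans(part))
    return vlans


def audit(sep_text, switch_text):
    """Compare context allocations against the switch; return missing and shared VLANs."""
    contexts = parse_sep_contexts(sep_text)
    switch_vlans = parse_switch_vlan_groups(switch_text)
    missing = {name: sorted(v - switch_vlans)
               for name, v in contexts.items() if v - switch_vlans}
    owners = defaultdict(set)
    for name, v in contexts.items():
        for vlan in v:
            owners[vlan].add(name)
    shared = {vlan: sorted(names) for vlan, names in owners.items() if len(names) > 1}
    return {"missing": missing, "shared": shared}


if __name__ == "__main__":
    for label, sep, sw in (("lab FWSM", SEP_SHOW_RUN, SWITCH_CONFIG),
                           ("shared outside", SEP_SHARED_OUTSIDE, SWITCH_SHARED)):
        result = audit(sep, sw)
        print(f"[{label}] allocated but not in firewall vlan-group: {result['missing']}")
        print(f"[{label}] VLANs shared between contexts (classifier applies): {result['shared']}")
```

Run it against a saved copy of the SEP "show run" and the switch config before moving the customer VLANs; an entry under "missing" means the allocate-interface line will not give the context a usable interface until the switch side is fixed, and an entry under "shared" is a VLAN you should read the classifier section for before relying on it.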
