FWSM : Difference between single or multiple contexts

mchockalingam · ‎07-24-2008

I am really confused about when to use single context or when to run multiple contexts on the FWSM.

We are experimenting with MPLS and I have multiple VRFs. We would like to apply policy between different VRFs on the FWSM.

Looks like this can be done with single context. But it also raises a question of when will multiple context be useful?

dhananjoy chowdhury · ‎07-24-2008

Multiple security contexts is useful : -

- For a Manages Security Secvice Provider selling firewall services to many customers. You can have individual virtual FW's for each customer which functions independently with security policies based on each customers requirements..

- When you have multiple departments and you want to have 1 FW per dept. with different Security policies / config for each dept.

Marwan ALshawi · ‎07-24-2008

interesting question

lets consider ur case as an example

let say you have multiple customers and as in your case you have VRFs

so one of your customers need the firewall be in transperant mode L2 and other customer need it to be L3 and each on ehave deffrent security policies requerment

so i the case the best way to deal with it is deploying Firewall with multiple context

it will work exactly like you have multiple Firewalls each with interfaces and policies

and also with deferent IP addresing

while this separation is all vitualy

so lets say VRF one have static route to internet trough the ip address of FWSM contex 1

and VRF 2 has static route to the internet through FWSM ip address of FWSM context 2

so briefly it is virtal separation to your firewall

can run one context in L2 mode, other one in layer three mode

also with FWSM multiple context and MSFC

u can make a cusomer connect to ur MSFC then the FWSM while other context connected directly to other customer

customer---FWSM context1---MSFC--internet

customer2---MSFC--FWSM context2--internet

thanks

Rate If helpful

ksvy_ksvy · ‎07-25-2008

sounds like you can run both transparent and routed mode contexts concurrently on the same fwsm, using 3.1?

I couldn't find the white page for this

thanks, kevin

Marwan ALshawi · ‎07-26-2008

i think i have put this concept mistakenly!

the firewall should operate in one mode because the firewall mode is selected on the global firewall mode not on the context level thats why

however, as i mentioned above with FWSM and multiple context design u can achive alot more flexablity when u have more than one customer

in a ddition to the flexablity to the FWSM placemnt

before the MSFC or after the MSFC

also if u have any loadbalancing module u can achive more flexablity with multiple contxt because u might have an application servers which need loadbalancing so u make the context1 behined the loadbalancer module

and u have at the same time database servers that only comunicat with the applications not with users directly in this case u dont need loadbalancing for those database servers

so in context2 there will be no comunication between the firewall and the loadbalncer

at the same time the comunication between the application server and the database server will be between context through the MSFC which is more secur

without multiple context u cant achive this

i mentioned this because this is another example to those i have mentioned earlier

this is apply to data center design

thank you

Rate if helpful

dhananjoy chowdhury · ‎07-26-2008

Hi,

With the introduction of FWSM 3.1, mixed-mode operation is also supported. This allows the capability to have both transparent and routed contexts operate simultaneously on the same FWSM.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/fwmode_f.html#wp1220586

Marwan ALshawi · ‎07-26-2008

cool

then i sound rushed in this topic

all things i have mentioned ok, but the modes thing disapointed me this time

but i rmeber i read it before somewhere about mixed-mode

ksvy_ksvy · ‎07-27-2008

hello, very good.... this is what I was wanting to verify, thank you

I am to configure one routed mode context and one transparent mode context on the same 6509 fwsm, which is has v3.1

there with be two vlans per context

each context's pair of vlans with be used to connect to adjoining equipment

any other suggestions would be appreciated

thanks, again

mchockalingam · ‎07-27-2008

Thank you for all the responses. I am running 2.3(4) on the FWSM, but after reading all the posts, I am going to upgrade it to 3.1 and lab test the multiple context.