Shared Interface between FWSM Contexts

Answered Question
Jul 30th, 2008

Is it possible to set up an Active/Active FWSM configuration where there is a shared interface between both active contexts?

There will be 2 x 6506s with an FWSM each. I want to have an active context on each FWSM in the 6506s, and I want to make a shared interface between these active/active contexts across both 6506s.

Possible?

Farrukh Haroon Wed, 07/30/2008 - 07:03

What do you mean by shared interfaces? You share interfaces because you are falling short of physical interfaces; there is no such thing on the FWSM. Just VLANs?

Regards

Farrukh

cisconoobie Wed, 07/30/2008 - 09:34

Right sorry, I meant shared vlans.

In an msfc-outside config, I want to have a switch connect into active context1 on vlan 5. I want another switch to connect into context2 on vlan 6. Now I want both of these contexts to share "vlan 10".

Keep in mind that active context1 will be on 6506-1 and active context2 will be on 6506-2.

So my question is, can I set up a shared vlan for use between these 2 contexts?

Syed Iftekhar Ahmed Wed, 07/30/2008 - 10:21

You can only share it if the interfaces are in routed mode. Normally only outside interfaces can be shared, because of the FWSM's single MAC address limitation and the static statement requirement.

You need to use static NAT statements, as in the case of shared interfaces the FWSM's "classifier" intercepts the traffic and, depending on the destination IP, hands it over to the appropriate context.

Syed Iftekhar Ahmed
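
An added configuration example (not posted in this thread, and not from any of the participants) showing the pattern Syed describes: two routed-mode contexts that each own a private inside VLAN (vlan 5 and vlan 6, from cisconoobie's post) and share vlan 10 as their outside interface, with static and global statements whose mapped addresses let the FWSM classifier decide which context a packet arriving on the shared VLAN belongs to. Context names (ctx1, ctx2), the vlan-group numbers, the module slot, and every IP address (documentation ranges) are assumptions for illustration; the failover configuration that would actually make this an Active/Active pair across the two 6506s is not shown.

```text
! ---------------------------------------------------------------
! Catalyst 6506 supervisor: hand the three VLANs to the FWSM.
! vlan 10 must also be trunked between the two chassis so that
! ctx1 (on 6506-1) and ctx2 (on 6506-2) sit on the same segment.
! Slot 3 and vlan-group 1 are assumed values.
! ---------------------------------------------------------------
firewall vlan-group 1 5,6,10
firewall module 3 vlan-group 1

! ---------------------------------------------------------------
! FWSM system execution space (same on both modules; the failover
! group membership that makes ctx1 active on 6506-1 and ctx2 active
! on 6506-2 is omitted here).
! ---------------------------------------------------------------
mode multiple
!
context ctx1
  allocate-interface vlan5
  allocate-interface vlan10
  config-url disk:/ctx1.cfg
!
context ctx2
  allocate-interface vlan6
  allocate-interface vlan10
  config-url disk:/ctx2.cfg

! ---------------------------------------------------------------
! ctx1.cfg  (inside = vlan 5, outside = shared vlan 10)
! The mapped addresses in "static" and "global" must be unique
! across every context that shares vlan 10: they are what the
! classifier matches the destination IP against.
! ---------------------------------------------------------------
interface vlan5
 nameif inside
 security-level 100
 ip address 10.5.0.1 255.255.255.0
!
interface vlan10
 nameif outside
 security-level 0
 ip address 192.0.2.11 255.255.255.0
!
! Inbound: packets on vlan 10 for 192.0.2.25 are classified to ctx1
static (inside,outside) 192.0.2.25 10.5.0.25 netmask 255.255.255.255
! Outbound: return traffic to the pool 192.0.2.100-110 is also ctx1's
nat (inside) 1 10.5.0.0 255.255.255.0
global (outside) 1 192.0.2.100-192.0.2.110
!
access-list outside_in extended permit tcp any host 192.0.2.25 eq smtp
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! ---------------------------------------------------------------
! ctx2.cfg  (inside = vlan 6, outside = shared vlan 10)
! Different outside IP, different mapped addresses, same VLAN.
! ---------------------------------------------------------------
interface vlan6
 nameif inside
 security-level 100
 ip address 10.6.0.1 255.255.255.0
!
interface vlan10
 nameif outside
 security-level 0
 ip address 192.0.2.12 255.255.255.0
!
static (inside,outside) 192.0.2.53 10.6.0.53 netmask 255.255.255.255
nat (inside) 1 10.6.0.0 255.255.255.0
global (outside) 1 192.0.2.120-192.0.2.130
!
access-list outside_in extended permit udp any host 192.0.2.53 eq domain
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

The check to make before committing this: every mapped address (each `static` and each `global` pool) on the shared VLAN must belong to exactly one context. A packet arriving on vlan 10 whose destination matches no mapped address in any context is dropped rather than guessed, which is also why the same trick does not work for a shared inside VLAN whose hosts talk to arbitrary internet destinations.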

cisconoobie Thu, 07/31/2008 - 07:49

Thank you both so much for the responses. Please take a look at my diagram of what I want to accomplish. I want to be able to access the Mail servers, DNS, filers, etc from both vlans.

Basically I want to be able to share "vlan 20", between C-1 (Context 1) and C-2 (Context 2)

I want to be able to connect to vlan 20 from vlan 10 and vlan 30 at any time.

From what you said, I can only share the Outside Vlan & Interface but I cannot share the inside vlan, in my case vlan 20.

Is this correct?

Correct Answer
Syed Iftekhar Ahmed Thu, 07/31/2008 - 09:55

You are right.

As I said, the decision to pick a context is made on the "destination address" defined in a NAT statement.

For your outgoing traffic (from vlan 20) hitting the internet, it would be practically impossible to define NAT statements for internet hosts.

One option here would be to introduce two VRFs between vlan 20 and the two FWSM contexts.

Syed Iftekhar Ahmed
