07-30-2008 05:39 AM - edited 03-11-2019 06:22 AM
Is it possible to set up an Active/Active FWSM configuration where there is a shared interface between both active contexts?
There will be 2 x 6506's with a FWSM each. I want to have an Active Context on each FWSM in the 6506's. And I want to make a shared interface between these active/active contexts across both 6506's.
Possible?
07-30-2008 07:03 AM
What do you mean by shared interfaces? You share interfaces because you are falling short of physical interfaces; there is no such thing on the FWSM. Just VLANs?
Regards
Farrukh
07-30-2008 09:34 AM
Right sorry, I meant shared vlans.
In an msfc-outside config, I want to have a switch connecting into active context1 on vlan 5. I want another switch connecting into context2 on vlan 6. Now I want both of these contexts to share "vlan 10".
Keep in mind that active context1 will be on 6506-1 and active context2 will be on 6506-2.
So my question is, can I setup a shared vlan for use between these 2 contexts.
07-30-2008 10:21 AM
You can only share it if interfaces are in routed mode. Normally only outside interfaces can be shared because of the FWSM's single MAC address limitation and static statement requirement.
You need to use static NAT statements because, in the case of shared interfaces, the FWSM's "Classifier" intercepts the traffic and, depending on the destination IP, hands the traffic over to the appropriate context.
Syed Iftekhar Ahmed
07-30-2008 06:05 PM
You can find some examples here:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/exampl_f.html#wp1049516
Regards
Farrukh
07-31-2008 07:49 AM
Thank you both so much for the responses. Please take a look at my diagram of what I want to accomplish. I want to be able to access the Mail servers, DNS, filers, etc from both vlans.
Basically I want to be able to share "vlan 20", between C-1 (Context 1) and C-2 (Context 2)
I want to be able to connect to vlan 20 from vlan 10 and vlan 30 at any time.
From what you said, I can only share the Outside Vlan & Interface but I cannot share the inside vlan, in my case vlan 20.
Is this correct?
07-31-2008 09:55 AM
You are right.
As I said the decision to pick Context is made on the "Destination address" defined in a NAT statement.
For your outgoing traffic (from vlan 20) hitting the internet, it would be practically impossible to define NAT statements for internet hosts.
One option here would be to introduce two VRFs between vlan 20 and the two FWSM contexts.
Syed Iftekhar Ahmed
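The classifier behaviour described in the two answers above, modelled in Python as an added example (not from the thread or from Cisco): a packet arriving on the shared vlan 20 is handed to whichever context owns a static NAT entry covering its destination address, so return traffic to the vlan 10 / vlan 30 hosts is classified, while traffic to an arbitrary internet destination matches no static and is dropped. All addresses and context names are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address


@dataclass(frozen=True)
class StaticNat:
    """One 'static' entry owned by a context: the mapped address(es)
    that this context publishes onto the shared VLAN."""
    context: str
    mapped: IPv4Network


class SharedVlanClassifier:
    """Model of the FWSM classifier on a shared interface: the destination
    IP of an arriving packet is matched against the mapped addresses of every
    context's static statements, and the single owner gets the packet."""

    def __init__(self, statics):
        self.statics = list(statics)

    def classify(self, dst):
        dst = ip_address(dst)
        owners = {s.context for s in self.statics if dst in s.mapped}
        if len(owners) > 1:
            # Overlapping statics on a shared interface are a config error
            raise ValueError(f"{dst} is mapped in more than one context: {sorted(owners)}")
        # None means no static covers the destination: the packet is dropped
        return owners.pop() if owners else None


# Constructed topology: C-1 fronts vlan 10, C-2 fronts vlan 30, both share vlan 20.
# Each context publishes its own client subnet onto the shared VLAN via statics.
STATICS = [
    StaticNat("C-1", IPv4Network("10.10.0.0/24")),  # vlan 10 hosts, reachable via C-1
    StaticNat("C-2", IPv4Network("10.30.0.0/24")),  # vlan 30 hosts, reachable via C-2
]


def route_from_shared_vlan(dst, statics=STATICS):
    """Which context receives a packet leaving a vlan 20 server toward dst."""
    return SharedVlanClassifier(statics).classify(dst)
```

Return traffic to a vlan 10 or vlan 30 host is classified correctly; a destination such as an internet address returns None because no context can own a static for it.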