Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1031
Views
3
Helpful
6
Replies

Shared Interface between FWSM Contexts

Go to solution
cisconoobie
Level 2
Level 2

‎07-30-2008 05:39 AM - edited ‎03-11-2019 06:22 AM

Is it possible to setup an Active/Active FWSM Configuration where there is a shared interface between both Active contexts.

There will be 2 x 6506's with a FWSM each. I want to have an Active Context on each FWSM in the 6506's. And I want to make a shared interface between these active/active contexts across both 6506's.

Possible?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Syed Iftekhar Ahmed
Level 8
Level 8
In response to cisconoobie

‎07-31-2008 09:55 AM

You are right.

As I said the decision to pick Context is made on the "Destination address" defined in a NAT statement.

For your outgoing traffic (from vlan 20) hitting internet. It would be practically impossible to define NAT statements for internet Hosts.

One option here would be to introduce two VRFs between vlan 20 and the two FWSM contexts.

Syed Iftekhar Ahmed

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎07-30-2008 07:03 AM

What do you mean by shared interfaces? YOu share interfaces because you are falling short of phyiscal interfaces, there is no such thing on the FWSM. Just VLANS?

Regards

Farrukh

0 Helpful

Go to solution
cisconoobie
Level 2
Level 2
In response to Farrukh Haroon

‎07-30-2008 09:34 AM

Right sorry, I meant shared vlans.

In an msfc-outside config, I want to have a switch connect into active context1 on vlan 5. I want another switch connect into context2 on vlan 6 from another switch. Now I want for both of these contexts to share "vlan 10".

Keep i n mind that Active context1 will be on 6506-1 and Active context2 will be on 6506-2.

So my question is, can I setup a shared vlan for use between these 2 contexts.

0 Helpful

Go to solution
Syed Iftekhar Ahmed
Level 8
Level 8
In response to cisconoobie

‎07-30-2008 10:21 AM

You can only share it if interfaces are in routed mode. Normally only outside interfaces can be shared because of the FWSM's single MAC address limitation & Static statement requirement.

You need to use static NAT statements as In case of shared interfaces. FWSM's "Classifier" intercepts the traffic and depending on the destination IP hands the traffic over to the appropriated context.

Syed Iftekhar Ahmed

0 Helpful

Go to solution
cisconoobie
Level 2
Level 2
In response to Farrukh Haroon

‎07-31-2008 07:49 AM

Thank you both so much for the responses. Please take a look at my diagram of what I want to accomplish. I want to be able to access the Mail servers, DNS, filers, etc from both vlans.

Basically I want to be able to share "vlan 20", between C-1 (Context 1) and C-2 (Context 2)

I want to be able to connect to vlan 20 from vlan 10 and vlan 30 at any time.

From what you said, I can only share the Outside Vlan & Interface but I cannot share the inside vlan, in my case vlan 20.

Is this correct?

Preview file
173 KB
0 Helpful

Go to solution
Syed Iftekhar Ahmed
Level 8
Level 8
In response to cisconoobie

‎07-31-2008 09:55 AM

You are right.

As I said the decision to pick Context is made on the "Destination address" defined in a NAT statement.

For your outgoing traffic (from vlan 20) hitting internet. It would be practically impossible to define NAT statements for internet Hosts.

One option here would be to introduce two VRFs between vlan 20 and the two FWSM contexts.

Syed Iftekhar Ahmed

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card