We have a FWSM in a 6513 for the core of our campus. It is not in production as yet. We are still using an external PIX 525 at this time.
I was going to use a single context model with MSFC behind the firewall. Some of our recent needs will add VLANs for a DMZ and departments that need to be isolated. There is an example in the Intro to the firewall services module of the MSFC behind and in front of the FWSM. The diagram for the MSFC behind shows a DMZ and HR VLAN. How can those be secure with that model? I would have thought you would need to place the FWSM behind the MSFC to do that?
Isn't it true that if you place the FWSM behind the MSFC you are limiting routing to the speed of the FWSM?
I had thoughts of moving to multi context mode, then placing most of our VLANs that route between each other in one context with MSFC behind the FWSM, then a context for each special application with the FWSM behind the MSFC. But I read that multi context mode doesn't support multicast, which we use.
The other option I have considered is to use the FWSM in single context with MSFC behind and use external ASA boxes in buildings that require department isolation.