4 security levels with 2 FWSM contexts

Answered Question
Mar 30th, 2009

Hello,


I have to implement a DC with two 6509s, ACE and FWSM with only a default license for 2 VFWs.

But the problem I have is that I have 4 separate networks to which I would like to give different security levels.

I'm using the FWSM in transparent mode.

Any ideas? About using VRF, ACE or something else?


Suggestions will be appreciated.


Regards,

Omar

Correct Answer by spreed, Mon, 04/06/2009 - 08:06

Hello Omar,

Although I'm not familiar with the ACE blade, we do run 2 x 6509s with FWSMs.

In your case you could connect your 4 networks to a single context (VFW), since the max number of network connections per context is 8. You would create 4 BVIs (Bridge Virtual Interfaces). Security levels in FWSMs don't have much meaning, since you are required to specifically allow traffic to pass through the context regardless of which side of the BVI it comes from. By default no traffic flows at all. All traffic is filtered with ACLs.

You could also create a VRF on the 6509 that could act as a central or core routing point for your networks. (We do this for 18 separate contexts and call it the fusion VRF.) However, you would only use a VRF if you wanted to keep the routing table isolated from the global table running on the 6509s.

Otherwise this is unnecessary.

If you choose to run the FWSMs in multiple context mode, you could have two networks per context, still connect them to a fusion VRF, and also run an Active/Active FWSM configuration, which allows you to do a type of load sharing along with failover. One context is active and one context is standby on FWSM A, and on FWSM B the roles reverse. This shares active traffic across the FWSM blades.


Hope this brief description is helpful for you.


Simon


omar.elmohri Mon, 04/06/2009 - 08:26

Simon,


Thank you for the details.

I think I won't need the VRF. I'll use 2 contexts, and on each one I'll use 4 bridge-groups to get the total of 8 separate regions that I need.


Regards,

Omar
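As an added configuration sketch, not part of the thread, of the design Simon describes and Omar settles on: two FWSM contexts in transparent mode, each bridging four VLAN pairs, with traffic passing only where an ACL permits it. Context names, VLAN numbers, addresses and the one permitted host are assumed; the syntax follows the FWSM 3.x CLI and should be checked against the configuration guide for the installed release.

```text
! --- System context: two contexts, each allocated the VLAN pairs for its
! --- four bridge groups (constructed VLAN numbers, trunked from the 6509)
mode multiple
!
context dc-a
  allocate-interface vlan10-vlan13
  allocate-interface vlan110-vlan113
  config-url disk:/dc-a.cfg
!
context dc-b
  allocate-interface vlan20-vlan23
  allocate-interface vlan120-vlan123
  config-url disk:/dc-b.cfg
!
! --- Inside context dc-a: transparent mode, bridge group 1 of 4 shown;
! --- bridge groups 2-4 repeat the pattern with VLAN pairs 11/111 .. 13/113
firewall transparent
!
interface Vlan10
 nameif net1-outside
 bridge-group 1
 security-level 0
!
interface Vlan110
 nameif net1-inside
 bridge-group 1
 security-level 100
!
interface BVI1
 ip address 10.1.1.2 255.255.255.0
!
! Security level alone passes nothing on the FWSM: each direction needs an
! explicit ACL. Outside -> inside: only HTTPS to one (assumed) server.
access-list NET1-IN extended permit tcp any host 10.1.1.10 eq 443
access-group NET1-IN in interface net1-outside
! Inside -> outside: replies to permitted sessions are handled statefully;
! only new sessions the server opens itself need a rule (DNS here).
access-list NET1-OUT extended permit udp host 10.1.1.10 any eq 53
access-group NET1-OUT in interface net1-inside
```

The second context (dc-b) is configured the same way with its own VLAN pairs, which gives the 8 separately filtered segments without any security-level ordering between them.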
