4 security level with 2 FWSM contexts

omar.elmohri
Level 1

Hello,

I have to implement a DC with two 6509s, ACE and FWSM with only a default license for 2 VFW.

But the problem I have is that I have 4 separate networks where I'd like to give a different security level.

I'm using the FWSM in transparent mode.

Any idea? About using VRF, ACE or something else?

Suggestions will be appreciated.

Regards,

Omar

1 Accepted Solution

spreed
Level 4

Hello Omar,

Although I'm not familiar with the ACE blade, we do run 2 x 6509s with FWSMs.

In your case you could connect your 4 networks to a single context (VFW), since the max network connections per context is 8. You would create 4 BVIs (Bridge Virtual Interfaces). Security levels in FWSMs don't have much meaning, since you are required to specifically allow traffic to pass through the context regardless of which side of the BVI it comes from. By default no traffic flows at all. All traffic is filtered with ACLs.

You could also create a VRF on the 6509 that could act as a central or core routing point for your networks. (We do this for 18 separate contexts and call it the fusion VRF.) However, you would only use a VRF if you wanted to keep the routing table isolated from the global table running on the 6509s.

Otherwise this is unnecessary.

If you choose to run the FWSMs in multiple context mode, you could have two networks per context, still connect them to a fusion VRF, and also run an Active/Active FWSM configuration, which allows you to do a type of load sharing along with failover. One context is active and one context is standby on FWSM A, and on FWSM B the roles reverse. This shares active traffic across the FWSM blades.

Hope this brief description is helpful for you.

Simon

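The layout Simon describes (transparent contexts bridging several VLAN pairs, ACL-only filtering, an optional fusion VRF on the 6509, and Active/Active failover across two blades), written out as an added configuration example. It is not part of Simon's post and is not taken from Cisco documentation. Every VLAN number, context name, address, subnet and ACL entry is an assumption chosen for illustration; the syntax follows FWSM 3.x/4.x multiple-context transparent mode (bridge groups with BVIs) and Catalyst 6500 IOS, so check each command against your own release before pasting it.

```cisco
! ==== Catalyst 6509 supervisor (IOS) ====
! Each bridge group needs two VLANs: an outside VLAN that also carries an
! MSFC SVI (the segment's gateway) and an inside VLAN seen only by the
! servers and the FWSM. Hand every pair to the module.
firewall vlan-group 1 10,11,20,21,30,31,40,41
firewall vlan-group 2 50,51,60,61,70,71,80,81
firewall vlan-group 3 100,101
firewall module 3 vlan-group 1,2,3
!
! Optional fusion VRF: only if inter-segment routing must stay out of the
! global table. Put every outside SVI (Vlan10, 20, 30, 40, ...) in it.
ip vrf fusion
 rd 65000:1
!
interface Vlan10
 ip vrf forwarding fusion
 ip address 10.1.1.1 255.255.255.0
!
! ==== FWSM system context ====
! Multiple mode needs an admin context; check "show version" for how many
! contexts your licence allows before adding the two data contexts.
mode multiple
!
failover lan unit primary
failover lan interface folink vlan 100
failover link statelink vlan 101
failover interface ip folink 192.168.100.1 255.255.255.0 standby 192.168.100.2
failover interface ip statelink 192.168.101.1 255.255.255.0 standby 192.168.101.2
! Active/Active: group 1 is active on this blade, group 2 on the peer.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
failover
!
admin-context admin
context admin
 allocate-interface vlan999
 config-url disk:/admin.cfg
!
context dc-a
 allocate-interface vlan10
 allocate-interface vlan11
 allocate-interface vlan20
 allocate-interface vlan21
 allocate-interface vlan30
 allocate-interface vlan31
 allocate-interface vlan40
 allocate-interface vlan41
 config-url disk:/dc-a.cfg
 join-failover-group 1
!
context dc-b
! allocate-interface vlan50 through vlan81, as for dc-a
 config-url disk:/dc-b.cfg
 join-failover-group 2
!
! ==== context dc-a (disk:/dc-a.cfg): four bridge groups = four segments ====
firewall transparent
!
interface Vlan10
 nameif seg-a-out
 bridge-group 1
 security-level 0
interface Vlan11
 nameif seg-a-in
 bridge-group 1
 security-level 100
! The BVI address is only for management and ARP; it sits in the hosts' subnet.
interface BVI1
 ip address 10.1.1.2 255.255.255.0 standby 10.1.1.3
! bridge-group 2 = Vlan20/21 + BVI2, 3 = Vlan30/31 + BVI3, 4 = Vlan40/41 + BVI4
!
! Nothing is forwarded until an ACL permits it, whatever the security-level,
! so each interface gets an inbound ACL. Segment A: HTTPS in from anywhere,
! SSH in from the admin jump subnet only, DNS/NTP out to named servers.
access-list seg-a-out_in extended permit tcp any 10.1.1.0 255.255.255.0 eq 443
access-list seg-a-out_in extended permit tcp 10.5.0.0 255.255.0.0 10.1.1.0 255.255.255.0 eq 22
access-list seg-a-out_in extended deny ip any any log
access-group seg-a-out_in in interface seg-a-out
!
access-list seg-a-in_in extended permit udp 10.1.1.0 255.255.255.0 host 10.9.0.53 eq 53
access-list seg-a-in_in extended permit udp 10.1.1.0 255.255.255.0 host 10.9.0.123 eq 123
access-list seg-a-in_in extended deny ip any any log
access-group seg-a-in_in in interface seg-a-in
!
! Non-IP frames are dropped too. Pass STP BPDUs through each bridge group so
! a redundant path cannot form a loop; ARP is allowed without an ACL.
access-list L2 ethertype permit bpdu
access-group L2 in interface seg-a-out
access-group L2 in interface seg-a-in
!
! ==== checks ====
! sup:  show firewall vlan-group        VLANs really handed to the module
! fwsm: show failover                   group 1 active here, group 2 standby
!       show access-list seg-a-out_in   per-ACE hit counts, including the deny
!       show mac-address-table          hosts learned on each side of a BVI
```

Two points worth stressing for this design. The `security-level` values are kept only because the question asks for them; on the FWSM they do not open anything, and the explicit `deny ip any any log` at the end of each list gives you a counter and a syslog for every drop, which is the cheapest way to find a segment that is still talking to something it should not. Second, because the firewall is bridging, the IP ACLs say nothing about non-IP frames: if BPDUs are not explicitly permitted and the two VLANs of a bridge group ever get a second path between them, the switches cannot see the loop.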

2 Replies

Simon,

Thank you for the details.

I think that I'll not need the VRF. I'll use 2 contexts, and on each one I'll use 4 bridge-groups to have a total of the 8 separate regions that I'll need.

Regards,

Omar
