FW in VSS Environment

Unanswered Question
Jun 21st, 2009

Working in a VSS environment, with one firewall in each Catalyst, configured with two contexts in an Active/Passive scenario. One VLAN exists between the two contexts, but there is no communication between the contexts over the VLAN. ARP is showing the same MAC address on two different VLANs and in two different contexts.


Context APP:

Inside       172.20.0.10      001b.380c.7e4c
Inside       172.20.70.249    001b.380c.7e4c
Inside       172.20.0.5       001b.380d.0357
DMZ.NMS      172.16.12.7      0023.334d.e3bc
DMZ.NMS      172.16.12.6      0023.334d.e37c
Outside.INT  172.16.10.3      0024.971f.4900
Outside.EDN  172.16.10.37     0025.45f4.7000
Outside.EDN  172.16.10.35     0024.971f.4900

Context INT:

Outside.INT  202.14.71.165    0013.c34d.1ad0
Inside.INT   172.16.10.2      0024.971f.4d00
Inside.INT   172.16.10.1      0024.971f.4900
Inside.EDN   172.16.10.33     0024.971f.4900
Inside.EDN   172.16.10.37     0025.45f4.7000
DMZ2         202.125.132.154  0014.5e18.a042


The same MAC address entry appears on the security interfaces Outside.EDN, Outside.INT, Inside.INT and Inside.EDN.

Kureli Sankar (Cisco Employee) Mon, 06/22/2009 - 12:12

What is the question?


FWSM only has one MAC address. So, you will see the same MAC address on all the vlans. Since the interface is shared between the two contexts you will see the same MAC there as well.


When you share the outside interface, then you have to make sure to translate the inside networks.


When you share the inside interface, you need to translate the outside network (this gets ugly if the outside interface faces the internet).


Pls. read below:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/contxt_f.html#wp1124236
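The check the original poster did by eye, scanning two ARP listings for a MAC that shows up on several VLANs and contexts, is easy to automate. The following is an added example, not code from the thread or from Cisco: it parses the two ARP listings quoted in the question (embedded here as a constructed sample, each line prefixed with the context name the question grouped it under) and reports every MAC learned on more than one (context, interface) pair. As the answer explains, a MAC appearing in both contexts on a shared interface is the FWSM's own single MAC and is expected, so the report separates cross-context hits from MACs seen on several VLANs within one context, which is the case that would warrant a closer look.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the ARP entries quoted in the question, written as
# "<context> <interface> <ip> <mac>", one entry per line.
SAMPLE_ARP = """\
APP Inside 172.20.0.10 001b.380c.7e4c
APP Inside 172.20.70.249 001b.380c.7e4c
APP Inside 172.20.0.5 001b.380d.0357
APP DMZ.NMS 172.16.12.7 0023.334d.e3bc
APP DMZ.NMS 172.16.12.6 0023.334d.e37c
APP Outside.INT 172.16.10.3 0024.971f.4900
APP Outside.EDN 172.16.10.37 0025.45f4.7000
APP Outside.EDN 172.16.10.35 0024.971f.4900
INT Outside.INT 202.14.71.165 0013.c34d.1ad0
INT Inside.INT 172.16.10.2 0024.971f.4d00
INT Inside.INT 172.16.10.1 0024.971f.4900
INT Inside.EDN 172.16.10.33 0024.971f.4900
INT Inside.EDN 172.16.10.37 0025.45f4.7000
INT DMZ2 202.125.132.154 0014.5e18.a042
"""

# Cisco-style dotted-quad MAC (xxxx.xxxx.xxxx) after a context, interface and IPv4 address.
ENTRY_RE = re.compile(
    r"^(?P<context>\S+)\s+(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$",
    re.IGNORECASE,
)


def parse_arp(text):
    """Parse the constructed listing into dicts; reject lines that do not fit the format."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ARP line: {line!r}")
        entry = m.groupdict()
        entry["mac"] = entry["mac"].lower()      # normalise case before grouping
        ipaddress.ip_address(entry["ip"])        # validate the address while we are here
        entries.append(entry)
    return entries


def mac_locations(entries):
    """Map each MAC to the set of (context, interface) pairs it was learned on."""
    locations = defaultdict(set)
    for e in entries:
        locations[e["mac"]].add((e["context"], e["iface"]))
    return locations


def shared_macs(entries):
    """MACs seen on more than one (context, interface) pair, with sorted locations."""
    return {mac: sorted(locs) for mac, locs in mac_locations(entries).items() if len(locs) > 1}


def report(entries):
    """One row per shared MAC: (mac, kind, locations, ips).

    kind is 'cross-context' when the MAC appears in more than one context (the
    shared-interface / single-FWSM-MAC case the answer describes) and
    'single-context' when one context learned it on several VLANs."""
    rows = []
    for mac, locs in sorted(shared_macs(entries).items()):
        contexts = {ctx for ctx, _ in locs}
        ips = sorted({e["ip"] for e in entries if e["mac"] == mac}, key=ipaddress.ip_address)
        kind = "cross-context" if len(contexts) > 1 else "single-context"
        rows.append((mac, kind, locs, ips))
    return rows


if __name__ == "__main__":
    for mac, kind, locs, ips in report(parse_arp(SAMPLE_ARP)):
        where = ", ".join(f"{ctx}/{iface}" for ctx, iface in locs)
        print(f"{mac}  {kind:14s}  {where}  ips={' '.join(ips)}")
```

Run as a script, the sample produces two rows, both cross-context, which is consistent with the answer: 0024.971f.4900 on Outside.INT, Outside.EDN, Inside.INT and Inside.EDN across both contexts, and 0025.45f4.7000 for 172.16.10.37 as seen from both sides of the shared VLAN. A MAC that appeared on several VLANs within a single context, or a MAC that changed over time for the same IP, would not be explained by the FWSM behaviour and is the kind of entry worth investigating.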


