How many transparent contexts will an FWSM support?

Unanswered Question
Sep 4th, 2009

As stated in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI Release 4.0.pdf, "If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can configure up to eight pairs of interfaces, called bridge groups. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; (p 113, section 5-7)"

That sounds like the FWSM only supports 8 transparent firewall contexts.

However, in the product bulletin "New Cisco Catalyst 6500 Firewall Security System Bundle with Supervisor Engine 720-3BXL" it says that the FWSM will support 250 firewall contexts.

So my question is, if I do place the transparent firewall into a context, will it actually support 250 transparent firewalls?

I have not been able to find any supporting documentation.

Thanks in advance,

Faron

Jon Marshall Fri, 09/04/2009 - 21:50

Faron

"That sounds like the FWSM only supports 8 transparent firewall contexts."

That's not what it is saying. Basically when you set up a transparent firewall it firewalls between 2 vlans only. Note it's 2 vlans using the same IP subnet. So if you then want to firewall between another 2 vlans you need to use another context.

What it is saying is that if you need to firewall between more than 2 vlans, rather than use contexts the FWSM will support up to 8 bridge groups, i.e. instead of firewalling between 2 vlans you can now firewall between 8 pairs of vlans, i.e. 16. If you couldn't do this you would need 8 contexts.

However the FWSM supports 8 bridge groups per context. So it is not saying that in total you can only have 8 transparent firewall contexts. It is saying you can have as many contexts as your license allows (up to 250) and within each context you could, if you wanted, firewall between 16 vlans. Obviously you don't have to use bridge groups at all. If you had a 250 context license it is unlikely that you would need to use them. You could use standard transparent firewalls, i.e. firewall between 2 vlans per context.

Jon
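
As an added illustration (not from the thread or from Cisco's own documentation), the layout Jon describes written out in FWSM 4.0 CLI form: the firewall mode is set once in the system execution space, one context is allocated four VLANs, and inside that context two of its possible eight bridge groups each bridge a pair of VLANs sharing one IP subnet. The context name, VLAN numbers, addresses and config-url are assumed placeholders.

```cisco
! --- system execution space (multiple context mode) ---
! on the FWSM the firewall mode is set here and applies to every context
firewall transparent
!
! assumed context name and VLANs; each context may hold up to 8 bridge groups
context ctxA
  allocate-interface vlan10
  allocate-interface vlan20
  allocate-interface vlan30
  allocate-interface vlan40
  config-url disk:/ctxA.cfg
!
! --- inside context ctxA ---
! bridge group 1: vlan10 <-> vlan20, both on the assumed subnet 10.1.1.0/24
! the BVI address is the management address of the bridge group, taken from that subnet
interface bvi 1
  ip address 10.1.1.2 255.255.255.0
!
interface vlan 10
  bridge-group 1
  nameif bg1-outside
  security-level 0
!
interface vlan 20
  bridge-group 1
  nameif bg1-inside
  security-level 100
!
! bridge group 2: vlan30 <-> vlan40, isolated from bridge group 1
interface bvi 2
  ip address 10.2.2.2 255.255.255.0
!
interface vlan 30
  bridge-group 2
  nameif bg2-outside
  security-level 0
!
interface vlan 40
  bridge-group 2
  nameif bg2-inside
  security-level 100
```

Traffic is not forwarded between bridge group 1 and bridge group 2; adding further VLAN pairs means another `bridge-group` number in this context (up to 8) or another context, up to the licensed count.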

fwhopper Tue, 09/08/2009 - 04:56

Jon,

Thanks for your update. After re-reading it several times, I see what you mean now.

Faron
