How do I enable 8 pairs of interfaces per context

I have my FWSM working in transparent mode with 3 contexts (one admin and 2 additional contexts). I am trying to configure 8 pairs of interfaces in one of my contexts (according to the documentation it is possible), but when I tried to enter more than 2 vlan interfaces in the context, I get this message: ERROR: Context interface limit of 2 reached on 'vlan4'

How can I configure the 8 pairs of interfaces in one context?

thanks!


Jon Marshall

Hi Vicente

My understanding was that with the FWSM in transparent mode each context can only support 2 vlans because it is in effect bridging between the 2.

Could you point me at the docs where it says you can use more than 2 vlans on the same context?

Jon

Hi Jon,

Here is the doc: http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080577c38.html#wp1220151

This is what it says regarding bridge groups:

"Bridge Groups

If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can configure up to eight pairs of interfaces, called bridge groups. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the FWSM, and traffic must exit the FWSM before it is routed by an external router back to another bridge group in the FWSM. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a system log server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context."

Thanks!

Vicente

Well, you live and learn; I guess that's what Netpro is all about!

I have an FWSM in our lab at work so I might try this next week. One thing that struck me from the config was the following:

"You can only assign two interfaces to a bridge group. You cannot assign the same interface to more than one bridge group"

Are you definitely using separate vlan interface pairs per bridge group?

I will look at this in our lab as soon as I can.

Jon

Jon,

I was trying to create more than one bridge group per context yesterday, but I was not able to configure more than 2 interfaces in the context, so I am wondering how you can enable up to eight bridge groups in a context if you are not able to configure more than 2 interfaces per context. If you could try it in your lab, please let me know the results; I will keep looking for a way to configure more than one bridge group per context.

regards

Hi Vicente

Apologies for the delay, I had to upgrade our FWSM to version 3.1 before I could test. The specific version of software is 3.1(2).

It works fine for me, so here are the steps I followed.

1) Created vlans 700-708 on the 6500.

2) Allocated these vlans to the FWSM on the switch, i.e. "firewall vlan-group 7 700-708"

3) Logged on to the FWSM in sys execution space.

4) Created a new context "trs" & allocated vlans 700-708 to that context.

5) Changed to the trs context. Made the context transparent "firewall transparent".

6) Did a sh run and the vlan interfaces from vlan700 -> vlan708 were there.

7) Assigned vlan700,701 to bridge-group 1, vlan702,703 to bridge-group 2, etc.

It all worked fine.

Is this how you have set it up?

What version of the 3.1 software are you using? I can download the exact one to test if need be.

HTH

Jon
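The steps above, written out as the configuration they produce on the switch, in the FWSM system execution space and inside the transparent context. This is a constructed example added here, not Jon's or Vicente's actual config: it assumes the FWSM is in slot 3, and it extends the VLAN range to 700-715 because the documented eight bridge groups need sixteen VLAN interfaces (two per group, none shared).

```cisco
! --- Catalyst 6500 supervisor (IOS): create the VLANs and hand them to the FWSM ---
! Assumed: FWSM in slot 3, VLANs 700-715 unused (constructed example)
vlan 700-715
!
firewall vlan-group 7 700-715
firewall module 3 vlan-group 7
!
! --- FWSM system execution space: allocate all sixteen VLANs to one context ---
! On pre-3.1 code this is where "Context interface limit of 2 reached" appears
context trs
  allocate-interface vlan700-vlan715
  config-url disk:/trs.cfg
!
! --- Inside the context (changeto context trs) ---
firewall transparent
!
! Bridge group 1: one inside/outside VLAN pair; an interface may belong to only one group
interface vlan700
  nameif inside1
  bridge-group 1
  security-level 100
interface vlan701
  nameif outside1
  bridge-group 1
  security-level 0
!
! ... bridge groups 2-7 use vlan702-vlan713 in the same way ...
!
! Bridge group 8: the eighth and last pair
interface vlan714
  nameif inside8
  bridge-group 8
  security-level 100
interface vlan715
  nameif outside8
  bridge-group 8
  security-level 0
!
! Each bridge group needs its own management address on its BVI (RFC 5737 test addresses)
interface bvi 1
  ip address 192.0.2.1 255.255.255.0
interface bvi 8
  ip address 203.0.113.1 255.255.255.0
```

After writing the context config, "show interface" in the context should list all sixteen VLAN interfaces with their bridge-group membership; traffic is only bridged between the two VLANs of the same group, never between groups.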

Hi Jon,

I didn't have a chance to come back to our laboratory yesterday. I will try your steps today as soon as possible. I think the main issue here is the software version I am using in my FWSM. I am going to upgrade to the 3.1 version and I will let you know how it goes.

HTH

Vicente

Vicente

How did you get on?

Jon

Hi Jon,

I was able to go to the lab yesterday and tried your steps; it worked fine. The problem was the software version I was using on the FWSM:

context SIIC
allocate-interface Vlan107 int107
allocate-interface Vlan108 int108
allocate-interface Vlan109 int109
allocate-interface Vlan7 int7
allocate-interface Vlan8 int8
allocate-interface Vlan9 int9
config-url disk:/SIIC.cfg

With the new version I was able to allocate more than 2 interfaces in the context.

I will do more tests to see if it works fine filtering traffic.

Vicente

Hi,

I have a question related to this: is it possible with the base number of contexts (Admin plus two others) to have three contexts each with 8 pairs of bridge group interfaces? Or would it be necessary to order additional context licenses?

Thanks

Mark
