03-15-2007 10:32 AM - edited 03-11-2019 02:46 AM
I have my FWSM working in transparent mode with 3 contexts (one admin and 2 additional contexts). I am trying to configure 8 pairs of interfaces in one of my contexts (according to the documentation it is possible), but when I try to enter more than 2 vlan interfaces in the context, I get this message: ERROR: Context interface limit of 2 reached on 'vlan4'
How can I configure the 8 pairs of interfaces in one context?
thanks!
03-16-2007 01:33 AM
Hi Vicente
Apologies for the delay, I had to upgrade our FWSM to version 3.1 before I could test. The specific version of software is 3.1(2).
It works fine for me, so here are the steps I followed.
1) Created vlans 700-708 on the 6500.
2) Allocated these vlans to the FWSM on the switch, i.e. "firewall vlan-group 7 700-708"
3) Logged on to the FWSM in sys execution space.
4) Created a new context "trs" & allocated vlans 700-708 to that context.
5) Changed to the trs context. Made the context transparent "firewall transparent".
6) Did a sh run and the vlan interfaces from vlan700 -> vlan708 were there.
7) Assigned vlan700,701 to bridge-group 1,
vlan702,703 to bridge-group 2 etc.
It all worked fine.
Is this how you have set it up?
What version of the 3.1 software are you using? I can download the exact one to test if need be.
HTH
Jon
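A worked configuration for the steps above, added here as an illustration and not Jon's own config: two bridge groups in a transparent context, which can be repeated for up to the eight pairs the documentation allows. The FWSM slot number, interface names, config-url and BVI addresses are assumptions.

```cisco
! --- Catalyst 6500 supervisor (assumed hostname and slot number): create the
! --- VLANs and hand them to the FWSM in slot 4 as vlan-group 7 (steps 1-2).
vlan 700-703
!
firewall vlan-group 7 700-703
firewall module 4 vlan-group 7
!
! --- FWSM system execution space (steps 3-4): define the context and
! --- allocate the VLAN interfaces to it. The context name follows the post.
context trs
 allocate-interface Vlan700
 allocate-interface Vlan701
 allocate-interface Vlan702
 allocate-interface Vlan703
 config-url disk:/trs.cfg
!
! --- Inside the "trs" context (steps 5-6): transparent mode, then one bridge
! --- group per VLAN pair. A bridge group holds exactly two interfaces and an
! --- interface may belong to only one bridge group.
firewall transparent
!
interface Vlan700
 nameif outside1
 bridge-group 1
 security-level 0
!
interface Vlan701
 nameif inside1
 bridge-group 1
 security-level 100
!
interface Vlan702
 nameif outside2
 bridge-group 2
 security-level 0
!
interface Vlan703
 nameif inside2
 bridge-group 2
 security-level 100
!
! --- One management (BVI) address per bridge group; addresses are assumed.
interface bvi 1
 ip address 192.168.1.10 255.255.255.0
!
interface bvi 2
 ip address 192.168.2.10 255.255.255.0
```

Traffic between the two sides of a bridge group is still subject to the context's access lists, so each pair needs its own policy before anything is forwarded.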
03-15-2007 11:19 AM
Hi Vicente
My understanding was that with the FWSM in transparent mode each context can only support 2 vlans, because it is in effect bridging between the 2.
Could you point me at the docs where it says you can use more than 2 vlans on the same context?
Jon
03-15-2007 11:50 AM
Hi Jon,
Here is the doc: http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080577c38.html#wp1220151
This is what it says regarding bridge groups:
"Bridge Groups
If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can configure up to eight pairs of interfaces, called bridge groups. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the FWSM, and traffic must exit the FWSM before it is routed by an external router back to another bridge group in the FWSM. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a system log server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context. "
Thanks!
03-15-2007 12:09 PM
Vicente
Well, you live and learn; I guess that's what Netpro is all about!
I have an FWSM in our lab at work, so I might try this next week. One thing that struck me from the config was the following:
"You can only assign two interfaces to a bridge group. You cannot assign the same interface to more than one bridge group"
Are you definitely using separate vlan interface pairs per bridge group?
I will look at this in our lab as soon as I can.
Jon
03-15-2007 12:25 PM
Jon,
I was trying to create more than one bridge group per context yesterday, but I was not able to configure more than 2 interfaces in the context, so I am wondering how you can enable up to eight bridge groups in a context if you are not able to configure more than 2 interfaces per context. If you could try it at your lab, please let me know the results. I will keep looking for the way to configure more than one bridge group per context.
regards
03-16-2007 10:42 AM
Hi Jon,
I didn't have a chance to come back to our laboratory yesterday. I will try your steps today as soon as possible. I think the main issue here is the software version I am using in my FWSM. I am going to upgrade to the 3.1 version and I will let you know how it goes.
HTH
Vicente
03-21-2007 12:55 AM
Vicente
How did you get on?
Jon
03-22-2007 08:57 AM
Hi Jon,
I was able to go to the lab yesterday and tried your steps. It worked fine; the problem was the software version I was using on the FWSM:
context SIIC
allocate-interface Vlan107 int107
allocate-interface Vlan108 int108
allocate-interface Vlan109 int109
allocate-interface Vlan7 int7
allocate-interface Vlan8 int8
allocate-interface Vlan9 int9
config-url disk:/SIIC.cfg
With the new version I was able to allocate more than 2 interfaces in the context.
I will do more tests to see if it works fine filtering traffic.
Vicente
08-08-2011 04:36 AM
Hi,
I have a question related to this: is it possible with the base number of contexts (Admin plus two others) to have three contexts each with 8 pairs of bridge group interfaces? Or would it be necessary to order additional context licenses?
Thanks
Mark