Managing Security Contexts in FWSM.

s.aliyarukunju
Level 1

Dear Experts,

We have two FWSM modules where multicontext is configured with two failover groups, Group 1 and Group 2. Group 1 is activated on FWSM module 1 and Group 2 is activated on FWSM 2.

The issue that I came across is when I shared the management VLAN interface among the multiple contexts that belong to group 1 (started with group 1 only for testing), the ARP entry on the MSFC is showing the same MAC address for each individual management IP address.

For example, we have VLAN 900 that is assigned to the ADMIN context with the IP of x.x.x.100, belonging to group 1. We shared the same management VLAN 900 with another security context that also belongs to the same group 1, with the IP of x.x.x.101. But when I checked the ARP entry, it shows the same MAC entry for both x.x.x.100 & x.x.x.101.

In ASA, we have the option to generate unique MAC addresses using the mac-address auto command.

Could you please advise how I achieve the same on FWSM, so that I can share a common VLAN among multiple contexts for management purposes.

Regards

Shiji

4 Replies

varrao
Level 10

Hi Shiji,

The way FWSM works is very different from the ASA, it does not have the mac-address auto feature to generate different mac-addresses for the same interface shared in different contexts.

It would always show you the same mac-address for the interface in different contexts. The packet classification for the FWSM is very different from ASA.

The switch would always forward the packets to the same MAC address; the FWSM would then do the packet classification to send the traffic to the correct context.

The two things on which this classification is based are:

Source interface (VLAN)

Destination address

So, even if you have the same MAC for all the different contexts, the FWSM would still route it to the correct context based on the above.

You can go through this doc for further explanation:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/context.html#wp1036573

Hope this helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC

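The two-step classification rule Varun describes, modelled as an added Python example (this is not Cisco's code and is not from the thread). The context names, the 192.0.2.0/24 addresses and the MAC value are constructed stand-ins for VLAN 900 and the x.x.x.100 / x.x.x.101 addresses in the question; the example also covers the failure case the thread warns about, where two contexts on a shared VLAN are given the same IP and the packet has no unique owner.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional

# Hypothetical model of how an FWSM picks the context for an inbound frame
# (added example, not Cisco's code). Assumption: each context owns a set of
# VLAN interfaces, each with exactly one IPv4 address.

@dataclass
class Context:
    name: str
    interfaces: Dict[int, IPv4Address]   # vlan id -> interface address

def classify(contexts: List[Context], ingress_vlan: int, dst_ip: str) -> Optional[str]:
    """Return the name of the context that should receive the packet, or None."""
    dst = IPv4Address(dst_ip)
    owners = [c for c in contexts if ingress_vlan in c.interfaces]
    if len(owners) == 1:
        return owners[0].name            # unique VLAN: source interface decides alone
    # Shared VLAN: the destination address must select exactly one owner.
    # Zero owners (unknown VLAN) or several (duplicate IP) both yield None.
    hits = [c for c in owners if c.interfaces[ingress_vlan] == dst]
    return hits[0].name if len(hits) == 1 else None

# Constructed stand-ins for VLAN 900 shared by two group-1 contexts.
CONTEXTS = [
    Context("ADMIN", {900: IPv4Address("192.0.2.100"), 10: IPv4Address("10.0.10.1")}),
    Context("CTX-A", {900: IPv4Address("192.0.2.101"), 20: IPv4Address("10.0.20.1")}),
]

# Misconfiguration the thread warns against: same IP on the shared VLAN.
MISCONFIGURED = [
    Context("ADMIN", {900: IPv4Address("192.0.2.100")}),
    Context("CTX-B", {900: IPv4Address("192.0.2.100")}),
]

# Constructed ARP view from the MSFC: both management IPs resolve to one MAC,
# which is the symptom reported and is the expected FWSM behaviour.
MSFC_ARP = {"192.0.2.100": "0000.0c00.0001", "192.0.2.101": "0000.0c00.0001"}

def shared_mac(arp: Dict[str, str], ips: List[str]) -> bool:
    """True if every listed IP resolves to the same MAC address."""
    return len({arp[ip] for ip in ips}) == 1

if __name__ == "__main__":
    print(classify(CONTEXTS, 900, "192.0.2.100"))   # ADMIN (shared VLAN, by dst IP)
    print(classify(CONTEXTS, 900, "192.0.2.101"))   # CTX-A (shared VLAN, by dst IP)
    print(classify(CONTEXTS, 20, "10.0.20.1"))      # CTX-A (unique VLAN)
    print(classify(MISCONFIGURED, 900, "192.0.2.100"))   # None: no unique owner
    print(shared_mac(MSFC_ARP, list(MSFC_ARP)))     # True
```
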
Hi Varun,

Thanks for your help on this.

So it means that I can share a common management interface VLAN on each security context so that the monitoring server will treat/monitor each context separately. Is that correct, Varun?

Regards

Shiji

Hi Shiji,

That's correct, just keep a different IP for each interface in each context; that is all that is required.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Many thanks, Varun, for your support.

Regards

Shiji
