Managing Security Contexts in FWSM.

Dear Experts,

We have two FWSM modules where multicontext is configured with two failover groups, Group 1 and Group 2. Group 1 is activated on FWSM module 1 and Group 2 is activated on FWSM module 2.

The issue that I came across is that when I shared the management VLAN interface among the multiple contexts that belong to Group 1 (started with Group 1 only for testing), the ARP entry on the MSFC shows the same MAC address for each individual management IP address.

For example, we have VLAN 900 that is assigned to the ADMIN context with the IP of x.x.x.100, belonging to Group 1. We shared the same management VLAN 900 with another security context that also belongs to the same Group 1, with the IP of x.x.x.101. But when I checked the ARP entry, it shows the same MAC entry for both x.x.x.100 and x.x.x.101.

In the ASA, we have the option to generate unique MAC addresses by enabling the mac-address auto command.

Could you please advise how I can achieve the same on the FWSM, so that I can share a common VLAN among multiple contexts for management purposes.

Regards

Shiji

Hi Shiji,

The way the FWSM works is very different from the ASA; it does not have the mac-address auto feature to generate different MAC addresses for the same interface shared among different contexts.

It will always show you the same MAC address for the interface in different contexts. The packet classification on the FWSM is very different from the ASA.

The switch will always forward the packets to the same MAC address; the FWSM then does the packet classification to send the traffic to the correct context.

The two things on which this classification is based are:

Source interface (VLAN)

Destination address

So, even if you have the same MAC for all the different contexts, the FWSM will still route it to the correct context based on the above.

You can go through this doc for further explanation:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/context.html#wp1036573

Hope this helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC

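The classification Varun describes, as an added example that is not part of the original thread or Cisco's code: a simplified model in which a packet is assigned to a context by its ingress VLAN alone when that VLAN is unique to one context, and by its destination IP when the VLAN is shared. The addresses and context names are constructed placeholders standing in for the thread's x.x.x.100 / x.x.x.101, and the model only considers interface addresses (the real FWSM also matches NAT entries on a shared interface).

```python
# Simplified model of FWSM context classification on a shared VLAN.
# Constructed example, not FWSM code: contexts and addresses are placeholders.
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Context:
    name: str
    # vlan id -> interface IP address this context owns on that VLAN
    interfaces: dict = field(default_factory=dict)


def classify(contexts, src_vlan, dst_ip):
    """Return the name of the context that should receive the packet, or None."""
    dst = ip_address(dst_ip)
    # Step 1: source interface (VLAN). A VLAN assigned to one context decides alone.
    candidates = [c for c in contexts if src_vlan in c.interfaces]
    if not candidates:
        return None                       # VLAN not assigned to any context
    if len(candidates) == 1:
        return candidates[0].name
    # Step 2: shared VLAN, so the destination address must pick a single owner.
    owners = [c for c in candidates if ip_address(c.interfaces[src_vlan]) == dst]
    if len(owners) == 1:
        return owners[0].name
    return None                           # unknown destination or duplicate IPs


def build_contexts():
    """Two contexts sharing management VLAN 900 with distinct IPs (constructed)."""
    admin = Context("admin", {900: "192.0.2.100", 10: "198.51.100.1"})
    ctx_a = Context("ctxA", {900: "192.0.2.101", 20: "203.0.113.1"})
    return [admin, ctx_a]


def check_unique_ips(contexts):
    """Config check: list (vlan, ip, first_owner, second_owner) for any IP
    reused by two contexts on the same VLAN, which would defeat step 2."""
    seen = {}
    clashes = []
    for c in contexts:
        for vlan, ip in c.interfaces.items():
            if (vlan, ip) in seen:
                clashes.append((vlan, ip, seen[(vlan, ip)], c.name))
            else:
                seen[(vlan, ip)] = c.name
    return clashes
```

Run check_unique_ips over the intended context layout before sharing a VLAN: an empty result means every context on the shared VLAN is reachable by its own address, which is the only requirement the thread identifies.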
Hi Varun,

Thanks for your help on this.

So it means that I can share a common management interface VLAN on each security context, so that the monitoring server will treat/monitor each context separately. Is that correct, Varun?

Regards

Shiji

Hi Shiji,

That's correct; just keep a different IP for each interface in each context, that is all that is required.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Many thanks, Varun, for your support.

Regards

Shiji
