New Member

Shared Interface between FWSM Contexts

Is it possible to set up an Active/Active FWSM configuration where there is a shared interface between both Active contexts?

There will be 2 x 6506's with a FWSM each. I want to have an Active Context on each FWSM in the 6506's. And I want to make a shared interface between these active/active contexts across both 6506's.

Possible?

6 REPLIES

Re: Shared Interface between FWSM Contexts

What do you mean by shared interfaces? You share interfaces because you are falling short of physical interfaces; there is no such thing on the FWSM. Just VLANs?

Regards

Farrukh

New Member

Re: Shared Interface between FWSM Contexts

Right sorry, I meant shared vlans.

In an msfc-outside config, I want to have a switch connect into active context1 on vlan 5. I want another switch to connect into context2 on vlan 6. Now I want both of these contexts to share "vlan 10".

Keep in mind that Active context1 will be on 6506-1 and Active context2 will be on 6506-2.

So my question is, can I set up a shared vlan for use between these 2 contexts?

Re: Shared Interface between FWSM Contexts

You can only share it if interfaces are in routed mode. Normally only outside interfaces can be shared because of the FWSM's single MAC address limitation & Static statement requirement.

You need to use static NAT statements, as in the case of shared interfaces the FWSM's "Classifier" intercepts the traffic and, depending on the destination IP, hands the traffic over to the appropriate context.

Syed Iftekhar Ahmed
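
Added example, not part of the original posts: a sketch of the layout described in the reply above, with vlan 10 shared as the routed outside interface of both contexts and one static NAT entry per context so the classifier can select a context from the destination address. The context names, file names and all IP addresses are constructed placeholders; the VLAN numbers are the ones used in this thread.

```cisco
! --- system execution space (multiple context mode) ---
! vlan 10 is allocated to both contexts; vlan 5 and vlan 6 are not shared
context c1
  allocate-interface vlan5
  allocate-interface vlan10
  config-url disk:/c1.cfg
context c2
  allocate-interface vlan6
  allocate-interface vlan10
  config-url disk:/c2.cfg

! --- context c1 ---
interface vlan10
  nameif outside
  security-level 0
  ip address 192.0.2.1 255.255.255.0
interface vlan5
  nameif inside
  security-level 100
  ip address 10.5.0.1 255.255.255.0
! Traffic arriving on shared vlan 10 for 192.0.2.10 is handed to c1
static (inside,outside) 192.0.2.10 10.5.0.10 netmask 255.255.255.255

! --- context c2 ---
interface vlan10
  nameif outside
  security-level 0
  ip address 192.0.2.2 255.255.255.0
interface vlan6
  nameif inside
  security-level 100
  ip address 10.6.0.1 255.255.255.0
! Traffic arriving on shared vlan 10 for 192.0.2.20 is handed to c2
static (inside,outside) 192.0.2.20 10.6.0.10 netmask 255.255.255.255
```

The mapped addresses (192.0.2.10 and 192.0.2.20 here) must not overlap between the two contexts, since the destination address is the only thing that distinguishes them on the shared VLAN.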

Re: Shared Interface between FWSM Contexts

New Member

Re: Shared Interface between FWSM Contexts

Thank you both so much for the responses. Please take a look at my diagram of what I want to accomplish. I want to be able to access the mail servers, DNS, filers, etc. from both vlans.

Basically I want to be able to share "vlan 20" between C-1 (Context 1) and C-2 (Context 2).

I want to be able to connect to vlan 20 from vlan 10 and vlan 30 at any time.

From what you said, I can only share the Outside Vlan & Interface but I cannot share the inside vlan, in my case vlan 20.

Is this correct?

Re: Shared Interface between FWSM Contexts

You are right.

As I said the decision to pick Context is made on the "Destination address" defined in a NAT statement.

For your outgoing traffic (from vlan 20) hitting the internet, it would be practically impossible to define NAT statements for internet hosts.

One option here would be to introduce two VRFs between vlan 20 and the two FWSM contexts.

Syed Iftekhar Ahmed
