
Cisco Catalyst 6500 Series User Manual

Cisco Catalyst 6500 Series
392 pages
1-12
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 1 Introduction to the Firewall Services Module
How the Firewall Services Module Works
You might use a transparent firewall to simplify your network configuration. Transparent mode is also
useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for
traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow
multicast streams using an EtherType ACL.
See Chapter 7, “Configuring Bridging Parameters and ARP Inspection,” for more information.
Security Contexts
You can partition a single FWSM into multiple virtual firewalls, known as security contexts. Each
context is an independent system, with its own security policy, interfaces, and administrators. Multiple
contexts are similar to having multiple stand-alone firewalls.
Each context has its own configuration that identifies the security policy, interfaces, and almost all the
options you can configure on a stand-alone firewall. If desired, you can allow individual context
administrators to implement the security policy on the context. Some resources are controlled by the
overall system administrator, such as VLANs and system resources, so that one context cannot affect
other contexts inadvertently.
The system administrator adds and manages contexts by configuring them in the system configuration,
which identifies basic settings for the module. The system administrator has privileges to manage all
contexts. The system configuration does not include any network interfaces or network settings for itself;
rather, when the system needs to access network resources (such as downloading the contexts from the
server), it uses one of the contexts that is designated as the admin context.
The admin context is just like any other context, except that when a user logs into the admin context (for
example, over an SSH connection), then that user has system administrator rights, and can access the
system configuration and all other context configurations. Typically, the admin context provides network
access to network-wide resources, such as a syslog server or context configuration server.
With the default software license, you can run up to two security contexts plus the admin context. For
more contexts, you must purchase a license.
Note: You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one
mode and others in another.

Note: Multiple context mode supports static routing only.

See Chapter 5, “Managing Security Contexts,” for more information.
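
An added example, not part of the Cisco manual: a short Python audit of a system configuration against the statements above (a designated admin context, the default-license limit of two contexts plus the admin context, and VLAN allocation by the system administrator). The sample configuration is constructed, and the `admin-context`, `context`, `allocate-interface` and `config-url` command keywords it uses do not appear on this page.

```python
import re

# Constructed sample system configuration (not taken from the manual).
SAMPLE_SYSTEM_CONFIG = """\
admin-context admin
context admin
  allocate-interface vlan10
  config-url disk:/admin.cfg
context customerA
  allocate-interface vlan20
  allocate-interface vlan30
  config-url disk:/customerA.cfg
context customerB
  allocate-interface vlan30
  config-url disk:/customerB.cfg
context customerC
  allocate-interface vlan50
  config-url disk:/customerC.cfg
"""
DEFAULT_LICENSE_CONTEXTS = 2  # per the text: two contexts plus the admin context

def parse_system_config(text):
    """Return (admin context name, {context name: set of allocated VLAN ids})."""
    admin, contexts, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"admin-context (\S+)", line):
            admin = m[1]
        elif m := re.fullmatch(r"context (\S+)", line):
            current = m[1]
            contexts[current] = set()
        elif current and (m := re.fullmatch(
                r"allocate-interface vlan(\d+)(?:-vlan(\d+))?(?:\s+\S+)?", line)):
            lo, hi = int(m[1]), int(m[2] or m[1])  # single VLAN or a range
            contexts[current].update(range(lo, hi + 1))
    return admin, contexts

def audit(text, licensed=DEFAULT_LICENSE_CONTEXTS):
    """Return review findings for a system configuration."""
    admin, contexts = parse_system_config(text)
    findings = []
    if admin not in contexts:
        findings.append("admin context not designated or not defined")
    extra = [c for c in contexts if c != admin]
    if len(extra) > licensed:
        findings.append(f"{len(extra)} contexts exceed the licensed {licensed}")
    for vlan in sorted(set().union(*contexts.values())):
        owners = [c for c, vlans in contexts.items() if vlan in vlans]
        if len(owners) > 1:  # shared VLANs let one context's traffic reach another
            findings.append(f"vlan{vlan} allocated to: {', '.join(owners)} (review)")
    return findings
```

Calling `audit(SAMPLE_SYSTEM_CONFIG)` on the constructed sample reports the third non-admin context and the VLAN that two contexts share.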
