Cisco Catalyst 6500 Series Configuration Manual page 37

Chapter 1 Introduction to the Firewall Services Module
For multiple context mode, if you place the MSFC behind the FWSM, you should only connect it to a
single context. If you connect the MSFC to multiple contexts, the MSFC will route between the contexts,
which might not be your intention. The typical scenario for multiple contexts is to use the MSFC in front
of all the contexts to route between the Internet and the switched networks (see
Figure 1-3
Switch
Admin
Context
Routed Firewall and Transparent Firewall Modes
The FWSM can run in two firewall modes:
•
•
In routed mode, the FWSM is considered to be a router hop in the network. It performs NAT between
connected networks, and can use OSPF or passive RIP (in single context mode). Routed mode supports
up to 256 interfaces per context or in single mode, with a maximum of 1000 interfaces divided between
all contexts.
In transparent mode, the FWSM acts like a "bump in the wire," or a "stealth firewall," and is not a router
hop. The FWSM connects the same network on its inside and outside interfaces, but each interface must
be on a different VLAN. No dynamic routing protocols or NAT are required. However, like routed mode,
transparent mode also requires ACLs to allow traffic through. Transparent mode can also optionally use
EtherType ACLs to allow non-IP traffic. Transparent mode only supports two interfaces, an inside
interface and an outside interface.
OL-6392-01
MSFC Placement with Multiple Contexts
Context A
VLAN 201
Admin Inside
Network Customer A
Routed
Transparent
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
Internet
VLAN 100
MSFC
VLAN 200
Context B
VLAN 202 VLAN 203
Inside
Customer B
How the Firewall Services Module Works
Figure
Context C
VLAN 204
Inside
Customer C
1-3).
1-11