Common Uses For Security Contexts; Context Configuration Files; How The Fwsm Classifies Packets; Chapter 5 Managing Security Context - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services
Security Context Overview
This section provides an overview of security contexts, and includes the following topics:

• Common Uses for Security Contexts
• Context Configuration Files
• How the FWSM Classifies Packets
• IP Routing Support
• Sharing Resources and Interfaces Between Contexts
• Logging into the FWSM in Multiple Context Mode

Common Uses for Security Contexts

You might want to use multiple security contexts in the following situations:

• You are a service provider and want to sell firewall services to many customers. By enabling multiple security contexts on the FWSM, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.
• You are a large enterprise or a college campus and want to keep departments completely separate.
• You are an enterprise that wants to provide distinct security policies to different departments.
• You have any network that requires more than one firewall.

Context Configuration Files

Each context has its own configuration file that identifies the security policy, interfaces, and almost all the options you can configure on a stand-alone firewall. You can store context configurations on the local disk partition on the Flash memory card, or you can download them from a TFTP, FTP, or HTTP(S) server.

In addition to individual security contexts, the FWSM also includes a system configuration that identifies basic settings for the FWSM, including a list of contexts. Like the single mode configuration, this configuration resides as the "startup" configuration in the flash partition.

The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from a server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only, as well as the Ethernet Out-of-Band Channel (EOBC) to the switch, which does not require any configuration. If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the disk partition called admin.cfg. In the FWSM CLI, this context is named "admin." If you do not want to use admin.cfg as the admin context, you can change the admin context using the "Changing the Admin Context" section on page 5-22.

How the FWSM Classifies Packets

Each packet that enters the FWSM must be classified, so that the FWSM can determine to which context to send a packet. The classifier checks for the following characteristics:

• Source interface (VLAN)
• Destination address

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01
Chapter 5: Managing Security Contexts
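
The following audit sketch is an added example, not part of the Cisco guide. It reads a system configuration and reports three things that follow from the sections above: an admin context that is designated but not defined, a context file fetched from anything other than local disk or HTTPS, and a VLAN allocated to more than one context. It assumes the FWSM system-configuration commands admin-context, context, allocate-interface and config-url, which this page does not show; the sample configuration, the addresses and the disk-or-HTTPS policy are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of an FWSM system configuration (not taken from the manual).
SAMPLE_SYSTEM_CONFIG = """\
admin-context admin
context admin
  allocate-interface vlan100
  config-url disk:/admin.cfg
context customerA
  allocate-interface vlan101
  allocate-interface vlan300
  config-url tftp://192.0.2.10/customerA.cfg
context customerB
  allocate-interface vlan300
  config-url https://192.0.2.10/customerB.cfg
"""
PROTECTED_SCHEMES = {"disk", "https"}  # assumed policy, not from the manual

def parse_system_config(text):
    """Return (admin_context_name, {context: {"vlans": [...], "url": str or None}})."""
    admin, contexts, current = None, {}, None
    for words in map(str.split, text.splitlines()):
        if len(words) < 2:
            continue
        if words[0] == "admin-context":
            admin = words[1]
        elif words[0] == "context":
            current = contexts.setdefault(words[1], {"vlans": [], "url": None})
        elif current is not None and words[0] == "allocate-interface":
            current["vlans"].append(words[1].lower())
        elif current is not None and words[0] == "config-url":
            current["url"] = words[1]
    return admin, contexts

def audit(text):
    """Return sorted findings: undefined admin context, weak config-url, shared VLANs."""
    admin, contexts = parse_system_config(text)
    findings, owners = [], {}
    if admin not in contexts:
        findings.append(f"admin context {admin!r} is not defined")
    for name, ctx in contexts.items():
        if urlsplit(ctx["url"] or "").scheme.lower() not in PROTECTED_SCHEMES:
            findings.append(f"{name}: config-url {ctx['url']} is not disk or HTTPS")
        for vlan in ctx["vlans"]:
            owners.setdefault(vlan, []).append(name)
    # A VLAN allocated to several contexts cannot be classified by source interface alone.
    findings += [f"{vlan}: shared by {', '.join(sorted(names))}"
                 for vlan, names in owners.items() if len(names) > 1]
    return sorted(findings)
```

Calling audit(SAMPLE_SYSTEM_CONFIG) reports the TFTP-hosted customerA file and the shared vlan300. VLAN ranges in allocate-interface are not expanded by this sketch.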
