Cisco Catalyst 6500 Series Configuration Manual page 29

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services

Chapter 1
Introduction to the Firewall Services Module
3. Supports transparent firewall mode when you use failover. Failover requires BPDU forwarding to the FWSM, or else you can have a loop. Other releases that do not support BPDU forwarding only support transparent mode without failover.

4. When you use Catalyst OS on the supervisor, you can use any of the supported Cisco IOS releases above on the MSFC. (When you use Cisco IOS software on the supervisor, you use the same release on the MSFC.) The supervisor software determines the FWSM feature support. For example, if you use Catalyst OS Release 7.6(1) on the supervisor and Cisco IOS 12.1(13)E on the MSFC, then the switch does support multiple SVIs, because Catalyst OS Release 7.6(1) supports multiple SVIs.

Features

This section describes the FWSM features, and includes the following topics:

- General Features
- Stateful Inspection Feature
- Other Protection Features

General Features

Table 1-2 lists the features of the FWSM.

Table 1-2 General FWSM Features

Feature: Transparent firewall or routed firewall mode
Description: The firewall can run in one of the following modes:
- Routed—The FWSM is considered to be a router hop in the network. It performs NAT between connected networks. In single context mode, you can use OSPF or passive RIP.
- Transparent—The FWSM acts like a "bump in the wire," and is not a router hop. The FWSM connects the same network on its inside and outside interfaces, but each interface must be on a different VLAN. No dynamic routing protocols or NAT are required.

Feature: Multiple security contexts
Description: In multiple context mode, you can create up to 100 separate security contexts (depending on your software license). A security context is a virtual firewall that has its own security policy and interfaces. Multiple contexts are similar to having multiple stand-alone firewalls. Contexts are conveniently contained within a single module.
You can run all security contexts in routed mode or in transparent mode; you cannot run some contexts in one mode and others in another.
With the default software license, you can run up to two security contexts in addition to an admin context. For more contexts, you must purchase a license.

Feature: Resource management for security contexts
Description: You can limit resources per context so one context does not use up too many resources. You create classes that define resource limitations as an absolute value or as a percentage, and then assign a context to one of these classes.

Feature: Communication between same security level
Description: You can configure interfaces on the same security level to communicate with each other. This feature is off by default, and you can enable or disable this feature on a per context basis. In earlier releases, no communication between interfaces with the same security level was possible.

Feature: Bidirectional NAT and policy NAT
Description: You can perform NAT on inside and outside addresses. For policy NAT, you can identify addresses to be translated using an extended ACL, which allows you more control in determining which addresses to translate.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01


This manual is also suitable for:

7600 series
