Security Context Overview
Common Uses for Security Contexts
You might want to use multiple security contexts in the following situations:
•
•
•
•
Unsupported Features
Multiple context mode does not support the following features:
•
•
Context Configuration Files
This section describes how the FWSM implements multiple context mode configurations, and includes
the following topics:
•
•
•
Context Configurations
The FWSM includes a configuration for each context that identifies the security policy, interfaces, and
almost all the options you can configure on a standalone device. You can store context configurations on
the internal flash memory or the external flash memory card, or you can download them from a TFTP,
FTP, or HTTP(S) server.
System Configuration
The system administrator adds and manages contexts by configuring each context configuration location,
allocated interfaces, and other context operating parameters in the system configuration, which, like a
single mode configuration, is the startup configuration. The system configuration identifies basic
settings for the FWSM. The system configuration does not include any network interfaces or network
settings for itself; rather, when the system needs to access network resources (such as downloading the
contexts from the server), it uses one of the contexts that is designated as the admin context. The system
configuration does include a specialized failover interface for failover traffic only.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
4-2
You are a service provider and want to sell security services to many customers. By enabling
multiple security contexts on the FWSM, you can implement a cost-effective, space-saving solution
that keeps all customer traffic separate and secure, and also eases configuration.
You are a large enterprise or a college campus and want to keep departments completely separate.
You are an enterprise that wants to provide distinct security policies to different departments.
You have any network that requires more than one firewall.
Most dynamic routing protocols. BGP stub mode is supported.
Security contexts support only static routes or BGP stub mode. You cannot enable OSPF or RIP in
multiple context mode. You can, however, configure Route Health Injection, which lets you inject
static, connected, and NAT addresses into the MSFC routing table. See the
Health Injection" section on page
Multicast routing. Multicast bridging is supported.
Context Configurations, page 4-2
System Configuration, page 4-2
Admin Context Configuration, page 4-3
8-32.
Chapter 4
Configuring Security Contexts
"Configuring Route
OL-20748-01