Chapter 5
Managing Security Contexts
Security Context Overview
The FWSM uses the characteristic that is unique and not shared across contexts. For example, if you
share a VLAN across contexts, then the classifier uses the IP address. See the "Sharing Resources and
Interfaces Between Contexts" section on page 5-5 for more information about sharing VLANs.
The FWSM classifier only "knows" about context IP addresses that have static NAT translations or that
have active NAT translations (xlates). The classifier only looks at static statements where the global
interface matches the source interface of the packet.
You can share a VLAN interface so long as each IP address space on that VLAN is unique, or you can
have overlapping IP addresses so long as the VLANs are unique. Figure 5-1 shows multiple contexts
sharing an outside VLAN, while the inside VLANs are unique, allowing overlapping IP addresses.
Figure 5-1 Multiple Security Contexts
[Figure: the Internet and the switch connect over shared VLAN 200 to the classifier, which feeds the Admin Context, Context A, Context B and Context C, each with a unique IP address on the common subnet. Inside VLANs 201, 202, 203 and 204 lead to the Admin Network and to the Customer A, Customer B and Customer C inside networks.]
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
5-3
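The classification rule described above, as a simplified Python model added here (it is not code from the guide or from the FWSM). It assumes the IP address checked on a shared VLAN is the packet's destination address; context names and VLAN numbers follow Figure 5-1, and every address is constructed sample data.

```python
from ipaddress import ip_address

# Constructed sample data modeled on Figure 5-1: outside VLAN 200 is shared,
# inside VLANs are unique. Statics are (global-interface VLAN, global IP).
CONTEXTS = {
    "admin": {"vlans": {200, 201}, "statics": [], "xlates": set()},
    "A": {"vlans": {200, 202},
          "statics": [(200, "209.165.201.3")],
          "xlates": set()},
    "B": {"vlans": {200, 203},
          "statics": [(203, "10.1.1.9")],      # global interface is not VLAN 200
          "xlates": {"209.165.201.4"}},        # active dynamic translation
    "C": {"vlans": {200, 204}, "statics": [], "xlates": set()},
}

def classify(ingress_vlan, dst_ip, contexts=CONTEXTS):
    """Return the owning context name, or None if the packet cannot be classified."""
    owners = [n for n, c in contexts.items() if ingress_vlan in c["vlans"]]
    if len(owners) == 1:
        return owners[0]                       # a unique VLAN identifies the context
    dst = ip_address(dst_ip)
    matches = []
    for name in owners:                        # shared VLAN: fall back to the IP address
        ctx = contexts[name]
        # Only statics whose global interface is the packet's source interface count.
        static_hit = any(vlan == ingress_vlan and ip_address(ip) == dst
                         for vlan, ip in ctx["statics"])
        xlate_hit = any(ip_address(ip) == dst for ip in ctx["xlates"])
        if static_hit or xlate_hit:
            matches.append(name)
    return matches[0] if len(matches) == 1 else None

def duplicate_globals(contexts=CONTEXTS):
    """Audit check: global IPs claimed by more than one context on the same VLAN."""
    claims = {}
    for name, ctx in contexts.items():
        for vlan, ip in ctx["statics"]:
            claims.setdefault((vlan, ip_address(ip)), set()).add(name)
    return {key: sorted(names) for key, names in claims.items() if len(names) > 1}

if __name__ == "__main__":
    for vlan, ip in [(202, "10.1.1.5"), (203, "10.1.1.5"), (200, "209.165.201.3"),
                     (200, "209.165.201.4"), (200, "10.1.1.9"), (200, "209.165.201.9")]:
        print(vlan, ip, "->", classify(vlan, ip))
    print("duplicate globals:", duplicate_globals())
```

A `None` result on the shared VLAN marks traffic for an address that has neither a matching static nor an active xlate, which is the case to look for when reviewing a multi-context configuration.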