Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S
IPv6 Zone-Based Firewall Support over VASI Interfaces
Downloads: This chapterpdf (PDF - 1.43MB) The complete bookPDF (PDF - 6.41MB) | The complete bookePub (ePub - 1.22MB) | Feedback

IPv6 Zone-Based Firewall Support over VASI Interfaces

Contents

IPv6 Zone-Based Firewall Support over VASI Interfaces

This feature supports VRF-Aware Service Infrastructure (VASI) interfaces over IPv6 firewalls. This feature allows you to apply services such as access control lists (ACLs), Network Address Translation (NAT), policing, and zone-based firewalls to traffic that flows across two different virtual routing and forwarding (VRF) instances. VASI interfaces support the redundancy of Route Processors (RPs) and Forwarding Processors (FPs). VASI interfaces support IPv4 and IPv6 unicast traffic.

This module provides information about VASI interfaces and describes how to configure VASI interfaces.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Restrictions for IPv6 Zone-Based Firewall Support over VASI Interfaces

  • Multiprotocol Label Switching (MPLS) traffic over VRF-Aware Software Infrastructure (VASI) interfaces is not supported.
  • IPv4 and IPv6 multicast traffic is not supported.
  • VASI interfaces do not support the attachment of queue-based features. The following commands are not supported on modular QoS CLI (MQC) policies that are attached to VASI interfaces:
    • bandwidth (policy-map class)
    • fair-queue
    • priority
    • queue-limit
    • random-detect
    • shape

Information About IPv6 Zone-Based Firewall Support over VASI Interfaces

VASI Overview

VRF-Aware Software Infrastructure (VASI) provides the ability to apply services such as, a firewall, IPsec, and Network Address Translation (NAT), to traffic that flows across different virtual routing and forwarding (VRF) instances. VASI is implemented by using virtual interface pairs, where each of the interfaces in the pair is associated with a different VRF instance. The VASI virtual interface is the next-hop interface for any packet that needs to be switched between these two VRF instances. VASI interfaces provide the framework to configure a firewall or NAT between VRF instances.

Each interface pair is associated with two different VRF instances. The pairing is done automatically based on the two interface indexes such that the vasileft interface is automatically paired to the vasiright interface. For example, in the figure below, vasileft1 and vasiright1 are automatically paired, and a packet entering vasileft1 is internally handed over to vasiright1.

On VASI interfaces, you can configure either static routing or dynamic routing with Internal Border Gateway Protocol (IBGP), Enhanced Interior Gateway Routing Protocol (EIGRP), or Open Shortest Path First (OSPF). IBGP dynamic-routing protocol restrictions and configurations are valid for IBGP routing configurations between VASI interfaces.

The following figure shows an inter-VRF VASI configuration on the same device.

Figure 1. Inter-VRF VASI Configuration

When an inter-VRF VASI is configured on the same device, the packet flow happens in the following order:
  1. A packet enters the physical interface that belongs to VRF 1 (Gigabit Ethernet 0/2/0.3).
  2. Before forwarding the packet, a forwarding lookup is done in the VRF 1 routing table. Vasileft1 is chosen as the next hop, and the Time to Live (TTL) value is decremented from the packet. Usually, the forwarding address is selected on the basis of the default route in the VRF. However, the forwarding address can also be a static route or a learned route. The packet is sent to the egress path of vasileft1 and then automatically sent to the vasiright1 ingress path.
  3. When the packet enters vasiright1, a forwarding lookup is done in the VRF 2 routing table, and the TTL is decremented again (second time for this packet).
  4. VRF 2 forwards the packet to the physical interface, Gigabit Ethernet 0/3/0.5.

The following figure shows how VASI works in a Multiprotocol Label Switching (MPLS) VPN configuration.


Note


In the following figure, MPLS is enabled on the Gigabit Ethernet interface, but MPLS traffic is not supported across VASI pairs.


Figure 2. VASI with an MPLS VPN Configuration

When VASI is configured with a Multiprotocol Label Switching (MPLS) VPN, the packet flow happens in the following order:
  1. A packet arrives on the MPLS interface with a VPN label.
  2. The VPN label is stripped from the packet, a forwarding lookup is done within VRF 2, and the packet is forwarded to vasiright1. The TTL value is decremented from the packet.
  3. The packet enters vasileft1 on the ingress path, and another forwarding lookup is done in VRF 1. The packet is sent to the egress physical interface in VRF1 (Gigabit Ethernet 0/2/0.3). The TTL is again decremented from the packet.

How to Configure IPv6 Zone-Based Firewall Support over VASI Interfaces

Configuring VRFs and Address Family Sessions

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    vrf definition vrf-name

    4.    address-family ipv6

    5.    exit-address-family

    6.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable 
     
    Enables privileged EXEC mode.
    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal 
     

    Enters global configuration mode.

     
    Step 3 vrf definition vrf-name


    Example:
    Device(config)# vrf definition VRF1 
     

    Configures a virtual routing and forwarding (VRF) routing table instance and enters VRF configuration mode.

     
    Step 4 address-family ipv6


    Example:
    Device(config-vrf)# address-family ipv6 
     

    Enters address family configuration mode and configures sessions that carry standard IPv6 address prefixes.

     
    Step 5 exit-address-family


    Example:
    Device(config-vrf-af)# exit-address-family 
     

    Exits address family configuration mode and enters VRF configuration mode.

     
    Step 6 end


    Example:
    Device(config-vrf)# end 
     

    Exits VRF configuration mode and enters privileged EXEC mode.

     

    Configuring Class Maps and Policy Maps for VASI Support

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    ipv6 unicast-routing

      4.    class-map type inspect match-any class-map-name

      5.    match protocol name

      6.    match protocol name

      7.    exit

      8.    policy-map type inspect policy-map-name

      9.    class type inspect class-map-name

      10.    inspect

      11.    exit

      12.    class class-default

      13.    end


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Device> enable
       
      Enables privileged EXEC mode.
      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 ipv6 unicast-routing


      Example:
      Device(config)# ipv6-unicast routing
       

      Enables the forwarding of IPv6 unicast datagrams.

       
      Step 4 class-map type inspect match-any class-map-name


      Example:
      Device(config)# class-map type inspect match-any c-map
       

      Creates an inspect type class map and enters QoS class-map configuration mode.

       
      Step 5 match protocol name


      Example:
      Device(config-cmap)# match protocol icmp
       

      Configures a match criterion for a class map on the basis of a specified protocol.

       
      Step 6 match protocol name


      Example:
      Device(config-cmap)# match protocol tcp
       

      Configures a match criterion for a class map on the basis of a specified protocol.

       
      Step 7 exit


      Example:
      Device(config-cmap)# exit
       

      Exits QoS class-map configuration mode and enters global configuration mode.

       
      Step 8 policy-map type inspect policy-map-name


      Example:
      Device(config)# policy-map type inspect p-map
       

      Creates a protocol-specific inspect-type policy map and enters QoS policy-map configuration mode.

       
      Step 9 class type inspect class-map-name


      Example:
      Device(config-pmap)# class type inspect c-map
       

      Specifies the traffic class on which an action is to be performed and enters QoS policy-map class configuration mode.

       
      Step 10 inspect


      Example:
      Device(config-pmap-c)# inspect
       

      Enables stateful packet inspection.

       
      Step 11 exit


      Example:
      Device(config-pmap-c)# exit
       

      Exits QoS policy-map class configuration mode and enters QoS policy-map configuration mode.

       
      Step 12 class class-default


      Example:
      Device(config-pmap)# class class-default
       
      Applies the policy map settings to the predefined default class and enters QoS policy-map class configuration mode.
      • If traffic does not match any of the match criteria in the configured class maps, it is directed to the predefined default class.
       
      Step 13 end


      Example:
      Device(config-pmap-c)# end
       

      Exits QoS policy-map class configuration mode and enters privileged EXEC mode.

       

      Configuring Zones and Zone Pairs for VASI Support

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    zone security zone-name

        4.    exit

        5.    zone-pair security zone-pair-name source source-zone destination destination-zone

        6.    service-policy type inspect policy-map-name

        7.    exit

        8.    interface type number

        9.    vrf forwarding vrf-name

        10.    no ip address

        11.    zone member security zone-name

        12.    ipv6 address ipv6-address/prefix-length

        13.    ipv6 enable

        14.    negotiation auto

        15.    exit

        16.    interface type number

        17.    no ip address

        18.    ipv6 address ipv6-address/prefix-length

        19.    ipv6 enable

        20.    negotiation auto

        21.    end


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Device> enable 
         
        Enables privileged EXEC mode.
        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Device# configure terminal 
         

        Enters global configuration mode.

         
        Step 3 zone security zone-name


        Example:
        Device(config)# zone security in 
         
        Creates a security zone and enters security zone configuration mode.
        • Your configuration must have two security zones to create a zone pair: a source and a destination zone.
        • In a zone pair, you can use the default zone as either the source or the destination zone.
         
        Step 4 exit


        Example:
        Device(config-sec-zone)# exit 
         

        Exits security zone configuration mode and enters global configuration mode.

         
        Step 5 zone-pair security zone-pair-name source source-zone destination destination-zone


        Example:
        Device(config)# zone-pair security in-out source in destination out 
         
        Creates a zone pair and enters security zone-pair configuration mode.
        • To apply a policy, you must configure a zone pair.
         
        Step 6 service-policy type inspect policy-map-name


        Example:
        Device(config-sec-zone-pair)# service-policy type inspect p-map 
         
        Attaches a policy map to a top-level policy map.
        • If a policy is not configured between a pair of zones, traffic is dropped by default.
         
        Step 7 exit


        Example:
        Device(config-sec-zone-pair)# exit
         

        Exits security zone-pair configuration mode and enters global configuration mode.

         
        Step 8 interface type number


        Example:
        Device(config)# interface gigabitethernet 0/0/0 
         

        Configures an interface and enters interface configuration mode.

         
        Step 9 vrf forwarding vrf-name


        Example:
        Device(config-if)# vrf forwarding VRF1
         

        Associates a virtual routing and forwarding (VRF) instance or a virtual network with an interface or subinterface.

         
        Step 10 no ip address


        Example:
        Device(config-if)# no ip address
         

        Removes an IP address or disables IP processing.

         
        Step 11 zone member security zone-name


        Example:
        Device(config-if)# zone member security in
         

        Attaches an interface to a security zone.

         
        Step 12 ipv6 address ipv6-address/prefix-length


        Example:
        Device(config-if)# ipv6 address 2001:DB8:2:1234/64 
         

        Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.

         
        Step 13 ipv6 enable


        Example:
        Device(config-if)# ipv6 enable 
         

        Enables IPv6 processing on an interface that has not been configured with an explicit IPv6 address.

         
        Step 14 negotiation auto


        Example:
        Device(config-if)# negotiation auto 
         

        Enables advertisement of speed, duplex mode, and flow control on a Gigabit Ethernet interface.

         
        Step 15 exit


        Example:
        Device(config-if)# exit
         

        Exits interface configuration mode and enters global configuration mode.

         
        Step 16 interface type number


        Example:
        Device(config)# interface gigabitethernet 0/0/1 
         

        Configures an interface and enters interface configuration mode.

         
        Step 17 no ip address


        Example:
        Device(config-if)# no ip address
         

        Removes an IP address or disables IP processing.

         
        Step 18 ipv6 address ipv6-address/prefix-length


        Example:
        Device(config-if)# ipv6 address 2001:DB8:3:1234/64 
         

        Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.

         
        Step 19 ipv6 enable


        Example:
        Device(config-if)# ipv6 enable 
         

        Enables IPv6 processing on an interface that has not been configured with an explicit IPv6 address.

         
        Step 20 negotiation auto


        Example:
        Device(config-if)# negotiation auto 
         

        Enables advertisement of speed, duplex mode, and flow control on a Gigabit Ethernet interface.

         
        Step 21 end


        Example:
        Device(config-if)# end 
         

        Exits interface configuration mode and enters privileged EXEC mode.

         

        Configuring VASI Interfaces

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    interface type number

          4.    vrf forwarding vrf-name

          5.    ipv6 address ipv6-address/prefix-length link-local

          6.    ipv6 address ipv6-address/prefix-length

          7.    ipv6 enable

          8.    no keepalive

          9.    zone member security zone-name

          10.    exit

          11.    interface type number

          12.    ipv6 address ipv6-address/prefix-length link-local

          13.    ipv6 address ipv6-address/prefix-length

          14.    ipv6 enable

          15.    no keepalive

          16.    exit

          17.    ipv6 route ipv6-prefix/prefix-length interface-type interface-number ipv6-address

          18.    ipv6 route vrf vrf-name ipv6-prefix/prefix-length interface-type interface-number ipv6-address

          19.    end


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 enable


          Example:
          Device> enable
           
          Enables privileged EXEC mode.
          • Enter your password if prompted.
           
          Step 2 configure terminal


          Example:
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 3 interface type number


          Example:
          Device(config)# interface vasileft 1
           

          Configures a VASI interface and enters interface configuration mode.

           
          Step 4 vrf forwarding vrf-name


          Example:
          Device(config-if)# vrf forwarding VRF1
           

          Associates a virtual routing and forwarding (VRF) instance or a virtual network with an interface or subinterface.

           
          Step 5 ipv6 address ipv6-address/prefix-length link-local


          Example:
          Device(config-if)# ipv6 address FE80::8EB6:4FFF:FE6C:E701 link-local
           

          Configures an IPv6 link-local address for an interface and enable IPv6 processing on the interface.

           
          Step 6 ipv6 address ipv6-address/prefix-length


          Example:
          Device(config-if)# ipv6 address 2001:DB8:4:1234/64
           

          Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.

           
          Step 7 ipv6 enable


          Example:
          Device(config-if)# ipv6 enable
           

          Enables IPv6 processing on an interface that has not been configured with an explicit IPv6 address.

           
          Step 8 no keepalive


          Example:
          Device(config-if)# no keepalive
           

          Disables keepalive packets.

           
          Step 9 zone member security zone-name


          Example:
          Device(config-if)# zone member security out
           

          Attaches an interface to a security zone.

           
          Step 10 exit


          Example:
          Device(config-if)# exit
           

          Exits interface configuration mode and enters global configuration mode.

           
          Step 11 interface type number


          Example:
          Device(config)# interface vasiright 1
           

          Configures a VASI interface and enters interface configuration mode.

           
          Step 12 ipv6 address ipv6-address/prefix-length link-local


          Example:
          Device(config-if)# ipv6 address FE80::260:3EFF:FE11:6770 link-local
           

          Configures an IPv6 link-local address for an interface and enable IPv6 processing on the interface.

           
          Step 13 ipv6 address ipv6-address/prefix-length


          Example:
          Device(config-if)# ipv6 address 2001:DB8:4:1234/64
           

          Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.

           
          Step 14 ipv6 enable


          Example:
          Device(config-if)# ipv6 enable
           

          Enables IPv6 processing on an interface that has not been configured with an explicit IPv6 address.

           
          Step 15 no keepalive


          Example:
          Device(config-if)# no keepalive
           

          Disables keepalive packets.

           
          Step 16 exit


          Example:
          Device(config-if)# exit
           

          Exits interface configuration mode and enters global configuration mode.

           
          Step 17 ipv6 route ipv6-prefix/prefix-length interface-type interface-number ipv6-address


          Example:
          Device(config)# ipv6 route 2001::/64 vasileft 1 2001::/64
           

          Establishes static IPv6 routes.

           
          Step 18 ipv6 route vrf vrf-name ipv6-prefix/prefix-length interface-type interface-number ipv6-address


          Example:
          Device(config)# ipv6 route vrf vrf1 2001::/64 vasiright 1 2001::/64
           

          Specifies all VRF tables or a specific VRF table for an IPv6 address.

           
          Step 19 end


          Example:
          Device(config# end
           

          Exits global configuration mode and enters privileged EXEC mode.

           

          Configuration Examples for IPv6 Zone-Based Firewall Support over VASI Interfaces

          Example: Configuring VRFs and Address Family Sessions

          Device# configure terminal 
          Device(config)# vrf definition VRF1 
          Device(config-vrf)# address-family ipv6
          Device(config-vrf-af)# exit-address-family
          Device(config-vrf)# end 
          

          Example: Configuring Class Maps and Policy Maps for VASI Support

          Device# configure terminal
          Device(config)# ipv6-unicast routing
          Device(config)# class-map type inspect match-any c-map
          Device(config-cmap)# match protocol icmp
          Device(config-cmap)# match protocol tcp
          Device(config-cmap)# match protocol udp
          Device(config-cmap)# exit
          Device(config)# policy-map type inspect p-map
          Device(config-pmap)# class type inspect c-map
          Device(config-pmap-c)# inspect
          Device(config-pmap-c)# exit
          Device(config-pmap)# class class-default
          Device(config-pmap-c)# end

          Example: Configuring Zones and Zone Pairs for VASI Support

          Device# configure terminal
          Device(config)# zone security in
          Device(config)# exit
          Device(config)# zone security out
          Device(config)# exit
          Device(config)# zone-pair security in-out source in destination out
          Device(config-sec-zone-pair)# service-policy type inspect p-map
          Device(config-sec-zone-pair)# exit 
          Device(config)# interface gigabitethernet 0/0/0
          Device(config-if)# vrf forwarding VRF1
          Device(config-if)# no ip address
          Device(config-if)# zone member security in
          Device(config-if)# ipv6 address 2001:DB8:2:1234/64 
          Device(config-if)# ipv6 enable
          Device(config-if)# negotiation auto 
          Device(config-if)# exit
          Device(config)# interface gigabitethernet 0/0/1
          Device(config-if)# no ip address
          Device(config-if)# ipv6 address 2001:DB8:3:1234/64
          Device(config-if)# ipv6 enable
          Device(config-if)# negotiation auto 
          Device(config-if)# end
          

          Example: Configuring VASI Interfaces

          Device# configure terminal
          Device(config)# interface vasileft 1
          Device(config-if)# vrf forwarding VRF1
          Device(config-if)# ipv6 address FE80::8EB6:4FFF:FE6C:E701 link-local
          Device(config-if)# ipv6 address 2001:DB8:4:1234/64
          Device(config-if)# ipv6 enable
          Device(config-if)# no keepalive
          Device(config-if)# zone-member security out
          Device(config-if)# exit
          Device(config)# interface vasiright 1
          Device(config-if)# ipv6 address FE80::260:3EFF:FE11:6770 link-local
          Device(config-if)# ipv6 address 2001:DB8:4:1234/64
          Device(config-if)# ipv6 enable
          Device(config-if)# no keepalive
          Device(config-if)# exit
          Device(config)# ipv6 route 2001::/64 vasileft 1 2001::/64
          Device(config)# ipv6 route vrf vrf1 2001::/64 vasiright 1 2001::/64
          Device(config)# end      

          Additional References for Firewall Stateful Interchassis Redundancy

          Technical Assistance

          Description

          Link

          The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

          http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

          Feature Information for IPv6 Zone-Based Firewall Support over VASI Interfaces

          The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

          Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

          Table 1 Feature Information for IPv6 Zone-Based Firewall Support VASI Interfaces

          Feature Name

          Releases

          Feature Information

          IPv6 Zone-Based Firewall Support over VASI Interfaces

          Cisco IOS XE Release 3.7S

          This feature supports VASI interfaces over IPv6 firewalls. This feature allows you to apply services such as access control lists (ACLs), Network Address Translation (NAT), policing, and zone-based firewalls to traffic that flows across two different virtual routing and forwarding (VRF) instances. VASI interfaces support the redundancy of Route Processors (RPs) and Forwarding Processors (FPs). VASI interfaces support IPv4 and IPv6 unicast traffic.

          No commands were introduced or modified for this feature.