Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Installation and Configuration Note, 1.1(2)
Installing the Hardware
Downloads: This chapterpdf (PDF - 436.0KB) The complete bookPDF (PDF - 4.49MB) | Feedback

Installing the Firewall Services Module

Table Of Contents

Installing the Firewall Services Module

System Requirements

Memory and Storage Requirements

Software Requirements

Hardware Requirements

Required Tools

Installing and Removing the Module

Slot Assignments

Removing a Module

Installing a Module

Verifying the Installation

Using the CLI


Installing the Firewall Services Module


This chapter describes how to install the Firewall Services Module including the software and hardware requirements.

This chapter contains these sections:

System Requirements

Required Tools

Installing and Removing the Module

Using the CLI

System Requirements

This section describes the software and hardware requirements for the module:

Memory and Storage Requirements

Software Requirements

Hardware Requirements

Memory and Storage Requirements

There are no additional memory or storage requirements for this module. The module contains the following memory:

1 GB RAM

128 MB compact Flash

Software Requirements

Table 2-1 lists the Firewall Services Module software versions supported by the Catalyst operating system and the Cisco IOS software.

Table 2-1 Firewall Services Module Software Compatibility 

Firewall Services Module Software
Catalyst OS Software
Cisco IOS Software
Application Image
Maintenance Image
   

1.1(1)

1.1(1)

7.5

12.1(13)E with Supervisor Engine 2 and an MSFC 2

1.1(2)

1.1(2)

7.5 with a Supervisor Engine 1a, and an MSFC 2 or a Supervisor Engine2 and an MSFC 2.

12.1(13)E with a Supervisor Engine 2 and an MSFC 2


Hardware Requirements

The Cisco IOS software and Catalyst operating system, require a Catalyst 6500 series switch or Cisco 7600 series switch with a Supervisor Engine 1a (Catalyst operating system only) and an MSFC 2, or a Supervisor Engine 2(Catalyst operating system and Cisco IOS) and an MSFC 2. The module is supported on the Supervisor Engine with Cisco IOS software and the Catalyst operating system software.


Note Before installing the module, you must install the Catalyst 6500 series switch chassis and at least one supervisor engine. For information on installing the switch chassis, refer to the Catalyst 6000 Family Installation Guide.


Required Tools

These tools are required to install the module in the Catalyst 6500 series switches:

Flat-blade screwdriver

Phillips-head screwdriver

Wrist strap or other grounding device

Antistatic mat or antistatic foam

Whenever you handle the module, always use a wrist strap or other grounding device to prevent electrostatic discharge (ESD).

Installing and Removing the Module


Warning During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do not directly touch the backplane with your hand or any metal tool, or you could shock yourself.


All Catalyst 6500 series switches support hot swapping, which allows you to install, remove, replace, and rearrange modules without turning off the system power. For more information on removing the module from a switch, see the "Removing a Module" section.

When the system detects that a module has been installed or removed, the system automatically runs diagnostic and discovery routines, acknowledges the presence or absence of the module, and resumes system operation.

This section describes how to install and verify the operation of the Firewall Services Module in the Catalyst 6500 series switches and contains the following sections:

Slot Assignments, page 9

Removing a Module

Installing a Module

Verifying the Installation

Slot Assignments

The Catalyst 6006 and 6506 switch chassis have six slots, the Catalyst 6009 and 6509 switch chassis have nine slots, and the Catalyst 6513 switch chassis has thirteen slots.


Note The Catalyst 6509-NEB switch has vertical slots, which are numbered 1 to 9 from right to left. Install the modules with the component side facing to the right.


Each slot is used as follows:

Slot 1 is reserved for the supervisor engine.

Slot 2 can be used for a redundant supervisor engine in case the supervisor engine in slot 1 fails.

If a redundant supervisor engine is not required, slots 2 through 6 on the 6-slot chassis, (slots 2 through 9 on the 9-slot chassis, and slots 2 through 13 on the 13-slot chassis) are available for switching modules, such as the Firewall Services Module.

The empty slots require filler plates, which are blank switching-module carriers, to maintain consistent airflow through the switch chassis.

Removing a Module

This section describes how to remove an existing module from a chassis slot.


Warning During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do not directly touch the backplane with your hand or any metal tool, or you could shock yourself.



Warning Before you install, operate, or service the system, read the Site Preparation and Safety Guide. This guide contains important safety information you should know before working with the system.



Warning Invisible laser radiation may be emitted from disconnected fibers or connectors. Do not stare into beams or view directly with optical instruments.


To remove a supervisor engine or module from the chassis, perform these steps:


Step 1 Disconnect any network interface cables attached to the supervisor engine or module.

Step 2 Verify that the captive installation screws on all of the modules in the chassis are tight.

This step ensures that the space created by the removed module is maintained.


Note If the captive installation screws are loose, the electromagnetic interference (EMI) gaskets on the installed modules will push the modules toward the open slot, reducing the opening size and making it difficult to install the replacement module.


Step 3 Loosen the two captive installation screws on the supervisor engine or module.

Step 4 Depending on the orientation of the slots in the chassis (horizontal or vertical), perform one of the following set of substeps:

Horizontal slots

a. Place your thumbs on the left and right ejector levers, and simultaneously rotate the levers outward to unseat the module from the backplane connector.

b. Grasp the front edge of the module and slide the module part of the way out of the slot. Place your other hand under the module to support the weight of the module. Do not touch the module circuitry.

Vertical slots

a. Place your thumbs on the ejector levers located at the top and bottom of the module, and simultaneously rotate the levers outward to unseat the module from the backplane connector.

b. Grasp the edges of the module, and slide the module straight out of the slot. Do not touch the module circuitry.

Step 5 Place the module on an antistatic mat or antistatic foam, or immediately reinstall it in another slot.

Step 6 If the slot is to remain empty, install a module filler plate to keep dust out of the chassis and to maintain proper airflow through the chassis.



Warning Blank faceplates (filler panels) serve three important functions: they prevent exposure to hazardous voltages and currents inside the chassis; they contain electromagnetic interference (EMI) that might disrupt other equipment; and they direct the flow of cooling air through the chassis. Do not operate the system unless all cards and faceplates are in place.


Installing a Module

This section describes how to install modules in the Catalyst 6500 series switches.


Caution To prevent ESD damage, handle modules by the carrier edges only.


Warning During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do not directly touch the backplane with your hand or any metal tool, or you could shock yourself.



Warning Invisible laser radiation may be emitted from disconnected fibers or connectors. Do not stare into beams or view directly with optical instruments.



Warning Before you install, operate, or service the system, read the Site Preparation and Safety Guide. This guide contains important safety information you should know before working with the system.


To install a supervisor engine or module in the chassis, perform these steps:


Step 1 Choose a slot for the supervisor engine or module.

Step 2 Verify that there is enough clearance to accommodate any interface equipment that you will connect directly to the supervisor engine or module ports. If possible, place modules between empty slots that contain only module filler plates.

Step 3 Verify that the captive installation screws are tightened on all modules installed in the chassis.

This action ensures that the EMI gaskets on all modules are fully compressed in order to maximize the opening space for the new module or the replacement module.


Note If the captive installation screws are loose, the EMI gaskets on the installed modules will push adjacent modules toward the open slot, reducing the opening size and making it difficult to install the replacement module.


Step 4 Remove the module filler plate by removing the two Phillips pan-head screws from the filler plate. To remove a module, refer to "Removing a Module" section.

Step 5 Fully open both ejector levers on the new or replacement module. (See Figure 2-1.)

Figure 2-1 Positioning the Module in a Horizontal Slot Chassis

Step 6 Depending on the orientation of the slots in the chassis (horizontal or vertical), perform one of the following sets of substeps:

Horizontal slots

a. Position the supervisor engine or module in the slot. (See Figure 2-1.) Make sure that you align the sides of the module carrier with the slot guides on each side of the slot.

b. Carefully slide the supervisor engine or module into the slot until the EMI gasket along the top edge of the module makes contact with the module in the slot above it and both ejector levers have closed to approximately 45 degrees with respect to the module faceplate. (See Figure 2-2.)

Figure 2-2 Clearing the EMI Gasket in a Horizontal Slot Chassis

c. Using the thumb and forefinger of each hand, grasp the two ejector levers and press down to create a small (0.040 inch [1 mm]) gap between the module's EMI gasket and the module above it. (See Figure 2-2.)


Caution Do not press down too hard on the levers. They will bend and be damaged.

d. While pressing down, simultaneously close the left and right ejector levers to fully seat the supervisor engine or module in the backplane connector. The ejector levers are fully closed when they are flush with the module faceplate. (See Figure 2-3.)

Figure 2-3 Ejector Lever Closure in a Horizontal Slot Chassis


Note Failure to fully seat the module in the backplane connector can result in error messages.


e. Tighten the two captive installation screws on the supervisor engine or module.


Note Make sure the ejector levers are fully closed before tightening the captive installation screws.


Vertical slots

a. Position the supervisor engine or switching module in the slot. (See Figure 2-4.) Make sure that you align the sides of the switching-module carrier with the slot guides on the top and bottom of the slot.

Figure 2-4 Positioning the Module in a Vertical Slot Chassis

b. Carefully slide the supervisor engine or module into the slot until the EMI gasket along the right edge of the module makes contact with the module in the slot adjacent to it and both ejector levers have closed to approximately 45 degrees in relation to the faceplate. (See Figure 2-5.)

c. Using the thumb and forefinger of each hand, grasp the two ejector levers and exert a slight pressure to the left, deflecting the module approximately 0.040 inches (1 mm) to create a small gap between the module's EMI gasket and the module adjacent to it. (See Figure 2-5.)

Figure 2-5 Clearing the EMI Gasket in a Vertical Slot Chassis


Caution Do not exert too much pressure on the ejector levers. They will bend and be damaged.

d. While pressing on the ejector levers, simultaneously close them to fully seat the supervisor engine or module in the backplane connector. The ejector levers are fully closed when they are flush with the module faceplate. (See Figure 2-6.)

Figure 2-6 Ejector Lever Closure in a Vertical Slot Chassis

e. Tighten the two captive installation screws on the module.


Note Make sure the ejector levers are fully closed before tightening the captive installation screws.



Verifying the Installation

This section describes how to verify the module installation.

To verify that the system acknowledges the new module and has brought it online, enter the show module [mod-num | all] command.

This example shows the output of the show module command on the Catalyst 6500 series switch:

Router# show module 
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- ------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP1A-2GE    yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC         no  ok
2   2    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
4   4    2     Intrusion Detection Syste WS-X6381-IDS        no  ok
6   6    8     1000BaseX Ethernet        WS-X6408-GBIC       no  ok

This example shows the output of the show module command on the Cisco 7600 series Internet Router:

Router> show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    2  Catalyst 6000 supervisor 2 (Active)    WS-X6K-SUP2-2GE    SAD0444099Y
  2   48  48 port 10/100 mb RJ-45 ethernet       WS-X6248-RJ-45     SAD03475619
  3    2  Intrusion Detection System             WS-X6381-IDS       SAD04250KV5
  4    6  Firewall Module                        WS-SVC-FWM-1       SAD062302U4

When the module initially boots, by default it runs a partial memory test. To perform a full memory test, enter the hw-module module module_number reset device:partition mem-test-full command. This command is specific to Cisco IOS software and is not available in Catalyst operating system software.

A full memory test takes more time to complete than a partial memory test depending on the memory size. Table 2-2 lists the memory test time and approximate boot time for a long memory test.

Table 2-2 Memory Test Duration

Memory Size
Boot Time

1 GB

6 minutes


This example shows how to do a full memory test for module 5:

Router(config)# hw-module module 5 reset mem-test-full

Using the CLI

The software interface for the module is the Cisco IOS and the Catalyst operating system command-line interface accessed through a Telnet connection to the switch or through the switch console interface. Refer to the Catalyst 6500 Series Operating system Software Configuration Guide and the Catalyst 6500 Series Software Configuration Guide for details.

To understand the Cisco IOS command-line interface and Cisco IOS command modes, refer to Chapter 2, "Command-Line Interfaces," in the Catalyst 6500 Series IOS Software Configuration Guide.

To understand the Catalyst operating system command-line interface and Catalyst operating system command modes, refer to Chapter 2, "Command-Line Interfaces," in the Catalyst 6500 Series Configuration Guide.

Unless your switch is located in a fully trusted environment, we recommend that you configure the module through a Telnet connection using Secure Shell (SSH) encryption.

You can session into the module from the switch console and configure the firewall. Session is a Telnet interface through the Ethernet out-of-band channel (EOBC) of the switch backplane.

You can also make a Telnet connection into the module from a specified host and on a specific interface. Telnet support for this host should be configured or enabled from the module console.

Console output is redirected to all active Telnet sessions. When no Telnet session is available, the output is saved to a buffer. The buffer output can be subsequently examined when you make a Telnet connection into the module.

The module application software is similar to the Cisco PIX firewall software. This publication describes only the commands unique to the Firewall Services Module. For information about the PIX commands, refer to the PIX documentation at the following URLs:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/index.htm

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/index.htm