Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 2.2
Index
Symbols

/bits subnet masks D-3

A

AAA

accounting 12-25

authentication

CLI 12-8

enable 12-8

network access 12-20

authorization

command 12-10

downloadable ACLs 12-23

network access 12-22

clearing settings 17-9

local database support 12-4

maximum rules A-5

overview 12-1

performance 12-2

server

adding 12-6

types 12-4

abbreviating commands C-2

abbreviations E-1

access control entries

See ACEs

access control lists

See ACLs

accounting 12-25

ACEs

expanded 10-7

logging 10-26

maximum 10-7

order 10-6

ACLs

comments 10-25

commitment 10-6

compilation 10-6

downloadable 12-23

EtherType 10-16

expanded 10-7

guidelines 10-6

inbound 10-10

inserting lines 10-25

IP address guidelines 10-7

logging 10-26

manual commit 10-24

maximum rules 10-7

memory 10-7

NAT addresses 10-7

network access 10-13

object groups 10-17 to 10-24

order of ACEs 10-6

OSPF, route map 10-17

outbound 10-10

policy NAT 10-4

pools A-5

remarks 10-25

standard 10-17

acronyms E-1

activation key 5-10

Active Directory 13-11

active state, failover 15-2

adaptive security algorithm 1-5

address range, subnets D-4

admin context

changing 5-20

overview 5-1

alternate address, ICMP message D-9

Apple QuickTime 13-15

application inspection

See inspection engines

application partition passwords, clearing 17-9

ARP inspection

enabling 7-4

overview 7-3

static entry 7-4

ARP spoofing 7-3

ARP test, failover 15-13

ASA 1-5

attacks, protection from 1-6

audience profile xvii

authentication

CLI 12-8

enable 12-8

FTP 12-21

HTTP 12-21

network access 12-20

overview 12-2

Telnet 12-21

timeout 12-2

authorization

CLI 12-10

command 12-10

network access 12-22

overview 12-2

B

backing up configuration 16-5

bandwidth

limiting 5-12

maximum A-1

banners 6-5

BGP 10-3

bits subnet masks D-3

booting

from the module 17-8

from the switch 2-13

boot partitions 2-13

BPDUs

ACL, EtherType 10-16

forwarding on the switch 2-12

bridge entry timeout 7-2

bridge table

See MAC address table

Broadcast Ping test 15-13

buffering URL replies 14-3

bypassing the firewall 2-7

C

caching URLs 14-4

capturing packets 17-10

Catalyst 6500

See switch

Catalyst OS versions 1-2

CEF A-1

changing between contexts 5-20

Cisco 7600

See switch

Cisco CallManager 13-18

Cisco Firewall MC 1-4

Cisco IOS versions 1-2

Cisco IP/TV 13-15

Cisco IP Phones

inspection engine 13-18

with DHCP 8-20

Cisco PDM 1-4

Cisco VPN Client 11-7

Class A, B, and C addresses D-1

classes

See resource management

classifier 5-2

CLI

abbreviating commands C-2

adding comments C-4

authentication 12-8

authorization 12-10

command line editing C-3

command output paging C-4

displaying C-4

help C-6

paging C-4

privilege levels 12-11

syntax formatting C-2

command authorization

local user database 12-10

TACACS+ 12-13

command-line interface

See CLI

command privilege levels 12-11

command prompts C-1

comments

ACLs 10-25

configuration C-4

Compact Flash 2-13

configuration

backing up 16-5

clearing 3-4

comments C-4

context files 5-2

downloading 16-5

examples B-1

failover 15-10

minimum xxiii

saving 3-3

switch 2-1

text file 3-4

URL for a context 5-18

viewing 3-3

configuration mode

accessing 3-2

prompt C-2

connection limits 6-9

console

authentication 12-8

port 3-1

contexts

See security contexts

control plane path 1-5

conventions xix

conversion error, ICMP message D-9

crash dump 17-11

D

data flow

routed firewall 4-3

transparent firewall 4-12

debug messages 17-10

default class 5-13

default route 8-2

denial of service attacks, protection 1-6

deny flows, logging 10-28

DHCP

relay 8-21

server

Cisco IP Phones 8-20

configuring 8-19

overview 8-19

transparent firewall 10-3

DMZ, definition 1-1

DNS

inspection engine 13-6

NAT effect on 9-13

protection from attacks 1-6

DNS Guard 1-6

domain name 6-5

dotted decimal subnet masks D-3

downloadable ACLs 12-23

dynamic NAT

See NAT

E

echo reply, ICMP message D-9

editing command lines C-3

EIGRP 10-3

embryonic limit

routed firewall 9-23

transparent firewall 6-10

enable

accessing 3-2

authentication 12-8

password

changing 6-2

default 6-2

established command

maximum rules A-5

security level requirements 6-7

EtherChannel

backplane

load-balancing 2-11

overview 2-11

EtherType

ACL 10-16

assigned numbers 10-16

examples B-1

extended ACL 10-13

F

failover

actions 15-12

active state 15-2

bandwidth 15-5

configuration file

Flash memory 15-11

replication 15-10

running memory 15-11

terminal messages 15-11

configuring 15-14

contexts 15-2

debugging 15-23

disabling 15-22

display 15-19

examples 15-26

FAQs 15-23

forcing 15-22

gratuitous ARPs 15-2

inter-chassis 15-4

interface monitoring 15-13

interface policy 15-15

interface tests 15-13

intra-chassis 15-4

IP addresses 15-2

link communications 15-3

MAC addresses 15-10

monitoring 15-12

network tests 15-13

primary unit 15-10

secondary unit 15-10

standby state 15-2

stateful failover

overview 15-2

state information 15-3

state link 15-3

statistics 15-21

switch configuration 2-11

system messages 15-23

testing 15-22

threshold 15-15

transparent firewall 15-9

triggers 15-11

trunk 2-12, 15-4

unit health 15-13

verifying 15-18

VLANs 15-3

fast path 1-5

features 1-3

filtering

adding a server 14-2

buffering replies 14-3

caching URLs 14-4

FTP 14-6

HTTP 14-5

HTTPS 14-6

long URL maximum 14-4

maximum rules A-5

overview 14-1

security level requirements 6-6

servers supported 14-1

show command output C-3

statistics 14-6

Firewall MC 1-4

firewall mode, setting 4-16

fixups

See inspection engines

Flash memory

overview 2-13

partitions 2-13

size A-1

Flood Defender 1-6

Flood Guard 1-6

Frag Guard 1-6

fragment size 1-6

FTP

authentication 12-21

filtering 14-6

inspection engine 13-6

G

global addresses

recommendations 9-12

specifying 9-24

gratuitous ARPs, failover 15-2

guest user, maintenance partition 6-2

H

H.225, connection status 13-8

H.323

inspection engine 13-7

Skinny 13-18

version 13-7

help, command line C-6

host name 6-4

hosts, subnet masks for D-3

HSRP 4-9

HTTP

authentication 12-8

concurrent connections 11-4

filtering 14-5

inspection engine 13-10

long URL maximum 14-4

maximum rules A-5

HTTPS

filtering 14-6

management connection 11-4

maximum connections A-4

RSA key 11-4

I

ICMP

ACL 10-15

denied access 1-6

error inspection engine 13-11

inspection engine 13-10

management access 11-10

maximum rules A-5

object group 10-21

testing connectivity 17-4

type numbers D-9

IKE 11-5

ILS inspection engine 13-11

inbound ACLs 10-10

information reply, ICMP message D-9

information request, ICMP message D-9

inside, definition 1-1

inspection engines

configuring 13-4

DNS 13-6

FTP 13-6

H.323 13-7

HTTP 13-10

ICMP 13-10

ICMP error 13-11

ILS 13-11

LDAP 13-11

limitations 13-3

MGCP 13-12

NAT and PAT support 13-3

NetBIOS 13-14

OraServ 13-14

overview 13-1

RealAudio 13-14

RSH 13-15

RTSP 13-15

SCCP 13-18

security level requirements 6-6

SIP 13-16

Skinny 13-18

SMTP 13-19

SQL*Net 13-20

standards 13-3

static PAT 9-6

Sun RPC 13-21

TFTP 13-21

XDMCP 13-22

installation

module verification 2-2

software to any partition 16-3

software to current partition 16-2

interfaces

enabled status 6-7

failover monitoring 15-13

failover policy 15-15

global addresses 9-24

maximum A-2

naming 6-8

overview 1-7

security level

overview 6-6

setting 6-8

shared 5-5

standby address 15-16

turning off and on 6-9

IOS versions 1-2

IP addresses

classes D-1

configuring 8-2

management, transparent firewall 8-2

overlapping between contexts 5-3

private D-2

standby 15-16

subnet mask D-4

VPN client 11-7

IPSec

basic settings 11-5

client 11-7

management access 11-5

transforms 11-6

IP spoofing, protection from 1-6

IPX 2-7

ISAKMP 11-5

L

Layer 2 firewall

See transparent firewall

Layer 2 forwarding table

See MAC address table

LDAP inspection engine 13-11

level

See security level

link up/down test 15-13

load-balancing, backplane EtherChannel 2-11

local user database

adding a user 12-6

command authorization 12-10

logging in 12-9

support 12-4

lockout, recovering 12-19

logging

ACLs 10-26

system messages 17-1

login

FTP 12-21

local user 12-9

session 3-2

SSH 3-2

Telnet 3-2

viewing the user 12-18

login banners 6-5

login command 12-9

login password

changing 6-2

default 6-2

M

MAC addresses, failover 15-10

MAC address table

entry timeout 7-2

MAC learning, disabling 7-2

overview 4-12

resource management 5-16

static entry 7-2

MAC learning, disabling 7-2

Mail Guard 1-6, 13-19

maintenance partition

guest user 6-2

installing application software 16-3

password

changing 6-2

clearing 17-10

default 6-2

root user 6-2

software installation 16-5

management access authentication 12-8

management IP address, transparent firewall 8-2

management support 1-4

man-in-the-middle attack 7-3

manual commit 10-24

mapped interface name 5-18

mask reply, ICMP message D-9

mask request, ICMP message D-9

maximum connections 9-23

memory

ACLs 10-7

Flash A-1

RAM A-1

rules 10-7

message-of-the-day banner 6-5

MGCP inspection engine 13-12

Microsoft Exchange 13-19

minimum configuration xxiii

mobile redirection, ICMP message D-9

mode

context 5-11

firewall 4-16

monitoring

failover 15-12

OSPF 8-16

resource management 5-24

security contexts 5-23

SNMP 17-2

More prompt C-4

MPLS

LDP 10-16

router-id 10-16

TDP 10-16

MSFC

definition 1-2

overview 1-9

SVIs 2-7

multicast traffic 4-9

Multilayer Switch Feature Card

See MSFC

multiple mode, enabling 5-11

multiple SVIs 2-6

N

N2H2 Sentian filtering server 14-1

naming an interface 6-8

NAT

bypassing NAT

configuration 9-28

overview 9-7

DNS 9-13

dynamic NAT

configuring 9-22

implementation 9-16

overview 9-3

embryonic limit 9-23

examples 9-31

exemption from NAT

configuration 9-30

overview 9-7

identity NAT

configuration 9-28

overview 9-7

inspection engine support 13-3

maximum connections 9-23

NAT ID 9-16

order of statements 9-12

outside NAT 9-10

overlapping addresses 9-32

overview 9-1, 9-2

PAT

configuring 9-22

implementation 9-16

overview 9-4

policy NAT

maximum rules A-5

overview 9-8

port redirection 9-33

same security level 9-11

security level requirements 6-6

static NAT

configuring 9-25

overview 9-5

static PAT

configuring 9-26

overview 9-5

transparent firewall 4-11

types 9-3

NetBIOS inspection engine 13-14

NetMeeting 13-11

Network Activity test 15-13

Network Address Translation

See NAT

network processors 1-5

NPs 1-5

O

object groups

adding

ICMP 10-21

network 10-19

protocol 10-19

service 10-20

displaying 10-24

expanded 10-7

nesting 10-22

overview 10-18

removing 10-24

operating system 1-8

OraServ inspection engine 13-14

OSPF

ACL for route map 10-17

area authentication 8-11

area MD5 authentication 8-11

area parameters 8-11

authentication key 8-9

cost 8-9

dead interval 8-9

default route 8-14

displaying update packet pacing 8-16

enabling 8-5

hello interval 8-9

interface parameters 8-9

link-state advertisement 8-5

logging neighbor states 8-15

MD5 authentication 8-10

monitoring 8-16

NSSA 8-12

overview 8-4

packet pacing 8-16

processes 8-5

redistributing routes 8-6

route calculation timers 8-15

route map 8-6

route summarization 8-13

stub area 8-12

summary route cost 8-12

outbound ACLs 10-10

outside, definition 1-1

outside NAT 9-10

oversubscribing resources 5-12

P

packet capture 17-10

packet classifier 5-2

packet flow

routed firewall 4-3

transparent firewall 4-12

paging screen displays C-4

parameter problem, ICMP message D-9

partitions

application 2-13

boot 2-13

crash dump 2-13

Flash memory 2-13

maintenance 2-13

network configuration 2-13

passwords

clearing

application 17-9

maintenance 17-10

enable

changing 6-2

default 6-2

login

changing 6-2

default 6-2

maintenance partition

changing 6-2

default 6-2

troubleshooting 17-9

PAT

See NAT

PDM

allowing connections 11-4

installation 16-2

maximum connections A-4

version 1-4

ping

See ICMP

PIX

implicit permit 1-7

operating system 1-8

security levels 6-7

policy NAT

ACLs 10-4

dynamic, configuring 9-22

inspection engines 9-6

maximum rules A-5

overview 9-8

static, configuring 9-25

static PAT, configuring 9-27

pools

address

DHCP 8-19

global NAT 9-24

addresses

VPN 11-7

context rules A-5

port redirection, NAT 9-33

primary unit, failover

overview 15-10

setting 15-15

private networks D-2

privileged mode

accessing 3-2

authentication 12-8

prompt C-2

privilege levels, for commands 12-11

prompts

command C-1

more C-4

protocol numbers and literal values D-5

Q

quick start xxiii

R

RADIUS

adding a server 12-6

CLI authentication 12-8

downloadable ACLs 12-23

enable command authentication 12-9

network access authentication 12-21

network access authorization 12-23

support 12-4

RealAudio

inspection engine 13-14

RTSP 13-15

RealNetworks 13-15

RealPlayer 13-15

rebooting

from the module 17-8

from the switch 2-13

redirect, ICMP message D-9

redundancy

See failover

reloading

context 5-22

module 17-8

remarks 10-25

requirements 1-2

resetting

from the module 17-8

from the switch 2-13

resource management

assigning a context 5-19

configuring 5-14

default class 5-13

monitoring 5-24

oversubscribing 5-12

overview 5-12

resource types 5-16

unlimited 5-13

reverse route lookup

See Unicast RPF

RIP

default route updates 8-18

enabling 8-18

overview 8-18

passive 8-18

root user, maintenance partition 6-2

routed firewall mode, setting 4-16

route map ACL 10-17

router advertisement, ICMP message D-9

router solicitation, ICMP message D-9

routing

default route 8-2

OSPF 8-4 to 8-17

other protocols 10-3

RIP 8-18 to 8-19

static 8-3

RSA key 11-3, 11-4

RSH, inspection engine 13-15

RTSP, inspection engine 13-15

RTSP restrictions 13-15

rules

manually committing 10-24

maximum 10-7

pools for contexts A-5

S

same security level communication

embryonic connections 6-9

enabling 6-8

maximum connections 6-9

NAT 9-11

SCCP

fragmented packets 13-19

H.323 13-18

inspection engine 13-18

secondary unit, failover 15-10

security contexts

adding 5-17

admin context

changing 5-20

overview 5-1

assigning to a resource class 5-19

changing between 5-20

classifier 5-2

configuration

files 5-2

URL, changing 5-21

URL, setting 5-18

IP address overlap 5-3

logging in 5-9

mapped interface name 5-18

monitoring 5-23

multiple mode, enabling 5-11

name guidelines 5-17

nesting or cascading 5-9

overview 5-1

prompt C-1

reloading 5-22

removing 5-20

resource management 5-12

VLAN allocation 5-18

security level

allowing communication between the same level 6-8

overview 6-6

PIX comparison 6-7

same security 6-8

setting 6-8

security policy 1-7

Sentian filtering server 14-1

serial number 5-10

server

AAA 12-6

filtering 14-2

sessioning from the switch 3-1

session management path 1-5

shared VLANs 5-5

show command, filtering output C-3

shutting down an interface 6-9

Simple Network Management Protocol

See SNMP

single mode

backing up configuration 5-10

configuration 5-11

enabling 5-11

restoring 5-11

SIP inspection engine 13-16

SiteServer 13-11

site-to-site tunnel 11-8

Skinny

fragmented packets 13-19

H.323 13-18

inspection engine 13-18

SMTP

inspection engine 13-19

protection from attacks 1-6

SNMP

overview 17-2

traps 17-2

software installation

any partition 16-3

current partition 16-2

maintenance 16-5

source quench, ICMP message D-9

SPAN session 2-1

specifications A-1

SQL*Net inspection engine 13-20

SSH

authentication 12-8

concurrent connections 11-2

login 11-3

management access 11-2

maximum rules A-5

RSA key 11-3

username 11-4

version 11-2

standard ACL 10-17

standby state, failover 15-2

startup configuration 5-2

stateful failover

See failover

stateful inspection 1-5

state information 15-3

state link 15-3

static ARP entry 7-4

static bridge entry 7-2

static NAT

See NAT

static PAT

See NAT

static routes 8-3

stealth firewall

See transparent firewall

subcommand mode prompt C-2

subnet masks

/bits D-3

address range D-4

dotted decimal D-3

number of hosts D-3

overview D-2

Sun RPC, inspection engine 13-21

supervisor engine versions 1-2

supervisor IOS 1-2

SVIs

configuring 2-8

multiple 2-6

overview 2-6

switch

adding VLANs 2-3

assigning VLANs to module 2-2

assigning VLANs to ports 2-3

BPDU forwarding 2-12

configuration 2-1

failover compatibility with transparent firewall 2-12

failover configuration 2-11

maximum modules A-1

resetting the module 2-13

sessioning to the module 3-1

system requirements 1-2

trunk for failover 2-12

verifying module installation 2-2

switched virtual interfaces

See SVIs

Switch Fabric Module A-1

SYN packet attack protection 1-6

syntax formatting C-2

system configuration

network settings 5-2

overview 5-1

system requirements 1-2

T

TACACS+

adding a server 12-6

command authorization 12-13

network access authorization 12-22

support 12-4

TCP intercept

overview 1-6

security level requirements 6-6

TCP ports and literal values D-5

TCP sequence number randomization

disabling

routed mode 9-22

same security level 6-10

transparent firewall 6-10

security level requirements 6-7

Telnet

authentication 12-8

concurrent connections 11-1

management access 11-1

maximum rules A-5

test 15-13

testing configuration 17-4

TFTP inspection engine 13-21

time exceeded, ICMP message D-9

timestamp reply, ICMP message D-9

timestamp request, ICMP message D-9

traffic flow

routed firewall 4-3

transparent firewall 4-12

transparent firewall

ARP inspection

enabling 7-4

overview 7-3

static entry 7-4

data flow 4-12

DHCP packets, allowing 10-3

embryonic limit 6-10

EtherType ACL 10-16

examples B-15

failover 15-9

guidelines 4-11

HSRP 4-9

MAC address timeout 7-2

MAC learning, disabling 7-2

management IP address 8-2

maximum connections 6-10

mode, setting 4-16

multicast traffic 4-9

NAT 4-11

overview 4-9

packet handling 10-3

static bridge entry 7-2

TCP sequence number randomization, disabling 6-10

VLANs 4-9

VRRP 4-9

traps, SNMP 17-2

trunk, failover 15-4

U

UDP

connection state information 1-5

ports and literal values D-5

Unicast Reverse Path Forwarding 1-6

Unicast RPF 1-6

unprivileged mode

accessing 3-2

password 6-2

prompt C-1

unreachable, ICMP message D-9

URL

context configuration, changing 5-21

context configuration, setting 5-18

filtering 14-1

user, logged in 12-18

V

virtual firewalls

See security contexts

Virtual Re-assembly 1-6

VLANs

adding to switch 2-3

allocating to a context 5-18

assigning to switch ports 2-3

assigning to FWSM 2-2

failover interface 15-3

interfaces 2-2

mapped interface name 5-18

maximum A-2

overview 1-7

shared 5-5

VoIP

gateways and gatekeepers 13-7

H.323 13-7

MGCP 13-12

SCCP 13-18

Skinny 13-18

VPN

basic settings 11-5

client tunnel 11-7

management access 11-5

site-to-site tunnel 11-8

transforms 11-6

VRRP 4-9

W

WAN ports 1-2

Websense Enterprise filtering server 14-1

X

XDMCP, inspection engine 13-22