Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 2.3
Managing Security Contexts
Downloads: This chapterpdf (PDF - 444.0KB) The complete bookPDF (PDF - 4.49MB) | Feedback

Managing Security Contexts

Table Of Contents

Managing Security Contexts

Security Context Overview

Common Uses for Security Contexts

Unsupported Features

Context Configuration Files

How the FWSM Classifies Packets

Sharing Interfaces Between Contexts

NAT and Origination of Traffic

Sharing an Outside Interface

Sharing an Inside Interface

Logging into the FWSM in Multiple Context Mode

Enabling or Disabling Multiple Context Mode

Backing Up the Single Mode Configuration

Entering an Activation Key for Multiple Security Contexts

Enabling Multiple Context Mode

Restoring Single Context Mode

Configuring Resource Management

Classes and Class Members Overview

Resource Limits

Default Class

Class Members

Configuring a Class

Configuring Memory Partitions

Configuring a Security Context

Removing a Security Context

Changing the Admin Context

Changing Between Contexts and the System Execution Space

Changing the Security Context URL

Reloading a Security Context

Reloading by Clearing the Configuration

Reloading by Removing and Re-adding the Context

Monitoring Security Contexts

Viewing Context Information

Viewing Resource Allocation

Viewing Resource Usage

Monitoring SYN Attacks using TCP Intercept


Managing Security Contexts


This chapter tells how to configure multiple security contexts on the Firewall Services Module (FWSM), and includes the following sections:

Security Context Overview

Enabling or Disabling Multiple Context Mode

Configuring Resource Management

Configuring a Security Context

Removing a Security Context

Changing the Admin Context

Changing Between Contexts and the System Execution Space

Changing the Security Context URL

Reloading a Security Context

Monitoring Security Contexts

Security Context Overview

You can partition a single FWSM into multiple virtual firewalls, known as security contexts. Each context is an independent firewall, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple stand-alone firewalls.

Each context has its own configuration that identifies the security policy, interfaces, and almost all the options you can configure on a stand-alone firewall. If desired, you can allow individual context administrators to implement the security policy on the context. Some resources are controlled by the overall system administrator, such as VLANs and system resources, so that one context cannot affect other contexts inadvertently.

The system administrator adds and manages contexts by configuring them in the system configuration, which identifies basic settings for the FWSM. The system administrator has privileges to manage all contexts. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.

The admin context is just like any other context, except that when a user logs into the admin context (for example, over an SSH connection), then that user has system administrator rights, and can access the system execution space and all other contexts. Typically, the admin context provides network access to network-wide resources, such as a syslog server or context configuration server.

This section provides an overview of security contexts, and includes the following topics:

Common Uses for Security Contexts

Unsupported Features

Context Configuration Files

How the FWSM Classifies Packets

Sharing Interfaces Between Contexts

Logging into the FWSM in Multiple Context Mode

Common Uses for Security Contexts

You might want to use multiple security contexts in the following situations:

You are a service provider and want to sell firewall services to many customers. By enabling multiple security contexts on the FWSM, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.

You are a large enterprise or a college campus and want to keep departments completely separate.

You are an enterprise that wants to provide distinct security policies to different departments.

You have any network that requires more than one firewall.

Unsupported Features

Multiple context mode does not support the following features:

Dynamic routing protocols

Security contexts support only static routes. You cannot enable OSPF or RIP in multiple context mode.

Multicast

Context Configuration Files

Each context has its own configuration file that identifies the security policy, interfaces, and almost all the options you can configure on a stand-alone firewall. You can store context configurations on the local disk partition on the Flash memory card, or you can download them from a TFTP, FTP, or HTTP(S) server.

In addition to individual security contexts, the FWSM also includes a system configuration that identifies basic settings for the FWSM, including a list of contexts. Like the single mode configuration, this configuration resides as the "startup" configuration in the flash partition.

The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from a server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only, as well as the Ethernet Out-of-Band Channel (EOBC) to the switch, which does not require any configuration. If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the disk partition called admin.cfg. In the FWSM CLI, this context is named "admin." If you do not want to use admin.cfg as the admin context, you can change the admin context using the "Changing the Admin Context" section.

How the FWSM Classifies Packets

Each packet that enters the FWSM must be classified, so that the FWSM can determine to which context to send a packet. The classifier uses the following rules to assign the packet to a context:

1. If only one context is associated with the ingress interface, the FWSM classifies the packet into that context.

In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times.

2. If multiple contexts are associated with the ingress interface, then the FWSM classifies the packet into a context by matching the destination address to one of the following context configurations:

a. Interface IP address (the ip address command)

The classifier looks at the interface IP address for traffic destined to an interface, such as management traffic.

b. Mapped address in a static NAT statement (the static command)

The classifier only looks at static commands where the mapped interface matches the ingress interface of the packet.

c. Mapped address in an active dynamic address translation (set by the global command).

The classifier looks at mapped IP addresses in the translation table for the ingress interface.


Note The classifier does not use a NAT exemption configuration for classification purposes because NAT exemption does not identify a mapped interface.

A packet must be classified in to a context based on one of the above methods. For example, if a context includes a static route that points to an external router as the next-hop to a subnet, and a different context includes a static command for the same subnet, then the classifier uses the static command to classify packets destined for that subnet and ignores the static route.


For example, if each context has unique interfaces, then the classifier associates the packet with the context based on the ingress interface. If you share an interface across contexts, however, then the classifier uses the destination address.

Because the destination address classification requires NAT (for through traffic), be sure to use unique interfaces for each context if you do not use NAT.

Figure 5-1 shows multiple contexts sharing an outside interface, while the inside interfaces are unique, allowing overlapping IP addresses. The classifier assigns the packet to Context B because Context B includes the address translation that matches the destination address.

Figure 5-1 Packet Classification with a Shared Interface

Note that all new incoming traffic must be classified, even from inside networks. Figure 5-2 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is VLAN 300, which is assigned to Context B.

Figure 5-2 Incoming Traffic from Inside Networks

For transparent firewalls, you must use unique interfaces. For the classifier, the lack of NAT support in transparent mode leaves unique interfaces as the only means of classification. Figure 5-3 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is VLAN 300, which is assigned to Context B.

Figure 5-3 Transparent Firewall Contexts

Sharing Interfaces Between Contexts

The FWSM lets you share an interface between contexts. However, packet classification requirements might make sharing interfaces impractical. Because the classifier relies on active NAT sessions to classify the destination addresses to a context, the classifier is limited by how you can configure NAT. If you do not want to perform NAT, you must use unique interfaces.


Note The FWSM does not support sharing the outside interface of one context with the inside interface of another context (known as cascading contexts). Traffic that is outbound from one context(from a higher to a lower security interface) can only enter another context as inbound traffic (lower to higher security); it cannot be outbound for both contexts, or inbound for both contexts.


This section includes the following topics:

NAT and Origination of Traffic

Sharing an Outside Interface

Sharing an Inside Interface

NAT and Origination of Traffic

The type of NAT configured determines whether the traffic can originate on the shared interface or if it can only respond to an existing connection. When you use dynamic NAT, you cannot initiate a connection to the real addresses. Therefore, traffic from the shared interface must be in response to an existing connection. Static NAT, however, lets you initiate connections, so you can initiate connections on the shared interface.

Sharing an Outside Interface

When you have an outside shared interface (connected to the Internet, for example), the destination addresses on the inside are limited, and are known by the system administrator, so configuring NAT for those addresses is easy, even if you want to configure static NAT.

Sharing an Inside Interface

Configuring an inside shared interface poses a problem, however, if you want to allow communication between the shared interface and the Internet, where the destination addresses are unlimited. For example, if you want to allow inside hosts on the shared interface to initiate traffic to the Internet, then you need to configure static NAT statements for each Internet address. This requirement necessarily limits the kind of Internet access you can provide for users on an inside shared interface. (If you intend to statically translate addresses for Internet servers, then you also need to consider DNS entry addresses and how NAT affects them. For example, if a server sends a packet to www.example.com, then the DNS server needs to return the translated address. Your NAT configuration determines DNS entry management.)

Figure 5-4 shows two servers on an inside shared interface. One server sends a packet to the translated address of a web server, and the FWSM classifies the packet to go through Context C because it includes a static translation for the address. The other server sends the packet to the real untranslated address, and the packet is dropped because the FWSM cannot classify it.

Figure 5-4 Originating Traffic on a Shared Interface

Logging into the FWSM in Multiple Context Mode

When you session into the FWSM, you access the system execution space. If you later configure Telnet or SSH access to a context, you can log into a specific context. If you log into a specific context, you can only access the configuration for that context. However, if you log into the admin context or session into the system execution space, you can access all contexts.

When you change to a context from admin, you continue to use the username and command authorization settings set in the admin context.

The system execution space does not support any AAA commands, but you can configure its own login and enable passwords, as well as usernames in the local database to provide individual logins.

Enabling or Disabling Multiple Context Mode

Your FWSM might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. To view the mode, enter show mode.

The default software license lets you create and use two contexts in addition to the admin context. For more contexts (up to 100), purchase a license from Cisco Systems.

This section includes:

Backing Up the Single Mode Configuration

Entering an Activation Key for Multiple Security Contexts

Enabling Multiple Context Mode

Restoring Single Context Mode

Backing Up the Single Mode Configuration

When you convert from single mode to multiple mode, the FWSM converts the running configuration into two files: a new startup configuration (in Flash) that comprises the system configuration, and admin.cfg (in the disk partition) that comprises the admin context. The original running configuration is saved as old_running.cfg (in disk). The original startup configuration is not saved, so if it differs from the running configuration, you should back it up before proceeding.

Entering an Activation Key for Multiple Security Contexts

The activation key to enable more than two contexts (plus the admin context) is based on your FWSM serial number. Enter the following commands to view your serial number and to enter a key.

To show the serial number to give to Cisco when ordering your key, enter the following command:

FWSM> show version | include Number

Enter the pipe character (|) as part of the command.

To enter the activation key, enter the following command:

FWSM(config)# activation-key key

The key is a four-element hexadecimal string with one space between each element. For example, a key in the correct form might look like the following key:

0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e

The leading 0x specifier is optional; all values are assumed to be hexadecimal.

If you are already in multiple context mode, enter this command in the system execution space.


Note The activation key is not stored in your configuration file. The key is tied to the serial number of the device.


Enabling Multiple Context Mode

The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, you will need to reenter this command on the new device.

When you convert from single mode to multiple mode, the FWSM converts the running configuration into two files: a new startup.cfg (in Flash) that comprises the system configuration, and admin.cfg (in the disk partition) that comprises the admin context. The original running configuration is saved as old_running.cfg (in disk). The original startup configuration is not saved. The FWSM automatically adds an entry for the admin context to the system configuration with the name "admin."


To enable multiple mode, enter the following command:

FWSM(config)# mode multiple

You are prompted to reboot the FWSM.


Restoring Single Context Mode

If you convert from multiple mode to single mode, the startup configuration is not automatically converted back to the original running configuration. You must copy the backup version of the original running configuration to the current startup configuration. (If you do not have the original configuration, you can start over at the command line.) Because the system configuration does not have any network interfaces as part of its configuration, you must session into the FWSM from the switch to perform the copy (see the "Sessioning and Logging into the Firewall Services Module" section on page 3-1).

To copy the old running configuration to the startup configuration and to change the mode to single mode, enter these commands in the system execution space:


Step 1 To copy the backup version of your original running configuration to the current startup configuration, enter the following command in the system execution space:

FWSM(config)# copy disk:old_running.cfg startup-config

Step 2 To set the mode to single mode, enter the following command in the system execution space:

FWSM(config)# mode single

The FWSM reboots.


Configuring Resource Management

By default, all security contexts have unlimited access to the resources of the FWSM, except where maximum limits per context are enforced. However, if you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context.


Note The FWSM does not limit the bandwidth per context; however, the switch containing the FWSM can limit bandwidth per VLAN. See the switch documentation for more information.


This section includes the following topics:

Classes and Class Members Overview

Configuring a Class

Classes and Class Members Overview

The FWSM manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics:

Resource Limits

Default Class

Class Members

Resource Limits

When you create a class, the FWSM does not set aside a portion of the resources for each context assigned to the class; rather, the FWSM sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can "use up" those resources, potentially affecting service to other contexts.

You can set the limit for all resources together as a percentage of the total available for the device. Also, you can set the limit for individual resources as a percentage or as an absolute value.

You can oversubscribe the FWSM by assigning more than 100 percent of the resources across all contexts. For example, you can set the Bronze class to limit connections to 20 percent per context, and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the system limit, then each context gets less than the 20 percent you intended. (See Figure 5-5.)

Figure 5-5 Resource Oversubscription

The FWSM lets you assign unlimited access to one or more resources in a class, instead of a percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource as the system has available. For example, Context A, B, and C are in the Silver Class, which limits each class member to 1 percent of the system inspections per second, for a total of 3 percent; but the three contexts are currently only using 2 percent combined. Gold Class has unlimited access to inspections. The contexts in Gold Class can use more than the 97 percent of "unassigned" inspections; they can also use the 1 percent of inspections not currently in use by Context A, B, and C, even if that means that Context A, B, and C are unable to reach their 3 percent combined limit. (See Figure 5-6.) Setting unlimited access is similar to oversubscribing the FWSM, except that you have less control over how much you oversubscribe the system.

Figure 5-6 Unlimited Resources

Default Class

All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class.

If a context belongs to a class other than the default class, those class settings always override the default class settings. However, if the other class has any settings that are not defined, then the member context uses the default class for those limits. For example, if you create a class with a 2 percent limit for all concurrent connections, but no other limits, then all other limits are inherited from the default class. Conversely, if you create a class with a 2 percent limit for all resources, the class uses no settings from the default class.

By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context:

Telnet sessions—5 sessions.

SSH sessions—5 sessions.

IPSec sessions—5 sessions.

MAC addresses—65,535 entries.

Figure 5-7 shows the relationship between the default class and other classes. Contexts A and C belong to classes with some limits set; other limits are inherited from the default class. Context B inherits no limits from default because all limits are set in its class, the Gold class. Context D was not assigned to a class, and is by default a member of the default class.

Figure 5-7 Resource Classes

Class Members

To use the settings of a class, assign the context to the class when you define the context. All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to default. You can only assign a context to one resource class. The exception to this rule is that limits that are undefined in the member class are inherited from the default class; so in effect, a context could be a member of default plus another class.

Configuring a Class

To add or change a class in the system configuration, follow these steps. After you add the class, you can add more limits as required by following this procedure again for the same class name and specifying additional limits. You do not need to reenter existing resource commands; the commands you already set remain in place unless you remove them with the no form of the command. You can change the value of a particular resource limit by reentering the command with a new value.

To configure a resource class, follow these steps:


Step 1 To specify the class name and enter the class configuration mode, enter the following command in the system execution space:

FWSM(config)# class name

The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name.

Step 2 To set the resource limits, see the following options:

To set all resource limits (shown in Table 5-1), enter the following command:

FWSM(config-resmgmt)# limit-resource all {number% | 0}

The number is an integer greater than or equal to 1. 0 (without a percent sign (%)) sets the resources to unlimited. You can assign more than 100 percent if you want to oversubscribe the device.

To set a particular resource limit, enter the following command:

FWSM(config-resmgmt)# limit-resource [rate] resource_name number[%]

For this particular resource, the limit overrides the limit set for all. Enter the rate argument to set the rate per second for certain resources. See Table 5-1 for resources for which you can set the rate per second.

Table 5-1 lists the resource types and the limits. See also the show resource types command.

Table 5-1 Resource Names and Limits 

Resource Name
Minimum and Maximum Number per Context
Total Number for System
Description

mac-addresses

N/A

65 K concurrent

For transparent firewall mode, the number of MAC addresses allowed in the MAC address table.

conns

N/A

999,900 concurrent

102,400 per second (rate)

TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.

Note For concurrent connections, the FWSM allocates half of the limit to each of two network processors (NPs) that accept connections. Typically, the connections are divided evenly between the NPs. However, in some circumstances, the connections are not evenly divided, and you might reach the maximum connection limit on one NP before reaching the maximum on the other. In this case, the maximum connections allowed is less than the limit you set. The NP distribution is controlled by the switch based on an algorithm. You can adjust this algorithm on the switch (see the "Customizing the FWSM Internal Interface" section on page 2-10), or you can adjust the connection limit upward to account for the inequity.

fixups

N/A

10,000 per second (rate)

Application inspection.

hosts

N/A

256 K concurrent

Hosts that can connect through the FWSM.

ipsec

1 minimum

5 maximum concurrent

10 concurrent

IPSec sessions

pdm

1 minimum

5 maximum concurrent

32 concurrent

PDM management sessions.

Note PDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 PDM sessions represents a limit of 64 HTTPS sessions.

ssh

1 minimum

5 maximum concurrent

100 concurrent

SSH sessions.

syslogs

N/A

30,000 per second (rate)

System messages.

Note The FWSM can support 30,000 messages per second for messages sent to the FWSM terminal or buffer. If you send messages to a syslog server, the FWSM supports 25,000 per second.

telnet

1 minimum

5 maximum concurrent

100 concurrent

Telnet sessions.

xlates

N/A

256 K concurrent

NAT translations.



For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the following commands:

FWSM(config)# class default
FWSM(config-class)# limit-resource conns 10%

All other resources remain at unlimited.

To add a class called gold with all resources set to 5 percent, except for fixups, with a setting of 10 percent, enter the following commands:

FWSM(config)# class gold
FWSM(config-class)# limit-resource all 5%
FWSM(config-class)# limit-resource fixups 10%

To add a class called silver with all resources set to 3 percent, except for syslogs, with a setting of 500 per second, enter the following commands:

FWSM(config)# class silver
FWSM(config-class)# limit-resource all 3%
FWSM(config-class)# limit-resource rate syslogs 500

Configuring Memory Partitions

In multiple context mode, the FWSM partitions the memory allocated to rule configuration, and assigns each context to a partition. By default, a context belongs to one of 12 partitions that offers a maximum of 12,130 rules, including ACEs, AAA rules, and others. The FWSM assigns contexts to the partitions in the order they are loaded at startup. For example, if you have 12 contexts, each context is assigned to its own partition, and can use 12,130 rules. If you add one more context, then context number 1 and the new context number 13 are both assigned to partition 1, and can use 12,130 rules divided between them; the other 11 contexts continue to use 12,130 rules each. If you delete contexts, the partition membership does not shift, so you might have some unequal distribution until you reboot, at which time the contexts are evenly distributed.


Note Rules are used up on a first come, first served basis, so one context might use more rules than another context.


See the "Rule Limits" section on page A-5 for more information about rule limits.

Alternatively, you can manually assign a context to a partition. To assign a context to a partition, see the "Configuring a Security Context" section. You can also reduce the number of partitions to better match the number of contexts you have.


Note Changing the number of partitions requires you to reload the FWSM.


To change the number of memory partitions, perform the following steps:


Step 1 To set the number of partitions, enter the following command in the system execution space:

FWSM(config)# resource acl-partition number_of_partitions

Where number_of_partitions is between 1 and 12.


Note If you assign a context to a partition, the partition numbering starts with 0. So if you have 12 partitions, the partition numbers are 0 through 11. See the "Configuring a Security Context" section to assign contexts to partitions.


You see the following prompt:

This configuration command leads to repartitioning of ACL memory. It will not take effect 
unless you save the configuration to startup configuration and reboot. Would you like to 
save the configuration and reboot now? [n]

Step 2 To reload the FWSM, enter Y.

If you do not reload the FWSM now, then make sure to save the configuration and reload later.

If you are using failover, you must also reload the other failover unit because the memory partitions must match on both units. Traffic loss can occur because both units are down at the same time.

Step 3 If you are using failover, reload the other unit by entering the following command:

FWSM(config)# reload


The following example shows how to verify the current mapping of contexts to memory partitions:

FWSM(config)# show resource acl-partition
Total number of configured partitions = 2
Partition #0
        Mode                       :exclusive
        List of Contexts        :bandn, borders
        Number of contexts   :2(RefCount:2)
        Number of rules         :0(Max:53087)
Partition #1
        Mode                       :non-exclusive
        List of Contexts        :admin, momandpopA, momandpopB, momandpopC
                                         momandpopD
        Number of contexts   :5(RefCount:5)
        Number of rules         :6(Max:53087)

For information about exclusive and non-exclusive partitions, see the "Configuring a Security Context" section.

Configuring a Security Context

The security context definition in the system configuration identifies the context name, configuration file URL, VLANs that a context can use, and the resource class to which a context belongs. After you add the context, you can add more VLAN interfaces as required by following this procedure again and specifying additional interfaces. You do not need to reenter other context commands again; the commands you already set remain in place unless you remove them with the no form of the command. You can change the value of single-instance commands by reentering the command with a new value. For commands that you can enter multiple times, such as the allocate-interface command, you must remove the command with the no form and then re-add the altered version.


Note Before you configure the first context, configure the ACL partition. See the "Configuring Memory Partitions" section.



Note If you do not have an admin context (for example, if you clear the configuration), then the first context you add must be the admin context. Before continuing with this procedure to add a context, enter the following command:

FWSM(config)# admin-context name

You can now enter the context name command to match the name you specified for the admin context.


To add or change a context in the system configuration, follow these steps:


Step 1 To add or modify a context, enter the following command in the system execution space:

FWSM(config)# context name

The name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts named "customerA" and "CustomerA," for example.

We recommend you do not use the names "count" or "detail." These names are options in the show context command, so you cannot use the show context command to show information about a context called "count" or "detail." "system" is a reserved name, and cannot be used.

Step 2 (Optional) To add a description for this context, enter the following command:

FWSM(config-context)# description text

Step 3 To specify the VLAN interfaces you can use in the context, enter the following command:

FWSM(config-context)# allocate-interface vlannumber[-vlannumber] [map_name[-map_name]]

You can enter this command multiple times to specify different ranges. For transparent firewall mode, you can only use two interfaces per context. If you remove an allocation with the no form of this command, then any context commands that include this interface are removed from the running configuration.

Enter a VLAN number or a range of VLANs, typically from 1 to 1000 and from 1025 to 4094 (see the switch documentation for supported VLANs). You can assign the same VLANs to multiple contexts, if desired. See the "Sharing Interfaces Between Contexts" section for more information about shared VLAN limitations.

The map_name is an alphanumeric alias for the VLAN interface that can be used within the context instead of the VLAN number. If you do not specify a mapped name, the VLAN number is used within the context. For security purposes, you might not want the context administrator to know which VLANs are being used by the context. Instead of using the VLAN number in the nameif command, for example, you can use the mapped name.

A mapped name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. For example, you can use the following names:

int0
inta
int_0

If you specify a range of VLAN IDs, you can specify a matching range of mapped names. Follow these guidelines for ranges:

The mapped name must consist of an alphabetic portion followed by a numeric portion. The alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range:

int0-int10

The numeric portion of the mapped name must include the same quantity of numbers as the vlanx-vlany statement. For example, both ranges include 100 interfaces:

vlan100-vlan199 int1-int100

If you enter vlan100-vlan199 int1-int15 or vlan100-vlan199 happy1-sad5, for example, the command fails.

The following example shows VLANs 100, 200, and 300 through 305 assigned to the context. The mapped names are int1 through int8.

FWSM(config-context)# allocate-interface vlan100 int1
FWSM(config-context)# allocate-interface vlan200 int2
FWSM(config-context)# allocate-interface vlan300-vlan305 int3-int8

Step 4 To identify the URL from which the system downloads the context configuration, enter the following command:

FWSM(config-context)# config-url url

When you add a context URL, the system immediately loads the context so that it is running, if the configuration is available.


Note Enter the allocate-interface command(s) before you enter the config-url command. The FWSM must assign VLAN interfaces to the context before it loads the context configuration; the context configuration might include commands that refer to interfaces (nameif, nat, global...). If you enter the config-url command first, the FWSM loads the context configuration immediately. If the context contains any commands that refer to interfaces, those commands fail.


See the following URL syntax:

disk://[path/]filename

The disk is a 64-MB partition of Flash that uses a navigable file system. The disk partition is used only for context storage. The system configuration and the software image reside in the Flash partition (called flash). The filename does not require a file extension, although we recommend using ".cfg". If the configuration file is not available, you see the following message:

%Error opening disk:/filename (File not found)

You can then change to the context, configure it at the CLI, and enter the write memory command to write the file to Flash memory.


Note The admin context file must be stored on the internal Flash memory.


ftp://[user[:password]@]server/[path/]filename

The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using ".cfg".

tftp://server/[path/]filename

The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using ".cfg".

http://server/[path/]filename

The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using ".cfg".

https://server/[path/]filename

The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using ".cfg".

For example, enter the following command:

FWSM(config-context)# config-url ftp://joe:passw0rd1@10.1.1.1/configlets/test.cfg

Step 5 (Optional) To assign the context to a resource class, enter the following command:

FWSM(config-context)# member class_name

If you do not specify a class, the context belongs to the default class. You can only assign a context to one resource class.

For example, to assign the context to the gold class, enter the following command:

FWSM(config-context)# member gold

Step 6 (Optional) To map a context to a specific memory partition, enter the following command:

FWSM(config-context)# allocate-acl-partition partition_number

The partition_number is an integer from 0 to the number of partitions available, minus 1. The default is 12 partitions, so the range is 0 to 11. See the "Configuring Memory Partitions" section to configure the number of memory partitions.

When you assign a context to a partition, then the partition becomes exclusive. An exclusive partition only includes contexts that you specifically assign to it. Partitions that do not have contexts specifically assigned to them are non-exclusive and contexts are allocated to them in a round-robin fashion.


Note If you assign contexts to all partitions, then they are all exclusive. If you later add a context that is not assigned to a partition, however, then it is assigned to partition 0 by default.


For example, to assign the context to the first partition, enter the following command:

FWSM(config-context)# allocate-acl-partition 0


See the following sample context configurations:

FWSM(config)# context administrator
FWSM(config-context)# allocate-interface vlan10
FWSM(config-context)# allocate-interface vlan11
FWSM(config-context)# config-url disk://admin.cfg
FWSM(config-context)# context test
FWSM(config-context)# allocate-interface vlan100 int1
FWSM(config-context)# allocate-interface vlan200 int2
FWSM(config-context)# allocate-interface vlan300-vlan305 int3-int8
FWSM(config-context)# config-url ftp://joe:passw0rd@10.1.1.1/configlets/test.cfg
FWSM(config-context)# member gold
FWSM(config-context)# context sample
FWSM(config-context)# allocate-interface vlan101 int1
FWSM(config-context)# allocate-interface vlan201 int2
FWSM(config-context)# allocate-interface vlan306-vlan311 int3-int8
FWSM(config-context)# config-url ftp://joe:passw0rd@10.1.1.1/configlets/sample.cfg
FWSM(config-context)# member silver

Removing a Security Context

You can only remove a context by editing the system configuration. You cannot remove the current admin context, unless you remove all contexts.


Note If you use failover, there is a delay between when you remove the context on the active unit and when the context is removed on the standby unit. You might see an error message indicating that the number of interfaces on the active and standby units are not consistent; this error is temporary and can be ignored.


See the following commands for removing contexts:

To remove a single context, enter the following command in the system execution space:

FWSM(config)# no context name

All context subcommands are also removed.

To remove all contexts (including the admin context), enter the following command in the system execution space:

FWSM(config)# clear context

Changing the Admin Context

You can set any context to be the admin context.


To set the admin context, enter the following command in the system execution space:

FWSM(config)# admin-context context_name


Changing Between Contexts and the System Execution Space

If you log into the system execution space or the admin context, you can change between contexts and perform configuration and monitoring tasks within each context. The "running" configuration that you edit in configuration mode, or that is used in the copy or write commands, depends on your location. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context, the running configuration consists only of that context. For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration displays.

To change between the system execution space and a context, or between contexts, see the following commands:

To change to a context, enter the following command:

FWSM# changeto context name

The prompt changes to the following:

FWSM/name#

To change to the system execution space, enter the following command:

FWSM/admin# changeto system

The prompt changes to the following:

FWSM#

Changing the Security Context URL

You cannot change the security context URL without reloading the configuration from the new URL. When you reload the configuration, the new configuration merges with the one in running memory. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used.

If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL.

To change the URL for a context, follow these steps:


Step 1 If you do not want to merge the configuration, change to the context and clear its configuration by entering the following commands. If you want to perform a merge, skip to step 2.

FWSM# changeto context name
FWSM/name# configuration terminal
FWSM/name(config)# clear config all

Step 2 If required, change to the system execution space by entering the following command:

FWSM/name(config)# changeto system

Step 3 To enter the context configuration mode for the context you want to change, enter the following command:

FWSM(config)# context name

Step 4 To enter the new URL, enter the following command:

FWSM(config)# config-url new_url

The system immediately loads the context so that it is running.


Reloading a Security Context

You can reload the context in two ways:

Clear the running configuration and then import the startup configuration.

This action clears most attributes associated with the context, such as connections, and NAT tables.

Remove the context from the system configuration.

This action clears additional attributes, such as memory allocation, which might be useful for troubleshooting. However, to add the context back to the system requires you to respecify the URL, VLANs, and class membership.

This section includes the following topics:

Reloading by Clearing the Configuration

Reloading by Removing and Re-adding the Context

Reloading by Clearing the Configuration

To reload the context by clearing the context configuration, and reloading the configuration from the URL, follow these steps:


Step 1 To change to the context that you want to reload, enter the following command:

FWSM# changeto context name

Step 2 To access configuration mode, enter the following command:

FWSM/name# configuration terminal

Step 3 To clear the running configuration, enter the following command:

FWSM/name(config)# clear configure all

This command stops the context from running.

Step 4 To reload the configuration, enter the following command:

FWSM/name(config)# copy startup-config running-config

The FWSM copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.


Reloading by Removing and Re-adding the Context

To reload the context by removing the context and then re-adding it, follow the steps in the following sections:

1. "Removing a Security Context" section

2. "Configuring a Security Context" section

Monitoring Security Contexts

This section describes how to view and monitor context information, and includes the following topics:

Viewing Context Information

Viewing Resource Allocation

Viewing Resource Usage

Viewing Context Information

From the system execution space, you can view a list of contexts including the name, class, interfaces, and configuration file URL.


From the system execution space, view all contexts by entering the following command:

FWSM# show context [name [detail]| count]

The detail option shows additional information. See the sample displays below for more information.

If you want to show information for a particular context, specify the name.

The count option shows the total number of contexts.


The following sample display shows three contexts:

FWSM# show context
Context Name      Class      Interfaces           URL
*admin            default    Vlan10,22,55-57      disk:/admin.cfg
 contexta         gold       vlan10,100-101       disk:/contexta.cfg
 contextb         silver     vlan10,110-111       disk:/contextb.cfg

Total active Security Contexts: 3

Table 5-2 shows each field description.

Table 5-2 show context Fields

Field
Description

Context Name

Lists all context names. The context name with the asterisk (*) is the admin context.

Class

The class to which the context belongs.

Interfaces

The VLAN interfaces assigned to the context.

URL

The URL from which the FWSM loads the context configuration.


The following sample display shows the detail option:

FWSM# show context detail
Context "admin", is ADMIN and active
 Config URL: disk:/admin.cfg
 Interfaces: Vlan10,22,55-57
 Class: default, Flags: 0x00000057, ID: 1

Context "contexta", is active
 Config URL: disk:/contexta.cfg
 Interfaces: vlan10,100-101 
 Class: default, Flags: 0x00000055, ID: 2

The "Flags" and "ID" fields are for internal use only.

Viewing Resource Allocation

From the system execution space, you can view the allocation for each resource across all classes and class members.


From the system execution space, view the resource allocation by entering the following command:

FWSM# show resource allocation [detail]

This command shows the resource allocation, but does not show the actual resources being used. See the "Viewing Resource Usage" section for more information about actual resource usage.

The detail argument shows additional information. See the sample displays below for more information.


The following sample display shows the total allocation of each resource as an absolute value and as a percentage of the available system resources:

FWSM# show resource allocation
Resource                    Total       % of Avail
 Conns [rate]               35000           35.00%
 Fixups [rate]              35000           35.00%
 Syslogs [rate]             10500           35.00%
 Conns                     305000           30.50%
 Hosts                      78842           30.07%
 IPsec                          7           35.00%
 SSH                           35           35.00%
 Telnet                        35           35.00%
 Xlates                     91749           34.99%
 All                    unlimited 

Table 5-3 shows each field description.

Table 5-3 show resource allocation Fields

Field
Description

Resource

The name of the resource that you can limit.

See the "Configuring a Class" section for more information about each resource name.

Total

The total amount of the resource that is allocated across all contexts. The amount is an absolute number of concurrent instances or instances per second. If you specified a percentage in the class definition, the FWSM converts the percentage to an absolute number for this display.

% of Avail

The percentage of the total system resources that is allocated across all contexts.


The following sample display shows the detail option:

FWSM# show resource allocation detail
Resource Origin:
    A    Value was derived from the resource 'all'
    C    Value set in the definition of this class
    D    Value set in default class
Resource         Class          Mmbrs  Origin      Limit      Total    Total %
Conns [rate]     default          all      CA  unlimited                     
                 gold               1       C      34000      34000     20.00%
                 silver             1      CA      17000      17000     10.00%
                 bronze             0      CA       8500                     
                 All Contexts:      3                         51000     30.00%

Fixups [rate]    default          all      CA  unlimited                     
                 gold               1      DA  unlimited                     
                 silver             1      CA      10000      10000     10.00%
                 bronze             0      CA       5000                     
                 All Contexts:      3                         10000     10.00%

Syslogs [rate]   default          all      CA  unlimited                     
                 gold               1       C       6000       6000     20.00%
                 silver             1      CA       3000       3000     10.00%
                 bronze             0      CA       1500                     
                 All Contexts:      3                          9000     30.00%

Conns            default          all      CA  unlimited                     
                 gold               1       C     200000     200000     20.00%
                 silver             1      CA     100000     100000     10.00%
                 bronze             0      CA      50000                     
                 All Contexts:      3                        300000     30.00%

Hosts            default          all      CA  unlimited                     
                 gold               1      DA  unlimited                     
                 silver             1      CA      26214      26214      9.99%
                 bronze             0      CA      13107                     
                 All Contexts:      3                         26214      9.99%

IPSec            default          all       C          5                     
                 gold               1       D          5          5     50.00%
                 silver             1      CA          1          1     10.00%
                 bronze             0      CA  unlimited                     
                 All Contexts:      3                            11    110.00%

SSH              default          all       C          5                     
                 gold               1       D          5          5      5.00%
                 silver             1      CA         10         10     10.00%
                 bronze             0      CA          5                     
                 All Contexts:      3                            20     20.00%

Telnet           default          all       C          5                     
                 gold               1       D          5          5      5.00%
                 silver             1      CA         10         10     10.00%
                 bronze             0      CA          5                     
                 All Contexts:      3                            20     20.00%

Xlates           default          all      CA  unlimited                     
                 gold               1      DA  unlimited                     
                 silver             1      CA      23040      23040     10.00%
                 bronze             0      CA      11520                     
                 All Contexts:      3                         23040     10.00%

mac-addresses    default          all       C      65535                     
                 gold               1       D      65535      65535    100.00%
                 silver             1      CA       6553       6553      9.99%
                 bronze             0      CA       3276                     
                 All Contexts:      3                        137623    209.99%

Table 5-4 shows each field description.

Table 5-4 show resource allocation detail Fields

Field
Description

Resource

The name of the resource that you can limit.

See the "Configuring a Class" section for more information about each resource name.

Class

The name of each class, including the default class.

The All contexts field shows the total values across all classes.

Mmbrs

The number of contexts assigned to each class.

Origin

The origin of the resource limit, as follows:

A—You set this limit with the all option, instead of as an individual resource.

C—This limit is derived from the member class.

D—This limit was not defined in the member class, but was derived from the default class. For a context assigned to the default class, the value will be "C" instead of "D."

The FWSM can combine "A" with "C" or "D."

Limit

The limit of the resource per context, as an absolute number. If you specified a percentage in the class definition, the FWSM converts the percentage to an absolute number for this display.

Total

The total amount of the resource that is allocated across all contexts in the class. The amount is an absolute number of concurrent instances or instances per second. If the resource is unlimited, this display is blank.

% of Avail

The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank.


Viewing Resource Usage

From the system execution space, you can view the resource usage.


From the system execution space, view the resource usage for each context by entering the following command:

FWSM# show resource usage [context context_name | top n | all | summary | system] 
[resource {[rate] resource_name | all} | detail] [counter counter_name [count_threshold]]

all is the default, and shows resource usage for each context individually.

Enter the top n keyword to show the contexts that are the top n users of the specified resource. You must specify a single resource type, and not resource all, with this option.

The summary option shows the total for all contexts together. For example, the denied column shows the items that have been denied for each context limit. The system option shows the counts for the entire system. For the limit and denied counts, for example, you only see a number in the denied column if the system limit is reached, not if one or more context limits are reached.

For the resource name, see Table 5-1 for resource names.

The detail keyword shows the resources you can limit in a class, plus other system resources for which you cannot configure limits.

The counter counter_name is one of the following keywords:

current—Shows the active concurrent instances or the current rate of the resource.

peak—Shows the peak concurrent instances, or the peak rate of the resource since the statistics were last cleared, either using the clear resource usage command or because the device rebooted.

denied—Shows the number of denied uses of the resource, since the resource statistics were last cleared.

all—(Default) Shows all statistics.

The count_threshold sets the number above which resources are shown. The default is 1. If the usage of the resource is below the number you set, then the resource is not shown. If you specify all for the counter name, then the count_threshold applies to the current usage.


Note To show all resources, set the count_threshold to 0.



The following sample display shows the resource usage for all contexts and all resources.

FWSM# show resource usage summary
Resource              Current         Peak      Limit     Denied Context
Syslogs [rate]           1743         2132      12000(U)       0 Summary
Conns                     584          763     100000(S)       0 Summary
Xlates                   8526         8966      93400          0 Summary
Hosts                     254          254     262144          0 Summary
Conns [rate]              270          535      42200       1704 Summary
Fixups [rate]             270          535     100000(S)       0 Summary
U = Some contexts are unlimited and are not included in the total.
S = All contexts are unlimited; system limit is shown.

Monitoring SYN Attacks using TCP Intercept

TCP intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresess. The constant flood of SYN packets keeps the server's SYN queue full which prevents it from servicing connection requests. When the embryonic connection threshold of a connection is crossed, the FWSM acts as a proxy for the server and generates a SYN-ACK response to the client's SYN request. When the FWSM receives an ACK back from the client, it can then authenticate the client and allow the connection to the server.

You can monitor the rate of attacks for individual contexts using the show perfmon command; you can monitor the amount of resources being used by TCP intercept for individual contexts using the show resource usage detail command; you can monitor the resources being used by TCP intercept for the entire system using the show resource usage summary detail command.


Note Beginning with Release 2.3, using the show local host command is not a reliable method for monitoring the rate of SYN attacks.


The following sample display shows the rate of TCP intercepts for a context called admin.

FWSM/admin# show perfmon
 
Context:admin
PERFMON STATS:   Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
WebSns Req           0/s          0/s
TCP Fixup            0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
TCP Intercept    322779/s      322779/s

The following sample display shows the amount of resources being used by TCP intercept for individual contexts. (Sample text in italics shows the TCP intercept information.)

FWSM(config)# show resource usage detail        
Resource              Current         Peak      Limit        Denied Context
memory                 843732       847288  unlimited             0 admin
chunk:channels             14           15  unlimited             0 admin
chunk:fixup                15           15  unlimited             0 admin
chunk:hole                  1            1  unlimited             0 admin
chunk:ip-users             10           10  unlimited             0 admin
chunk:list-elem            21           21  unlimited             0 admin
chunk:list-hdr              3            4  unlimited             0 admin
chunk:route                 2            2  unlimited             0 admin
chunk:static                1            1  unlimited             0 admin
tcp-intercept-rate     328787       803610  unlimited             0 admin
np-statics                  3            3  unlimited             0 admin
statics                     1            1  unlimited             0 admin
ace-rules                   1            1        N/A             0 admin
console-access-rul          2            2        N/A             0 admin
fixup-rules                14           15        N/A             0 admin
memory                 959872       960000  unlimited             0 c1
chunk:channels             15           16  unlimited             0 c1
chunk:dbgtrace              1            1  unlimited             0 c1
chunk:fixup                15           15  unlimited             0 c1
chunk:global                1            1  unlimited             0 c1
chunk:hole                  2            2  unlimited             0 c1
chunk:ip-users             10           10  unlimited             0 c1
chunk:udp-ctrl-blk          1            1  unlimited             0 c1
chunk:list-elem            24           24  unlimited             0 c1
chunk:list-hdr              5            6  unlimited             0 c1
chunk:nat                   1            1  unlimited             0 c1
chunk:route                 2            2  unlimited             0 c1
chunk:static                1            1  unlimited             0 c1
tcp-intercept-rate      16056        16254  unlimited             0 c1
globals                     1            1  unlimited             0 c1
np-statics                  3            3  unlimited             0 c1
statics                     1            1  unlimited             0 c1
nats                        1            1  unlimited             0 c1
ace-rules                   2            2        N/A             0 c1
console-access-rul          2            2        N/A             0 c1
fixup-rules                14           15        N/A             0 c1
memory              232695716    232020648  unlimited             0 system
chunk:channels             17           20  unlimited             0 system
chunk:dbgtrace              3            3  unlimited             0 system
chunk:fixup                15           15  unlimited             0 system
chunk:ip-users              4            4  unlimited             0 system
chunk:list-elem          1014         1014  unlimited             0 system
chunk:list-hdr              1            1  unlimited             0 system
chunk:route                 1            1  unlimited             0 system
block:16384               510          885  unlimited             0 system
block:2048                 32           34  unlimited             0 system


The following sample output shows the resources being used by TCP intercept for the entire system. (Sample text in italics shows the TCP intercept information.)

FWSM(config)# show resource usage summary detail
Resource              Current         Peak      Limit        Denied Context
memory              238421312    238434336  unlimited             0 Summary
chunk:channels             46           48  unlimited             0 Summary
chunk:dbgtrace              4            4  unlimited             0 Summary
chunk:fixup                45           45  unlimited             0 Summary
chunk:global                1            1  unlimited             0 Summary
chunk:hole                  3            3  unlimited             0 Summary
chunk:ip-users             24           24  unlimited             0 Summary
chunk:udp-ctrl-blk          1            1  unlimited             0 Summary
chunk:list-elem          1059         1059  unlimited             0 Summary
chunk:list-hdr             10           11  unlimited             0 Summary
chunk:nat                   1            1  unlimited             0 Summary
chunk:route                 5            5  unlimited             0 Summary
chunk:static                2            2  unlimited             0 Summary
block:16384               510          885       8192(S)          0 Summary
block:2048                 32           35       1000(S)          0 Summary
tcp-intercept-rate     341306       811579  unlimited             0 Summary
globals                     1            1       1051(S)          0 Summary
np-statics                  6            6       4096(S)          0 Summary
statics                     2            2       2048(S)          0 Summary
nats                        1            1       2048(S)          0 Summary
ace-rules                   3            3     116448(S)          0 Summary
console-access-rul          4            4       4356(S)          0 Summary
fixup-rules                43           44       8032(S)          0 Summary
S = System:Total exceeds the system limit; the system limit is shown